Latest News

Friday, January 31, 2020

Brexit Update for Privacy Shield Certified Businesses

Updated Guidance: Privacy Shield and the United Kingdom

The International Trade Administration’s Privacy Shield Team would like to make you aware of updated guidance explaining how a Privacy Shield participant may rely on the EU-U.S. Privacy Shield Framework to receive personal data from the United Kingdom in light of the UK’s withdrawal from the EU. The guidance is available on the Privacy Shield website at: and is included below for your convenience.


Can a Privacy Shield participant rely on the EU-U.S. Privacy Shield Framework to receive personal data from the United Kingdom in light of the UK’s withdrawal from the EU?


UPDATED January 31, 2020


Under the Withdrawal Agreement, EU law (including EU data protection law) will continue to apply to and in the UK during the Transition Period from January 31, 2020, until December 31, 2020.


During the Transition Period, the European Commission’s decision on the adequacy of the protection provided by Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants. In addition, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required. 


After the Transition Period, Privacy Shield participants still seeking to receive personal data from the UK in reliance on the Privacy Shield must have taken the following steps by December 31, 2020:  


  1. First, a Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK.

Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield. If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy. Model language for these updates is provided below:


(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit


An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after December 31, 2020.

  2. Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.

After December 31, 2020, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.


The Department of Commerce encourages Privacy Shield participants who receive personal data from the United Kingdom to use the Transition Period as an opportunity to prepare any needed updates to their privacy policies. We will continue to monitor the United Kingdom’s withdrawal from the European Union and update this guidance as needed.

Monday, April 30, 2018

GDPR Practitioners and ISO27001 Implementers Needed

Less than four weeks to go until 25th May and we are busier than ever with clients looking for support on all aspects of their data security and GDPR. As such, The Security Circle is looking to add to its team of experienced GDPR practitioners and ISO27001 lead implementers. Please get in touch at if you have the experience we need to support our growing network of local, national and international clients.

Thursday, November 09, 2017

ICO survey shows most UK citizens don’t trust organisations with their data

The latest research from the ICO has revealed a significant deficit of trust that organisations must address if they want to innovate with personal information.

The ICO research found that only one fifth of the UK public (20%) have trust and confidence in companies and organisations storing their personal information.


Steve Wood, Deputy Commissioner said:

“As personal information becomes the currency by which society does business, organisations need to start making people’s data protection rights a priority. Putting data protection at the centre of digital businesses strategies is the key to improving trust and digital growth.”


He added:

“Changes to data protection legislation, which include the introduction of the GDPR, offer organisations an opportunity to re-engage with their customers about data. The new laws require organisations to be more accountable for data protection and this is a real commitment to putting the consumer at the heart of business.”


Mr Wood delivered a speech about the importance of building consumer trust and confidence at Ctrl Shift's Personal Information Economy conference in London.


Other statistics from the ICO survey show British adults are broadly unfamiliar with the specifics of how their personal data is being used by companies and organisations in the UK, with only one in ten (10%) saying they have a good understanding of how their personal data is used.


The survey was conducted by ComRes on behalf of the ICO and is designed as a benchmark measurement for the ICO’s Information Rights Strategic Plan 2017-2021. One of the ICO’s main strategic goals over the next four years is to increase the UK public’s trust and confidence in how data is used and made available.

Other key findings from the survey include:

  • UK citizens are more likely to trust public bodies than private companies or organisations regarding holding or sharing their personal information.

  • Three in five (61%) say they have trust and confidence in the NHS or local GP to store and use their personal information while half say the same of the police (53%) or national government departments and organisations (49%).

  • One in ten UK adults (12%) say they have trust and confidence in social messaging platforms storing and using their personal information.

  • Less than one in ten (8%) of UK adults say they have a good understanding of how their personal data is made available to third parties and the public by companies and organisations in the UK.

  • Older UK adults are more likely than their younger counterparts to say they have little trust and confidence in companies and organisations storing and using their personal information.


Mr Wood added:

“By now organisations should be aware of the changes to data protection law next May. It’s no longer acceptable to see the law as a box ticking exercise. Organisations will need to be accountable, to their customers and to the regulator.


“We want to see improvements in these figures. It’s time for organisations to start building the UK public’s trust and confidence in how data is used and made available.”

Wednesday, September 27, 2017

Businesses tackle GDPR head on as ISO 27001 certification figures increase by 20%

Regular readers of the IT Governance blog will have noted the recent post about the rise in ISO 27001 certifications, up by 20% for the second year, according to the latest ISO Survey. In 2016, 33,290 certifications were issued worldwide, compared to 27,536 certifications the previous year.

Completing ISO 27001 indicates that an organisation is following information security best practice, so with the deadline for GDPR compliance fast approaching, it comes as no surprise that more businesses are using ISO 27001 as part of their GDPR routemap.


ISO 27001 certifications remain highest in Asia-Pacific (+23%) and Europe (+20%), which now have 14,704 and 12,532 organisations certified to the Standard respectively.  However, growth is highest in Africa (+74%) and Central/South America (+63%), which have 224 and 564 organisations certified to the Standard respectively.

In the UK, ISO 27001 certifications rose to 3,367, a rise of 21% from the previous year. The UK is ranked fifth in the world in ISO 27001 certifications, and 10% of the world’s certifications are now by UK businesses.

Data breaches and cyber attacks are, unfortunately, becoming a regular occurrence. Some 3.1 billion records were leaked in 2016. As a result, organisations worldwide are recognising the need for an information security management system (ISMS) certified to ISO 27001.


Many organisations are aware that ISO 27001 is an excellent approach to tackling EU General Data Protection Regulation (GDPR) compliance  – which is helpful, as the deadline for complying with the Regulation is coming around quickly: 25 May 2018. An ISMS aligned to ISO 27001 can help organisations protect all their corporate information and intellectual property, as well as personal data.


ISO 27001 certification brings a wealth of benefits, including:

  • Avoiding penalties and financial losses due to data breaches.

  • Meeting increasing client demands for greater data security.

  • Protecting and enhancing your reputation.

  • Obtaining independently audited proof that your data is secure.

To find out more about GDPR or ISO 27001, please contact a member of The Security Circle team at

Monday, September 11, 2017

GDPR: The Death Knell for Programmatic Advertising?

The latest Data-Driven Thinking column at talks about the impact of GDPR on programmatic advertising. Written by Mark Roy, founder and chairman at REaD Group, it discusses how the new regulations will effectively bring an end to the concept of automating relationship building....

The GDPR has been developed to directly address customers’ concerns about the safety of their personal data. Like it or not, anyone in possession of customer data will need to be compliant by next May, when the regulation comes into effect. GDPR contains strict new rules around individual data, including customer consent and their “right to be forgotten.” GDPR will be unforgiving to those who fail to comply; organizations will face astronomical fines of 20 million euros ($24 million) or 4% of annual global turnover, whichever is greater.


I cannot see how programmatic can ever be GDPR-compliant unless it is limited to a small number of organisations, rather like a prospect pool. The GDPR will require advertisers to obtain active consent from customers, which will involve them specifically opting in to, rather than out of, a deal.  While some organisations may be able to circumvent this by limiting premium services to those who opt in for data collection, such as customers agreeing to the collection of cookies, obtaining consent for programmatic advertising is going to cause a real headache. As of next May, if advertisers have not obtained specific consent from individuals, they cannot market to them in any shape or form. 


The “right to be forgotten” rule, in which an individual can have their historic data removed from a database, will leave the programmatic industry with a significant conundrum. In order to be “forgotten,” we must be able to know what needs to be forgotten. Every click, path, transaction, request or click-through must be recorded and be deletable. Therefore, by putting data assets into the ether and allowing thousands of organisations to use it, it is nigh on impossible to comply with the GDPR.

The EU’s new privacy rules are likely to disrupt the global digital marketing scene by preventing companies from using an EU citizen’s data unless they have obtained their direct consent. This will apply to the data of every EU citizen, regardless of where in the world their data is being used or stored. This means that US companies, such as Facebook and Google, which no doubt possess a large amount of EU citizen data, will have to pay attention to the regulation across the pond and take the same steps as everyone else to become compliant.


The target in the crosshairs of the EU rifle has always been and will be the US tech behemoths. When I first engaged with the EU on this years ago and was talking to legislators in Brussels, it was shortly after Mark Zuckerberg had decided that all those pictures, stories and photos on Facebook belonged to the company and not the millions of EU citizens who had posted them. Legislators were apoplectic, but even more determined to tackle the issue head-on.


So, what does the future hold for advertisers?  Overall, it is clear that every organisation in possession of customer data will be affected by the GDPR. The programmatic advertising sector will feel the regulation the most, due to the data requirements it needs for targeting. The GDPR is likely to shift advertising away from the algorithmic models of communicating, back toward a simpler form of advertising, relying on less volume and better-quality data.


I predict programmatic technology will be used in a far more limited way and largely in a retention and customer management environment, and there will be a return to a more personal touch in advertising facilitated by human beings rather than machines.  GDPR will herald a new era of greater trust between organisations and customers still willing to share personal data to access tailored services. Organisations need to clearly explain to customers how their data will be used and how they can expect to benefit from it.


Follow REaD Group (@REaD Group) and AdExchanger (@adexchanger) on Twitter.

Thursday, August 24, 2017

More than one in four organisations will suffer a data breach over the next two years

On average, organisations have a 27.7% chance of suffering a material data breach in the next two years, according to Ponemon Institute’s 2017 Cost of Data Breach Study.


A material data breach involves at least 1,000 lost or stolen records containing customers’ personal information.  Although material data breaches are reportedly more likely than a year ago, the average cost of a breach has decreased from $4 million (about £3.13 million) last year to $3.62 million (about £2.83 million). The average cost of each lost or stolen record containing sensitive and confidential information decreased from $158 (about £123.52) last year to $141 (about £110).  Approximately 48% of this decline (about $8 or £6.25) is due to the strength of the US dollar in the past year, Ponemon Institute claims.


These figures don’t necessarily mean that organisations are getting better at protecting data. In fact, they indicate that approximately 350 more records were lost or stolen per breach this year compared to 2016.

For the third year in a row, the study found a relationship between the speed at which an organisation identifies and contains a data breach and how much they cost. The average time to identify a breach was 191 days (with a range of 24 to 546 days) and the average time to contain a breach was 66 days (with a range of 10 to 164 days).

Ponemon Institute reports that organisations in certain countries are more likely to suffer a data breach. Over the past four years, South Africa and India have had the highest estimated probability of a data breach, followed by Australia, the Association of Southeast Asian Nations and the UK.  Germany and Canada currently have the lowest likelihood of a breach.

Even the most secure organisations can suffer data breaches. Attacks are frequent enough that organisations need to accept that one will eventually be successful. That’s why an organisation’s resilience to these attacks – identifying and responding to security breaches – is critical, and why they need to adopt a cyber resilience strategy.


Combining cyber security and business, this strategy helps you implement:

  • Effective cyber security without compromising the usability of your systems; and

  • A robust business continuity plan that covers your information assets so that you can resume normal operations as soon as possible after a successful attack.

Luke Irwin, IT Governance 

Wednesday, August 16, 2017

The Security Circle's CEO is Keynote Speaker at forthcoming Insider Cyber Security Business Breakfast

The Security Circle's CEO, Scott Simpson, is the Keynote Speaker at Scottish Business Insider's Cyber Security Business Breakfast on 24th August in Glasgow.  Talking about GDPR and what it means for all organisations, Scott will outline the real practical implications of the new rules and what businesses need to develop a roadmap to compliance.


Scott, alongside a panel of experts, will answer questions on GDPR, data protection and cyber security. Participants will also be provided with a handout to take away on the practical steps needed to comply with the regulations, which come into force in May 2018.

Thursday, June 01, 2017

Major UK Companies at Risk of Breaking Key GDPR Principle on Collecting PII

New research shows that more than a third of all public web pages of FTSE 30 companies capturing personally identifiable information (PII) are in danger of violating the GDPR regulations by doing so insecurely.


The FTSE 30 is made up of the 30 most influential companies listed on the London Stock Exchange. The study by RiskIQ looking at the sites of these organizations finds that more controls on outward facing web assets are needed.

The study found 13,194 pages on sites owned by these companies that collect PII, an average of 440 pages per organization. Of these, 34 percent of pages that collect PII are doing so insecurely, 29 percent are not using encryption, 3.5 percent are using very old, vulnerable encryption algorithms, and 1.5 percent have expired certificates.

Insecure collection of PII is of course not just a GDPR compliance violation. The loss of personal data, profit, and reputation resulting from the use of insecure forms is a legitimate concern for consumers, as well as shareholders. In addition to personal claim liability, GDPR's Article 83 provides guidance on fines for faults. These start at the greater of €10m or two percent of global annual turnover for the preceding financial year. This applies to all companies actively engaging with European citizens, regardless of whether they have a physical presence in Europe.

"Thorough knowledge of an organization's web presence is crucial to steering clear of potential GDPR repercussions," says Colin Verrall, vice president of RiskIQ EMEA. "Our customers are using RiskIQ Digital Footprint to capture their full digital footprint and actively identify potential areas of non-compliance, including insecure data collection pages and forms."

You can find out more about insecure forms and the risks they pose on the RiskIQ blog.

Article written by Ian Barker and published by BetaNews

Wednesday, May 31, 2017

GDPR Misconceptions; Consolidated Ad Fraud

ExchangeWire Research’s weekly roundup brings you up-to-date research findings from around the world, with additional insight provided by Rebecca Muir, head of research and analysis, ExchangeWire. In this week’s edition: GDPR misconceptions; Consolidated ad fraud; and State of marketing automation.

GDPR Misconceptions

Almost three-quarters (72%) of UK marketers either cannot answer, or incorrectly list, the necessary conditions to meet GDPR (General Data Protection Regulation) requirements for ‘opt-in’ consent, finds research by Mailjet.

With less than a year to go ahead of the 25 May, 2018 deadline, only 17% of respondents have taken all of the recommended steps towards GDPR compliance, while the same proportion admit they have not enacted any such checks or changes.

This could well be explained by the fact marketers believe they’re facing a total fine of €5.2m (£4.52m). In reality, the maximum penalty for noncompliance is €20m (£17.37m), or 4% of their global revenue.


Over a third of marketers (34%) incorrectly think individuals over the age of 70, and those who have not been responsive for 90 days, are exempt from all automated marketing decisions. Almost half (44%) of respondents claim businesses that employ over 250 staff must appoint a chief data officer, despite this only being a requirement where data is of a particularly sensitive nature.

Consolidated Ad Fraud

The majority of ad fraud is concentrated in a small percentage of sources within the RTB programmatic market, according to a study by Fraudlogix.

The report finds that 68% of fake impressions came from just 3% of publishers. Additionally, it found that those sources that generated the highest percentage of fraudulent impressions contributed a disproportionately high amount of impressions to the RTB market.

Sites with more than 90% fraudulent impressions accounted for only 0.9% of publishers, but contributed 11% of the market’s impressions. This signifies how detrimental fraudulent publishers can be to market quality, as sites generating fake impressions can quickly outpace sites sending real traffic.

Overall, the study found 18.8% of impressions to be fraudulent. An impression was considered fraudulent (or fake) if a combination of digital and behavioural characteristics synonymous with ad traffic generated through fraudulent means such as bots, scripts, hijacked devices, and click farms was detected.

State of Marketing Automation

The six biggest technologies hold over 57% of the marketing automation marketshare, finds a study by SimilarTech and Bold Digital Architects.

Hubspot was found to have the largest marketshare in 2016 (21%). The total number of websites using marketing automation technologies in 2016 has increased to 482,765.

Other findings include:

– Marketing automation is most popular among B2B companies

– Most billion-dollar companies (enterprises) use Marketo

– Pardot has seen the largest growth in 2016 with an astonishing increase of 108.9%. The rest of the six dominant technologies averaged a growth of 48%


Among companies that generate between USD$1m-USD$10m annual revenue, despite being a rather small player, Infusionsoft surpassed Marketo in this market share. This might be the target market for Infusionsoft, since we hardly see any usage among bigger companies.

Article written by Hugh Williams on 1st Jun 2017 published by ExchangeWire

Wednesday, May 31, 2017

‘Lack of awareness’ about Mobile Phone Cybercrime Threat

Just a third of consumers have installed anti-virus software on their mobile phone despite 94% appreciating the importance of data security, a survey has found.

Almost 24 million Britons use their mobile to shop, and nearly 23 million use internet banking services, the poll for Virgin Mobile found, but just 34% have protected their phone with software.

Meanwhile, 17% of Britons admit to storing their passwords on their mobile phone. Of these, 43% save passwords in the Notes app, 28% save them as the names of the organisation in their contacts list and 26% save them under celebrity names.

Some 43% do not use a numerical passcode to secure access to their phones, while 11% admit that they have never changed any of their online passwords.

Even among those who consider themselves to take data security seriously, 7% have used public WiFi to send bank details.

Despite increasing levels of cybercrime, one-fifth of Britons (17%) do not think that anyone will ever steal information from their phone, while almost one in three (29%) believe that security applications are not necessary on mobile phones.

Virgin Mobile commissioned the survey as it launched a mobile security package, including a password manager service, for all customers for free for the first year of use.

Jeff Dodds, managing director at Virgin Mobile, said: “While Brits spend more time browsing the web on their smartphones than on laptops, our research shows a lack of awareness about security.

“Not enough people are protecting themselves from the growing threat of cybercrime on the very device they use the most.”

director Jessica Barker said: “The British public are increasingly aware of cyber security and the overwhelming majority agree that it is important. However, there is a gap between this awareness and behaviours.

“A driving factor in this is that cyber security can seem difficult and overwhelming. However, it does not need to be this way and security online is increasingly important.

“With phones becoming more powerful and connected, people use them to do internet banking, shopping, sharing content on social media and even sending intimate selfies.

“This information can be vulnerable to attack, like anything on the internet, but there are lots of straightforward steps you can take to better protect yourself and your data.”

Opinium surveyed 2,006 UK adults online from May 12 to 16.

Published by The Sunday Post - Author: Josie Clarke, 01 June 2017

Tuesday, May 30, 2017

Security Launches Free GDPR Advisory Service

The Security Circle has a UK wide team of certified GDPR Consultants and Practitioners who are available to help businesses or organisations understand GDPR.

One of the key difficulties for organisations in dealing with GDPR is actually understanding what the responsibilities are and how GDPR will affect their functions and processes. It is also about scoping out the costs and the time scales to becoming compliant - in as far as compliance is possible in a developing set of Regulations. There are also several nuances and pitfalls to avoid.

To help with this, The Security Circle has launched a GDPR Advisory Service where companies can have a free one hour consultation with one of our experts on the phone or in an online meeting. 


This will give companies the opportunity to find out some of the key information required in terms of what GDPR compliance will mean for that company or organisation.


To book a free consultation, please visit our website at

Thursday, May 18, 2017

84% of UK Small Business Owners ‘Unaware of GDPR’

According to Research Live, 84% of UK small business owners and 43% of senior executives of large companies are unaware of the forthcoming General Data Protection Regulation (GDPR), according to new research.

This is despite the vast majority (95% of senior executives and 87% of small business owners) claiming to have at least some understanding of their industry’s legal requirements. 

The GDPR, which replaces existing European data protection laws from May 2018, is intended to bring greater strength and consistency to the data protection given to individuals within the EU.

The survey, from information security company Shred-it, conducted by Ipsos, also revealed that just 14% of small business owners and 31% of senior executives were able to correctly identify the fine associated with the new regulation (up to €20m or 4% of global turnover).

Of those who claimed to be aware of the legislation change, just 40% of senior executives have already begun to take action in preparation for the GDPR. 

"As we approach May 2018, it’s crucial that organisations of all sizes begin to take a proactive approach in preparing for the incoming GDPR," said Robert Guice, senior vice president, Shred-it EMEAA.

"From implementing stricter internal data protection procedures such as staff training, internal processing audits and reviews of HR policies, to ensuring greater transparency around the use of personal information, businesses must be aware of how the legislation will affect their company to ensure they are fully compliant."


Article from Research Live

Monday, May 22, 2017

HR and the GDPR: How is Consent Changing?

In this article we examine what will be required for valid consent to processing data under the General Data Protection Regulation (GDPR) and how employers should be preparing for that.



Under the Data Protection Act 1998 (DPA) employers routinely rely on individuals' consent for the lawful processing of data. When the GDPR comes into force in May 2018 this is likely to change and the use of consent will be very different to what we know now. For employers, along with the expansion of the definitions of personal and sensitive personal data, this will be a very significant change.

What's the difference?

There is no definition of consent under the DPA but the Courts must interpret it in accordance with the European Data Protection Directive; this requires consent to be unambiguous and defines it as:

'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.'


The GDPR specifically defines consent as:

'freely given, specific, informed and unambiguous indication of a data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'

The GDPR is clear that consent requires affirmative action and that silence, pre-ticked boxes or inactivity will not constitute consent. In addition, where data is processed for several purposes, consent needs to be obtained for each purpose (if relied on). Employers will need to demonstrate that consent has been given for a particular type of processing.


So, what does this mean?

A general 'catch all' consent clause in an employment contract or employee facing data protection policy will no longer be sufficient; not least because it usually seeks to capture consent to processing for numerous purposes.

The GDPR also requires employees to be informed of the right to withdraw consent and for it to be as easy to withdraw as it is to give. This information is unlikely to be included in current data protection clauses found in employment contracts.

While employers have always been aware that consent by its very nature is unreliable, as it can be withdrawn, it has largely become the default basis for processing personal and sensitive personal data; in many cases because it has been relatively easy to obtain from unquestioning employees and avoids the employer having to show the processing complies with another processing condition. This is despite the validity of consent in an employment relationship being questioned (including in ICO guidance) as the employee is in a subordinate position.

The GDPR makes it plain that consent will not be freely given if the individual has 'no genuine or free choice'. Specifically, consent will not be a valid basis for processing data where there is a clear imbalance between the individual and the data controller; hence its use in an employment context (where the employer is generally in a far stronger negotiating position than the individual) is likely to be limited.

If employers still want to rely on consent, what will be needed?

Enough information will need to be given to an individual for them to understand what they are consenting to and the extent of the processing. If individuals are asked to sign a declaration of consent then it must be provided in an 'intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms'.

The individual will also need to understand the identity of the data controller and the purposes for the processing. The declaration will need to be distinguishable from other terms and not hidden in lengthy documents or within a website or software system.

Consent will need to be verifiable in line with the GDPR's accountability requirements (which require proof of compliance); employers will need to show that compliant consent has been given. Therefore the procedure for obtaining it will need to be unambiguous, and employers will need to keep an easily accessible audit trail. HR systems and procedures will likely need to be reviewed and updated accordingly.

Is there anything else?

Individual rights are significantly strengthened under the GDPR. Employers should be aware that if they seek to rely on consent, individuals will have greater rights where data is processed on the basis of consent.

For example, the right of data portability (which we will cover in a forthcoming article) attaches to data processed by consent but does not attach if the legitimate interests processing condition is relied upon.

Employers should be aware that this is an aspect of data protection compliance which could fuel group and union action. If an employee can show that an employer does not have an identifiable legal basis for processing data or is not complying with the rights that attach to the processing condition relied on, the door may be opened for other employees to pursue this.

Employers therefore need to understand which processing conditions they currently rely on and whether they will continue to rely on them (and are indeed able to) under the GDPR. There will need to be a clearly identified legal basis for each processing of personal data and this will need to be evidenced.

It is likely to be difficult for employers, particularly those who have grown rapidly, to evidence that all ongoing processing was legally justified in the past. The GDPR wants employers to think carefully about what data they process and why.

What's the alternative?

It is likely that the 'legitimate interests' processing condition will be relied on more by employers under the GDPR. While this will require more preparatory work (in order to conduct the proper balancing exercise between the rights of individuals and the legitimate interests of the employer), ultimately it is likely to be the most user-friendly option for employers. As mentioned above, this may also be preferable because data processed on the basis of legitimate interests carries fewer individual rights.

What next for employers?

Employers are running out of time to get their houses in order before May 2018 and need to act now, if they haven't already.

  • Review current employment contracts and HR policies to understand where your current consent wording is located and what it says.

  • Audit HR data to identify the legal basis for processing it and the processing conditions which are currently relied upon.

  • Decide what processing conditions under the GDPR you will rely upon for employee data after May 2018.


Published: 22 May 2017

Author: Pamela Tatlock

Applies to: UK wide

Saturday, May 13, 2017

Friday's cyber attack on the NHS is a wake up call for us all

Friday’s large-scale cyber attack on the NHS brought it to its knees and heralded a state of emergency. Healthcare is now so reliant on technology, and the NHS is such a complex organisation, that it was really only a matter of time before a sustained attack managed to find a weak point.


The NHS declared a major incident after its computer systems were believed to have been hit by a ransomware cyber attack using malware called “Wanna Decryptor”. Ransomware is software that locks a computer and demands payment before allowing access again, and it is one of the world's fastest-growing cyber threats. The cyber incident is believed to be part of a wider international attack hitting 74 countries, including the UK, the US, Russia, Ukraine, Spain and India.


Europol, the European Union’s police agency, said the onslaught was at "an unprecedented level and will require a complex international investigation to identify the culprits".


It is a chilling reminder of how one of the core pillars of our national infrastructure can so easily be the victim of unscrupulous cyber criminals. The attack has highlighted just how important it is for organisations to remain ever vigilant to what is now regarded as one of the biggest threats to UK businesses.


Absolutely everything is hackable. All you need is the right knowledge, time and unwavering persistence. Businesses large and small need to realise that cyber attacks are only going to become more frequent and more sophisticated. Even organisations with teams of cyber professionals are vulnerable, as we have seen with the recent data breaches at TalkTalk, Yahoo and Sony.


As the EU GDPR (General Data Protection Regulation) comes into force in May 2018, cyber attacks which lead to a data breach will cost businesses, organisations and public authorities millions of pounds. Under current legislation, the Information Commissioner's Office can only set a maximum fine of £500,000 for a data breach. However, from May next year, the ICO will have hugely increased powers and can impose fines of €20,000,000 or more, depending on turnover.


The recent attack on the NHS is a much needed reminder to us all that cyber security and business continuity need to be at the top of every organisation’s agenda. From SMEs to large public institutions, there is simply nowhere to hide from cyber crime.

Thursday, April 27, 2017

GDPR - Why Businesses Need to Act Now

It is just over a year until the new GDPR (the General Data Protection Regulation of the EU) comes into force, yet many organisations are woefully unprepared and time is running out to become compliant. The typical time for most businesses to reach compliance is around 8-10 months, and it is now widely recognised that there is likely to be a shortage of GDPR practitioners towards the end of the year, meaning businesses should start the compliance process now.


GDPR has been years in the planning and is a comprehensive response to the fact that the value of data – both to businesses and to criminals – has never been greater. In 2016, the Business Continuity Institute described cyber crime as the biggest threat to business. The UK Government’s National Security Strategy categorises cyber attacks as a Tier One threat to Britain’s national security alongside terrorism.


The impact of cyber crime on UK businesses is growing astronomically. Recent research indicates that almost 3 million British companies were affected by some form of cyber crime during 2016, at a total cost of £29.1 billion.


When GDPR comes into force on 25th May 2018, it will replace the outdated Data Protection Act. GDPR positions the protection of user information at the heart of every organisation and places the responsibility for doing so very firmly with the Board.


Many organisations may question whether GDPR is relevant to them. If any business you own or work for holds any Personally Identifiable Information at all about EU citizens – such as email addresses, landline or mobile numbers – then the answer is yes. Regardless of Brexit, the UK government has confirmed that it will adhere to the EU GDPR, so it is important that businesses understand the new legal framework and are ready to adhere to it from day one.


What are the costs of failing to comply with GDPR? The fine for a data breach has been set at 4% of global turnover or 20 million Euros, whichever is greater, and this is per incident. There is a fine of 2% of turnover simply for not having records in order. Make no mistake, GDPR will be ruthlessly enforced by the ICO (Information Commissioner's Office), and failing to adhere to the regulations will have brand, business and career-ending implications. There are also serious implications for shareholder value in the event of a cyber incident.


Such is the complexity of the new Regulations that it is important work starts now to ensure that businesses are up to speed with their GDPR requirements and have all the processes needed in place for May next year. With the shortage of GDPR practitioners, data experts are already suggesting that organisations are running out of time to be GDPR ready.


GDPR compliance presents a range of difficulties for organisations of all sizes, primarily to do with understanding what responsibilities it brings to the business and what GDPR will mean in terms of processes, timescales and the costs of becoming compliant.


It is important that businesses take action now and get the advice they need from a certificated GDPR practitioner who will be able to take the organisation through the compliance process.

Rosberg's Verji SMC Joins the MobileIron Stable

Rosberg AS has been approved as a MobileIron partner, with its Verji SMC app now available in the MobileIron marketplace. 


MobileIron was awarded Fastest Growing Tech Company in the World 2014 (Deloitte Technology Fast 500). The company's mission is to enable modern enterprises to secure and manage information as it moves to mobile and to the cloud, while preserving end-user privacy and trust. The MobileIron Enterprise Mobility Management (EMM) solution is a mobile security platform that secures data-at-rest on mobile devices, in applications and in cloud storage, as well as data-in-motion as it moves between corporate networks, devices, and storage repositories.

MobileIron offers a layered security model that supports integrated Mobile Device Management (MDM), Mobile Application Management (MAM) and Mobile Content Management (MCM).

The Verji SMC app, developed by Norwegian-based Rosberg AS, is available in the UK and Ireland through distributor The Security Circle. Verji encrypts mobile communication and protects against hacking attacks with end-to-end encrypted speech, messaging and file sharing.

Wednesday, November 23, 2016

GSMA Chairman Joins Rosberg as Strategic Advisor

Jon Fredrik Baksaas, the current chairman of the GSM Association (the GSMA) until the end of 2016, has joined Rosberg as a Strategic Advisor. The GSMA is the trade body that represents the interests of mobile operators worldwide.


He will be working with the management team and with the board on positioning Rosberg as a leading player within Secure Mobile Communications Solutions. Rosberg's Verji SMC app won Best ICT Security Innovation at the European Cyber Security & Privacy Innovation Awards 2014.

Jon Fredrik Baksaas was the President and CEO of Telenor Group for 13 years and worked for Telenor for a total of 26 years. During this period, Telenor developed from being a monopoly fixed line player to become one of the largest mobile operators in the world, with operations in 13 countries in Europe and Asia now reaching out to more than 200 million users.


Before joining Telenor, Baksaas worked with Aker ASA, Stolt-Nielsen Seaway AS and Det Norske Veritas in finance and financial control related functions. He is also a member of the Board of Svenska Handelsbanken.

Monday, November 07, 2016

Security Circle Views Expansion with New Offices in Zurich and Dublin

The Security Circle is delighted to announce further expansion with the opening of new offices in Zurich and Dublin.

Our Zurich office is headed up by former Cite Investments Board Director Martin Schramm and provides the perfect base for developing The Security Circle's services across mainland Europe.

Martin has previously held a variety of executive positions with Zurich Insurance in the UK and Switzerland, most recently as Executive Director of Zurich Global Corporate Russia in Moscow (AO Zurich Reliable). With his extensive experience and specific knowledge in general insurance, including crime, cyber and business interruption risks, he helps to create strong relationships between our cyber security auditing team and insurance underwriters, brokers and other organisations operating in this field.

The Security Circle’s Dublin office is headed up by Noel Daly, who brings a wealth of expertise in Strategic Planning, Government, Change Management and the Healthcare sector to the business.


Having worked with various government bodies as well as acting as Consultant with WHO (the World Health Organisation), Noel has extensive commercial experience and significant Government connections in both the Republic of Ireland and Northern Ireland. The depth and breadth of experience he has developed from his public and private sector work across the international stage allows him to develop The Security Circle’s business streams across a range of sectors.

Wednesday, September 14, 2016

PassFort On-Boards Our Client Portfolio

The Security Circle is delighted to announce its engagement with PassFort to assist with the strategic development of the business. Avril Miller, who specialises in the financial services sector for The Security Circle, has been seconded to Passfort in a Non-Executive Director capacity.

PassFort is the first company to develop Client Lifecycle Management (CLM) software in the cloud that regulated businesses of all sizes can use to automate, measure and improve customer onboarding and risk assessment processes. We empower compliance teams by enabling them to spend less time on information handling and more time on decision-making.

Tuesday, September 13, 2016

Security Circle to exhibit at the INTERPOL IP Crime Conference 19-20th September

We were delighted to be asked by the City of London Police to exhibit at this year's IP Crime Conference.


This 10th annual event will feature two days of plenary and panel sessions along with substantial opportunities for networking throughout the entire Conference. For this Conference we will be celebrating a decade of success and looking forward to building stronger partnerships and best practices moving into the future.


The Security Circle will have Bowater Holographics and Rosberg exhibiting on the stand.


Bowater Holographics will be presenting to the market their ground-breaking new Secure Identity Card and their impressive existing range of brand protection and Anti-Counterfeiting products.


Rosberg will have demos of Verji, the Secure Mobile Communication App, the only app available that protects mobile phones from IMSI Catcher and Man-in-the-Middle Attacks.

Wednesday, September 14, 2016

Apple recently released an emergency patch for iOS, designed to resolve three zero-day vulnerabilities. The fact that Apple released this patch in between its regular updates demonstrates just how serious the threat is.

The most interesting of these vulnerabilities is CVE-2016-4657. This is a memory corruption bug in Safari's WebKit engine, allowing an attacker to compromise the device when a user clicks on a link.

Read the full article at:

Monday, June 06, 2016

Aberdeen businesses at Global Cyber Summit warned that mobile devices are now the weakest security link

Norwegian-based Rosberg System AS outlined the true cyber security threat posed to businesses at the recent Global Security & Cyber Security Summit which took place in Aberdeen.


Representatives from businesses throughout the region gathered at Ardoe House to hear from a wide range of security and cyber experts. Odd Helge Rosberg, Chief Technology Officer at Rosberg System AS, took to the stage to outline the security risks posed by smartphones and the development of VERJI SMC, the world’s first hardware-agnostic smartphone security solution.

Conference delegates at the Global Security & Cyber Summit heard how the VERJI SMC app uses end-to-end encryption on speech, attachments and messages, in addition to protecting against SMS-based attacks and fake cell towers.


Odd Helge Rosberg said: “We know that smartphones are now the leading security risk for businesses.

“Businesses need to be aware that until they address the issue of smartphone security, they’re effectively leaving the doors and windows to their network wide open for cyber criminals to access.” 

Monday, November 09, 2015

Bio ID Security in the Intellectual Property League Table 2015

Congratulations to Bio ID Security, who have come in at number 15 in the UK's Top 100 IP League Table.


Monday, November 09, 2015

Emotional Sciences in the Intellectual Property League Table 2015

Congratulations to Emotional Sciences, who have come in at number 50 in the UK's Top 100 IP League Table.

Friday, October 30, 2015

Merfyn Lloyd Joins the Team

We are delighted to welcome Merfyn Lloyd OBE to The Security Circle. Merfyn has an impressive track record in the Defence and Security Sectors and will join our team of Consultants. Please read Merfyn's biography on our Team Page.
