Passwords – are they safe..?

Passwords – are they safe..?

Many people think of passwords simply as a nuisance, a barrier between us and trying to access the websites and services we need.

On the other hand, some go the extra mile in creating passwords that are as strong as possible. This can be done by utilising a range of features to keep the accounts safe and secure for us to use for both business or otherwise.

One approach is definitely better than the other…

Understanding what makes a strong password is essential to protect our data. They are the first line of defence against unauthorised access. However, research clearly shows we don’t always use secure ones.

Reasons for this vary. Many think a short or straightforward password is easier to remember, and having that same password for a range of sites and services can save time.

They are, and they can, but from a security point of view, doing so is a risk that is not worth taking…

Here are some top tips to help you stay secure:

Switch on password protection or other authentication method

If your device has the capability, please use it.

Passcodes and passwords are the first line of defence for stolen or lost devices. Biometrics have made this process even easier, with features such as fingerprints and facial recognition. It is a fast and highly secure way to unlock your device.

Use two-way authentication

Multi-factor authentication is a method in which the user is only given access to a website or service after presenting two (or sometimes more) pieces of evidence that they are who they claim to be.

So, for example, after entering a password and username, you might be sent a text message to your registered mobile device, email address or other authentication app or token. That message will be a code to be entered at the next stage to guarantee you are you!

Password management

Many are tempted to avoid longer alpha-numeric passwords, as they are difficult to remember and time-consuming to enter.

Password management applications solve that issue by storing the passwords securely for you (they can even create them, too) and entering them on your behalf when you need to.

This feature is baked into IOS devices, Google Chrome and Microsoft’s Authenticator app. There are also password managers such as LastPass, which store encrypted passwords online.

Don’t be ‘password predictable’

This is by far one of the most significant challenges to overall security online. Scammers, hackers and other cybercriminals are well aware of this fact. It doesn’t always take computing power, just a little background information.

Birthdays, favourite places and pet’s names can all be easily ascertained via social media profiles. When you add in the usual common passwords some of us tend to choose, it isn’t difficult to see why anyone looking to trick their way into your accounts can have a massive range of password options to try.

Many cyber criminals instead use computing power in what are known as ‘brute force’ attacks to guess passwords with the help of automated software repeatedly. It is simple for the cybercriminal but potentially devastating for you or your business.

Here are some ways to avoid being ‘password predictable’:

  • Always avoid using predictable passwords
  • Try choosing three random words, but swap out certain letters for symbols, so for example Troutclocklight could be tr0utCl0ckl1&ht
  • Have your own rule for what letters you take out, what you replace them with and what you capitalise

1t 15n’t t00 d1ff1cU7t, and it is A LOT more secure…

If you need help or advice on making your business be data savvy, why not get in touch? It might just save you time, stress and money in the future!

The Rights of an Individual

The Rights of an Individual

Data protection is all about the rights of an individual and the systems you need to have in place to comply with the requests that, sooner or later, you will be faced with from the people whose data you may hold or process.

Knowing what those individual rights are will help you to recognise a request when you encounter one. It will also be a big help when putting the policies in place to deal with them within the required time. Familiarity with these eight key rights will also help you record the requests you receive and recognise the importance of handling and transmitting the data safely and securely.

Here is a breakdown of the rights of an individual regarding data:

The right to be informed

The collection of a person’s data and its subsequent use are things they have a right to be informed about. It’s important to provide the following things:

  • The reasons why you are processing their data
  • How long you intend to retain it and who you will share it with. (This is privacy information, which has to be provided when you collect the data itself)
  • The inform you provide must be transparent, easy to understand and no longer or complex than it needs to be

The right of access

Everyone has the right to access their personal data and other supplementary information by making a ‘subject access request’ (SAR). This request can be made to you verbally or in writing by the person themselves or a third party acting on their behalf.

  • A business usually cannot charge a fee for dealing with a SAR request
  • They have to be dealt with in a timely way, usually within one month of receiving the request (this can be extended if the request is considered complex)
  • The data must be disclosed in a secure way

The right to rectification

Sometimes, data held are inaccurate or incomplete; an individual has the right to have it rectified.

  • This can be done verbally or in writing
  • Similarly to a SAR request, this must be undertaken in a timely fashion, within one calendar month

The right to erasure

The right to be forgotten is one that everyone has, although there are certain extenuating circumstances when not all data can be deleted. This might be as a result of other legal regulations and reasons.

The right to restrict processing

Whether restricted or suppressed, in certain circumstances, an individual does have the right to allow you to store personal data but not to use it.

The right to data portability

As the name implies, data portability gives a person the right to obtain the personal data you hold about them and reuse it for a different service. That might help them find a better bank, a different GP or a cheaper energy supplier.

The right to data portability applies only to information that has been given to a controller.

The right to object

Everyone has the right to voice objections to their data being used for direct marketing. However, under certain circumstances, companies can continue processing data if a compelling reason to do so can be proven.

  • You have to inform an individual about their right to object
  • You can refuse an objection but you need to be aware of the information you have to provide in doing so

Rights around automated decision making and profiling

Automated decision making and profiling eradicates the human element from decision making and evaluating certain things relating to an individual and their data.

  • Businesses can only carry out automated decision making and profiling under certain contractual, legal and explicitly consensual conditions
  • The facility to challenge a decision or request human intervention must be in place
  • Systems must be audited regularly to ensure they are working as they are meant to

For more detailed information relating to the individual’s rights and how you and your business can be fully compliant, visit The Information Commissioner’s Office website, where there is a dedicated breakdown and checklist for each.

Alternatively, reach out via my site for the help and advice of a GDPR specialist.

The Six Principles Underpinning GDPR

The Six Principles Underpinning GDPR

We know that GDPR is unavoidable for businesses of every size and scope. We also know that the requirements are considerable, and at times they can even feel overwhelming.

Don’t worry. Help is out there in the battle to understand exactly how you and your business will navigate a smooth path towards compliance.

The underpinning principles of GDPR are an excellent starting point.

Each of the principles is worthy of a deep dive in its own right, but for now, let’s have a brief look at each. What they involve and how they can help you to process data safely, securely and legally.

Remember, these are set out at the start of the legislation itself to help organisations and the people who run them to make the decisions. They will also enable you to put the practices in place that will embody the spirit of good GDPR practices.

Processing data in a lawful, fair and transparent way

This principle may seem self-explanatory; it basically requires that the practices you use to collect data don’t break laws. This requires a sound working knowledge of GDPR to adhere to, though, to achieve the principle’s intended goals of ensuring nothing is hidden from data subjects, stating the type of data collected in your privacy policy and the reasons for its collection.

Purpose limitation

Data has to be collected for a pre-defined and specific purpose and only for as long as necessary for that same purpose.

Data minimisation

When it comes to personal data, only process that which you need.

Data accuracy

GDPR expects that every reasonable step is taken to ensure the accuracy of data. If that isn’t the case and processed data is inaccurate, then erasure or prompt rectification is vital. Individuals have the right to request it.

Storage limitation

Another important aspect of GDPR compliance relates to safely and securely delete data that is no longer needed. How do you know when that is the case?

When does a customer stop being a customer? When is data relating to a former employee, business partner or freelancer considered obsolete?

These are complex questions, and the answer will vary depending on an individual’s industry and the reasons for the data itself. To be sure, and allay any doubts, consult a professional.

Security

Data must be processed in a way that guarantees its confidentiality and integrity. That includes things such as accidental loss, theft or partial destruction. This principle is intentionally vague to allow for changing technologies and evolving methods of best practice.

Many organisations look towards encryption, cloud-based services and staff training to fulfil these criteria.

All these principles should lay the foundation for the general data protection regime and always inform a solid GDPR policy.

As a certified Data Protection Officer, I can offer the help and support you need to ensure you and your business follow the principles underpinning GDPR compliance. You can send me a message, live chat or request a call any time. I’d love to help!

Building your data inventory

Building your data inventory

It is always worth bearing in mind that, whether we are aware of the fact or not, the data which our businesses rely on builds up over time. It becomes a sort of inventory even if we don’t plan for it so that inventory has to be organised.

We don’t just do this to achieve GDPR compliance. There’s a whole range of other tangible benefits, too; a good data policy also aids productivity and efficiency, earns customer trust, and allows you to market your services and products in much more focused and effective ways.

It might seem counterintuitive, but those end goals are also an ideal starting point. If you begin building any new data inventory with those goals in mind, it will allow you to form the important questions you need to ask to get it right. Similarly, if you are data mapping existing processes where you feel improvement is needed, it can really help too.

A useful, if unusual guide…

The ‘five bums and a rugby post’ method, despite the unusual name, is a great formula for helping you ask the big questions when it comes to data, and if nothing else, it will certainly stick in your mind.

Imagine five rugby players sitting on the bar of a Rugby post. That’s five ‘w’ shapes and one large ‘H’. Those bums represent five important questions;  Who, What, Where, When and Why?

The rugby post itself (the large ‘H’) represents the final question; How.

How does this apply to data inventory? Let’s look a little closer…

Who?

In the context of GDPR, this simply asks whose data you process. It might be clients, patients, employees, and business partners; it’s an important and logical first step.

What data to include in the inventory?

You guessed it, what kinds of data do you hold; is it personal data, for example, or is it sensitive data, it might be anything from information on a fitness device, and search engine queries to bank details and medical records, each is different, and those differences are vital.

Where?

Where is your data stored? It might be remotely, you might not realise it could even be outside the EU, or it could be held in email inboxes, filing cabinets or local hard drives. Is it structured in a database, or is it harder to locate?

When?

This is time-based; ask yourself when you or your business collects data, how long you can hold it for, and the time constraints you must work to when dealing with data-related requests.

Why?

Why do you hold the data you do? For some, this will be to pay employees and contractors. It will be for marketing, and others, it will be to comply with the law. It may even be a mixed answer.

The answers to all these questions will help you to establish HOW to build and maintain a structured and compliant data inventory, and I can help.

As a Certified Data Protection Officer, I help organisations of every siz0e and scope to achieve compliance, improve efficiency and enjoy the many other benefits of a good data inventory practice. These are the questions that inform important aspects of my work with them.

If you would like to learn more, get in touch, or book a quick chat here.

Processing Your Data In A Lawful Way

Processing Your Data In A Lawful Way

When it comes to GDPR, even a short title such as the one above can provoke a range of questions…

What is the definition of processing?

What are the lawful ways of processing?

How can I make sure I’m complying with them?

What data does this even apply to..?

Relax and take a breath, if you’re concerned, then that shows you care and on your journey towards compliance and GDPR best practice, you certainly aren’t alone. I deliver help and support to businesses of every shape, size and flavour weekly, to help them process their data lawfully.

Breaking it down

There has to be a lawful basis for processing personal data, the good news is there are just six to choose from and we will look at each a little more closely to help you understand the basis on which you process yours.

But first:  What on earth constitutes processing?

From a GDPR point of view, processing refers to any single operation (or set of operations) that are performed on personal data.

If you do any of the following, then you are processing data:

  • Collecting or recording it
  • Organising or structuring it
  • Adapting or altering it
  • Storing or retrieving it
  • Restricting, erasing or destroying it

As a rule of thumb, if you are unsure, assume that you are processing personal data, because 99.9 times out of a hundred, you always are.

And if you are, then you need a lawful reason to do so, this is one of the most important principles which underpin data protection.

The six lawful bases for processing data

While no single one of the lawful bases for processing data is better or worse than the other five, the one that applies to you or your business will be informed by your purpose and the relationship you have with the person or people with who data you process. It is important to identify which applies to you.

It has to be determined and documented before you process anything, The Information Commissioner’s Office has this handy online tool to help with that.

The six lawful bases are as follows:

Legitimate interest:

If the processing of data is necessary for the legitimate interests of you or a third party then this basis will apply.  Remember though, if there is a good reason to protect an individual’s data then that may override those legitimate interests.

Public Interest:

This basis applies if the data processing is vital for a task that is clearly in the public interest or part of an official function with a clear and present basis in law.

Vital Interest:

The basis that really means what it says, vital interest revolves around processing data that is necessary in order to protect someone’s life.

Legal Obligation:

Some forms of data processing are necessary for you or your business to comply with the law; if that is the case then your basis is one of legal obligation.

Contract:

If data processing is necessary due to a contract that exists between you and an individual, or they have asked you to undertake specific steps prior to entering into a contract, this is a lawful basis for processing their data.

Consent:

If you have clear consent from an individual, to process their data for a specific purpose, then consent is your lawful basis for doing so.

Sometimes, your own lawful basis for processing data may be obvious, but sometimes not and this is important to get right the first time and ensure it is demonstrable. You may have more than one purpose for example or your circumstances and reasons for processing data may change over time.

Those are the occasions when the services of a GDPR specialist can really make a difference, if you need help and advice around this, or any other aspect of GDPR compliance then get in touch.

Knowing your data and how to handle it.

Knowing your data and how to handle it.

It is a sobering thought that every one of us has a long, intricate trail of data out there in the wider world.

Personal data, in the form of email addresses, names, where we live, our families, friends, employment records, IP addresses… Each trail is specific to us; its contents can totally identify us.

However, another trail running parallel to the first with much more sensitive data that, in the wrong hands, could be used to target us, such as our medical histories, sexuality and our gender, race and religion.

-All that, and we haven’t even started to mention Social Media profiles…

Cutting through the confusion

Information about your clients, suppliers, employees and other associates or stakeholders is your responsibility. Knowing exactly what that data is, where it is held (off-site, in the cloud or the filing cabinet, for example,) and the lengths of time you are obliged to keep it for are all important legal requirements.

Michelle Molyneux, Data Protection Officer, Know Your data

If you run a business, you will handle data just like that listed above and doing so is more of a responsibility than ever before.

It’s a worthwhile task to undertake, for legal compliance obviously, but for other reasons too:

  • Upholding people’s rights
  • Acting fast to address issues such as data breeches and cyber crime
  • Plan more focused, effective marketing strategies
  • Your customer relationships and reputation will lift you above the competition
  • You get a secure, organised and data-accurate business

Those are just some of the benefits of handling data correctly, but how on earth do you get to that point?

Don’t panic! Help is out there

If you are confused or concerned by issues surrounding the data you hold, don’t worry. You are not the first, and you are certainly not alone in feeling that way.  The first step, the only step that really matters at the beginning of that journey towards data handling compliance and peace of mind, is this-

Establishing exactly what data you hold

I can’t stress this enough, every data audit and every conversation with a GDPR specialist such as myself begins with a long, careful look at exactly what data you handle. It is THE most important job on day one…

We can then follow the legal framework and guidelines to ensure it is handled in a safe and compliant way.

The Information Commissioner’s Office (ICO) is another valuable resource offering the help, and support businesses need to ensure data privacy. Their website offers simple to understand guides about data protection aimed at SME’s and even checklists and self-assessment tools such as this one.

If your business handles personal data, you should already be familiar with the ICO and the annual data protection fee, unless exempt. You can check if the fee applies to you here.

The ICO is a supervisory body and goes the extra mile to offer help and advice to individuals and organisations.

The excellent book ‘GDPR for Dummies’ by Suzanne Dibble cuts through much of the jargon with straightforward, easy to understand help and advice.

Lastly, but by no means least, there is me! As a certified Data Protection Officer, I can offer the help and support you need to ensure you ‘know your data’, and you’re handling it perfectly.

Why not send me a message, live chat or request a call any time? I’d love to help.