In the last couple of years, how we work has changed immensely. We now want to work in a more hybrid way or work from home more often. Virtual working is in high demand, which means data protection and privacy need to be a high priority.
There are some things that organisations need to implement for the safety of the business and their clients.
Working from Home
As working from home becomes increasingly common, it is essential to ensure that proper data protection measures are in place. Team members must take steps to secure confidential and sensitive information. This will include using secure networks and passwords, encrypting data, and limiting access to work devices. That means work devices should only be used for work purposes by the appropriate person. A work-issued machine should not be shared with others in the house.
Businesses should also provide clear policies on data protection and train their employees on best practices. Regularly backing up data and conducting security audits can also help mitigate data breach risks while working remotely.
Co-working offices have become an increasingly popular way of working virtually over recent years. They offer individuals and small businesses the opportunity to work from a shared workspace. However, this trend brings unique challenges for data protection. Co-working spaces often involve using common facilities, such as shared printers and wifi networks, which can expose sensitive information to unauthorised parties.
This may account for the results of a survey by Veritas Technologies which stated that 74% of companies experienced data breaches at co-working spaces.
We are not saying co-working spaces are unsafe and should not be used. They are a great place to work. But it is essential, when working in a co-working space, to implement additional data protection measures, such as encrypted network connections. The easiest way to do this is to use a VPN on your device.
In fact, I would use a VPN whenever using an external wifi source, to protect your data and access from others.
In addition, users of co-working spaces need to be conscious of what they are working on and what others can see. You are in a public area, and someone could look at your screen over your shoulder.
Additionally, co-working space users need to be diligent in protecting their data, such as using strong passwords and avoiding public wifi networks. With proper measures, co-working spaces can protect their users’ data.
Bring your own device
In today’s digital age, Bring Your Own Device (BYOD) policies are becoming increasingly common in workplaces, which can pose a challenge to data protection.
As team members use their personal devices, it can be difficult to ensure that sensitive information is not compromised. To address this, organisations can implement security measures such as encryption, multi-factor authentication and remote wiping capabilities to protect data on personal devices. It is also important for team members to receive training on data security, and for clear guidelines to be set on using personal devices for work purposes. By taking these steps, organisations can better protect their sensitive information and reduce the risk of data breaches.
There is a theme running through each of these sections: cyber security, which is not limited to the above.
As more people are working remotely, cyber security has become increasingly important. Working virtually can leave individuals vulnerable to cyber attacks. As a result, it is important to have secure connections and to use strong passwords to protect sensitive information.
The first thing to check is that the default wifi password for the router has been changed, as has the login for the router's admin interface. The password printed on the base of the equipment may look unique, but it still needs changing.
Additionally, when working from home, caution should be exercised when clicking on links or downloading attachments from unfamiliar sources. Training should be sourced and provided to employees. If you work with freelancers or sub-contractors who access your systems, you must ensure they have completed training too.
Where possible, businesses should share resources and lessons learned to ensure their remote employees are aware of potential threats and are taking the necessary precautions to keep company information safe.
If you have any questions about supporting your business and team to work safely and compliantly virtually, or if you would like support applying for Cyber Essentials, why not book a free 30-minute call to see what we can do?
Privacy, data protection and confidentiality are interconnecting terms. Are they the same or different?
They can sometimes be viewed as the same thing. But there are differences. Let’s unpick them and see how they are essential in your business.
Excuse me for not writing an update to the proposed data protection bill changes earlier. The Government published the Data Protection and Digital Information (No. 2) Bill earlier this month. This is the second version of its proposal for data protection legislation. It amends the following:
- Data Protection Act 2018
- UK GDPR
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
The first thing to note is that this is not new legislation but a Bill that amends current legislation. This makes reading the new Bill ‘interesting’, as you need all three documents side by side to see the proposed changes.
- For businesses that have already implemented GDPR and data protection, there will be fundamental changes that you need to implement.
- If you are working with the EU, you will still have to abide by their FULL regulations.
- The legislation changes offer ‘marginal’ or ‘slight’ flexibility.
Legitimate Interest conditions
The Bill sets out a list of recognised legitimate interests where the balancing test does not need to be undertaken. This list started in the first Bill and is uncontroversial: it covers reasons why processing personal data is essential (for example, safeguarding national security and preventing crime).
The Bill also adds examples of types of processing that may be “processing that is necessary for the purposes of a legitimate interest”. Note that for these the balancing test will still need to be undertaken. They include processing necessary for direct marketing, the transmission of personal data for internal administrative purposes, and ensuring the security of network and information systems.
The inclusion of “direct marketing” in this list has not been accompanied by a significant change to PECR, meaning that all of the rules that currently apply to electronic marketing under PECR, including the obligation to obtain consent or rely on soft opt-in consent for email marketing, will still apply.
The exception is a notable change around permission to send direct marketing from political parties, charities and other non-profits IF they have an existing supporter relationship with the recipient (an extension of the so-called ‘soft opt-in’).
One other significant change is around fines; the Bill proposes to increase the fines for infringement of PECR from the current maximum of £500,000 to UK GDPR levels, up to £17.5m or 4% of global annual turnover (whichever is higher).
Cookies have been a big focus. The significant change is that cookies can only be used to store or access information on end-user terminal equipment without express consent where it is ‘strictly necessary’ – for example, website security or proper functioning of the site. The Bill proposes also allowing cookies to be used without consent for web analytics and to install automatic software updates.
Records of Processing Activities (ROPA) and DPIAs
The Bill removes the requirements for data protection impact assessments and records of processing. Instead, it proposes replacing them with new requirements around risk assessment of high-risk processing and streamlined record keeping. These new provisions will allow greater flexibility, letting businesses make their own decisions on risk assessment and be accountable for their own operation.
The Bill proposes restructuring the Information Commissioner into an Information Commission, in line with other regulatory bodies. This will mean it becomes a corporate body with a CEO (presumably John Edwards, the current commissioner). This looks more like modernisation than a fundamental shift.
Decision-making is likely to be more collegiate and will bring in more continuity.
The interesting point is that complaints will need to be made to the data controller first, to resolve, rather than to the Commission.
OK, this is going to be in two parts:
- if you are dealing with the EU, regardless of the changes to this legislation, you are going to have to follow the EU GDPR, and currently, there is an adequacy decision between the UK and the EU for data flows between the 2. This is due to expire in 2025 if not renewed, so technically no changes need to be made – including cookies.
- Regarding other international transfers, the changes look to be more proportionate and risk-based. They come in the form of a ‘data protection test’ which governs transfers of personal data to a third country. This moves away from the adequacy test to consider whether data protection in the third country is ‘not materially lower’ than that under the UK GDPR. The test focuses on protection as a whole and allows for greater flexibility when assessing a third country; e.g. judicial or non-judicial redress for data subjects is now considered.
When you look at the 260+ pages of the Bill, you would expect there to be lots of changes to UK data protection law. The changes can be seen as an evolution of the current legislation. There are some tweaks and added slight flexibility, but the core framework of the UK GDPR has been kept.
In essence, if you are already doing GDPR, then based on the current Bill, there will be no major changes to be made.
One last point: this blog will be updated as and when amendments and changes are made. Currently, this is the Bill after its first reading. It has a long way to go to become law.
Privacy management can be a contentious issue. Isn’t it the business’s data when I have it? The data is out there, so why can’t I use it? Why should businesses care about the management of data and privacy?
The Universal Declaration of Human Rights in 1948 contains one of the earliest statements of an individual’s right to privacy.
That was over 70 years ago, and the rights of an individual in relation to privacy are still being defined and redefined. Sweden passed the first Data Act in 1973. The 1998 Data Protection Act in the UK and then, subsequently, the 2018 General Data Protection Regulation (GDPR) led to countries around Europe updating their own data protection laws.
Businesses have adapted and changed in 70 years, especially with the advancement and speed in technology. Hence the changes and updates in legislation, especially in relation to information sharing.
Businesses need data to operate. Ideally, many businesses would say, they need to gather information to contact prospective clients and use that data as they want within their business. Look at the big tech companies, like Meta, Google and Amazon, which rely on the collection and ‘reusing/distributing’ of data as a fundamental cornerstone of their business. The selling of data can be a considerable income stream.
It is no wonder that businesses, no matter how big or small, have difficulties with privacy; especially when you have to balance the needs of the business with the needs of the individual. The individual has rights!
And there is the conflict. Many businesses argue either that the information is out there or that the person has given it to them, so why can’t they use it the way they want to?
Good data management is good for business. Having everything in place can mean that things run smoother, and more importantly, it can help reduce costs (especially in relation to software).
Whose data is it?
GDPR set out to clarify the importance of privacy and data security. More importantly, it determines who the owner of the data is. The individual owns the data, and not the business. Businesses are, in effect, custodians of the information held by a living person. As a result, they have to follow the principles of the regulations.
- Lawfulness, Fairness and Transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
In short, that means that businesses need to:
- Identify the legal reason for collecting and storing the information AND have a way of informing the individuals.
- Ensure individuals’ rights are protected and acted upon.
- Only use the information for the purpose it was collected. This means we cannot collect information and then use it for whatever reason we want, regardless of it being in the public domain.
- Only collect and store the bare minimum we need, for the minimum amount of time we need to store it.
- Ensure that the information we keep is accurate and, if not, correct it.
- Ensure that the data is not lost or destroyed.
- Be able to show compliance with the legislation.
Saying we are data protection compliant is not enough. Businesses need to prove it. Some key areas to look at are:
- Know your data
  - Map out what data you collect, save and keep; for what reason; and where it is.
- Only use it for the purpose collected
  - One example of this is that networking contacts cannot be added to your email marketing list or sent sales emails. They consented to you having their details; they did not consent to you adding them to your email marketing.
- Keep it up-to-date and accurate
  - For example, account status, contact information and payment history.
- Assess, review and update
  - Assess what documentation you have and need.
  - Review for updates and changes in practice.
  - Look at trends in data security.
- Secure it
  - Ensure that physical material is locked away securely.
  - Ensure digital devices are secure and backed up.
  - Train your staff on what data protection and IT security are.
  - Have policies and processes in place, so they know what to do.
- Keep records
  - Log incidents and lessons learned.
  - Keep records of equipment and software.
  - Keep risk assessments and DPIAs.
It doesn’t need to be complicated. Help is at hand. As a data protection specialist, I am here to support and assist with your data protection woes. Why not get in touch?
If GDPR and compliance are a concern for you or your organisation, don’t worry. Taking in all the different aspects at once can cause (and probably has caused) everyone to feel a little overwhelmed at some point. But it doesn’t need to. Here are five tips to know about, and why they matter.
When it comes to GDPR, transparency is a fundamental principle. The reason why that’s the case is simple. It gives individuals as much control over their data as possible and facilitates their rights.
Control and rights are both fundamental underpinning principles of GDPR.
How does a company demonstrate transparency? The content of privacy notices is a good start. Good, compliant examples include:
- the contact details of the company;
- the contact details of the Data Protection Officer, if one is required;
- the purpose and lawful bases for processing the data;
- and the categories of personal data you hold, to name a few.
Mapping your data
Data mapping confuses some, but its principle is relatively easy. Mapping your data means establishing what information you hold and exactly how it flows through your company. This type of audit (also known as a mapping exercise) should be performed regularly by assigned individuals.
Doing so ensures it is maintained and amended as needed by a person or persons who are aware of their responsibilities.
Breaches can unfortunately happen, and on a long enough timescale, something similar to the list below probably will.
Data breaches can take many forms, such as:
- Device loss or theft
- Phishing scams
- Lost or stolen external USB drives
Breaches can also result from carelessness or lack of awareness, such as unattended computers and, especially recently, working from home on unauthorised personal devices and unprotected networks.
Reporting breaches of personal data has been mandatory since before the GDPR came into force. It just became more visible, and the assessment for reporting changed. The Information Commissioner’s Office has a dedicated section with more information about breach reporting.
Knowing your subjects’ rights
Data subjects have a wide range of rights relating to the data you hold about them, making it essential to know why you are processing the information you hold about them.
Data subjects have some or all of the following rights:
- The right to be informed (including why you are processing their data, how long you intend to retain it and who you might share it with).
- A right of access (typically referred to as a Subject Access Request or SAR, which must be dealt with in a timely way).
- The right to rectification (if the subject feels their data is incomplete or inaccurate).
- A right to erasure (also known as the right to be forgotten; for legal reasons this may not always apply).
- The right to restrict processing (in certain circumstances, an individual has the right to require you to store their data but stop using it).
- A right to portability (the right to obtain their data and reuse it for another purpose or service).
For both controllers and processors, demonstrating compliance and putting measures in place to meet the requirements for accountability will mitigate the risk of enforcement action. Still, it will also build trust in your business and its services and raise you above the competition.
For help and advice around transparency, avoiding breaches, mapping the data you use, subjects’ rights and accountability, get in touch today; I’d love to offer you help and advice in the field I specialise in.
Nine out of 10 businesses are working digitally, and more and more are working virtually. We live online.
But we need to ensure that we are working safely online. The risk of a digital attack is high, and 39% of UK businesses have experienced a cyber security breach. This is according to a report published in March 2022 by the Department for Digital, Culture, Media and Sport.
There are several areas that a business needs to look at to ensure online (cyber) security.
Risk assessments can sometimes be seen negatively or be viewed with fear/disdain. They are a positive tool that can identify strengths and weaknesses in a particular area. Once you know an area that is not so great, an action plan can be created to improve it. Risk assessing raises A LOT of questions, and you will never get to risk-free. However, you can put things in place to reduce the risk.
Have a Bring Your Own Device Policy and Working from Home Policy
On average, 45% of businesses have staff that use their own devices. 84% of workers who had worked from home during the pandemic have said they plan to carry out a mix of home and office working in the future, according to an Office of National Statistics report published in May 2022.
This can raise risks around how secure the equipment or network is.
Having staff use their own devices can save costs, but it can mean less control over IT security.
Have IT support
Have (external) IT support that provides a portfolio of IT services underpinned by a service level agreement. From a cyber security perspective, having someone there to help keep things safe, who can do back-ups and provide support when things go wrong, is a great unseen benefit to a business.
Have systems in place that can help detect incidents.
Awareness and training
Oh, I mentioned the T word – sorry.
Everyone needs to understand and know where the online risk can come from. Whether it be from phishing, vishing, smishing or pharming, can staff identify the risks, not act on the attack AND report it?
Ensure there is a plan in place and that it is actioned, so staff are aware of online threats – not only to the business but also to their personal data.
Ensure you have access to up-to-date information
Cyber security is forever changing. How do we keep up to date with all the information? And how do we ensure it is accurate?
Something has gone wrong; what do you do?
An excellent place to start would be the NCSC or ICO or find an external cyber security consultant. If you have an external IT provider, they could also be a good source of information. Also, remember to check your business insurance.
Keep software updated
Whether it be the operating system or the actual software, updates are pushed out for a reason – they contain security patches and fix glitches or vulnerabilities. Yes, it can be a pain when an update stops you from working. But do you want your computer to be held captive and not work at all?
Record and Report
Recording each cyber security attempt, even when it doesn’t get through, is a great way to assess the effectiveness of your online safety.
Have a plan to respond to a cyber incident in advance and check to see if it would work.
Have records of possible attacks, and investigate actual incidents.
Remember that a cyber attack, phishing etc., should be reported to the NCSC. If personal data is lost, risk assess to see if it must also be reported to the ICO.
Secure that data
Securing that data comes in different ways:
- Ensure that where the data is stored is secure – and data protection compliant.
- Only allow people who need access to the data to access it.
- Secure access by using 2-factor authentication.
- Have secure passwords.
Digital due diligence
This comes back to risk assessing, in a way: doing those checks to ensure everything is ok, but this time on prospective (and current) suppliers, to establish any liabilities and evaluate their potential.
Check suppliers – where are they, and what is their compliance like?
Check out the National Cyber Security Centre for more information about online security.
Or, if you would like support to implement better data protection and online security, why not book a power hour?