Archive for category: GDPR

Eliminate the insider threat.
In our rapidly evolving technology landscape, the insider threat is a growing problem. Collaboration tools, cloud and mobile computing have significantly increased the risks faced by organisations. A report by Cybersecurity Insiders and CA Technologies recently stated that ninety percent of organisations feel vulnerable to insider attacks.

Not all insider threats are malicious, though. Accidental data breaches caused by careless employees or negligence account for more than 50% of all data loss incidents from inside the network. Organisations storing or accessing confidential data must take action to reduce the risks of losing data from within the confines of company systems.

So, what can you as a business leader do to protect your most important information? The short answer is you need to take a holistic approach to information security. The soon-to-be-implemented GDPR will force organisations to get their data protection house in order, presenting opportunities to do better business.

We are gearing up to attend Scotland’s largest Cyber Security event, ScotSecure at Edinburgh’s Dynamic Earth next week. Two of Scotland’s security software powerhouses, Zonefox and My1Login will be joining us as we aim to help business leaders protect their networks from the inside and the outside.

About Zonefox and My1Login
In case you have been out of the country with no access to the Internet for the past few years, Zonefox and My1login are two of Scotland’s leading lights in the cybersecurity software space.

Protect your network with Zonefox

Zonefox has developed award-winning insider threat protection software that provides a 360-degree view of your network by monitoring every endpoint and every user 24/7. So, whether your employees are working remotely or third parties are accessing and sharing information they shouldn’t be, you will know about it.

Zonefox’s Augmented Intelligence automatically detects when a user’s behaviour changes, and it can quickly spot when compromised user accounts are being used to harvest valuable IP and confidential data.

With Zonefox, network administrators have access to detailed forensics, enabling them to answer critical questions about an incident: Where did the incident take place? Who was the perpetrator? What did they take? Where did the data go?

Having answers to these questions not only helps find a quick resolution to data loss incidents, but it also helps organisations comply with data breach notifications – a significant element of GDPR obligations.

Protect your applications with My1Login

Glasgow-based My1Login is a European leader in Identity and Access Management (IAM) and Single Sign-On (SSO) solutions.

The security software provider has won multiple awards, including Identity and Access Management Solution of the Year at the recent Computing Security Awards. They are also an approved UK Government Supplier through G-Cloud 9.

My1Login is the UK’s most secure and most widely-compatible IAM solution that enables organisations to mitigate password-related cyber-security risks, strengthen identity assurance and meet critical compliance obligations such as GDPR. Its Single Sign-On solution integrates with all app types – web apps, mobile apps, flash apps, virtualised apps, and even legacy, thick-client apps and mainframes. Passwords can be updated automatically without revealing credentials, and the IT department can provision new users and manage My1Login via Active Directory (AD), simplifying user management at a stroke.

My1Login SSO also integrates with multi-factor authentication services, further securing employees’ access to corporate applications.

Heading to Scot-secure 2018?

If you are planning to visit Scot-secure 2018 next week, come over and chat with us about a comprehensive approach to network protection. The lovely folks from Zonefox and My1Login will happily take you through a demo of their innovative products.

GDPR – Four small letters. One massive impact.
What is the GDPR?

The EU General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (the 1998 Act) when it comes into effect on May 25th this year. The GDPR has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.

Consideration has been given to new technologies, business processes and data usage that have become part of the digital economy in recent years.

Principles of the GDPR

Under the GDPR, the data protection principles set out the primary responsibilities for organisations. Personal data must be:

“processed lawfully, fairly and in a transparent manner in relation to individuals.”

“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Lawful basis for processing under the GDPR

Although not new, the lawful basis for processing under the GDPR places more emphasis on accountability and transparency relating to how your organisation processes data.

The six lawful bases are similar to the old conditions for processing, although there are some differences – the ICO website contains more information on lawful processing.

Individual rights

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right of rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision making and profiling

You can read more about individuals’ rights on the ICO website.

Time to report a data breach

Under the 1998 Act, organisations have one month to report a data breach, but once the GDPR is enforceable, this period will reduce dramatically. Once a data breach has been detected, organisations will have 72 hours to investigate the violation, let the regulator know what’s happened, figure out whether personally identifiable information (PII) has been compromised and have a plan to manage the threat.

Unless there are technical controls and a robust information security policy in place to mitigate the threat of a data breach, many organisations will struggle to meet these demands.

Data Protection Officer

In some circumstances, organisations must appoint a Data Protection Officer (DPO). You must appoint a DPO if you:

  • are a public authority (except courts acting in a judicial capacity)
  • carry out large-scale systematic monitoring of individuals (e.g. behaviour tracking)
  • carry out large-scale processing of special categories of data or data relating to criminal convictions or offences – at this time, there is no numerical definition of “large-scale processing.”

You may appoint a data protection officer to act for a group of companies or a group of public authorities – depending upon size and data processing requirements.

Any organisation can appoint a DPO. Our Technical Director, Neil Douglas, is a qualified GDPR Data Protection Officer and is always free to chat regarding your DPO or GDPR requirements.

Penalties

The maximum penalty for suffering a severe data breach under the Data Protection Act 1998 is £500,000. Telecoms company TalkTalk received a £400,000 fine for failing to prevent a serious data breach back in 2015.

Penalties under the GDPR are far more severe. A maximum fine of €20 million or 4% of global annual turnover for the most severe data breaches is on the cards. However, we don’t expect the Information Commissioner’s Office (ICO), the UK’s governing body, to impose the maximum fine, as it hasn’t done so under the existing regulations – that’s not to say it won’t impose sizeable penalties.

7 Important GDPR Data Privacy Changes to be Aware of
May 25th, 2018 will herald the start of a new age in data privacy when the General Data Protection Regulation (GDPR) is introduced. The GDPR is a new piece of legislation designed to protect the data privacy of EU citizens. It will replace the Data Protection Act 1998 (DPA) in the UK when it becomes law next year.

A lot has changed since 1998: desktop computers and laptops have become mainstream, and mobile devices, email marketing, cloud computing and a vast array of connected devices have also transformed our lives. The GDPR aims to protect individuals’ data in the digital age.

You are probably familiar with the principles of the DPA and may be wondering what will change when the GDPR comes into force. In this article, we will highlight some of the changes to help you make the best data privacy decisions for your business.

Brexit and the GDPR

Although Britain voted to leave the EU, UK-based organisations need to comply with the GDPR when it becomes enforceable in 2018. Also, many UK organisations process EU citizens’ data and will continue to do so after the UK’s expected departure in 2019.

1. Enforcement

DPA – Enforced by the Information Commissioner’s Office (ICO).
GDPR – A Supervisory Authority (SA) will monitor and enforce the GDPR in the UK. Similar SAs will be responsible for monitoring and reporting in other EU countries.

2. Reach

DPA – Applies only in the UK.
GDPR – Applies to the whole of the EU and any company (globally) that holds data belonging to EU citizens.

3. Penalties

DPA – Failure to comply with the DPA can result in fines of up to £500,000 or 1% of annual turnover.
GDPR – Penalties for non-compliance with the GDPR are expected to reach €20m or 4% of global turnover – a significant increase.

4. The right to be forgotten

DPA – There is currently no legal requirement for companies to remove the data they hold on an individual.
GDPR – Individuals can exercise their ‘right to be forgotten’ which involves permanently deleting all personal data from company systems.

5. Data Protection Officers (DPO)

DPA – There is currently no obligation for a company to employ a dedicated DPO.
GDPR – Organisations employing 250 employees or more must appoint a Data Protection Officer.

6. Opting in

DPA – Under the current legislation, businesses do not require an opt-in when collecting data.
GDPR – Consent underpins the new regulations. When collecting data, the reasons for collecting personal data and its uses must be outlined at the point of collection and in the company Privacy Policy.

7. Reporting a data breach

DPA – Under the current regulations, there is no legal obligation for a data controller to report a breach to the ICO or to individuals whose information has been lost or stolen.
GDPR – Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly. Organisations are also obliged to report a data breach to the relevant supervisory authority (ICO) within 72 hours of becoming aware of it.

Summary

The points above are not exhaustive; they illustrate some of the key differences between the current legislation and the GDPR.

The GDPR is extensive and will require lots of preparation. We recommend you start planning your GDPR journey now to ensure your organisation achieves compliance.

We are ready to assist with information and technology protection requirements your business may have to ensure complete compliance when the GDPR becomes law next year.

For more information on data privacy reform and the GDPR, visit the ICO website.
