GDPR: 10 key issues facing UK higher education

The world of higher education is about to be turned on its head. This is due to the imminent enactment of the General Data Protection Regulation (GDPR) which will come into effect on 25th May 2018. It marks a new era in the world of personal data protection with accountability at its centre. Although the updating of data protection law is overdue and welcomed by consumers, it does put demanding responsibilities onto the shoulders of Chief Information Security Officers (CISOs) in higher education institutions across the UK.

True expertise in GDPR compliance is a rare commodity and few resident CISOs have had time to acquire the required skill set. For this reason, many are using the additional resource and support of specialists to ensure the compliance requirements are met and resilient strategies put in place. SRM’s GDPR team has operated in the information security environment for many years and our GDPR consultants have undergone GCHQ-certified training and gained GDPR Practitioner certification. As such they are uniquely well-placed to advise on the strategic implementation of GDPR. Here, they identify the key issues facing the higher education sector.

1. Awareness

It is important that everyone is aware of the changes that GDPR will bring. Vice Chancellors, executive boards, deans, academics and lecturers will all need to be aware of how the changes in data protection legislation will affect them. The mantle of data protection usually falls to the Chief Information Security Officer (CISO) who is likely to take on or oversee the role of Data Protection Officer (DPO), which is a requirement of GDPR. To ensure this is done effectively, the CISO will need to have senior-level influence, with the relevant knowledge and authority to manage the process or be given the financial resource to secure additional support and expertise from an industry professional or Virtual CISO service.

2. Information life cycle audit

Institutions will be held more accountable for the data they hold. In addition to keeping records of what personal data exists within the organisation’s systems, GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised and who has access to it. Data will include everything from phone records to employment details. Some information will be categorised as sensitive and some as non-sensitive, and all of it needs to be mapped.

3. Incident Response

Keeping information secure is a primary requirement and there will be new obligations to report security breaches to the Information Commissioner’s Office (ICO) within 72 hours where the breach creates a risk to the affected individuals. This is likely to occur, for example, in cases of identity theft or financial loss, and organisations will also be required to inform the individuals affected. An incident response plan, which sets out the protocols to detect, investigate and respond to personal data breaches, is an important element of this process.

4. Data Protection by Design

GDPR introduces new obligations on information-handling processes and the systems that are developed. Data protection should be built in with data privacy settings being the default. It is anticipated that GDPR will require ‘data protection by design’ to be extended to existing systems within three years. Formal data protection impact assessments should be undertaken as part of the design process.

5. Demonstration of consent

Not all data processing requires explicit consent, but where it is applicable, institutions need to be able to demonstrate that consent is ‘freely given, specific, informed and unambiguous’. This means individuals will need to specifically opt in, rather than simply fail to opt out.

6. Considering the necessity of data collection

Continuing with the concept of consent, institutions will be required to consider whether the collection of data and its processing is actually necessary. Recognised legal bases include contract, legal obligation, vital interest, public interest or legitimate interest of the organisation. If these apply then processes must meet the requirements of GDPR.

7. Reviewing privacy notices

When accessing individuals’ personal data, those individuals must be informed of the legal basis for processing their data, the retention period and their right to complain to the ICO if they consider there to be an issue. This will typically take the form of a privacy notice.

8. Increased consumer expectations

High profile breaches have brought damaging publicity to a number of higher education institutions. With this heightened awareness comes an increased knowledge of the individual’s rights to data privacy. Those using an institution’s systems will expect to have their data protected and may challenge where this is not obviously being promoted. Communication about GDPR compliance will be a necessary aspect of the DPO role.

9. Ensuring an individual’s rights can be upheld

Under GDPR the rights of individuals have been enhanced. They include the right to subject access, having inaccuracies corrected, having information erased, data portability and the right to be excluded from direct marketing or automated decision-making and profiling.

10. Data breach notification

GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and no later than 72 hours after becoming aware of the breach. In some cases this will apply to the data subjects as well. Higher education institutions therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place. In-house awareness training for staff is a vital element of this process. Having a coherent approach to data breaches will not only ensure compliance with GDPR but has the added benefit of minimising adverse publicity.

SRM’s GDPR team provides a business-focused service to organisations and higher education institutions of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses and higher education institutions operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our GDPR page or our Virtual CISO service page.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

Cyber Security Breaches Survey 2018 – shows that size matters and that numbers never lie

As with any statistical report, the numbers in the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 provide a dizzying variety of analytical options. However, given that the report, published last month, is subtitled ‘Preparations for the new Data Protection Act’ there are two sets of numbers which stand out.

The first relates to the fact that, when it comes to awareness, size does matter. Larger organisations are significantly more aware of General Data Protection Regulation (GDPR) and its UK counterpart the Data Protection Act (DPA). The second is that when asked about what steps had been taken to change procedures and policies, across the survey group as a whole, only 4 per cent had taken any practical steps to improve levels of compliance.

Addressing the first issue, it is perhaps not surprising that the larger the organisation, the greater the level of awareness. Of the 1,519 businesses surveyed, awareness of GDPR and the DPA was highest among large organisations (80 per cent) and lowest among micro businesses (31 per cent). Of the 569 charities surveyed, those managing over £5 million annual turnover had higher awareness levels (90 per cent) than those managing less than £10k (36 per cent).

As for the second issue of procedures and policies, this is where the numbers show the real picture. By the time the survey conducted by Ipsos MORI had drilled down to asking what practical changes had been made by December 2017 to address compliance, of the original 1,519 businesses and 569 charities questioned, only 174 businesses and 70 charities were still in the survey. The rest had fallen by the wayside following questions on general awareness of GDPR and the new DPA 2018.

The DPA 2018 is the UK’s solution to data protection and will replace the current UK DPA 1998. Whilst organisations will still have to comply with GDPR, the DPA 2018 sets out the details of how GDPR will apply in the UK, covers the processing that does not fall within EU law and also implements the EU’s Law Enforcement Directive.

Of those who remained in the survey only 36 per cent had made changes to their policies or procedures. That means that of the original total number of businesses and charities questioned only 4 per cent had made any changes in response to the forthcoming legislation. The figures are even lower for the question regarding additional staff training around the DPA and GDPR.

Clearly there is a huge amount of work to be done to bring UK businesses and charities closer to compliance. The worrying fact is that time is not on our side. From 25th May 2018 GDPR will become law and the new DPA is due to be enacted at the same time, with significantly higher fines issued to those who do not comply. Those already adhering to the existing Data Protection Act will be some way toward compliance. With awareness levels so low, however, there are many businesses which require guidance as to what the GDPR and new DPA involve and what steps need to be taken.

SRM has developed a helpful Self-Assessment Questionnaire which maps out the areas which need to be addressed and provides a practical interpretation of what these mean to organisations. Whether a large corporate or a small charity, the questionnaire highlights the areas that need to be considered.

SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.

SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles in either traditional part-time roles or via our VirtualCISO™.

SRM’s step by step self-assessment guide to GDPR readiness

For full details of the HM Government survey report see the Cyber Security Breaches Survey 2018.

GDPR: the world will not stand still on 25th May 2018

The 25th May 2018 is not an end date. Far from it. It marks the beginning of a new era in data protection but one that will continue to evolve as our online world continues to develop. So, although organisations will be required to be compliant with the General Data Protection Regulation (GDPR) from that date, it is an ongoing process, not Armageddon.

In the words of the ICO’s Information Commissioner Elizabeth Denham: ‘It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.’

For organisations with GDPR firmly on their radar, the primary focus seems to be on reaching a level of compliance by GDPR Day 1, but what about Day 2 and beyond? Those who are fully compliant by 25th May will need to work hard to remain compliant. Those who are not yet completely ready will need to work even harder to reach and maintain compliance or risk substantial fines. The key factor to remember, however, is that it will be nigh on impossible to achieve perfect maintenance of absolute compliance. So, take comfort from the fact that the ICO has stated that those who are able to demonstrate that appropriate systems and thinking are in place will find that the ICO takes this into account when it considers any regulatory action.

So, while absolute compliance may be an intended aim, what organisations really need to focus on is the fact that they can demonstrate the thinking and the steps they have taken to be compliant. That is not to say that anyone will get ‘A’ for effort if no practical steps have been taken.

As Elizabeth Denham explains, there is no excuse when it comes to GDPR: ‘There will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date… We all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there…’

VirtualCISO™ is proving a popular option for businesses which require broad levels of expertise to complement existing skill sets and roles in a flexible manner.

To find out where you are in terms of GDPR readiness, complete our free online GDPR Self Assessment Questionnaire.

To find out more about what SRM’s GDPR team can do for you, contact Mark Nordstrom (mark.nordstrom@srm-solutions.com) or 03450 21 21 51, or check out our website.

Shipping news: how to manage a ransomware attack

Disproving the idea that there is no such thing as bad publicity, the shipping company Clarksons is doing its level best to limit the PR damage caused by a recent ransomware attack. They have so far done an admirable job, demonstrating that transparency is key in the early days of a breach.

Firstly, the world’s largest ship broker has admitted that the breach has taken place and that data is soon to be released. Secondly, the company has clearly set out the steps it is taking to minimise the potential damage. It has announced that it has taken immediate steps to manage the incident and is working with specialist police and data security experts. The initial investigation has shown that unauthorised access was gained via a single, isolated user account which has now been disabled.

At the moment, the exact extent of the data stolen is unknown but, having refused to pay a ransom to the hacker who carried out a criminal attack on the company’s computer systems, a large scale leakage of private data is to be expected.

In the short term, the company has been hit by the announcement. Shares in Clarksons fell by more than 2 per cent, despite the company’s insistence that the hack would not affect its ability to do business. In the longer term, however, their diligent and principled stance should stand them in good stead. Hiding a breach from the media and even more importantly, those who have potentially been affected, is much more damaging in the longer term. Consider Uber’s recent exposure for having tried to cover up a large scale breach.

Issues of cybersecurity are now at the forefront of most board agendas. The imminent enactment of the EU General Data Protection Regulation (GDPR) in May is bringing the issue into even sharper focus. Under the terms of GDPR and the proposed UK Data Protection Bill, fines will be significantly higher if an organisation is considered to have been negligent in the event of a breach. Investment in providing support and resource to Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is now considered cost-effective.

Yet in today’s digital and commercial landscape even the best-resourced companies will be prey to this type of criminal attack. The most important thing is to recognise this probability and ensure that a proactive approach is taken to both defence and, in the event of an attack, incident response.

A robust defence will include an expert scoping of the system which identifies gaps in compliance and security. This is likely to include advanced penetration testing as well as retained forensics. Having a cyber security specialist involved in the correct mapping and identification of data means that, in the event of an unforeseen attack, they have the knowledge and capability to minimise and mitigate the effect of the incident swiftly. As the Clarksons incident demonstrates, the ability to deploy an immediate response is an important element of damage limitation.

Law practices are prime targets for criminals

PwC’s 25th Annual Law Firms Survey found that 73 per cent of respondents had suffered a security incident in 2016. These ranged from insider threats to the phishing of login credentials and ransomware. Routinely keeping large amounts of extremely sensitive data on file for long periods of time, law firms need to be particularly vigilant. Yet awareness, training and top-of-the-range technology solutions will only go some way in providing a defence. Given the ingenuity of hackers, they are unlikely to be sufficient in the long term.

The good news is that the solution is not about buying lots of additional products or simply throwing money at the problem. A strategic approach will provide a more robust and more cost-effective solution. The effective scoping of the risks and vulnerabilities to which an individual firm is exposed means that defences are maximised using only precisely-targeted and relevant services.

When the EU General Data Protection Regulation (GDPR) becomes effective in May 2018, the regulatory obligations of any organisation which holds data on EU citizens become even stricter. The new legislation will not just apply to those with European customers. The current UK Data Protection Bill, which is also due to be enacted in May, enshrines the principles of GDPR in UK law. In addition to new reporting requirements, there will be a greater emphasis on mapping data, knowing exactly what information is held and where.

A specialist consultancy has the experience and expertise to ensure that top level security is provided in the most cost-effective way possible. From advanced penetration testing to compliance and regulatory issues; from data mapping to ensuring there are no gaps anywhere in the system; it is important to have an overall strategic and correctly scoped plan.

While Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) take on the day-to-day responsibility, every member of the board or partnership is also responsible for compliance. To ensure that the ever-changing cyber threat landscape is fully understood, additional support and resource is required. Just as a finance director receives support from accountants, a consultancy which operates at all levels of the cyber security spectrum will be able to provide additional expert guidance to DPOs, CISOs, boards and partners. The reputational and financial consequences of a breach can have devastating effect on the whole firm. Board or partner level support for information security and compliance is therefore essential.

SRM is at the forefront of information security in the UK. As cyber security supplier to H M Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels from compliance to disaster recovery.

Our eDiscovery team is also on hand to provide technical expertise and resource for all aspects of eDiscovery, from the reduction and redaction of data to the presentation of evidence in a legally acceptable manner. SRM provides a range of highly professional, cost-effective solutions suitable for law firms of all sizes, from the provision of a low-cost ‘E-Discovery Lite’ package to the involvement of Expert Witness Forensic Consultants or the use of a Virtual Chief Information Security Officer (VCISO™).

For a no-obligation chat, contact Mark Nordstrom or call 0345 21 21 51.
