GDPR mandates certain procedures when dealing with subject access requests

VinciWorks has added a new module to its data protection course, Data Protection: Privacy at Work. The new module on subject access requests explains what a subject access request is and how to respond to one. The module is the latest addition to the course, following the global data protection guide that was recently added.


Season’s greetings and a happy, healthy and prosperous new year from the team at VinciWorks!


VinciWorks by the numbers: 2017 in review

2017 has been yet another busy and successful year for VinciWorks. Learn more about our many achievements here.

Our support office will remain open throughout the holiday season.

We look forward to working with you in 2018!

Warmest regards,

The VinciWorks team

2017 was an exciting year at VinciWorks. Our technology team broke new ground integrating next-generation web technologies into our e-learning products, making them more customisable and more mobile friendly than ever. Our content team produced an ever greater number of courses, guides, policies and compliance updates, shedding new light and delving ever deeper into the most complex compliance topics of the day. Our risk management and product teams continued to enhance our suite of risk and compliance products, innovating and improving them with new features and applications, with many more to come in 2018.

Here are some highlights from the past year at VinciWorks.

170,000 course completions

Course completions on the VinciWorks LMS have increased by over 20,000 this year. Many organisations are choosing to use the VinciWorks LMS alongside their in-house LMS because of its robust automation and improved reporting and compliance features.

1038 individually tailored courses

In 2017 VinciWorks reimagined the meaning of ‘course’. We focused on developing new learning products individually tailored and specifically customised to the needs of each learner. We embedded ‘gamification’ elements and personalised features to create higher levels of engagement and attainment. Some of our course highlights from this year include:


US credit agency Equifax has landed in serious hot water after a spate of information security failures and alleged compliance breaches uncovered by cyber security researchers, technology news sites and, potentially, the Federal Trade Commission.

The initial breach, which potentially exposed the sensitive personal and financial data of 143 million Americans, resulted from the company’s failure to patch (that is, to install the vendor’s fix for) a two-month-old vulnerability in Apache Struts, the open-source Java web application framework on which the affected web application was built. Despite public reports of the bug being actively exploited, Equifax left the social security numbers, driving licence details and other personal financial information of millions of Americans unprotected; the breach also revealed the names, dates of birth, email addresses and telephone numbers of approximately 400,000 UK consumers.

The fix for the vulnerability, Apache Struts CVE-2017-5638 (a remote code execution flaw in the framework’s file-upload handling, triggered by a single crafted HTTP request), was released on 6 March 2017, yet the agency’s website was breached through that same vulnerability in mid-May. For this reason Equifax stands accused of gross negligence: failing to protect its customers and knowingly leaving their data open to attack.
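The practical check behind the previous paragraph is whether the Struts version actually deployed falls inside the affected range. The script below is an added example, not code from the article or from Apache: it encodes the affected ranges published in the Apache S2-045 advisory (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1) and runs them over a constructed WEB-INF/lib listing. The jar names in SAMPLE_LIB are made up for the example.

```python
"""Is a deployed Apache Struts 2 in the CVE-2017-5638 (S2-045) affected range?

Added example, not code from the article or from Apache. The version ranges
come from the Apache S2-045 advisory; the WEB-INF/lib listing at the bottom
is constructed sample data, not a real server.
"""
import re
from typing import List, Tuple

# Per the S2-045 advisory: Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10
# are affected; 2.3.32 and 2.5.10.1 (released 6 March 2017) carry the fix.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). A qualifier such as '32-SNAPSHOT' keeps
    its leading digits, so '2.3.32-SNAPSHOT' compares as 2.3.32."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable Struts version: {version!r}")
    return tuple(parts)


def is_affected_by_s2_045(version: str) -> bool:
    """True if this Struts 2 version falls inside an affected range.

    Python compares tuples element-wise, and a shorter tuple that is a prefix
    of a longer one sorts first, so (2, 5) <= (2, 5, 10, 1) but
    (2, 5, 10, 1) > (2, 5, 10): 2.5.10.1 is correctly treated as fixed."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# File name of the core framework jar as shipped by Apache, e.g.
# struts2-core-2.3.31.jar. Plugin jars (struts2-*-plugin) are versioned
# alongside it but are not the artifact that carries the fix.
CORE_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def audit_lib_dir(filenames: List[str]) -> List[Tuple[str, str, bool]]:
    """For each struts2-core jar in a WEB-INF/lib listing, return
    (file name, version, affected)."""
    findings = []
    for name in filenames:
        m = CORE_JAR.match(name)
        if m:
            ver = m.group(1)
            findings.append((name, ver, is_affected_by_s2_045(ver)))
    return findings


# Constructed listing of a hypothetical WEB-INF/lib directory.
SAMPLE_LIB = [
    "commons-lang3-3.4.jar",
    "ognl-3.0.19.jar",
    "struts2-core-2.3.31.jar",
    "struts2-convention-plugin-2.3.31.jar",
]

if __name__ == "__main__":
    for name, ver, affected in audit_lib_dir(SAMPLE_LIB):
        status = "AFFECTED by CVE-2017-5638" if affected else "not affected"
        print(f"{name}: Struts {ver} is {status}")
```

A jar listing tells you what is on disk, not what is running: a container that was never restarted after the jar swap is still serving the old code, so confirm the fix against the live deployment as well as the file system.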

Sadly, Equifax’s history of imprudence doesn’t end there. In Argentina, an online tool used by company employees, holding similarly sensitive data about South American customers, was configured to allow privileged access and control with the laughably easy-to-guess username and password combination admin/admin. The portal was temporarily shut down following the public exposure of its weak credentials, and the following statement was released:

“We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.

We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region.”

However, Hold Security, the cyber security firm that uncovered the admin username and password, had more to add. It reported that, using the admin login, it was able to download more than 100 username/password combinations belonging to the company’s Argentinian employees, most of them simply the employee’s own forename or surname. From the main page of the portal, Hold Security also reported being able to reach 715 pages of customer complaints and credit report disputes, each listing the Argentinian equivalent of the customer’s social security number.
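Both findings above, a vendor default pair and passwords that are nothing more than the account holder’s name, are the sort of thing a routine credential audit should catch before a researcher does. The script below is an added example, not code from the article or from Hold Security: it normalises accented names, strips trailing digits and symbols, and flags default pairs, username-as-password and name-based passwords over a constructed account export. The usernames, names and passwords in SAMPLE_ACCOUNTS are invented for the example.

```python
"""Audit a credential list for two weaknesses: vendor-default pairs such as
admin/admin, and passwords that are simply the account holder's own
forename or surname.

Added example, not code from the article or from Hold Security. The account
records below are constructed test data; the names and passwords are made up.
"""
import unicodedata
from typing import Dict, List, Tuple

# Commonly shipped default pairs; extend from your own vendor documentation.
DEFAULT_PAIRS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
    ("guest", "guest"), ("test", "test"),
}


def normalise(text: str) -> str:
    """Lower-case and strip accents, so 'García' and 'garcia' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def letters_only(text: str) -> str:
    """Drop digits and symbols: 'lopez2017' -> 'lopez', so a year or '!'
    tacked on the end does not hide a name-based password."""
    return "".join(c for c in text if c.isalpha())


def audit_account(username: str, password: str, full_name: str) -> List[str]:
    """Return the reasons this credential is weak (empty list if none apply)."""
    reasons = []
    u, p = normalise(username), normalise(password)
    if (u, p) in DEFAULT_PAIRS:
        reasons.append("vendor default credential pair")
    if p == u:
        reasons.append("password equals username")
    tokens = [normalise(t) for t in full_name.replace("-", " ").split()]
    core = letters_only(p)
    if any(tok == core for tok in tokens if len(tok) >= 3):
        reasons.append("password is the account holder's forename or surname")
    elif len(tokens) > 1 and core in {"".join(tokens), "".join(reversed(tokens))}:
        reasons.append("password is the account holder's full name")
    return reasons


def audit_accounts(records) -> Dict[str, List[str]]:
    """Map each flagged username to its findings; clean accounts are omitted."""
    findings = {}
    for username, password, full_name in records:
        reasons = audit_account(username, password, full_name)
        if reasons:
            findings[username] = reasons
    return findings


# Constructed sample export (username, password, display name). In a real
# audit the passwords would come from a cracking run against hashes or from
# a plaintext store you are retiring, never from a live directory.
SAMPLE_ACCOUNTS: List[Tuple[str, str, str]] = [
    ("admin",   "admin",       "Portal Administrator"),
    ("jgarcia", "Garcia",      "Juan García"),
    ("mlopez",  "lopez2017",   "María López"),
    ("acastro", "AnaCastro",   "Ana Castro"),
    ("rdiaz",   "Tr0ub4dor&3", "Rosa Díaz"),
]

if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

On the constructed data, four of the five accounts are flagged and only the one with an unrelated password passes. The same checks are cheap to run as a policy at password-set time, which is where they belong; an audit like this one is for finding what slipped through.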

As if to add insult to injury, thirty-six US senators have called for a federal investigation into how three senior Equifax executives came to sell nearly $2m worth of shares just days after the company discovered the initial breach, and before the incident was publicly reported.

News of the sales has drawn worldwide criticism, although the company’s official statement is that the three executives ‘had no knowledge that an intrusion had occurred’ at the time the shares were sold.

Whilst this may seem improbable, to prove insider trading prosecutors would have to show that the executives knew about the breach when they decided to sell their stock, which experts say is a tough task in court. Nevertheless, as Brandon L. Garrett, a professor at the University of Virginia School of Law, suggests, this is ‘the type of conduct that a company should not tolerate in its executives. It sends a terrible message to the public and to customers.’

VinciWorks is a leading provider of compliance education and risk management solutions. We have a comprehensive suite of cyber-security and compliance eLearning courses, supported with brand-on-demand posters, communication tools, and much more.


2017 marks the first year in which all companies with revenues of at least £36m must publish a Modern Slavery Act statement. Many companies are now preparing their second statement and are seeking guidance on how to update it and how to address ongoing training requirements.


The Cyber Governance Health Check Report revealed that only 6% of FTSE 350 companies are properly prepared for the changes to the General Data Protection Regulation (GDPR), including GDPR training.

All businesses in the UK must comply with the EU’s General Data Protection Regulation for the personal data they hold and the way they use it. The deadline is 25 May 2018, which may seem like plenty of time. However, the regulation is complex and the penalties are heavy, so it is important to understand now what the changes entail and to be well prepared ahead of the deadline, and that includes GDPR training for all employees.

If businesses fail to recognise the regulation and comply, they face fines of up to €20 million (around £17 million) or 4% of global annual turnover, whichever is higher, so it is something all organisations should take seriously: a fine of that size could end a business.

There are several quick and simple ways to determine whether your company needs to prepare for GDPR. First, establish whether your company handles or processes personal data. If it does, and the company is established in the EU, GDPR applies and you should provide GDPR training.

If your company is located outside the EU but offers goods or services to, or monitors the behaviour of, individuals in the EU, GDPR applies whenever you store, process or share those individuals’ personal data.

The ICO (Information Commissioner’s Office) has devised a set of 12 steps to help organisations prepare for the changes, a useful checklist for those who need the basics of GDPR and how to prepare.

So now you know that your organisation needs to be GDPR compliant and you know the basic requirements. What’s next? In our experience there are some key hurdles that companies tend to fall at. But there is no need to panic: there are often some quick and simple solutions.

Lack of awareness of basic data protection

According to accountancy and advisory company Moore Stephens, “Organisations need to ensure that they fully understand GDPR so that they effectively identify what is required for the organisation to comply. The common theme that we are seeing is a significant lack of awareness of the regulation and this is throughout the organisation from top to bottom. Very often, the lack of awareness is not just related to the incoming GDPR but, more worryingly, concerns the basic data protection principles that the organisation should be on top of and fully compliant with already.

“Our experience to date has suggested that there are major underlying issues within organisations of all sizes in respect of them being a long way away from complying with the current regulation, let alone thinking about what the GDPR will be asking of the organisation. In this scenario, it suggests a lack of knowledge and resource within an organisation to address any data protection issues and it would be recommended that a third party should be engaged to make organisations aware of what is fully required under GDPR and to assist them on the GDPR journey to guide the organisation through to compliance before the enforcement date in May 2018.”

In a recent webinar, we polled over 100 key decision makers responsible for GDPR compliance about their GDPR training:

  • Only 21% of organisations had rolled out GDPR training.
  • 40% had tackled basic cyber security training.
  • However, 82% had provided guidance on the use of social media.

This reflects the position many of our customers are in. The recent WannaCry ransomware attack on the NHS and the impending threat of stiff penalties for non-compliance with GDPR mean that organisations are taking cyber security much more seriously. They have to: if the basics have not been addressed, the chances of achieving GDPR compliance are negligible.

To address these fundamental issues, it’s imperative that everyone in the company understands the basic principles of GDPR, while those directly handling personal data require more extensive GDPR training.

Knowing your responsibilities

While it may seem obvious to some, understanding how personal data is defined is the first step in determining a company’s responsibilities. Personal data is any information relating to an identified or identifiable person, such as a name, an ID number, location data or an IP address. Every use of personal data needs a lawful basis. Consent is one of six lawful bases, and where a company relies on it the consent must be freely given, specific, informed and unambiguous, and recorded so that it can be demonstrated later.

The data processing principles are set out in the GDPR. They include a new accountability principle for data controllers and processors, who must be able to demonstrate compliance.

Anyone handling the personal data of individuals in the EU falls into one of two roles:

  • Controllers – a person, public authority, agency or business that determines the purposes and manner for processing data.
  • Processors – a person, agency or public authority or company processing data either solely or via third parties on behalf of a controller.

Whether personal data is held at all should be straightforward to establish. Communicating the resulting responsibilities takes more effort: set clear guidelines and goals for each team. When providing GDPR training, cascade responsibility to every employee, since anyone working with personal data of any kind needs to comply with the changes coming into effect. Another poll reflected this: 73% of organisations were preparing everyone for GDPR, but 27% still viewed the responsibility as siloed in the IT, finance or legal departments.

Understanding individuals’ rights

The data subject has the right to obtain their personal data from the data controller. They also have the right to know how and where their information is being used. If they ask, the company must be prepared to provide this free of charge in most cases. Individuals will have enhanced rights to:

  • Access information;
  • Have inaccuracies corrected;
  • Have information erased;
  • Prevent direct marketing;
  • Object to solely automated decision-making, including profiling;
  • Data portability.

If rights are infringed, individuals can take legal action against data controllers and data processors.

The process for supplying personal data back to the individual (the subject access request) needs to be documented and understood by the team controlling the data. Equally, the privacy notices given when personal data is collected need to be reviewed to ensure they are thorough enough once GDPR comes into force. Alongside GDPR, the Freedom of Information Act places additional disclosure obligations on public sector organisations, and employees in those institutions will again require additional training.

GDPR is a complicated subject, which is why it’s vital that businesses start to get to grips with the principles and practicalities well ahead of the deadline. It may seem daunting, but with the right GDPR training, organisations can be safe in the knowledge that all staff are educated, and the business is moving towards compliance.

VinciWorks has launched a number of courses aimed at employees of all levels to start their preparations for GDPR. The 50-minute GDPR training course is ideal for all employees, giving them an understanding of GDPR so that they can apply the learning and be part of the organisation’s drive to achieve compliance. There are also eLearning courses covering cyber security and Freedom of Information.

For too long, compliance has been relegated to risk management. Now’s the time to think differently.

It’s true that for the majority of organisations, compliance with legislation is viewed as an exercise in risk mitigation. Sure, investing money in training and developing preventative processes is the best way to avoid expensive fines and protect your organisation’s reputation in the event of a compliance breach. But should this be the only motivation?

It’s more than likely you’ve already received emails and/or read news articles reporting on the punitive nature of the forthcoming GDPR legislation and its threat of hefty fines for non-compliance. This is a good example of the sort of thinking that positions compliance as no more than an expensive insurance policy… a necessary evil that takes up both time and budget.

Sadly, in many cases something has to go wrong before sufficient investment in compliance is forthcoming, and yet, by this time, the damage is usually done.

Revitalise your compliance efforts:

Yes, a good compliance programme will keep your internal and external auditors on side. It will also help to avoid expensive litigation and protect your reputation should the worst happen. However, have you considered the way compliance can give your organisation a competitive advantage, allowing it to win extra sales or increase revenues and profit margins?

Think about it: in an increasingly regulated world where ever more scrutiny is placed on supply chains and third parties, there is an opportunity to showcase your compliance efforts and achievements to gain a competitive edge. In other words, compliance should be less about keeping your head ‘just above water’ and more a way of illustrating the value you place upon your company, its employees and its customers. After all, being the organisation that is willing to go the extra mile to protect its customers could be a real selling point when it comes to securing new contracts or adjusting pricing structures, which is always good news for the C-suite.

Let’s look at a couple of examples:

It is not currently a legal requirement within the UK to monitor your supply chain for signs of modern slavery, but your organisation is probably required under the UK Modern Slavery Act to tell people what it is (or is not) doing to combat modern slavery, i.e. you are required to publish a Modern Slavery Transparency Statement. To publicly state that ‘we are doing nothing’ tells the world that your organisation doesn’t care, or that it is drastically out of touch with what’s going on in the business world and society today. On the other hand, an organisation that can demonstrate how seriously it takes its moral and ethical responsibilities when it comes to preventing modern slavery, and how much it has invested in ending the practice for the good of all people, has the advantage when pitching for new contracts.

We can apply the same logic to GDPR. Why not be proactive in reassuring your customers and clients how seriously you take the upcoming shift in legislation, and how you are preparing to protect their data in-line with the new laws? Rather than a chore, then, compliance can be a great reason to reiterate the trust between you and your customer-base and reassure them that your organisation is on the ball – over and above the competition.

Don’t forget, making room in the budget for compliance becomes much more achievable when senior management view the investment as one that directly contributes to your bottom line through sales and profitability.

Positioning compliance as more than a box-ticking exercise, but instead as a strategic business partner (as well as risk mitigation) makes for a compelling case indeed.

The European Union’s Fourth Anti-Money Laundering Directive came into force on 26th June 2017.

The Directive includes some fundamental changes to anti-money laundering procedures, including changes to customer due diligence (CDD), a central register of beneficial owners and a greater focus on risk assessments. However, with proper preparation and training, the transition to the new regime should be seamless for most firms.
