The threats to your personal and professional cyber security are ever-growing, and the needs of each organisation and employee vary. VinciWorks has therefore added a further six apps to its bank of available customisations.

Acceptable Use

What constitutes acceptable use of company resources? Review the do’s and don’ts of the fair and proper use of business equipment and protect it from unauthorised access.

Information Classification

Top tips and need-to-knows on keeping company information in the right hands and away from the wrong eyes.

Data protection
The UK government is hoping the new Data Protection Bill will ensure a smooth transition to GDPR

The UK government has published its proposal to implement GDPR into UK law in a new Data Protection Bill. While GDPR will automatically come into force in the UK in 2018, the Bill is designed to ensure a smooth transition to a new data protection landscape regardless of Brexit, as well as implement key UK derogations.

Set to be introduced in September, the legislation will enshrine the fundamental principles of GDPR, including:

  • The right to be forgotten
  • Expanded definition of personal and sensitive personal data
  • Expanded rights to access personal data
  • Tighter rules on gaining consent
  • New criminal offences to protect people from being re-identified from anonymised data and from having their data altered
  • New powers for the Information Commissioner’s Office to fine companies up to £17m or 4% of global turnover, whichever is higher


The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. If you are unprepared, this regulation could have a drastic impact on your business and on how you collect data. The regulation creates significantly more rights and protections for data subjects, and imposes heavy fines on businesses that fail to comply.

The changes you may have to make to comply with GDPR include:

  • Assessing and justifying all of your data collection
  • Revising your privacy, data protection and cyber security policies
  • Designing systems for new data rights including the right to be forgotten and the right to data portability
  • Appointing a Data Protection Officer and implementing a “privacy by design” process

The webinar guides you through the first steps you need to take to become compliant. It will help you understand how the changes under GDPR will affect your organisation and how you should begin planning.


Ransomware attacks computers in 150 countries

On Friday hundreds of thousands of computers were held to digital ransom as a cyber attack spread around the world. The ransomware, which spread using an exploit allegedly stolen from the US National Security Agency (NSA), even locked NHS staff out of their systems, forcing hundreds of critical operations to be cancelled and staff to turn away sick patients at the door. The attack spread quickly, installed malware on over 200,000 computers and demanded payments of up to $600 in return for unlocking the data. With cyber security experts expecting more attacks imminently, this latest attack shows that everyone needs to understand cyber security and make it a top priority.

The cyber attack that began with spam emails

The attack began with phishing emails appearing to contain job offers, security warnings and invoices, as well as people’s own personal files. Once the attachments were unsuspectingly opened, the ransomware was able to spread by itself across large networks without any further action from users. This makes understanding how to protect against cyber attacks more important than ever: a single phishing email opened on one machine can affect computers across a whole network.

Data protection

The General Data Protection Regulation (GDPR) is now in force. It presents the most significant change to EU data protection in 20 years, meaning organisations have had to update their policies to ensure they are compliant. Further, all staff who are involved in the processing and storing of data must be familiar with their organisation’s data protection policy. We have therefore provided a data protection policy template to help your staff understand and follow your organisation’s data protection procedures.


GDPR policies and procedures

The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law. Its reach also extends to the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to widen individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

The General Data Protection Regulation (GDPR) was a major shakeup in data protection laws. GDPR’s reach is global. Any company that offers goods or services to anyone in the EU or UK may be required to comply.

The GDPR was adopted on 14 April 2016 and became enforceable on 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable without national implementing legislation, although it leaves certain aspects (known as derogations) to be specified by individual member states.

Many other countries around the world used the EU’s GDPR as a model to make similar regulations. These countries include Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina and Kenya. 

In the post-Brexit UK, GDPR is known as UK GDPR. UK-based organisations processing data of EU residents must comply with EU GDPR, just as EU organisations processing the data of British residents must comply with UK GDPR.

UK GDPR and EU GDPR are essentially the same, except that UK GDPR refers to British institutions such as the Information Commissioner’s Office rather than to EU institutions.

The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.

What should a data protection policy include?

Who is responsible for the data protection policy?

Staff should know who to approach if they have any questions regarding the data protection policy or anything related to the processing of personal data. Under GDPR, certain organisations are required to appoint a Data Protection Officer (DPO). It will be their role to advise the company on the rules needed to ensure compliance with data protection laws.

The risks of a hard Brexit

Regardless of what the UK does with GDPR after Brexit, the biggest threat to data protection is an exit from the EU without any deal. This is the so-called hard Brexit: a fallback to World Trade Organisation rules until a further agreement is reached, or not. It’s the kind of Brexit Theresa May and many inside the Conservative party and Leave camp have called for. As we have seen, the crucial requirement for the UK after Brexit is to be judged as offering an adequate level of protection by the European Commission.

A hard Brexit with no deal means no assessment of adequacy. Furthermore, the UK cannot apply to the European Commission for an assessment of adequacy; that determination can only be initiated and given by the Commission itself. If the negotiations turned sour and both parties decided to walk away with no deal, perhaps due to the estimated €60bn leaving bill, there might not be much goodwill left to speed up a UK adequacy determination for GDPR.


The UK Data Protection Act

The United Kingdom (UK) Data Protection Act (DPA) sets out rules for how your personal information can be used by organisations, businesses or the government.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

The DPA 2018, which came into effect on 25 May 2018, updates and replaces the Data Protection Act 1998. Post Brexit, the act was further amended in January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.

The Data Protection Act 1998

The Data Protection Act 1998 was a UK Act of Parliament designed to protect personal data stored on computers or in organised paper filing systems. It replaced the Data Protection Act 1984, which covered only data processed automatically by computer and did not extend to manual filing systems.

The 1998 Act, which enacted provisions from the EU Data Protection Directive 1995, was based on eight principles that organisations used to design their own data protection policies. The eight principles related to the protection, processing and movement of data, and mostly did not apply to domestic use. The eight guiding principles of the Act were as follows:

  • Principle 1 – Fair and Lawful
  • Principle 2 – Purposes
  • Principle 3 – Adequacy
  • Principle 4 – Accuracy
  • Principle 5 – Retention
  • Principle 6 – Rights
  • Principle 7 – Security
  • Principle 8 – International transfers

Data Protection (Amendment) Act 2003

The Data Protection (Amendment) Act 2003 is Irish legislation: it amended Ireland’s Data Protection Act 1988 to implement the European Data Protection Directive 95/46/EC (in the UK, the Directive was implemented by the Data Protection Act 1998). Together, these Acts regulated how employers collect, store and use the personal data they hold about their employees (past, prospective and current). The Acts required anyone responsible for holding or using data to follow the ‘data protection principles’: the information they collect must be used fairly and lawfully, for limited and specifically stated purposes, in a way that is adequate, relevant and not excessive; it must be accurate, handled according to people’s data protection rights, and kept safe and secure.

What is the Data Protection Act 2018?

The Data Protection Act 2018 is a United Kingdom Act of Parliament that replaced the Data Protection Act 1998. The 2018 Act updated data protection law in the UK and is the UK’s implementation of the EU’s General Data Protection Regulation (GDPR). The Act sets out rules for the processing of personal data and implements the parts of GDPR that “are to be determined by member state law”. It also sets out its own similar framework for the processing of personal data that is not subject to GDPR, such as processing by the intelligence services, processing for immigration purposes, and the processing of personal data held in unstructured form by public authorities.

The main differences between the 2018 Act and the 1998 Act are the right to erasure (an individual’s right to have their personal data deleted on request, grounded in the right to privacy), the new exemptions the Act introduces, and the fact that the Act works in tandem with GDPR.

Changes to Data Protection Under GDPR

Data protection law in the UK is based on the 1998 Data Protection Act. However, with continued changes in technology, 20 years on that law looks outdated and no longer relevant to the data protection concerns we face today. In May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act and will impose many new responsibilities and sanctions on organisations. Despite all the noise around GDPR, the eight principles of data protection laid out in the 1998 Data Protection Act will remain relevant, with changes to some of the key principles. Below is an overview of the eight principles of data protection, with guidance on the changes and what they could mean for your business.

Editor’s note: the eight principles of data protection have now been amended to become the six principles of GDPR.


The Eight Principles of Data Protection

1. Fair and lawful

Your organisation must have legitimate grounds for collecting the data and it must not have a negative effect on the person or be used in a way they wouldn’t expect. Organisations are required to provide full transparency about how they wish to use the data, as well as ensure their data is only used in ways customers would expect. Detailing precisely what a consumer’s information is being used for allows them to make an informed decision as to whether to share certain pieces of personal information.

Changes under GDPR

Under GDPR, processing criminal record data about employees must be authorised by law or carried out under official authority. For example, a school is far more likely to be permitted to carry out such checks on its teachers than a restaurant hiring kitchen staff.

How well do you really know data protection rules?

With the new General Data Protection Regulation (GDPR) coming into force in 2018, organisations are working hard to ensure they meet the new requirements. Public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, are now required to appoint a data protection officer, or DPO. Marketing teams will need to ensure they have consent from those they are marketing to, and genetic and biometric information is now also considered sensitive data under GDPR.

Our GDPR data protection game puts you in the manager’s seat of a company and provides feedback on the decisions you make.


Cyber Security

The UK Government has announced nearly £2bn to upgrade Britain’s cyber security defences. The National Cyber Security Strategy seeks to make the UK the “safest place in the world to do business,” by protecting critical digital infrastructure in a world increasingly at the mercy of hackers, both state-sponsored and anonymous collectives.

“Our new strategy, underpinned by £1.9 billion of support over five years and excellent partnerships with industry and academia, will allow us to take even greater steps to defend ourselves in cyber-space and to strike back when we are attacked,” the Chancellor Philip Hammond said.

This comes on top of £265 million already earmarked for cybersecurity vulnerabilities just at the MoD. The strategy is a welcome recognition that interconnected networks are increasingly vulnerable, and new efforts are needed to ensure a strong, secure digital economy.

The announcement of the strategy comes a year after the government first started to seriously talk about national cyber security defence. “No longer the stuff of spy thrillers and action movies,” declared Ben Gummer, the Cabinet Office Minister; “tech is the future of the UK economy,” the Chancellor announced. Thankfully, Whitehall has finally installed a much needed upgrade: tech is not the future of the economy, it is the reality. Neither is cyber security a movie plot; it is one of the most serious threats facing British business today.

A large scale cyber attack on any part of Britain’s digital infrastructure would be catastrophic.

Lockheed Martin simulated the effect of a cyber attack on the power distribution network in South-East England. In the scenario, rogue hardware is installed in 65 vulnerable substations, quickly triggering rolling blackouts across the region in winter, shutting down London, with the impacts spreading out to all parts of the country.

In the best-case scenario, full power is restored only after three weeks; in the worst case, it takes three months. The economic impact on the country could reach up to £500bn, or 2.3% of GDP. In the immediate term, 9 million people lose power, and 1 million train journeys and 150,000 flights have to be cancelled every day. Financial services, retail, real estate and professional services are the industries most affected, losing billions of pounds and setting back growth for years.

But cyber attacks are not some future ‘what-if’; they are hitting UK plc now. A study by Oxford Economics found that 60% of businesses had experienced a cyber attack in the last 12 months, with the average loss estimated at nearly £3m per attack. Loss of intellectual property, compromise of commercially sensitive information and loss of competitive advantage were the most common results of cyber attacks, increasing the cost of doing business and disrupting long-term investment. On top of that, untrained employees and poor password practices contribute directly to the risk of a nightmare cyber scenario.

If this is the day-to-day impact of the current level of cyber attacks against British business, it is a chilling thought to consider the damage a concerted attack would cause if carried out by a sophisticated organisation or nation-state actor. Now more than ever, it should be clear that Western countries are under digital bombardment for the purpose of causing mass disruption. Hacking an election was the latest trick; does business really want to wait and see what the next one will be?