Research by media agency the7stars has found widespread interest in the new ‘right to be forgotten’ provision of the General Data Protection Regulation (GDPR). More than a third of respondents (34%) say they will exercise this right. With GDPR coming into force in May, this news may cause alarm among businesses who may not have any established processes for handling deletion requests from individuals.

But what exactly is the right to be forgotten, and how might this impact organisations in the UK?

The right to erasure

This provision exists so that people have the right to object to organisations holding their personal data. In simple terms, if you wanted your favourite supermarket to stop sending you emails, you have the right to request that they delete your email address and any other personal information they may hold.

There are exceptions to this right – so if an organisation has a need or a compelling reason to retain your data, then your request can be denied.

When the right to erasure applies

As an individual, you can usually request the deletion of your data when:

  • Your personal data is no longer required for the purpose it was collected for
  • You withdraw consent
  • You object to having your data processed (assuming there is no overriding legitimate reason for processing)
  • Your data was unlawfully processed
  • Your data must be erased to comply with a legal obligation.

When organisations can decline requests

There are a number of occasions when organisations can refuse to comply with deletion requests. If your organisation has a valid reason for retaining personal information, you may be protected under one of these provisions.

Legitimate reasons for refusing to comply:

  • To protect the public interest, or in the interest of public health
  • To exercise your right of freedom of expression
  • Archiving for public interest, historical, scientific or statistical purposes
  • Exercising or defending legal claims
  • To comply with a legal obligation, exercising official authority or to perform a public interest task.

Deleting third-party data

While it might be relatively easy to delete the data you hold on a particular person, GDPR also requires that you notify any other organisations that you have shared the data with. This might include marketing partners, data processors and other suppliers.

The challenges of complying with this part of the legislation may encourage organisations to reassess how personal data is managed and shared. Organisations may find it preferable to limit the spread of data so that it can be more easily identified – and deleted when required.

GDPR training from VinciWorks

If your organisation needs help getting ready for GDPR, our suite of eLearning programmes can help. Because our training is online, it can be delivered efficiently, at any time. As part of our GDPR eLearning offering, we have both comprehensive and short-courses available. These cover topics including: Protecting Data, Preparing for GDPR, Privacy Impact Assessments, Accountability and The Right to be Forgotten.

Equifax, the US credit agency, has landed in serious hot water recently after a spate of information security and alleged compliance breaches that were uncovered by cyber security researchers, technology news sites, and – potentially – the Federal Trade Commission.

The initial breach, which saw 143 million Americans’ sensitive personal data and financial information potentially compromised, was a result of the company’s failure to ‘patch’ (that is, download the update and fix) a two-month-old bug in Apache Struts (the organisation’s web application framework where database libraries and other web development activities are managed). Despite many reports of the bug being exploited for malevolent purposes, Equifax failed to secure the social security numbers, driving licence details, and other personal financial information of millions of Americans – the breach also revealed the names, dates of birth, email addresses and telephone numbers of approximately 400,000 UK consumers.

An update which patched the vulnerability, known as Apache Struts CVE-2017-5638, was issued on 6th March 2017; however, the agency’s website was breached via the same vulnerability in mid-May of the same year. For this reason, Equifax is accused of gross negligence for failing to protect its customers and knowingly leaving their data vulnerable to cyber-attacks.

Sadly, Equifax’s history of imprudence doesn’t end here. At its Argentinian base, a computerised system holding similarly sensitive data about South American customers was configured to allow privileged access and control with the laughably easy-to-crack username and password combination ‘admin/admin’. The site, which is actually an online tool used by employees of the company, was temporarily shut down following the public exposure of its weak credentials, and the following statement was released:

“We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.

We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region.”

However, Hold Security (the cyber security firm responsible for uncovering the admin username and password) has more to add. It reports that, using the original admin log-in, it was able to download more than 100 username/password combinations belonging to the organisation’s Argentinian employees – most of which were simply the worker’s forename or surname. Additionally, from the main page of the portal, Hold Security reports being able to access 715 pages’ worth of customer complaints and credit report disputes, all of which list the Argentinian equivalent of the customer’s social security number.

As if to add insult to injury, thirty-six US senators have recently called for a federal investigation into how three of Equifax’s senior executives came to sell nearly $2m worth of shares just days after the company’s initial data breach was uncovered – and before the incident was publicly reported.

News of the sales has drawn worldwide criticism, although the company’s official statement is that the three executives ‘had no knowledge that an intrusion had occurred’ at the time the shares were sold.

Whilst this may seem improbable, in order to prove insider trading took place, prosecutors would have to show that the executives knew about the scandal when they decided to sell their stock – a tough task to prove in court according to the experts. Nevertheless, as Brandon L. Garrett, a professor at the University of Virginia School of Law, suggests, this is ‘the type of conduct that a company should not tolerate in its executives. It sends a terrible message to the public and to customers.’

VinciWorks is a leading provider of compliance education and risk management solutions. We have a comprehensive suite of cyber-security and compliance eLearning courses, supported with brand-on-demand posters, communication tools, and much more.

With just a few months to go until GDPR comes into force, there are signs that not every company is prepared to meet the new, tighter data regulations.

In fact, research from Trend Micro shows an alarming degree of under-preparedness from a large number of organisations.

GDPR may build on existing data regulations, but the new law goes further to protect individuals, and includes provisions for larger penalties for organisations that fail to protect user data.

This means that organisations cannot simply sleepwalk into the GDPR regime and hope their existing data management practices are adequate. Maximum fines have ballooned from £50,000 under the DPA (the current legislation) to €20m or 4% of a group’s worldwide turnover (whichever is greater). If the old fines were troubling, the new fines are potentially crippling – enough to sink many organisations in a heartbeat.

Complacency towards GDPR may suddenly change if an organisation is hit with a record-breaking fine. This may be the case, but no organisation can afford to be the example that sets everyone straight.

“As often happens with regulation, it’s going to take a whipping boy to understand the gravity of the situation for most organisations. One high-profile case of a company handing money over for non-compliance under the GDPR will be the required wake-up call the rest of the industry needs to get their act together.” – Rik Ferguson, Trend Micro

Time is slipping away, but it’s not too late to start preparing for GDPR! The first step, of course, is to understand what is required from you. You will also need to know exactly what data you hold, and why you have the right to keep it. You will also need to be able to explain how you acquired the data, how you process it, who has access, and how you keep it secure.

You must consider how data enters your organisation and how it exits, and the security implications of every interaction. You are also responsible for third parties that help you manage, process, or use data, so you will need to review your contracts to ensure that data security responsibilities are clearly defined for all parties.

Another cornerstone of GDPR is the duty to declare data breaches within 72 hours of discovery. Everyone in your organisation needs to know this, and they need to understand the protocol for reporting suspected breaches.

GDPR also requires organisations to have sufficient security technology in place, relative to the risks faced. The more data you hold, and the more sensitive its nature, the greater your security practices should be. Are you prepared to demonstrate how you deter/detect intruders on your network? Or how you identify unusual activity or downloads? Is your encryption infrastructure up-to-date?

Shockingly, Trend Micro’s survey revealed a surprising lack of awareness about what ‘data’ even means in the context of GDPR:

  • 56% of businesses didn’t know that email marketing data is personal information
  • 79% didn’t think that a customer’s date of birth is personal information
  • 29% didn’t know they need to protect a customer’s postal address

If this many organisations don’t know what personal data means, how can they be protecting it adequately?

Perhaps some organisations are hoping that GDPR will fall by the wayside as Brexit bites. This is an unlikely scenario, because even if the UK government had any appetite for scrapping GDPR, any organisation that trades with the EU would still need to meet the GDPR’s standards. Additionally, Britain was one of the great driving forces behind the new legislation and is unlikely to alter course on this.

Rather than resist the inevitable, it’s time to get on board with GDPR and to start building products, services and companies that offer the famous ‘privacy by design’ ethos, rather than treating privacy as an afterthought or nagging concern.

We’re here to help you understand precisely what GDPR means for you and your organisation, and how to build an accountability culture where everybody understands their responsibilities when it comes to processing and storing personal data in-line with the law.

Our brand new course, ‘Protecting Data’, will help companies based in the EU, and those that deal with the data of individuals based in the EU, comply with GDPR. The course covers three topics: data and the new law; the principles, rights and obligations of GDPR; and GDPR breaches. Learners can test their knowledge at the end of these three modules to see what they have learnt about GDPR and their responsibilities.

How GDPR-ready is your organisation?

A Data Protection Authority (DPA) in Europe has recently issued Facebook with a significant €1.2 million fine for two ‘serious’ and one ‘very serious’ breaches of data protection law.

The investigation, which formed part of a joint initiative by Data Protection authorities across Belgium, France, Hamburg, and The Netherlands, revealed that Facebook users’ personal data, e.g. political views, religious beliefs, location, and other personal preferences had been collected without the users’ informed consent. Data subjects were also left unaware as to the purpose of sharing their information with Facebook (and other third-party web pages), and the use of it thereafter.

The breach equating to ‘very serious’ in the eyes of the DPA, which amounted to €600,000 of the total fine, was the discovery that Facebook did not ‘obtain unequivocal consent, specific and informed’ from its users before processing types of data (known as ‘special categories’ of data in legislative speak) for marketing purposes.

When issuing the fine, the DPA also took into consideration that users are not informed about how their data is collected via use of cookies on the site, some of which the social network categorised as ‘secret’. Webpages which are not affiliated with Facebook, yet contain a ‘like’ button for the network all the same, were also shown to be in breach – some of them collecting data exclusively for marketing purposes without providing clear information to the user about what data will be collected and how it will be processed.

Additionally, it was shown that Facebook’s privacy policy was below par in terms of transparency, containing general formulations and statements that would be unclear to the average user and which required readers to click through a multitude of links in order to access the policy in its entirety.

Finally, the DPA was able to prove that Facebook did not, in fact, delete personal data upon user request (e.g. termination of account), but instead retained the data via cookies for up to seventeen months – a time period which extends way beyond the original purpose for collecting it in the first place.

Is your organisation fully aware of Data Protection directives and the right to be forgotten legislation?

For more information on VinciWorks’ Data Protection, GDPR, and Information Security courses and microlearning courses, please don’t hesitate to get in touch.

Are your passwords as secure as an open door? While many IT security experts are focused on patching software, closing weaknesses, and implementing expensive security software, your employees could be using simple passwords like ‘password’ and ‘abc123’. Weak passwords remain one of the easiest ways to hack into a system, and there are many millions of weak passwords in existence (what’s more, these ineffective passwords are often re-used by employees across multiple sites, making it even easier for hackers to gain access). Leaked databases of email addresses and password pairs exceed the hundreds of millions, and these exposed passwords may still be in use by your employees – all a hacker has to do is check.

It’s not hard to see why people use simple passwords. These days we all need to remember so many combinations of usernames, email addresses and passwords that it’s tempting to reduce this mental overload by recycling one or two memorable passwords.

This is why organisations must constantly remind employees of the importance of strong passwords. A weak password isn’t just a threat to the individual and their information. A weak password is an open door to the entire organisation, meaning that it’s more than a matter of personal preference: it’s an existential threat.

Here are seven tips for creating and maintaining secure passwords:

Keep passwords secret

This may sound obvious, but many people share their passwords with friends, colleagues, or family members at one time or another, but never go back and change their password afterwards. Remind employees to keep passwords to themselves, and never enter or create a password when someone else is watching.

Don’t recycle passwords

Enormous databases of passwords are circulated widely online. These contain hundreds of millions of stolen passwords – which your employees could still be using to gain access to your systems. Remind people to use unique passwords for every service. Password managers can help generate and store complex passwords securely.

Avoid using personal information

Your children’s or pet’s names may spring to mind when you try to create a password, but these details are often available to anyone who cares to scan our social media profiles. Avoid such easy-to-find details and choose something harder to guess.

Don’t use dictionary words

A single word from the dictionary is quick and easy to crack. Even if you replace some of the letters with numbers and characters, you’re making life too easy for the hackers.

… Unless you use six unrelated words

Putting six random words together in a string that makes no sense can be a viable password strategy. For example:

  • PerplexBravadoMonkeyRivalsAttentionSponge is a long, secure password that would make life difficult for hackers and their password-cracking software.

Turn phrases into random strings of letters/numbers

Turn a phrase into a password – e.g. ‘I loved eating ice cream in Venice in 2016’ becomes IleiciVi2016 – or ‘I went camping and lost £20 in my sleeping bag’ becomes Iwcal£20imsb. This tactic can create strong passwords that are also easy to remember, particularly if the phrase relates to a fond memory or a happy occasion.

Change passwords regularly

However good your password, there’s a chance that it could be circulating online. By changing your password every year, you limit the risk of hacking considerably.

Does your organisation enforce strong passwords? Do you have a method for helping employees manage multiple passwords?

VinciWorks offer a suite of cyber security training courses, including one that is dedicated to setting a secure password.

Employing a culture of security and training, and then testing this knowledge on a regular basis, is the most effective way to safeguard against data security threats and eliminate user errors. eLearning is a great way to foster a culture in which everyone understands and respects data security protocols, and wherein cyber-security risks are kept to an absolute minimum.


Bupa, the global health insurance company, admitted recently to a massive data breach affecting their international customers. A rogue employee copied and distributed the details of 108,000 customers. The data did not include financial or health information, but did include names, dates of birth, nationalities and some contact information. Whilst this information may not be enough to defraud Bupa customers, the data could be used by hackers to create more convincing phishing attacks to fool unsuspecting members of the public.

Security expert Marco Cova said to The Register: “Unfortunately, the data revealed from this breach is the type that criminals can use to launch additional attacks. They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. Data breaches provide a distribution hub for malware for years to come.”

Bupa quickly admitted to the data breach and explained that the employee has been fired, and the matter was being investigated by the police. The Financial Conduct Authority and other relevant regulators were also notified and Bupa contacted all the customers affected to provide advice on how to spot any fraudulent emails and scams that may come their way. Following the breach, Bupa has also reported plans to review its security procedures.

While Bupa has responded rapidly and openly to this incident, many will question how a company that handles so much sensitive personal information could fall victim to this kind of attack – particularly from inside their own walls. Presumably they have a Data Loss Prevention system configured to stop employees from downloading or copying data without authorisation. So how could one employee harvest 108,000 records?

The Bupa attack is another example of cyber-crime that doesn’t fit the common misconception. This was not a carefully planned operation by a hardened criminal; it was an opportunistic theft by a trusted member of staff. This kind of crime is difficult to prevent, particularly when organisations are striving to remove barriers to innovation and enable employees to do great work efficiently.

Has your organisation struck the balance between security and digital freedom? Or do you need to do more to secure your data and systems against internal threats?

eLearning can help warn against potential repercussions for data theft and educate employees on the laws and regulations in place to deter cyber-crime. VinciWorks offer a suite of cyber-security eLearning courses, as well as short courses on the upcoming GDPR legislation with its increased focus on digital security.


A skills gap refers to the space between what employers want or need their employees to be able to achieve, and what employees actually have the know-how and experience to do. At the moment, there seems to be unrest in the UK regarding the General Data Protection Regulation (GDPR) and the amount of cyber-security and data-handling professionals that are available to help organisations comply by the deadline in May 2018.

Since GDPR affects nearly every organisation in the EU (and all those who wish to do business with EU countries) – and with constant warnings and alarming headlines about large penalties for breaches of GDPR legislation (up to €20M) – it is perhaps understandable that UK organisations are feeling the pressure along with everyone else.

The question remains, though, how best to bring employees up to speed, particularly those who need a good understanding of the basic principles and directives of the GDPR, but who wouldn’t need as much expertise as, say, a dedicated Data Protection Officer (DPO). Even for organisations that employ a DPO, it makes sense to nurture and develop staff from within prior to the May 2018 deadline, if only to help mitigate the risk of said employees leaking customer data, storing it incorrectly, or otherwise inadvertently misusing it.

As part of your GDPR preparations, it makes sense for all staff to be aware of the GDPR, its implications, and what GDPR-compliance looks like compared to The Data Protection Act. Organisations will need to go into detail about what constitutes a breach from May 2018 onwards, as well as put in place policies about mobile-technology and data governance. It will also make sense to schedule regular, e.g. annual, refresher sessions in case anything changes and to really ensure compliance; and to arrange for new employees to undertake the same training as part of their induction.

How can VinciWorks help?

We offer GDPR online training courses to bring your employees up to speed with the GDPR. All our courses are automatically updated and the amended versions made available to users should legislation change.

A quick summary of our most popular GDPR courses can be found below:

  • Preparing for GDPR
    This course offers organisations the chance to learn how to prepare for the upcoming GDPR in time for May 2018 as well as informing them what they’ll need to do differently after this time. It also looks to answer any queries your employees may have about staying compliant after GDPR legislation comes into place.
  • ‘Accountability’
    This course looks at the GDPR directive and the need for transparency within your organisation. Other areas covered include why the GDPR directive legislation is so important, how to demonstrate accountability and how to minimise the risk of a data breach.
  • ‘Erasure: The Right to be Forgotten’
    This is a user-friendly microlearning course which takes five minutes to complete. It offers a focussed look at “The Right to be Forgotten” as it’s such a fundamental consideration of the upcoming GDPR legislation. After purchasing this micro course, your employees can expect to learn what responsibilities and obligations they have when receiving a request to erase personal data from others.

All our eLearning courses can be accessed and re-accessed as many times as you require to ensure compliance and, together with our full compliance suite of eLearning courses, form an ideal base for employee learning and development.

The Cyber Governance Health Check assesses and reports levels of cyber security awareness and preparedness in FTSE 350 companies (i.e., the UK’s 350 largest firms). The report allows these leading organisations to compare how security risks are managed and helps them to identify and address their different vulnerabilities.

According to the latest figures from the Health Check, over half (54%) of FTSE 350 companies list the risk of cyber-attacks as their number one concern (compared with other business threats like economic uncertainty or the unease surrounding Brexit). This figure is up from 29% just three years ago.

It’s likely that the recent spate of ransomware attacks in the UK, and the devastation that followed instances such as the NHS’s WannaCry scare, is the cause of the unrest amongst Britain’s market leaders. Whilst it is positive to see the new priority given to limiting cyber-security risks by these leading organisations, the report also highlights a less optimistic statistic: one in ten organisations currently operate without a response plan for cyber-attacks, and over two-thirds of employees have not received any training in how to handle such an event.

However, as Marco Cova, Senior Security Researcher at Lastline, suggests:

“If one was to find a silver lining, I would say that these ransomware attacks will probably do more to raise the security awareness of vendors and organisations than many security measures have in the past.”

Indeed, faced with the seemingly ever-present threat from cyber-criminals looking to steal data (or else hold it hostage) at the moment, it seems obvious that organisations ought to conduct their due diligence and prepare for the worst. More than this, though, and with new GDPR legislation on the horizon for 2018, companies are now more accountable than ever for keeping their clients’ data safe. This means that investments in technology and thorough cyber-security training that is preventative rather than reactive are imperative. This type of risk-mitigating training could mean the difference between keeping confidential data safe and compliant with GDPR, and having to fire-fight the aftermath (financial, reputational, or otherwise) of a data-breach.

It remains true that the biggest risk to any company’s digital security is its own employees. More often than not, users inadvertently create an entry-point for cyber-criminals to take advantage of – by visiting unauthorised websites, re-using weak passwords, or opening an attachment from an unknown sender, for example. This is why VinciWorks offer a range of information and cyber-security eLearning courses, all specifically designed to reduce the risk of a security breach.

Ensure your employees are aware of how to prevent a data breach with our Data Protection and Preventing a Data Breach eLearning courses. For added online security, we can also provide an off-the-shelf cyber-security bundle of courses, which includes full and short-course training to ensure your employees have a full awareness of cyber-security policies and best practices.

So important that even Her Majesty the Queen focused her attention on it in the 2017 Queen’s Speech, interest in the GDPR legislation shows no signs of slowing down.

The Queen’s speech confirmed that the General Data Protection Regulation (GDPR) will still come into force in the UK on 25th May 2018 and will replace the Data Protection Act, which has governed data handling directives in the UK since 1998. The new GDPR legislation is designed to streamline data handling across the European Union, making it easier for members of the EU to share data safely and also introducing more stringent data protection regulations to suit an increasingly digital age.

So, why would the UK implement EU-wide legislation following the beginning of Brexit negotiations? Firstly, it’s important to understand that the UK was (and still is) a major influence behind the new European legislation, so it’s natural that it would still adopt the GDPR even with Brexit going ahead. Secondly, with UK/EU legislation lining-up following May 2018, the UK will maintain its ability to share data with other members of the EU – for example, police forces and other international authorities. Conserving this ability is imperative in the fight against terrorism and other cross-border crimes.

The GDPR will affect organisations across all industry sectors, and all must ensure they’re up to speed by its implementation next year. Whilst the new legislation will bring with it some welcome consistency for multi-national organisations and employees working across Europe, the legislative burden of new rights for individuals and fines of 2–4% of global annual revenue for breaches are likely to take a toll.

For this reason, it is important that organisations avoid accidental breaches by ensuring that all employees are prepared and understand what they need to do to remain compliant with the GDPR. Human error (undoubtedly in the form of a lack of understanding and knowledge) has proven to be the main cause of data breaches in years past, and supposedly ‘harmless’ mistakes still make up a large percentage of security law violations and consequent fines.

Organisations need to act quickly to ensure they’re not caught out next May and can take advantage of VinciWorks GDPR eLearning courses to ensure they’re up to speed. We offer three GDPR training courses which together form a comprehensive package covering your preparation for the GDPR, what your organisation’s accountability under new GDPR legislation will be, and a microlearning course created to clarify the new legislation’s ‘right to be forgotten’ regulation.

The courses outline the UK’s Key Priorities for the GDPR, which are:

  1. Ensuring data protection rules are suitable for the digital age.
  2. Empowering individuals to have more control over their personal data.
  3. Giving people the right to be forgotten when they no longer want a company to process their data.
  4. Modernising data processing procedures for law enforcement agencies.
  5. Allowing police and the authorities to “continue to exchange information quickly and easily with international partners”.

Failing to prepare for the GDPR could have disastrous consequences for organisations, with punishments for non-compliance including fines of up to €20m or 4% of annual turnover, whichever is greater. It is not just the fine that could be damaging to organisations, however, but also the reputational damage and adverse publicity that follow.

Our GDPR training will help you to prepare for the GDPR in the correct manner and we will be adding to our portfolio of courses as more details come to light about exactly how the GDPR will affect organisations.