Recent research suggests that almost half of UK businesses are preparing to receive non-compliance penalties under the GDPR, with many owners having already set aside funds in anticipation of a fine.

The research (conducted by data privacy firm Ensighten) highlights a worrying amount of unpreparedness surrounding the new legislation and the additional responsibilities it will bring for organisations that wish to process and store personal data. CEO of Ensighten, Ian Woolley, comments that business owners are ‘aware, but still uncertain’ about GDPR, with 61% of survey respondents indicating they would like an extension of the deadline if one became available.

At What Cost?

A lot has been made of the potential penalties for non-compliance with GDPR. The shock value of the Information Commissioner’s Office (ICO)’s power to fine up to £17m, or 4% of global annual turnover (whichever is higher), makes for eye-catching news articles indeed. However, organisations would do well to maintain a level head on the matter and remember that their compliance efforts and behaviour will be taken into consideration when it comes to any fines incurred.

In this sense, it is important for companies to work on implementing a culture of data protection as standard – and as an ongoing commitment – rather than viewing GDPR as simply a box-ticking exercise with a ticking time-bomb attached.

How can VinciWorks Help?

The good news is that organisations still have time to educate their employees about the new legislation and what it will mean for data processors, subjects, and controllers at a practical, day-to-day level.

As firm believers that prevention is better than cure, VinciWorks offers a range of GDPR eLearning courses, from introductory modules to more comprehensive programmes, as well as microlearning courses covering specific GDPR provisions that your employees may find tricky.

Specially developed to get organisations GDPR-ready, our comprehensive eLearning course, Protecting Data, offers a detailed yet accessible approach to GDPR legislation. Developed alongside subject experts, the course gives particular focus to the principles, rights, and obligations of GDPR, and offers learners the opportunity to test their knowledge by asking them to deal with realistic potential data-breaches.

To find out more, simply get in touch via the form below. It’s never too late to start your compliance journey.

Facebook and Cambridge Analytica recently found themselves at the centre of a sensational dispute over the collection and use of personal data (in this case, information about users’ political opinions, which the current Data Protection Act calls ‘sensitive personal data’ and which GDPR treats as ‘special category’ data, subject to stricter conditions).

It all began with a ‘Personality Quiz’ app designed – and one can assume, approved – for use on the social networking site as a fun way to pass the time and connect with friends. As was common at the time, the app was also developed to harvest personal data of the user and, if reports are true, that of their unconsenting friends’ list.

According to reports, the personal data was then sold to Cambridge Analytica and used to psychologically profile users so that targeted advertisements and political spin/smear campaigns could be delivered straight to their profile pages and newsfeeds. A shocking allegation of invasion of privacy and political bias that has authorities on both sides of the pond enraged.

It’s worth noting that Facebook has since changed the amount of data that app-developers can scrape in this way and removed the app, demanding all its information be deleted.

Cambridge Analytica claims that it never used the data, and deleted it when Facebook told it to.

So, what can we take from the events?

It’s true that most users of social networking sites have no idea how much the platform actually knows about them (and their list of contacts). Remember, advertisers buying space on such networks are paying for your attention, and that attention is intensely targeted by the personal and sensitive data we’re almost all guilty of over-sharing online. The question left in the aftermath of such a scandal is this: with whom does the burden of data protection lie, the user or the platform?

Whilst admitting that mistakes had been made, Zuckerberg listed the more stringent measures he would implement to protect users’ data. His proposed solutions include a tool that lets users control their own data on the site, e.g., which apps they allow to access their profile information and for how long.

Indeed, if we were to find a silver-lining here, it would be the empowerment and the raised level of awareness amongst social network users who have been following the story. Knowledge, as ever, is the key to prevention.

With GDPR coming into force in May 2018, individuals will have ever-more control over their personal data as well as increased access to it. Zuckerberg’s promise to ‘provide an easy way to revoke’ data-access permissions echoes the regulation’s requirement that withdrawing consent must be as easy as giving it.

Looking to raise awareness about using social media, data protection, or GDPR? Visit our Compliance page to see our full range of courses.

Research by media agency the7stars has found widespread interest in the new ‘right to be forgotten’ provision of the General Data Protection Regulation (GDPR). More than a third of respondents (34%) say they will exercise this right. With GDPR coming into force in May, this news may cause alarm among businesses who may not have any established processes for handling deletion requests from individuals.

But what exactly is the right to be forgotten, and how might this impact organisations in the UK?

The right to erasure

This provision gives individuals the right, in certain circumstances, to have an organisation delete the personal data it holds about them. In simple terms, if you wanted your favourite supermarket to stop sending you emails, you could ask it to delete your email address and any other personal information it holds about you.

There are exceptions to this right – so if an organisation has a need or a compelling reason to retain your data, then your request can be denied.

When the right to erasure applies

As an individual, you can usually request the deletion of your data when:

  • Your personal data is no longer required for the purpose it was collected for
  • You withdraw consent
  • You object to having your data processed (assuming there is no overriding legitimate reason for processing)
  • Your data was unlawfully processed
  • Your data must be erased to comply with a legal obligation.

When organisations can decline requests

There are a number of occasions when organisations can refuse to comply with deletion requests. If your organisation has a valid reason for retaining personal information, you may be protected under one of these provisions.

Legitimate reasons for refusing to comply:

  • To protect the public interest, or in the interest of public health
  • To exercise your right of freedom of expression
  • Archiving for public interest, historical, scientific or statistical purposes
  • Exercising or defending legal claims
  • To comply with a legal obligation, exercising official authority or to perform a public interest task.

Deleting third-party data

While it might be relatively easy to delete the data you hold on a particular person, GDPR also requires that you tell each recipient you have shared the data with about the erasure (unless that proves impossible or involves disproportionate effort) and, if the individual asks, tell them who those recipients were. Recipients might include marketing partners, data processors and other suppliers, so you need a record of who has received what.

The challenges of complying with this part of the legislation may encourage organisations to reassess how personal data is managed and shared. Organisations may find it preferable to limit the spread of data so that it can be more easily identified – and deleted when required.

GDPR training from VinciWorks

If your organisation needs help getting ready for GDPR, our suite of eLearning programmes can help. Because our training is online, it can be delivered efficiently, at any time. As part of our GDPR eLearning offering, we have both comprehensive and short-courses available. These cover topics including: Protecting Data, Preparing for GDPR, Privacy Impact Assessments, Accountability and The Right to be Forgotten.

US credit agency Equifax has landed in serious hot water recently after a spate of information security and alleged compliance breaches that were uncovered by cyber security researchers, technology news sites and, potentially, the Federal Trade Commission.

The initial breach, which saw the sensitive personal data and financial information of 143 million Americans potentially compromised, resulted from the company’s failure to patch (that is, apply the vendor’s fix for) a two-month-old bug in Apache Struts, the open-source Java framework on which part of its public web application was built. Despite many reports of the bug being actively exploited, Equifax failed to secure the social security numbers, driving licence details and other personal financial information of millions of Americans; the breach also revealed the names, dates of birth, email addresses and telephone numbers of approximately 400,000 UK consumers.

An update which patched the vulnerability, tracked as CVE-2017-5638, was issued on 6th March 2017 (Struts 2.3.32 and 2.5.10.1); however, the agency’s website was breached via the same vulnerability in mid-May of the same year, a window of more than two months during which a publicly known and actively exploited flaw went unpatched. For this reason, Equifax is accused of gross negligence for failing to protect its customers and knowingly leaving their data vulnerable to cyber-attack.
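A practitioner reading this will want two concrete checks: whether a deployed Struts version falls inside the affected range that the Apache S2-045 advisory announced, and whether web logs show the attack’s signature. The Python below is an added example for this page, not Equifax’s or Apache’s code. The log format and the log lines are constructed; the affected-version ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1) are those in the advisory. The flaw let an attacker place an OGNL expression in the Content-Type header of a multipart request, so the log check looks for OGNL expression markers in that header rather than for one particular payload.

```python
"""Two checks for CVE-2017-5638 (Apache Struts S2-045): an affected-version test and
a scan of request logs for OGNL expressions in the Content-Type header.
Added example; the log lines below are constructed, not real traffic."""
import re

# Affected ranges published in the S2-045 advisory (inclusive). Anything newer
# than the upper bound of each range carries the fix (2.3.32 / 2.5.10.1).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in version.split("."))


def struts_vulnerable_to_cve_2017_5638(version: str) -> bool:
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# Constructed log format: METHOD PATH STATUS "Content-Type header value".
# Access logs do not record Content-Type by default; you would add it to the log
# format (e.g. %{Content-Type}i in Apache httpd) or take it from a WAF/proxy log.
LOG_LINE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ctype>.*)"$')

# OGNL markers seen in S2-045 attack traffic. Matching the expression syntax rather
# than one payload catches variants; a Content-Type header should never contain these.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.", "#context[")

SAMPLE_LOG = [
    'POST /upload.action 200 "multipart/form-data; boundary=----WebKitFormBoundaryX7Yq"',
    'POST /upload.action 200 "%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"',
    'GET /index.action 200 "-"',
    'POST /login.action 500 "${#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\']}"',
]


def content_type_is_suspicious(ctype: str) -> bool:
    return any(marker in ctype for marker in OGNL_MARKERS)


def scan_log(lines):
    """Return (method, path, content_type) for every request whose Content-Type
    looks like an OGNL injection attempt; unparseable lines are skipped."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match and content_type_is_suspicious(match["ctype"]):
            hits.append((match["method"], match["path"], match["ctype"]))
    return hits


if __name__ == "__main__":
    for version in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(version, "VULNERABLE" if struts_vulnerable_to_cve_2017_5638(version) else "fixed")
    for method, path, ctype in scan_log(SAMPLE_LOG):
        print("suspicious request:", method, path, ctype[:60])
```

The version test is the check Equifax needed in March; the log scan is what would have shown, from mid-May onwards, that the unpatched flaw was being used. Both are cheap to automate, which is the point the negligence accusation rests on.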

Sadly, Equifax’s history of imprudence doesn’t end here. At its Argentinian base, a computerised system holding similarly sensitive data about South American customers, was configured to allow privileged access and control with the laughably easy-to-crack username and password combination: ‘admin/admin’. The site, which is actually an online tool used by employees of the company, was temporarily shut down following the public exposure of its weak credentials, and the following statement released:

“We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.

We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region.”

However, Hold Security (the cyber security firm responsible for uncovering the admin username and password) have more to add. They report that, using the original admin log-in, they were able to download more than 100 username/password combinations belonging to the organisation’s Argentinian employees, most of which were simply the worker’s forename or surname, often identical to the username. Additionally, from the main page of the portal, Hold Security report being able to access 715 pages worth of customer complaints and credit report disputes, all of which list the Argentinian equivalent of the customers’ social security number.

As if to add insult to injury, thirty-six US senators have recently called for a federal investigation into how three of Equifax’s senior executives came to sell nearly $2m worth of shares just days after the company’s initial data breach was uncovered – and before the incident was publicly reported.

News of the sales has drawn worldwide criticism, although the company’s official statement is that the three executives ‘had no knowledge that an intrusion had occurred’ at the time the shares were sold.

Whilst this may seem improbable, in order to prove insider trading took place, prosecutors would have to show that the executives knew about the scandal when they decided to sell their stock – a tough task to prove in court according to the experts. Nevertheless, as Brandon L. Garrett, a professor at the University of Virginia School of Law, suggests, this is ‘the type of conduct that a company should not tolerate in its executives. It sends a terrible message to the public and to customers.’

VinciWorks is a leading provider of compliance education and risk management solutions. We have a comprehensive suite of cyber-security and compliance eLearning courses, supported with brand-on-demand posters, communication tools, and much more.

With just a few months to go until GDPR comes into force, there are signs that not every company is prepared to meet the new, tighter data regulations.

In fact, research from Trend Micro shows an alarming degree of under-preparedness from a large number of organisations.

GDPR may build on existing data regulations, but the new law goes further to protect individuals, and includes provisions for larger penalties for organisations that fail to protect user data.

This means that organisations cannot simply sleepwalk into the GDPR regime and hope their existing data management practices are adequate. Maximum fines have ballooned from £500,000 under the DPA (the current legislation) to €20m or 4% of a group’s worldwide annual turnover (whichever is greater). If the old fines were troubling, the new fines are potentially crippling – enough to sink many organisations in a heartbeat.

Complacency towards GDPR may suddenly change if an organisation is hit with a record-breaking fine. This may be the case, but no organisation can afford to be the example that sets everyone straight.

“As often happens with regulation, it’s going to take a whipping boy to understand the gravity of the situation for most organisations. One high-profile case of a company handing money over for non-compliance under the GDPR will be the required wake-up call the rest of the industry needs to get their act together.” – Rik Ferguson, Trend Micro

Time is slipping away, but it’s not too late to start preparing for GDPR! The first step, of course, is to understand what is required from you. You will also need to know exactly what data you hold, and why you have the right to keep it. You will also need to be able to explain how you acquired the data, how you process it, who has access, and how you keep it secure.

You must consider how data enters your organisation and how it exits, and the security implications of every interaction. You also remain responsible for personal data handled on your behalf by third parties that help you manage, process, or use it, so you will need to review your contracts to ensure that data security responsibilities are clearly defined for all parties.

Another cornerstone of GDPR is the duty to report personal data breaches to the ICO within 72 hours of becoming aware of them, where the breach is likely to result in a risk to individuals, and to tell the affected individuals without undue delay where that risk is high. Everyone in your organisation needs to know this, and they need to understand the protocol for reporting suspected breaches internally, so that a suspected breach reaches the people who can assess it quickly.

GDPR also requires organisations to have appropriate technical and organisational security measures in place, relative to the risks faced; technology alone is not enough. The more data you hold, and the more sensitive its nature, the stronger your security practices should be. Are you prepared to demonstrate how you deter and detect intruders on your network? How you identify unusual activity or bulk downloads? Whether your encryption is up to date and correctly configured?

Trend Micro’s survey also revealed a surprising lack of awareness about what ‘personal data’ even means in the context of GDPR:

  • 56% of businesses didn’t know that email marketing data is personal information
  • 79% didn’t think that a customer’s date of birth is personal information
  • 29% didn’t know they need to protect a customer’s postal address

If this many organisations don’t know what personal data means, how can they be protecting it adequately?

Perhaps some organisations are hoping that GDPR will fall by the wayside as Brexit bites. This is an unlikely scenario, because even if the UK government had any appetite for scrapping GDPR, any organisation that trades with the EU would still need to meet the GDPR’s standards. Additionally, Britain was one of the great driving forces behind the new legislation and is unlikely to alter course on this.

Rather than resist the inevitable, it’s time to get on board with GDPR: to start building products, services and companies around data protection by design and by default (the regulation’s term for the familiar ‘privacy by design’ ethos), rather than treating it as an afterthought or nagging concern.

We’re here to help you understand precisely what GDPR means for you and your organisation, and how to build an accountability culture where everybody understands their responsibilities when it comes to processing and storing personal data in-line with the law.

Our brand new course, ‘Protecting Data’, will help companies based in the EU, and those that deal with the data of individuals based in the EU, comply with GDPR. The course covers three topics: data and the new law; the principles, rights and obligations of GDPR; and GDPR breaches. Learners can test their knowledge at the end of these three modules to see what they have learnt about GDPR and their responsibilities.

How GDPR-ready is your organisation?

Are your passwords as secure as an open door? While many IT security experts are focused on patching software, closing weaknesses, and implementing expensive security software, your employees could be using simple passwords like ‘password’ and ‘abc123’. Weak passwords remain one of the easiest ways to hack into a system, and there are many millions of weak passwords in existence (what’s more, these ineffective passwords are often re-used by employees across multiple sites, making it even easier for hackers to gain access). Leaked databases of email addresses and password pairs exceed the hundreds of millions, and these exposed passwords may still be in use by your employees – all a hacker has to do is check.

It’s not hard to see why people use simple passwords. These days we all need to remember so many combinations of usernames, email addresses and passwords that it’s tempting to reduce this mental overload by recycling one or two memorable passwords.

This is why organisations must constantly remind employees of the importance of strong passwords. A weak password isn’t just a threat to the individual and their information. A weak password is an open door to the entire organisation, meaning that it’s more than a matter of personal preference: it’s an existential threat.

Here are seven tips for creating and maintaining secure passwords:

Keep passwords secret

This may sound obvious, but many people share their passwords with friends, colleagues, or family members at one time or another, but never go back and change their password afterwards. Remind employees to keep passwords to themselves, and never enter or create a password when someone else is watching.

Don’t recycle passwords

Enormous databases of passwords are circulated widely online. These contain hundreds of millions of stolen passwords – which your employees could still be using to gain access to your systems. Remind people to use unique passwords for every service. Password managers can help generate and store complex passwords securely.

Avoid using personal information

Your children’s or pet’s names may spring to mind when you try to create a password, but these details are often available to anyone who cares to scan our social media profiles. Avoid such easy-to-find details and choose something harder to guess.

Don’t use dictionary words

A single word from the dictionary is quick and easy to crack. Even if you replace some of the letters with numbers and characters, you’re making life too easy for the hackers.

… Unless you use six unrelated words

Putting six random words together in a string that makes no sense can be a viable password strategy, provided the words really are chosen at random (by a password manager, dice, or a similar method) rather than picked by the user, since human-chosen ‘random’ words cluster around the same few thousand. For example:

  • PerplexBravadoMonkeyRivalsAttentionSponge is a long password that would make life difficult for hackers and their password-cracking software: six words drawn at random from a list of several thousand give far more combinations than any short string of letters, digits and symbols.

Turn phrases into strings of letters/numbers

Turn a phrase into a password – e.g. ‘I loved eating ice cream in Venice in 2016’ becomes IleiciVi2016 – or ‘I went camping and lost £20 in my sleeping bag’ becomes Iwcal£20imsb. This tactic creates passwords that are easy to remember and hard to guess, particularly if the phrase relates to a fond memory or a happy occasion. Bear in mind that the result is only as long as the phrase has words (plus any digits you keep), so twelve characters like these are far weaker than a six-word passphrase; use a longer phrase for anything important, and turn on two-factor authentication wherever it is offered.

Change passwords when they may have been exposed

However good your password, there’s a chance that it could be circulating online after a breach at some service you use. Changing it promptly whenever such a breach is reported, or whenever you suspect it has been seen, limits the risk considerably. Forcing routine changes on a calendar schedule is less useful: people tend to respond with small, predictable variations on the old password, which is why the UK National Cyber Security Centre advises organisations against mandatory regular expiry.
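The tips above can be turned into an automated check at the point where a password is set. The Python below is an added example, not VinciWorks code. The leaked-credential list and the dictionary are tiny constructed stand-ins (a real check would use a breach corpus such as the Pwned Passwords hash list), and the 12-character minimum is an assumed policy value. It keeps only SHA-1 hashes of leaked passwords, indexed by a five-character prefix the way the Pwned Passwords range API works, so the lookup never needs the plaintext corpus, and it undoes the usual letter-for-digit substitutions before the dictionary test, which is why ‘P@ssw0rd2016’ is still rejected.

```python
"""Password policy checks: breach corpus (hash-prefix lookup), dictionary words with
digit/symbol substitutions undone, personal details, minimum length.
Added example; the corpus and dictionary below are constructed stand-ins."""
import hashlib
import re

MIN_LENGTH = 12  # assumed policy value, not from the article

# Constructed stand-in for a leaked-credential corpus. Only SHA-1 hashes are stored,
# indexed by their first five hex characters as the Pwned Passwords range API does.
_CONSTRUCTED_LEAKED = ["password", "abc123", "admin", "letmein", "qwerty", "Password1", "123456"]

# Constructed stand-in for a full dictionary / common-word list.
_DICTIONARY = {"password", "monkey", "dragon", "sunshine", "football", "welcome", "admin", "letmein"}

# Substitutions that crackers' rule sets undo automatically, so they add no strength.
_SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                                "0": "o", "$": "s", "5": "s", "7": "t"})


class BreachedPasswordIndex:
    def __init__(self, leaked_plaintexts):
        self._by_prefix = {}
        for plaintext in leaked_plaintexts:
            digest = hashlib.sha1(plaintext.encode("utf-8")).hexdigest().upper()
            self._by_prefix.setdefault(digest[:5], set()).add(digest[5:])

    def is_breached(self, password: str) -> bool:
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        return digest[5:] in self._by_prefix.get(digest[:5], set())


BREACHED = BreachedPasswordIndex(_CONSTRUCTED_LEAKED)


def is_dictionary_word(password: str) -> bool:
    """True if the password is one dictionary word once leading/trailing digits and
    symbols are dropped and substitutions reversed (so 'P@ssw0rd2016' -> 'password')."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(_SUBSTITUTIONS) in _DICTIONARY


def check_password(password: str, personal_terms=()) -> list:
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if BREACHED.is_breached(password):
        failures.append("appears in a leaked-credential corpus")
    if is_dictionary_word(password):
        failures.append("single dictionary word (digit/symbol substitutions do not help)")
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            failures.append(f"contains personal detail '{term}'")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd2016", "IleiciVi2016",
                      "PerplexBravadoMonkeyRivalsAttentionSponge"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

The personal-terms list would come from the user’s own profile (names of children, pets, employer, birth year) rather than from a global list, since that is where an attacker would look too.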

Does your organisation enforce strong passwords? Do you have a method for helping employees manage multiple passwords?

VinciWorks offer a suite of cyber security training courses, including one that is dedicated to setting a secure password.

Building a culture of security and training, and then testing that knowledge on a regular basis, is one of the most effective ways to safeguard against data security threats and reduce user error. eLearning is a great way to foster a culture in which everyone understands and respects data security protocols, and in which cyber-security risks are kept to a minimum.

Everywhere you look, hacking seems to be on the rise, and it’s true that many of these attacks are opportunistic. However, some hackers are more calculating than this, conducting attacks over time so they can harvest the data they value. One such approach is the ‘man in the middle’ (MITM) attack. This involves an attacker positioning themselves between you and the party you are communicating with, either by gaining a foothold on your network or by intercepting the connection itself, so that they can eavesdrop, collect data, and tamper with what you send and receive.

As you can imagine, once a hacker can get between you and the people or systems you communicate with, they have the power to cause immense harm. They can easily gather valuable information such as payment card information, legal documents, and company secrets. But it’s hackers’ ability to amend and corrupt this information that makes MITM attacks so potentially damaging. Instead of simply harvesting data, hackers can, in fact, change your information to suit themselves. With a few taps of the keyboard they can alter your bank details so that payments land in their accounts, not yours … and you may not notice until months later. This is not a hypothetical threat; hackers have even amended mortgage documents sent from a private home buyer to a solicitor so that hundreds of thousands of pounds were unwittingly redirected into their accounts.

So how do MITM attacks occur? They typically involve two different kinds of interception: either between you and your peers on your company network, or between you and an internet access point – usually over Wi-Fi. Open Wi-Fi networks are particularly dangerous because anyone nearby can read, and often redirect, unencrypted traffic – another reason why sensitive information should never be sent or received over an open wireless network without an encrypted channel, such as a VPN or a site served over HTTPS.

We may imagine that our company networks and intranets are more secure, because we know who can gain access, but there may be a temptation for employees to use their privileges for nefarious purposes – particularly disgruntled employees who decide to gather valuable information before they leave the company. Employees may also be persuaded by a third party to create an access point for external hackers. Given the high value of this kind of access, companies must consider the great lengths that criminals may go to for this kind of fraud. And, as we’ve discussed in previous articles, employees can easily give hackers access without intent or awareness.

The question is, then, what can your organisation do to limit the risks of MITM attacks? As always, there is an educational component; employees need to understand their role in maintaining a secure network. Employees should not work on company laptops (or phones) from unsecured, public Wi-Fi networks unless all of their traffic goes through the company VPN. Employees also need to know how to spot unsecured websites, looking for ‘https’ rather than ‘http’ in the address, particularly when sharing sensitive data or making payments online, and to treat a browser certificate warning as a stop sign rather than something to click through, since an unexpected certificate is exactly what an interception looks like from the user’s side.

From a company IT perspective, serving every web and intranet site over HTTPS, and enforcing it with HTTP Strict Transport Security so that browsers never fall back to plain HTTP, is essential for preventing these attacks. An Intrusion Detection System (IDS) can alert you to the tell-tale signs, such as ARP spoofing or a device answering for addresses that are not its own, and help prevent an attack from turning into a costly loss of data, reputation or cash.
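On a company LAN the classic way to get ‘between you and your peers’ is ARP spoofing: the attacker answers ARP requests for the gateway’s address (and the victim’s) with their own MAC, so traffic between the two flows through them. The Python below is an added example, not code from this article, of the kind of check a simple IDS performs. It takes ARP replies as (time, IP, MAC) records, constructed here rather than captured, and flags an IP claimed by more than one MAC, a MAC claiming several IPs, and any departure from a pinned gateway mapping. In practice the records would come from a passive ARP monitor such as arpwatch or from a packet capture, and the trusted gateway mapping is an assumed value.

```python
"""Detect ARP-spoofing indicators of an on-LAN man-in-the-middle from ARP replies.
Added example; the replies below are constructed, not captured traffic."""
from collections import defaultdict

# Constructed ARP "is-at" replies as (timestamp, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    ("09:00:01", "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway answers for itself
    ("09:00:02", "10.0.0.25", "aa:bb:cc:00:00:25"),  # a workstation
    ("09:00:03", "10.0.0.1", "aa:bb:cc:00:00:01"),
    ("09:05:10", "10.0.0.1", "de:ad:be:ef:00:99"),   # a new MAC now claims the gateway IP
    ("09:05:11", "10.0.0.25", "de:ad:be:ef:00:99"),  # ...and the workstation IP: two-way poisoning
]

# Assumed static mapping for the one address every host on the segment trusts most.
TRUSTED_GATEWAY = ("10.0.0.1", "aa:bb:cc:00:00:01")


def ips_with_multiple_macs(replies):
    """{ip: sorted MACs} for each IP address that more than one MAC has answered for."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def macs_claiming_multiple_ips(replies):
    """{mac: sorted IPs} for each MAC that answers for more than one IP. A host has
    one IP per interface; a poisoner answers for many."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


def gateway_impersonation_events(replies, trusted=TRUSTED_GATEWAY):
    """Timestamps at which a MAC other than the pinned one claimed the gateway IP."""
    ip, mac = trusted
    return [ts for ts, r_ip, r_mac in replies if r_ip == ip and r_mac.lower() != mac.lower()]


def arp_alerts(replies, trusted=TRUSTED_GATEWAY):
    """Human-readable alert lines, of the kind an IDS would emit."""
    alerts = []
    for ip, macs in ips_with_multiple_macs(replies).items():
        alerts.append(f"ARP conflict: {ip} claimed by {', '.join(macs)}")
    for mac, ips in macs_claiming_multiple_ips(replies).items():
        alerts.append(f"possible poisoner: {mac} answers for {', '.join(ips)}")
    for ts in gateway_impersonation_events(replies, trusted):
        alerts.append(f"gateway impersonation at {ts}")
    return alerts


if __name__ == "__main__":
    for line in arp_alerts(SAMPLE_ARP_REPLIES):
        print(line)
```

A DHCP server that legitimately hands an address to a new device will also produce an IP-to-MAC change over time, so the first check is noisy on its own; the second and third are the ones worth paging on, and pinning the gateway mapping on managed hosts (or enabling dynamic ARP inspection on the switch) prevents the attack rather than merely detecting it.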

Is your organisation protected against MITM attacks? Or is it time to shore up your defences?

VinciWorks offer a suite of cyber-security training courses designed to deliver effective cyber security training in an easily digestible, highly motivating format. Each course highlights a particular learning objective (e.g. phishing attacks, setting a secure password, using email and browsing the internet) and can be completed in approximately five minutes in order to maximise knowledge retention and keep engagement levels up.

Additionally, we also offer more holistic, longer information security and preventing a data breach courses that address physical as well as digital security threats, as well as courses on the new EU-wide GDPR legislation, with its increased focus on internet security and affirmative consent.


Bupa, the global health insurance company, admitted recently to a massive data breach affecting their international customers. A rogue employee copied and distributed the details of 108,000 customers. The data did not include financial or health information, but did include names, dates of birth, nationalities and some contact information. Whilst this information may not be enough to defraud Bupa customers, the data could be used by hackers to create more convincing phishing attacks to fool unsuspecting members of the public.

Security expert Marco Cova said to The Register: “Unfortunately, the data revealed from this breach is the type that criminals can use to launch additional attacks. They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. Data breaches provide a distribution hub for malware for years to come.”

Bupa quickly admitted to the data breach and explained that the employee has been fired, and the matter was being investigated by the police. The Financial Conduct Authority and other relevant regulators were also notified and Bupa contacted all the customers affected to provide advice on how to spot any fraudulent emails and scams that may come their way. Following the breach, Bupa has also reported plans to review its security procedures.

While Bupa has responded rapidly and openly to this incident, many will question how a company that handles so much sensitive personal information could fall victim to this kind of attack – particularly from inside their own walls. Presumably they have a Data Loss Prevention system configured to stop employees from downloading or copying data without authorisation. So how could one employee harvest 108,000 records?

The Bupa attack is another example of cyber-crime that doesn’t fit the common misconception. This was not a carefully planned operation by a hardened criminal; it was an opportunistic theft by a trusted member of staff. This kind of crime is difficult to prevent, particularly when organisations are striving to remove barriers to innovation and enable employees to do great work efficiently.

Has your organisation struck the balance between security and digital freedom? Or do you need to do more to secure your data and systems against internal threats?

eLearning can help warn against potential repercussions for data theft and educate employees on the laws and regulations in place to deter cyber-crime. VinciWorks offer a suite of cyber-security eLearning courses, as well as short courses on the upcoming GDPR legislation with its increased focus on digital security.
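A DLP or audit-log monitor that might have caught the bulk copying described above needs a baseline of what normal looks like for each person, since no single action in the theft need have been forbidden. The Python below is an added example, not Bupa’s or VinciWorks’ code; the audit records and both thresholds are constructed, assumed values. It totals each user’s record accesses per day, builds that user’s median from their other days (so the suspicious day cannot inflate its own baseline), and flags a day that exceeds either an absolute cap or a multiple of the user’s own median. A member of staff who normally touches a few dozen records and one day exports thousands stands out even if each individual export was permitted.

```python
"""Flag anomalous bulk record access per user from an access audit log.
Added example with constructed records; both thresholds are assumed policy values."""
from collections import defaultdict
from statistics import median

ABSOLUTE_CAP = 2000     # assumed: no role legitimately touches this many records in a day
RATIO_TO_MEDIAN = 10    # assumed: a day at 10x the user's own median is worth a look

# Constructed audit events: (date, user, records_accessed_in_that_event).
SAMPLE_AUDIT = [
    ("2017-07-03", "alice", 40), ("2017-07-04", "alice", 55), ("2017-07-05", "alice", 48),
    ("2017-07-06", "alice", 60), ("2017-07-07", "alice", 52),
    ("2017-07-03", "bob", 30), ("2017-07-04", "bob", 28), ("2017-07-05", "bob", 35),
    ("2017-07-06", "bob", 31),
    ("2017-07-07", "bob", 4000), ("2017-07-07", "bob", 5000),   # two large exports in one day
    ("2017-07-03", "carol", 5), ("2017-07-04", "carol", 6), ("2017-07-05", "carol", 4),
    ("2017-07-06", "carol", 120),                               # below the cap, far above her norm
]


def daily_totals(events):
    """{user: {date: total records accessed that day}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, count in events:
        totals[user][date] += count
    return totals


def anomalous_days(events, absolute_cap=ABSOLUTE_CAP, ratio=RATIO_TO_MEDIAN):
    """Return [(user, date, total, reason)] for days exceeding the absolute cap or
    `ratio` times the user's median over their other days (leave-one-out baseline)."""
    findings = []
    for user, per_day in daily_totals(events).items():
        for date, total in sorted(per_day.items()):
            baseline_days = [t for d, t in per_day.items() if d != date]
            if total > absolute_cap:
                findings.append((user, date, total, "exceeds absolute cap"))
            elif baseline_days and total > ratio * median(baseline_days):
                findings.append((user, date, total, "far above user's own median"))
    return findings


if __name__ == "__main__":
    for user, date, total, reason in anomalous_days(SAMPLE_AUDIT):
        print(f"{date} {user}: {total} records ({reason})")
```

Run against a real audit trail this would be one rule among several; pairing the per-user baseline with a per-role one catches the new starter who has no history yet, and alerting on the day rather than blocking each request keeps the rule from getting in the way of legitimate work.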


A skills gap refers to the space between what employers want or need their employees to be able to achieve, and what employees actually have the know-how and experience to do. At the moment, there seems to be unrest in the UK regarding the General Data Protection Regulation (GDPR) and the amount of cyber-security and data-handling professionals that are available to help organisations comply by the deadline in May 2018.

Since GDPR affects nearly every organisation in the EU (and all those who wish to do business with EU countries) – and with constant warnings and alarming headlines about large penalties for breaches of GDPR legislation (up to €20M) – it is perhaps understandable that UK organisations are feeling the pressure along with everyone else.

The question remains, though, how best to bring employees up to speed, particularly those who need a good understanding of the basic principles and directives of the GDPR, but who wouldn’t need as much expertise as, say, a dedicated Data Protection Officer (DPO). Even for organisations that employ a DPO, it makes sense to nurture and develop staff from within prior to the May 2018 deadline, if only to help mitigate the risk of said employees leaking customer data, storing it incorrectly, or otherwise inadvertently misusing it.

As part of your GDPR preparations, it makes sense for all staff to be aware of the GDPR, its implications, and what GDPR-compliance looks like compared to The Data Protection Act. Organisations will need to go into detail about what constitutes a breach from May 2018 onwards, as well as put in place policies about mobile-technology and data governance. It will also make sense to schedule regular, e.g. annual, refresher sessions in case anything changes and to really ensure compliance; and to arrange for new employees to undertake the same training as part of their induction.

How can VinciWorks Help?

We offer GDPR online training courses to bring your employees up to speed with the GDPR. All our courses are automatically updated and the amended versions made available to users should legislation change.

A quick summary of our most popular GDPR courses can be found below:

  • Preparing for GDPR
    This course offers organisations the chance to learn how to prepare for the upcoming GDPR in time for May 2018 as well as informing them what they’ll need to do differently after this time. It also looks to answer any queries your employees may have about staying compliant after GDPR legislation comes into place.
  • ‘Accountability’
    This course looks at the GDPR’s accountability principle and the need for transparency within your organisation. Other areas covered include why the GDPR is so important, how to demonstrate accountability and how to minimise the risk of a data breach.
  • ‘Erasure: The Right to be Forgotten’
    This is a user-friendly microlearning course which takes five minutes to complete. It offers a focussed look at “The Right to be Forgotten” as it’s such a fundamental consideration of the upcoming GDPR legislation. After purchasing this micro course, your employees can expect to learn what responsibilities and obligations they have when receiving a request to erase personal data from others.

All our eLearning courses can be accessed and re-accessed as many times as you require to ensure compliance and, together with our full compliance suite of eLearning courses, form an ideal base for employee learning and development.