The Information Commissioner’s Office levied fines against British Airways and Marriott International for violating the GDPR.

Source: ‘2019 is the year of enforcement’: GDPR fines have begun – Digiday

British Airways faces $230 million fine over GDPR breach

Marriott Faces GDPR Fines: A DPO and CISO Discussion

Steps to GDPR Compliance

Archived GDPR posts

Subscribe to DISC InfoSec blog by Email

After the ICO issues $450 million of GDPR fines in a week, be sure you’re not next.

Source: 5 ways to avoid a GDPR fine

GDPR For Consultants – Training Webinar

What You Need to Know about General Data Protection Regulation

DISC InfoSec – Previous articles in GDPR category

Discover how to write a GDPR data breach notification procedure to help you with your GDPR compliance. Including a free template example. Read now

Source: How to write a GDPR data breach notification procedure – with template example – IT Governance Blog

Personal data breach notification procedures under the GDPR

Organizations must create a procedure that applies in the event of a personal data breach under Article 33 – “Notification of a personal data breach to the supervisory authority” – and Article 34 of the GDPR – “Communication of a personal data breach to the data subject”.

Help with creating a data breach notification template

The picture above is an example of what a data breach notification might look like – available from the market-leading EU GDPR Documentation Toolkit – which sets out the scope of the procedure, responsibilities and the steps that will be taken by the organization to communicate the breach from:

• Data processor to data controller;
• Data controller to supervisory authority; and
• Data controller to data subject.

A privacy notice is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible by individuals.

Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects. These are more detailed and specific than in the UK Data Protection Act 1998 (DPA).

The GDPR says that the information you provide must be:

• Concise, transparent, intelligible and easily accessible;
• Written in clear and plain language, particularly if addressed to a child; and
• Free of charge.

Help with creating a privacy notice template

The privacy notice should address the following to sufficiently inform the data subject:

• Who is collecting the data?
• What data is being collected?
• What is the legal basis for processing the data?
• Will the data be shared with any third parties?
• How will the information be used?
• How long will the data be stored for?
• What rights does the data subject have?
• How can the data subject raise a complaint?

Below is an example of a customisable privacy notice template, available from IT Governance here.

If you are looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the market-leading EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:

• A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
• Helpful dashboards and project tools to ensure complete GDPR coverage;
• Direction and guidance from expert GDPR practitioners; and
• Two licences for the GDPR Staff Awareness E-learning Course.

With the advent of the European Union (EU) deadline for General Data Protection Regulation (GDPR) (EU 2016/679 regulation) coming up on 25 May 2018, many organizations are addressing their data gathering, protection and retention needs concerning the privacy of their data for EU citizens and residents. This regulation has many parts, as ISACA has described in many of its recent publications and events, but all of the efforts revolve around the protection and retention of the EU participants’ personal information. The 6 main areas for data protection defined in this regulation are:

1. Data security controls need to be, by default, active at all times. Allowing security controls to be optional is not recommended or even suggested. “Always on” is the mantra for protection.
2. These controls and the protection they provide must be embedded inside all applications. The GDPR view is that privacy is an essential part of functionality, the security of the system and its processing activities.
3. Along with embedding the data protection controls in applications, the system must maintain data privacy across the entire processing effort for the affected data. This end-to-end need for protection includes collection efforts, retention requirements and even the new “right to be forgotten” requirement, wherein the customer has the right to request removal of their data from an organization’s storage.
4. Complete data protection and privacy adds full-functional security and business requirements to any processing system in this framework for data privacy. It provides that business requirements and data protection requirements be equally important during the business process.
5. The primary requirement for protection within the GDPR framework demands the security and privacy controls implemented are proactive rather than reactive. As its principal goal, the system needs to prevent issues, releases and successful attacks. The system is to keep privacy events from occurring in the first place.
6. With all of these areas needed under GDPR, the most important point for organizations to understand about GDPR is transparency. The EU wants full disclosure of an organization’s efforts, documentation, reviews, assessments and results available for independent third-party review at any point. The goal is to ensure privacy managed by these companies is not dependent upon technology or business practices. It needs to be provable to outside parties and, therefore, acceptable. The EU has purposely placed some strong fine structures and responses into this regulation to ensure compliance.

Having reviewed various organizational efforts in preparation for GDPR implementation, it has been found that it is good practice to look at these 6 areas for all the collected and retained data, not just EU-based data. This zero-tolerance approach to data breaches is purposely designed to be stringent and strong. Good luck to all in meeting and maintaining the data privacy and security requirements of GDPR.

Steps to EU GDPR compliance

By Julia Dutton

Organizations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR).

Those who have studied the Regulation will be aware that there are many references to certification schemes, seals and marks. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organisation is actively managing its data security in line with international best practice.

Managing people, processes and technology

ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology.  By implementing measures to protect information using this three-pronged approach, the company is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.

By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and which is constantly monitored, updated and reviewed.  Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes – both in the environment and inside the organisation – to continually identify and reduce risks.

What does the GDPR say?

The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Let’s look at these items separately:

Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks.  ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks.  Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to adequately protect them.

One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information.  Not only is confidentiality important, but the integrity and availability of such data is critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.

Risk assessment

ISO 27001 mandates that organisations conduct a thorough risk assessment by identifying threats and vulnerabilities that can affect an organisation’s information assets, and to take steps to assure the confidentiality, availability and integrity (CIA) of that data. The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data.

Business continuity

ISO 27001 addresses the importance of business continuity management, whereby it provides a set of controls that will assist the organisation to protect the availability of information in case of an incident and protect critical business processes from the effects of major disasters to ensure their timely resumption.

Testing and assessments

Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.

The requirements to achieve compliance with ISO 27001 of course do not stop there.  Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support.  ISO 27001 has already been adopted by thousands of organisations globally, and, given the current rate and severity of data breaches, it is also one of the fastest growing management system standards today.

Related articles:

Read more about ISO 27001 and the GDPR >>>>

GDPR Documentation Toolkit and gap assessment tool >>>>

Understanding the GDPR: General Data Protection Regulation >>>>

The GDPR will replace these with a pan-European regulatory framework effective from 25 May 2018.  The GDPR applies to all EU organizations – whether commercial business or public authority – that collect, store or process the personal data (PII) of EU individuals.

Organizations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the new European rules and adhere to the same level of protection of personal data. This potentially includes organizations everywhere in the world, regardless of how difficult it may be to enforce the Regulation. Compliance consultant must know the following 9 tenants of the GDPR.

• Supervisory Authority – A one-stop shop provision means that organizations will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU.

• Breach Disclosure – Organizations must disclose and document the causes of breaches, effects of breaches, and actions taken to address them.

• Processor must be able to provide “sufficient guarantees to implement appropriate technical and organizational measures” to ensure that processing will comply with the GDPR and that data subjects’ rights are protected. This requirement flows down the supply chain, so a processor cannot subcontract work to a second processor without the controller’s explicit authorization. If requested by subject you must cease processing and using his or her data for some limited period of time.

• Data Consent – The Regulation imposes stricter requirements on obtaining valid consent from individuals to justify the processing of their personal data. Consent must be “freely given, specific, informed and unambiguous indication of the individual’s wishes”. The organization must also keep records so it can demonstrate that consent has been given by the relevant individual. Data can only be used for the purposes that data subject originally explicitly consented. You must obtain and document consent for only one specific purpose at a time.

• Right to be forgotten – Individuals have a right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. If requested by subject, you must erase their data on premises, in apps and on devices.

• Data portability – Individuals will have the right to transfer personal data from one data controller to another where processing is based on consent or necessity for the performance of a contract, or where processing is carried out by automated means

• Documentation – The Regulation requires quite a bit of documentation. In addition to the explicit and implicit requirements for specific records (especially including proof of consent from data subjects), you should also ensure that you have documented how you comply with the GDPR so that you have some evidence to support your claims if the supervisory authority has any cause to investigate.

• Fines – Major noncompliance of the law will be punishable by fines of up to either 4% or €20 million of group annual worldwide turnover.

Data protection by design – Organization must ensure data security and data privacy across cloud and endpoints as well as design their system and processes that protects from unauthorized data access and malware.  Specifically, organizations must take appropriate technical and organizational measures before data processing begin to ensure that it meets the requirements of the Regulation. Data privacy risks must be properly assessed, and controllers may use adherence to approved codes of conduct or management system certifications, such as ISO 27001, to demonstrate their compliance.

How to improve information security under the GDPR

Although many businesses understand the importance of implementing the right procedures for detection, report and investigate a data breach, but not many are aware of how to go about this effectively, especially during implementation phase.

Seven steps that can help you prevent a data breach:

1. Find out where your personal information resides and prioritize your data.
2. Identify all the risks that could cause a breach of your personal data.
3. Apply the most appropriate measures (controls) to mitigate those risks.
4. Implement the necessary policies and procedures to support the controls.
5. Conduct regular tests and audits to make sure the controls are working as intended.
6. Review, report and update your plans regularly.
7. Implement comprehensive and robust ISMS.

ISO 27001, the international information security standard, can help you achieve all of the above and protect all your other confidential company information, too. To achieve GDPR compliance, feel free to contact us for more detail on implementation.

Related articles on GDPR and ISO 27k

The GDPR and Personal Data…HELP! from Cloud Security Alliance

As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

The key elements of data mapping

To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

1. Understand the information flow

An information flow is a transfer of information from one location to another, for example:

• From inside to outside the European Union; or
• From suppliers and sub-suppliers through to customers.

2. Describe the information flow

• Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
• Make sure the people who will be using the information are consulted on the practical implications.
• Consider the potential future uses of the information collected, even if it is not immediately necessary.

3. Identify its key elements

Data items

• What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?

Formats

• In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

Transfer method

• How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?

Location

• What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?

Accountability

• Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.

Access

• Who has access to the data in question?

The key challenges of data mapping

• Identifying personal data Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
• Identifying appropriate technical and organizational safeguards The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
• Understanding legal and regulatory obligations Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.

Data flow mapping

To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.

Order Today

Data Protection / EU GDPR Toolkits

Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:

EU General Data Protection Regulation (GDPR) Documentation Toolkit

By Chloe Biscoe

The General Data Protection Regulation (GDPR) is a new law that will harmonize data protection in the European Union (EU) and will be enforced from May 25, 2018. It aims to protect EU residents from data and privacy breaches, and has been introduced to keep up with the modern digital landscape.

Who needs to comply with the GDPR?

The GDPR will apply to all organizations outside of the EU that process the personal data of EU residents.

Non-compliance can result in hefty fines of up to 4% of annual global turnover or €20 million $23.5 million) – whichever is greater.

Organizations that are compliant with the new Regulation will also find that their processes and contractual relationships are more robust and reliable.

What do US organizations need to do to comply with the GDPR?

The transition period for compliance with the GDPR ends in May 2018. This means that organizations now have less than ten months to make sure they are compliant.

For US organizations, the most significant change concerns the territorial reach of the GDPR.

The GDPR will supersede the current EU Data Protection Directive. Under the current Regulation, organizations without a physical presence or employees in the EU have one main compliance issue to deal with: How to legally transfer data out of the EU. The EU–US Privacy Shield provides such a mechanism for compliance.

Almost all US organizations that collect or process EU residents’ data will need to comply fully with the requirements of the GDPR. US organizations without a physical EU presence must also appoint a GDPR representative based in a Member State.

Save 10% on your essential guide to the GDPR and the EU–US Privacy Shield

August’s book of the month is the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR and the EU–US Privacy Shield.

Alan Calder’s EU GDPR & EU-US Privacy Shield – A Pocket Guide explains in simple terms:

• The terms and definitions used within the GDPR and the EU-US Privacy Shield
• The key requirements
• How to comply with the Regulation

Data Protection / EU GDPR Toolkits

Big news is coming when NIST takes the wraps off a new privacy framework. Thanks to the General Data Privacy Regulation (GDPR) of the European Union, which took full effect in May 2018, privacy is at center stage worldwide. Penalties are being meted out for violations, and organizations of all kinds need to understand and comply with the law. In addition, the California Consumer Privacy Act (CCPA) was enacted in June 2018, with many other states working on similar bills.

Source: What the New NIST Privacy Framework Means to You

Developing the NIST Privacy Framework – Part 1


Developing the NIST Privacy Framework – Part 2


Developing the NIST Privacy Framework – Part 3


NIST Privacy Framework: An Enterprise Risk Management Tool

photo courtesy of Unsplash

By Jasmine Dyoco

Another day, another data breach. Lately, it seems like we can’t go more than a few days without hearing about another cyber attack. Data breaches have recently occurred at health insurance providers like Anthem, banks like Capital One, and even the Equifax credit bureau. If there’s anything these recent hacks have shown us, it’s that no industry is safe.
Social Security numbers, credit cards, and passwords are just some of the types of compromised data. Given the number of recent attacks, Bloomberg reports that some cybersecurity professionals now make millions of dollars per year.
Massive amounts of information have been stolen. According to The Week, “virtually everyone in the U.S. has been affected by a data breach in some way — even those who never go online.” If you’re worried a hacker might have your data, here’s how you can protect yourself and your family:

Malware and Viruses

Malware and computer viruses are common ways that scammers get sensitive information. Contrary to popular belief, Macs (and smartphones and tablets) can get viruses. Whether you use Mac, Windows, Linux, or an iPad, protecting your computer against viruses also protects your information.

According to Secure Data Recovery, proactive actions can help keep hackers and viruses from accessing your data. Use strong passwords that are hard to guess. A sentence or phrase is stronger than a single word, for example. You should also install a firewall and antivirus software. Save backups of your files to a device like an external hard drive. Alternatively, you could also save data to the cloud using Google Drive or similar.

Security and Compliance

Cyber threats are continually evolving. By having an information security (InfoSec) plan in place, you can protect data from falling into the wrong hands. InfoSec helps organizations maintain confidentiality while complying with industry regulations.  DISC help the organization to succeed in infosec and Privacy program by building and assessing Information Security Management System (ISMS) and Privacy Information Management System (PIMS) based on various standards and regulations.

For instance, Deura Information Security Consulting (DISC) can perform a risk assessment to identify the security risks. Based on those gaps, they’ll help you create a “safe, secure, and resilient cyber environment.” Additionally, they’ll help your organization comply with regional cyber laws. Those laws include Europe’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

Protect Your Teens 

Nobody is safe from online attacks. Unfortunately, that includes children and teenagers. Some scams specifically target teens and young adults. One example is phishing, which tricks teens into revealing their social media passwords. Teens are also susceptible to phishing scams that include “urgent” subject lines. These scams often trick people into clicking a link to avoid missing a once-in-a-lifetime opportunity.

To protect your children, the InfoSec Institute advises telling them to keep their login information private and to never click on social media links via email. Teach them red flags, like email scams claiming they’ve won money or website URLs that have misspellings or extra letters. Your whole family can learn what to look for by practicing with a phishing simulator.

Credit Freezes and Monitoring

Many people believe cybercriminals only steal money. The reality is that many of them are interested in stealing data, identities, or intellectual property. In the event that you do experience data loss, whether due to a virus, malware, or online scam, it’s essential to take action.

According to the IRS, you should report identity theft to the FTC, your bank, and each of the credit bureaus. You might want to freeze your credit and place a one-year alert on your credit report. Credit monitoring companies can help you protect your credit score by alerting you of any fraudulent activity. If you follow the tips listed above, you can recover your data and protect yourself from future attacks.

12 desirable reasons why an organization should carry out a penetration test:

1.  Assess potential business and operational impacts of successful attacks and determine the feasibility of a particular set of attack vectors.
2.  Identify higher-risk vulnerabilities resulting from lower-risk vulnerabilities exploited in a particular way.
3. To comply with security regulations or standards, e.g. ISO 27001, NIST CSF, NIST 800-171, HIPAA, PCI DSS or the EU GDPR.
4. To ensure the security of new applications or significant changes to business processes.
5. To manage the risks of using a greater number and variety of outsourced services.
6. To assess the risk of critical data or systems being compromised by an incident.
7. In preparation for any upcoming external audits, such as FFIEC audits performed by third-party providers.
8. To determine the weakness in the infrastructure (hardware), application (software) and people in order to develop controls.
9. Save Remediation Costs and Reduces Network Downtime.
10. To develop Efficient Security Measures.
11. Provide evidence to support increased investments in security personnel and technology.
12. At the end of the day, it’s basic due diligence, to find out about the vulnerability before someone else does.

I’ll Let Myself In: Tactics of Physical Pen Testers

#SANS Pen Test HackFest Summit

DISC InfoSec Recommended Pen Testing Titles

Penetration Testing Services Procurement Guide

Contact DISC InfoSec to discuss your information security assessment (pen test) requirements

As you might have expected, the GDPR (General Data Protection Regulation) has created a spike in demand for data protection and privacy experts. Organisations are desperate to hire people who can guide them towards regulatory compliance and avoid large fines. In this latest blog discover what a DPO’s tasks are and how to become one.

For many organizations, this isn’t just a wish; they are legally required to find such a person and appoint them as a DPO (data protection officer). 

The demand for DPOs makes it an ideal job role for those looking to advance their career. You need plenty of experience, as well as demonstrable soft skills, but it provides an opportunity with plenty of room for growth. Let’s take a look at how you can get started. 

WHAT A DPO DOES 

It’s worth summarising exactly what a DPO’s tasks are because you’ll see that they are responsible for more than simply reviewing GDPR compliance. 

Yes, they are broadly tasked with advising organizations on how to comply with their legal requirements concerning data protection. But that doesn’t just include things like monitoring policies and looking into the need for DPIAs (data protection impact assessments). 

It also involves helping staff understand their data protection obligations and serving as a point of contact for individuals who contact the organization with data protection and privacy queries. 

This means that DPOs will be regularly discussing the GDPR to people who aren’t technically minded. As such, they must have strong communication skills and be capable of explaining complex issues without using jargon. 

It’s much harder to teach skills like that than to train someone on the ins and outs of the GDPR, but still eminently possible. 

SPECIALIST DPO TRAINING 

If you’re interested in becoming a DPO, you will benefit massively from taking a training course dedicated to the role. It will help you understand the technical requirements of the GDPR and how they apply to each part of your job role and give you practical experience of the tasks you’re responsible for. 

For example, you can understand exactly what’s required when performing, say, a DPIA, but you need to be aware of your boundaries. DPOs must operate independently and without any conflict of interest. Taking too active a role in tasks like this jeopardize your status as an advisor and violate the GDPR’s requirements. 

IT Governance’s Certified Data Protection Officer (C-DPO) Masterclass Training Course gives you the technical and spatial expertise you need to become a DPO. 

Over four days, our expert trainers will help you hone your knowledge of the GDPR and show you how to use that knowledge appropriately while fulfilling your tasks as a DPO. 

If you already have a strong understanding of the GDPR, you might prefer our Certified Data Protection Officer (C-DPO) Upgrade Training Course. 

This two-day course builds on the knowledge you would have gained from passing the GDPR Practitioner exam, focusing on the practical application of the Regulation in the workplace.

Source: How to become a data protection officer

GDPR Training

On the first anniversary of #GDPR, Microsoft calls for a similar privacy law in the US that puts the burden on the companies that collect and use sensitive data.

Europe’s privacy law went into effect nearly a year ago. It’s time for the US to catch up, the tech giant says.

Source: Microsoft wants a US privacy law that puts the burden on tech companies

 Subscribe in a reader

Computer security training courses – Online cyber security courses

Build your cyber security awareness and InfoSec career to keep your cyber security skills relevant. Learn how to protect your information assets against today’s cyber threats with best online cyber security training courses.

DISC InfoSec cyber security training curriculum includes specialized InfoSec training and general cyber security courses for all levels.

Security Penetration Testing (The Art of Hacking Series) LiveLessons

Linux Security and Hardening, The Practical Security Guide

CISSP LiveLessons

Red Hat Certified Engineer (RHCE) with Virtual Machines LiveLessons

Fundamentals of nerc cip

Cyber Security – Online Scams & How to Avoid Them

Disaster Recovery and Risk Management

Penetration Testing Kali Linux ISO27001 Python CISSP GDPR Linux Identity Theft Powershell Security Programming Courses Security Risk Management Planning a Security Incident Respose	AWS Security Azure Security Network Security Wireless Security RedHat Security InfoSec eLearning Social Engineering Essentials of CyberSecurity Azure Security & Compliance Cyber Security Training Courses Security Disaster Recovery Cloud Security Computing

• InfoSec books from Amazon
• InfoSec books from IT Governance
• InfoSec books from eBay
• InfoSec books from Wordery

 Subscribe in a reader

Why your organisation should consider outsourcing its DPO

By Laura Downes

Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, demand for DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to support their GDPR compliance. DPOs also have an essential role as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects, and business units within an organisation. 

Your organisation will need to appoint a DPO if it:  

• Is a public authority or body; 
• Regularly and systematically monitors data subjects; or 
• Processes special categories of data on a large scale. 

The GDPR does not stipulate the level of experience a DPO must have, meaning some organisations might appoint an internal team member who does not have the experience or qualifications required, leaving them wide open to error.  

Why you should consider outsourcing your DPO 

Suitably skilled and experienced DPO candidates are hard to find. Outsourcing the role not only satisfies the requirements of the GDPR but also ensures your organisation is employing proper data handling and privacy policies. Furthermore, there is no conflict of interest between the DPO and other business activities. 

An external DPO can work for your organisation on a fixed-fee or a per-hour basis. Signing up to a DPO service also means you can rely on several experienced DPOs rather than just one, which means more hands on deck should you ever suffer a breach. 

DPO as a service (GDPR) 

IT Governance’s annual subscription DPO service offers you hands-on support from one of our qualified DPOs, who will serve as independent data protection expert to your organisation. Your appointed DPO will: 

• Review and advise on policies, procedures and documentation relating to the processing of personal data; 
• Oversee the establishment and maintenance of the personal data processing register; 
• Advise on the necessity of DPIAs (data protection impact assessments) and the manner of their implementation and outcomes; 
• Provide guidance on data breach monitoring, management and reporting; 
• Serve as the contact point for data protection authorities for all data protection issues; 
• Provide advice and guidance on responses to privacy rights requests from individuals; and 
• Monitor compliance with the GDPR. 

Find out more >> 

Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

The compromised systems were also US-based.

But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

A further 14.5 million British records exposed would not have put people at risk, the company added last October.

The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

• 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
• 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed

Guard let down

Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

And appropriate steps to fix the vulnerability were not taken, according to the ICO.

Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

And the fine of £500,000 is the highest possible under that law.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

“This is compounded when the company is a global firm whose business relies on personal data.”

An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

By BBC.com