Aug 23 2022

ITG is offering bestselling implementation guides free with each toolkit purchase

Category: GDPR, Information Security, ISO 27k | DISC @ 4:12 pm
For a limited time only, ITG is offering bestselling implementation guides free with each toolkit purchase.*

All the pre-written policies and procedures you’ll ever need.

Written by our expert team of in-house consultants, who have been delivering cyber security and data privacy consultancy for years.

Reviewed throughout the year to ensure you’re always working from the most up-to-date documentation, in line with the latest guidance and standard revisions, including free upgrades.

Accessible on our Cloud-based platform, DocumentKits, so you can collaborate with team members, viewing, editing and downloading documents any time, anywhere.

GDPR Documentation Toolkit

Receive a free copy of EU General Data Protection Regulation (GDPR) – An implementation and compliance guide
Code: GDPR-DK-NEW-0822

ISO 27001 Toolkit

Receive a free copy of ISO 27001 controls – A guide to implementing and auditing
Code: ISO27001-DK-NEW-0822

Tags: gdpr, iso 27001

Mar 10 2022

Build your DPO career with self-paced online learning

Category: GDPR, Information Privacy, Security and privacy Law | DISC @ 10:15 am

Certified GDPR Foundation, Practitioner and Data Protection Officer (C-DPO) Accelerated Self-Paced Online Combination Training Course
Are you planning a career as a DPO (data protection officer)? Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format.

Delivered by an experienced data privacy consultant, the Certified GDPR Foundation, Practitioner and Data Protection Officer (C-DPO) Accelerated Self-Paced Online Combination Training Course provides the knowledge to implement and maintain GDPR compliance and fulfil the DPO role.

Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests.

The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career.

Tags: data protection officer, DPO, DPO (data protection officer)

Feb 10 2022

French data protection authority says Google Analytics is in violation of GDPR

Category: data security, GDPR | DISC @ 10:28 pm

The French national data protection authority, CNIL, issued a formal notice to the managers of an unnamed local website today, arguing that its use of Google Analytics is in violation of the European Union’s General Data Protection Regulation, following a similar decision by Austria last month.

The root of the issue stems from the website’s use of Google Analytics, which functions as a tool for managers to track content performance and page visits. CNIL said the tool’s use and transfer of personal data to the U.S. fails to abide by landmark European regulations because the U.S. was deemed to not have equivalent privacy protections.

European regulators including CNIL have been investigating such complaints over the last two years, following a decision by the EU’s top court that invalidated the U.S.’s “Privacy Shield” agreement on data transfers. NOYB, the European Center for Digital Rights, reported 101 complaints in 27 member states of the EU and 3 states in the European Economic Area against data controllers who conduct the transatlantic transfers.  

Privacy Shield, which went into effect in August of 2016, was a “self-certification mechanism for companies established in the United States of America,” according to CNIL. 

Originally, the Privacy Shield was considered by the European Commission to be a sufficient safeguard for transferring personal data from European entities to the United States. However, in 2020 the adequacy decision was reversed due to no longer meeting standards. 

An equivalency test was used to compare European and U.S. regulations which immediately established the U.S.’s failure to protect the data of non-U.S. citizens. European citizens would remain unaware that their data is being used and how it is being used, and they cannot be compensated for any misuse of data, CNIL found. 

CNIL concluded that Google Analytics does not provide adequate supervision or regulation, and the risks for French users of the tool are too great.

“Indeed, if Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data,” CNIL said. 

The unnamed site manager has been given a month to update its operations to be in compliance with GDPR. If the tool cannot meet regulations, CNIL suggests transitioning away from the current state of Google Analytics and replacing it with a different tool that does not transmit the data. 

The privacy watchdog does not call for a ban of Google Analytics, but rather suggests revisions that follow the guidelines. “Concerning the audience measurement and analysis services of a website, the CNIL recommends that these tools be used only to produce anonymous statistical data, thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers,” the watchdog said. 

source: https://


GDPR Practitioner Guide

Tags: French data protection authority, gdpr, GDPR Practitioner Guide, Google Analytics

May 24 2021

GDPR compliance without the complexity

Category: GDPR | DISC @ 12:53 pm

Most management systems, compliance, and certification projects require documented policies, procedures, and work instructions. GDPR compliance is no exception. Documentation of policies and processes are vital to achieve compliance.

ITG GDPR Documentation Toolkit gives you a complete set of easily customizable GDPR-compliant documentation templates to help you demonstrate your compliance with the GDPR’s requirements quickly, easily, and affordably.

“Having recently kicked off a GDPR project with a large international organisation, I was tasked with creating their Privacy Compliance Framework. The GDPR toolkit provided by IT Governance proved to be invaluable, providing the project with a well organised framework of template documents covering all elements of the PIMS framework. It covers areas such as Subject Access Request Procedure, Retention of Records Procedure and Data Protection Impact Assessment Procedure, helping you to put into practice policies and procedures to enable the effective management of personal information on individuals. For anyone seeking some support with their GDPR plans, the toolkit is well worth consideration.”

– Chris Prantl

Tags: #GDPR #DataBreachNotification, gdpr compliance, GDPR implementation, GDPR toolkit

Feb 19 2021

66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home

Category: GDPR | DISC @ 10:27 pm

Two-thirds of remote workers risk potentially breaching GDPR guidelines by printing out work-related documents at home, according to a new study from Go Shred.

The confidential shredding and records management company discovered that 66% of home workers have printed work-related documents since they began working from home, averaging five documents every week. Such documents include meeting notes/agendas (42%), internal documents including procedure manuals (32%), contracts and commercial documents (30%) and receipts/expense forms (27%).

Furthermore, 20% of home workers admitted to printing confidential employee information including payroll, addresses and medical information, with 13% having printed CVs or application forms.

The issue is that, to comply with the GDPR, all companies that store or process personal information about EU citizens within EU states are required to have an effective, documented, auditable process in place for the collection, storage and destruction of personal information.

However, when asked whether they have disposed of any printed documents since working from home, 24% of respondents said they haven’t disposed of them yet as they plan to take them back to the office and a further 24% said they used a home shredding machine but disposed of the documents in their own waste. This method of disposal is not recommended due to personal waste bins not providing enough security for confidential waste and therefore still leaving employers open to a data breach and potential fines, Go Shred pointed out.

Most concerning of all, 8% of those polled said they have no plans to dispose of the work-related documents they have printed at home, with 7% saying they haven’t done so because they do not know how to.

Source: 66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home via Infosecurity Magazine

Tags: GDPR by Printing

Feb 02 2021

5 key privacy trends for 2021

Source: 5 key privacy trends for 2021

As organisations become increasingly reliant on the use of personal data, the risks they face grow exponentially.

Last year we saw a record number of data breaches and a surge in penalties for regulatory violations, but 2021 is set to be even more perilous as public demand for data privacy grows, COVID-19 scams continue and data protection laws get more complex following Brexit.

Here are our five key data privacy trends for this year.

1. There will be more public awareness of privacy rights

This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.

All of this information is helping consumers become more aware of their rights.

Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.

The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.

There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.

Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.

2. Brexit will continue to cause headaches

Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) – which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.

For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.

Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.

3. We shouldn’t expect an adequacy decision imminently

Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.

For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.

But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.

Currently, personal data can continue to flow between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.

In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.

The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.

4. GDPR enforcement will be more consistent

In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.

In some cases, the fines were minuscule, but in others the penalties were large.

It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.

We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.

Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.

5. Cookie laws will come under greater scrutiny

From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.

This is evident in the £91 million fine levied against Google for its ad tracking practices, as well as the recent actions from Max Schrems and his organisation NOYB.

So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.

Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.

Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.

Meet your data privacy requirements with IT Governance

You can find out more about data privacy and the steps you must take to protect the information you process with our Privacy by Design Foundation Training Course.

One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.

Nov 22 2020

How does the Schrems II ruling affect your organization?

Category: GDPR | DISC @ 5:01 pm

GDPR compliance got even more complicated this summer when the CJEU (European Court of Justice) ruled the EU–US Privacy Shield invalid.

Organizations that had relied on the framework for transatlantic data transfers have been scrambling for a solution – with even some multinationals unsure how to proceed.

If you’re among those trying to understand how the ruling affects your data transfer processes, then ITGP’s updated books can help.

EU General Data Protection Regulation (GDPR) – An implementation and compliance guide

This comprehensive guide covers:

  • DPO (data protection officer) requirements, including which organizations need a DPO and what DPOs do;
  • When organizations must conduct DPIAs (data protection impact assessments);
  • GDPR implementation FAQs;
  • Guidance on how to create data protection processes that are in line with best practices; and
  • An index of the GDPR.
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition

EU GDPR – An international guide to compliance

Ideal for those trying to understand the essentials of GDPR compliance, EU GDPR – An international guide to compliance:

  • Explains the terms and definitions used in the GDPR;
  • Sets out the circumstances under which organizations may receive fines;
  • Shows how to meet your compliance requirements; and
  • Provides guidance on the technologies and documentation you can use to protect the personal data that you process.

Tags: gdpr, Schrems II

Aug 18 2020

Privacy eLearning – Staff InfoSec & Compliance Awareness

Privacy eLearning & Staff Awareness

  • Access staff awareness e-learning programs and train staff on best practice processes
  • Ensure staff can spot and respond to cybersecurity and privacy risks
  • Comply with data protection and information security legislation and standards
  • Test learner knowledge to prove compliance for auditing purposes
  • Train staff under one, manageable contract with these cost-effective annual licenses
  • Developed by industry experts our programs are updated every three months to ensure the content remains relevant
  • Gain access to any new content ITG release throughout your year-long contract
  • Customize the courses by adding links to company documents, policies, and procedures
  • Fast deployment with instant access to all of the courses
  • Reinforce awareness with monthly security updates, which include the latest news and tips

1) Complete Staff Awareness E-learning Suite

2) GDPR Challenge E-learning Game
This short and punchy ten-minute game will test your employees’ knowledge on real-life GDPR-relevant scenarios across different industries.

3) GDPR Staff Awareness E-learning Course

4) GDPR: Email Misuse Staff Awareness E-Learning Course

5) Information Security & ISO 27001 Staff Awareness E-Learning Course

6) PCI DSS Staff Awareness E-Learning Course

7) Information Security Staff Awareness E-Learning Course

8) Phishing Staff Awareness E-Learning Course

9) Data Protection Awareness Posters

10) Phishing Awareness Posters

11) The ISMS Card Game

Tags: GRC eLearning, information security awareness, InfoSec eLearning, security awareness training

Dec 19 2019

ISO/IEC 27701 2019 Standard and Toolkit

Category: GDPR, Information Privacy, ISO 27k | DISC @ 12:35 pm

ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ISO 27002 ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a PIMS (privacy information management system).

Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.


Key features:

* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data

ISO 27701 Gap Analysis Tool

Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).

It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.

What does the tool do?

  • Contains a set of sample audit questions
  • Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
  • Provides a clear, colour-coded report on the state of compliance
  • The executive summary displays the results of compliance in a clear table so that you can report on your results and measure the closure of gaps
  • The tool is designed to work in any Microsoft environment. It does not need to be installed like software, and it does not depend on complex databases; it relies on human involvement

ISO 27701 The New Privacy Extension for ISO 27001

Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard

General Data Protection Regulation (GDPR) | The California Consumer Privacy Act (CCPA)

Tags: CCPA, gdpr, iso 27001, iso 27002, ISO 27701, ISO27701, PIMS

Aug 22 2019

‘2019 is the year of enforcement’: GDPR fines have begun

Category: GDPR | DISC @ 2:57 pm

The Information Commissioner’s Office levied fines against British Airways and Marriott International for violating the GDPR.

Source: ‘2019 is the year of enforcement’: GDPR fines have begun – Digiday

British Airways faces $230 million fine over GDPR breach

Marriott Faces GDPR Fines: A DPO and CISO Discussion

Steps to GDPR Compliance

Jul 30 2019

How to become a data protection officer

Category: GDPR, Information Privacy | DISC @ 3:28 pm

As you might have expected, the GDPR (General Data Protection Regulation) has created a spike in demand for data protection and privacy experts. Organisations are desperate to hire people who can guide them towards regulatory compliance and avoid large fines. In this latest blog, discover what a DPO’s tasks are and how to become one.

For many organizations, this isn’t just a wish; they are legally required to find such a person and appoint them as DPO (data protection officer).

The demand for DPOs makes it an ideal job role for those looking to advance their career. You need plenty of experience, as well as demonstrable soft skills, but it provides an opportunity with plenty of room for growth. Let’s take a look at how you can get started.

It’s worth summarising exactly what a DPO’s tasks are, because you’ll see that they are responsible for more than simply reviewing GDPR compliance.

Yes, they are broadly tasked with advising organizations on how to comply with their legal requirements concerning data protection. But that doesn’t just include things like monitoring policies and looking into the need for DPIAs (data protection impact assessments).

It also involves helping staff understand their data protection obligations and serving as a point of contact for individuals who contact the organization with data protection and privacy queries.

This means that DPOs will regularly be explaining the GDPR to people who aren’t technically minded. As such, they must have strong communication skills and be capable of explaining complex issues without using jargon.

It’s much harder to teach skills like that than to train someone on the ins and outs of the GDPR, but still eminently possible.

If you’re interested in becoming a DPO, you will benefit massively from taking a training course dedicated to the role. It will help you understand the technical requirements of the GDPR and how they apply to each part of your job role, and give you practical experience of the tasks you’re responsible for.

For example, you can understand exactly what’s required when performing, say, a DPIA, but you need to be aware of your boundaries. DPOs must operate independently and without any conflict of interest. Taking too active a role in tasks like this jeopardizes your status as an advisor and violates the GDPR’s requirements.

Certified Data Protection Officer (C-DPO) Masterclass Training Course

IT Governance’s Certified Data Protection Officer (C-DPO) Masterclass Training Course gives you the technical and spatial expertise you need to become a DPO.

Over four days, our expert trainers will help you hone your knowledge of the GDPR and show you how to use that knowledge appropriately while fulfilling your tasks as a DPO.

Certified Data Protection Officer (C-DPO) Upgrade Training Course

If you already have a strong understanding of the GDPR, you might prefer our Certified Data Protection Officer (C-DPO) Upgrade Training Course.

This two-day course builds on the knowledge you would have gained from passing the GDPR Practitioner exam, focusing on the practical application of the Regulation in the workplace.

Source: How to become a data protection officer

GDPR Training

Tags: data protection officer, DPO, GDPR Privacy

Jul 29 2019

5 ways to avoid a GDPR fine

Category: GDPR | DISC @ 10:04 am

After the ICO issued $450 million of GDPR fines in a week, be sure you’re not next.

Source: 5 ways to avoid a GDPR fine

GDPR For Consultants – Training Webinar

What You Need to Know about General Data Protection Regulation

Tags: #GDPR #DataBreachNotification, gdpr compliance, GDPR Privacy

Jul 26 2019

How to write a GDPR data breach notification procedure – with template example

Category: Data Breach, GDPR, Information Privacy | DISC @ 2:05 pm

Discover how to write a GDPR data breach notification procedure to help you with your GDPR compliance, including a free template example.

Source: How to write a GDPR data breach notification procedure – with template example – IT Governance Blog

Personal data breach notification procedures under the GDPR

Organizations must create a procedure that applies in the event of a personal data breach under Article 33 of the GDPR – “Notification of a personal data breach to the supervisory authority” – and Article 34 – “Communication of a personal data breach to the data subject”.

Help with creating a data breach notification template

The picture above is an example of what a data breach notification might look like – available from the market-leading EU GDPR Documentation Toolkit – which sets out the scope of the procedure, responsibilities and the steps that will be taken by the organization to communicate the breach from:

• Data processor to data controller;
• Data controller to supervisory authority; and
• Data controller to data subject.

GDPR Implementation Bundle

Tags: #GDPR #DataBreachNotification

May 06 2019

Unsecured SkyMed Database Exposed PII Data Of 137K Individuals

Category: data security, GDPR, Security Breach | DISC @ 9:29 pm

Reportedly, the unsecured SkyMed database exposed a huge number of records containing medical and personal information of US citizens online.

Source: Unsecured SkyMed Database Exposed PII Data Of 137K Individuals

ISO/IEC 27018:2014, 1st Edition: Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Sep 25 2018

Privacy notice under the GDPR

Category: GDPR | DISC @ 8:58 pm

A privacy notice is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible to individuals.

Articles 12, 13 and 14 of the GDPR outline the requirements for giving privacy information to data subjects. These are more detailed and specific than those in the UK Data Protection Act 1998 (DPA).

The GDPR says that the information you provide must be:

• Concise, transparent, intelligible and easily accessible;
• Written in clear and plain language, particularly if addressed to a child; and
• Free of charge.

Help with creating a privacy notice template

The privacy notice should address the following to sufficiently inform the data subject:

• Who is collecting the data?
• What data is being collected?
• What is the legal basis for processing the data?
• Will the data be shared with any third parties?
• How will the information be used?
• How long will the data be stored for?
• What rights does the data subject have?
• How can the data subject raise a complaint?

Below is an example of a customisable privacy notice template, available from IT Governance here.

Example of the privacy notice template available to purchase from IT Governance

If you are looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the market-leading EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:

• A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
• Helpful dashboards and project tools to ensure complete GDPR coverage;
• Direction and guidance from expert GDPR practitioners; and
• Two licences for the GDPR Staff Awareness E-learning Course.

Tags: GDPR Privacy, GDPR Privacy Notice

    Sep 24 2018

    Why your organisation should consider outsourcing its DPO

    Category: GDPRDISC @ 2:47 pm

    Why your organisation should consider outsourcing its DPO

    By Laura Downes

    Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, demand for DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to support their GDPR compliance. DPOs also have an essential role as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects, and business units within an organisation. 

    Your organisation will need to appoint a DPO if it:  

    • Is a public authority or body; 
    • Regularly and systematically monitors data subjects; or 
    • Processes special categories of data on a large scale. 

    The GDPR does not stipulate the level of experience a DPO must have, meaning some organisations might appoint an internal team member who does not have the experience or qualifications required, leaving them wide open to error.  

    Why you should consider outsourcing your DPO 

    Suitably skilled and experienced DPO candidates are hard to find. Outsourcing the role not only satisfies the requirements of the GDPR but also ensures your organisation is employing proper data handling and privacy policies. Furthermore, there is no conflict of interest between the DPO and other business activities. 

    An external DPO can work for your organisation on a fixed-fee or a per-hour basis. Signing up to a DPO service also means you can rely on several experienced DPOs rather than just one, which means more hands on deck should you ever suffer a breach. 

    DPO as a service (GDPR) 

    IT Governance’s annual subscription DPO service offers you hands-on support from one of our qualified DPOs, who will serve as independent data protection expert to your organisation. Your appointed DPO will: 


    Sep 20 2018

    Equifax fined by ICO over data breach that hit Britons

    Category: Cyber Insurance, data security, GDPR, Security Breach | DISC @ 10:02 am

    Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

    A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

    The compromised systems were also US-based.

    But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

    It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

    Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

    A further 14.5 million British records exposed would not have put people at risk, the company added last October.

    The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

    • 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
    • 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
    • Up to 15 million UK data subjects had names and dates of birth exposed


    Guard let down

    Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

    And appropriate steps to fix the vulnerability were not taken, according to the ICO.

    Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

    And the fine of £500,000 is the highest possible under that law.

    “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

    “This is compounded when the company is a global firm whose business relies on personal data.”

    An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

    “As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

    “The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”


    Aug 30 2018

    4 bad things happening every minute on the Internet

    Category: GDPR | DISC @ 11:46 am


    Risk IQ’s Evil Internet Minute infographic tells you the bad things happening every minute on the Internet:

    • 5 successful ransomware attacks
    • 9 phishing attacks
    • 1,274 new malware variants
    • 5,518 records compromised

    Any data you look at shows that the scale of ‘Internet evil’ increases every year. The economic impact of cyber crime now exceeds $1.1 million per minute. This is a major corporate risk, irrespective of organisational size, and cyber insurance is an inadequate response – insurers will not pay out where you have been negligent.

    The EU’s GDPR (General Data Protection Regulation) makes the tests for negligence pretty clear: absence of accountability, insufficient corporate governance and countermeasures that do not adequately respond to the frequency and virulence of today’s attacks.

    In an environment where four potentially vulnerable web components are discovered every minute, an annual penetration test is only slightly better than not bothering at all. We run penetration tests about once a month; you should be doing them at least quarterly. However, even if you do this, you need to recognise that purely technical responses have limited benefits. Staff are the weakest of your links, particularly as phishing and ransomware attacks get smarter every day. And your supply chain may increasingly be your attackers’ fastest route into what passes for your secure environment. Staff awareness training only every year or two would be desperately short-sighted.

    We’re going to see more and more organisations reporting data breaches – it’s now an offence to not report one, and you can be punished with significant fines. The costs don’t stop there. After you report a breach, and undergo investigation, fines and reputational damage, you still have to spend the money to get secure. It therefore probably works out less expensive in the long run to make comprehensive cyber security investments before you are breached (assuming that you haven’t already been breached, and you just don’t know it yet).

    Tags: gdpr

    Feb 28 2018

    What is ‘privacy by design’?

    Category: GDPR, Security and privacy Law | DISC @ 9:50 am


    Privacy by design is a voluntary approach to projects that promotes privacy and data protection compliance, and helps you comply with the Data Protection Act 1998 (DPA).

    The Information Commissioner’s Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:

    • Building new IT systems to store or access personal data;
    • Needing to comply with regulatory or contractual requirements;
    • Developing internal policies or strategies with privacy implications;
    • Collaborating with an external party in a way that involves data sharing; or
    • Using existing data for new purposes.

    Privacy by design and the GDPR

    The upcoming EU General Data Protection Regulation (GDPR) will supersede the DPA. Article 25 of the GDPR, “[d]ata protection by design and default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project. As such, data protection must be considered at the design stage of any project, and the project must process and store as little personal data as possible, for as short a time as possible.

    Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisation’s data flows. This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.

    Organisations need to be aware of the personal data that they are processing, and to ensure that this data is processed in compliance with the law. Organisations often process significantly more personal data than they realise, so it is vital that they perform mapping exercises to keep track of it all.
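    The following is an added example of what a minimal data-flow map and the risk check on it can look like in code; it is not the Data Flow Mapping Tool or any IT Governance code. Each row records what is processed, why, where it is held, where it is sent and for how long it is kept, and the check flags where a control is required (special-category data, data outside the EEA without a transfer safeguard, retention beyond what the purpose justifies, or no documented purpose). The field names, the EEA country subset, the retention limits and the three sample flows are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Article 9 special categories. The category names follow the GDPR's list;
# the string tags are this example's own convention.
SPECIAL_CATEGORIES: Set[str] = {
    "racial_or_ethnic_origin", "political_opinions", "religious_beliefs",
    "trade_union_membership", "genetic", "biometric", "health",
    "sex_life_or_orientation",
}

# Constructed subset of EU/EEA country codes; a real map would carry the full list.
EEA: Set[str] = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "NO", "PL", "SE"}

# Transfer mechanisms this example accepts for data leaving the EEA.
TRANSFER_SAFEGUARDS: Set[str] = {
    "adequacy_decision", "standard_contractual_clauses", "binding_corporate_rules",
}


@dataclass
class Flow:
    """One row of the data-flow map: what is processed, why, where it sits, where it goes."""
    activity: str
    purpose: str
    categories: Set[str]
    stored_in: str                 # ISO country code of the system holding the data
    retention_days: int            # how long the data is actually kept
    retention_limit_days: int      # longest retention the purpose justifies (assumed policy value)
    transferred_to: Optional[str] = None   # ISO country code of any external recipient
    safeguard: Optional[str] = None        # transfer mechanism relied on, if any


def assess(flow: Flow) -> List[str]:
    """Return the findings for one flow; an empty list means no extra control is needed."""
    findings: List[str] = []

    if not flow.purpose.strip():
        findings.append("no documented purpose, so the processing cannot be justified")

    special = flow.categories & SPECIAL_CATEGORIES
    if special:
        findings.append(
            "special-category data (" + ", ".join(sorted(special))
            + "): an Article 9 condition is needed and a DPIA should be considered"
        )

    # Data held or sent outside the EEA needs a recognised transfer safeguard.
    for where in (flow.stored_in, flow.transferred_to):
        if where and where not in EEA and flow.safeguard not in TRANSFER_SAFEGUARDS:
            findings.append(f"data in {where}, outside the EEA, without a recognised transfer safeguard")

    if flow.retention_days > flow.retention_limit_days:
        findings.append(
            f"kept {flow.retention_days} days but the purpose only justifies "
            f"{flow.retention_limit_days}: storage limitation control needed"
        )
    return findings


def build_register(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each activity name to its findings: the documented record plus the gaps in it."""
    return {flow.activity: assess(flow) for flow in flows}


def activities_needing_controls(register: Dict[str, List[str]]) -> List[str]:
    """Activities with at least one finding, sorted for a stable report."""
    return sorted(name for name, findings in register.items() if findings)


# Constructed sample flows (not real data).
SAMPLE_FLOWS: List[Flow] = [
    Flow("payroll", "pay staff and meet tax obligations",
         {"name", "bank_account", "salary"}, "DE", 2190, 2190),
    Flow("occupational_health", "manage sickness absence",
         {"name", "health"}, "IE", 3650, 1825, transferred_to="US"),
    Flow("marketing_analytics", "",
         {"email", "browsing_history"}, "NL", 365, 730,
         transferred_to="US", safeguard="standard_contractual_clauses"),
]


if __name__ == "__main__":
    register = build_register(SAMPLE_FLOWS)
    for activity in activities_needing_controls(register):
        print(activity)
        for finding in register[activity]:
            print("  -", finding)
```

    Run as a script it prints the activities that need attention with their findings; the payroll flow produces none, the occupational health flow produces three (special-category data, an unprotected transfer to the US, and over-retention), and the analytics flow one (no documented purpose). The same register, kept current, is the documentation of processing activities that the GDPR asks for.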

    Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.

    The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.

    IT Governance’s free green paper ‘Conducting a data flow mapping exercise under the GDPR’ will help you understand how to effectively map your data in compliance with the GDPR.


    Feb 21 2018

    Six Essential Data Protection and Privacy Requirements Under GDPR

    Category: GDPR | DISC @ 10:17 am
    By Leighton Johnson, CISA, CISM, CIFI, CISSP

    With the advent of the European Union (EU) deadline for General Data Protection Regulation (GDPR) (EU 2016/679 regulation) coming up on 25 May 2018, many organizations are addressing their data gathering, protection and retention needs concerning the privacy of their data for EU citizens and residents. This regulation has many parts, as ISACA has described in many of its recent publications and events, but all of the efforts revolve around the protection and retention of the EU participants’ personal information. The 6 main areas for data protection defined in this regulation are:

    1. Data security controls need to be, by default, active at all times. Allowing security controls to be optional is not recommended or even suggested. “Always on” is the mantra for protection.
    2. These controls and the protection they provide must be embedded inside all applications. The GDPR view is that privacy is an essential part of functionality, the security of the system and its processing activities.
    3. Along with embedding the data protection controls in applications, the system must maintain data privacy across the entire processing effort for the affected data. This end-to-end need for protection includes collection efforts, retention requirements and even the new “right to be forgotten” requirement, wherein the customer has the right to request removal of their data from an organization’s storage.
    4. Complete data protection and privacy adds full-functional security and business requirements to any processing system in this framework for data privacy. It provides that business requirements and data protection requirements be equally important during the business process.
    5. The primary requirement for protection within the GDPR framework demands the security and privacy controls implemented are proactive rather than reactive. As its principal goal, the system needs to prevent issues, releases and successful attacks. The system is to keep privacy events from occurring in the first place.
    6. With all of these areas needed under GDPR, the most important point for organizations to understand about GDPR is transparency. The EU wants full disclosure of an organization’s efforts, documentation, reviews, assessments and results available for independent third-party review at any point. The goal is to ensure privacy managed by these companies is not dependent upon technology or business practices. It needs to be provable to outside parties and, therefore, acceptable. The EU has purposely placed some strong fine structures and responses into this regulation to ensure compliance.

    A review of various organizational efforts in preparation for GDPR implementation shows that it is good practice to apply these 6 areas to all collected and retained data, not just EU-based data. This zero-tolerance approach to data breaches is purposely designed to be stringent and strong. Good luck to all in meeting and maintaining the data privacy and security requirements of GDPR.
