When it comes to GDPR, one of the most important aspects is creating or enhancing the culture of awareness and processes within your organisation. Our Cyber Wise program provides you with an easy-to-use, fully automated delivery platform to tackle the training and awareness requirements within your team. Our comprehensive reporting gives you complete visibility of your learning uptake, progress and completion, ensuring you can move forward with confidence.
The General Data Protection Regulation (otherwise known as GDPR) is the European Union’s new legislation, designed to protect the data and privacy of EU citizens. It will reshape the way all organisations manage data governance. Much of the GDPR legislation is already covered by the existing Data Protection Act (DPA); however, there are a number of additions and enhancements which mean that GDPR will have a profound impact on the business processes of all organisations, regardless of how well they comply with current data protection laws.
Our awareness process…
Step 1 - Review
Our comprehensive review of your current GDPR and Security awareness position gives us a great insight into your training needs. We start with an entry level, online interactive training course which provides your team with the knowledge they need to be able to identify data and security threats. We then move onto our entry level threat simulation, which tests the knowledge and skills gained through the introductory course. The results of your review are passed onto our Cyber Wise experts for full analysis.
Step 2 - Analyse
The results from your threat simulation help to create the right path for you and your team, with key areas of improvement identified. Areas of knowledge that we test include Spamming, Social Engineering, Phishing, Malware & Ransomware. We also look for habitual behaviours within your team that present challenges when planning for compliance with GDPR. We present our findings to you and your team and explain exactly why it is critical that knowledge improves in these areas.
Step 3 - Teach
Our interactive training program contains over 500 course modules that can be tailored to your specific requirements. Your Cyber Wise program contact will create your customised training schedule and liaise with you on start and end dates. Your contact will keep in touch with you over the lifetime of the course schedule, providing updates on team participation, progress and completion. Results for each course, including individual team member score cards, give you an excellent platform to measure your success.
Security and data awareness isn’t just a one-time exercise: with new threats emerging daily, it is critical that you keep your team up to date. Cyber Wise enhances your security position by providing continuous training updates and timely cyber alerts and information. Our team are dedicated to keeping you safe, meaning you can focus on what you are good at.
Our GDPR Cyber Wise Team
Lyndsey Hayes, IT Director
Lyndsey is one of our Cyber Wise experts and has completed extensive research into the GDPR and what it means for you. As a business owner herself Lyndsey is perfectly placed to help you understand your responsibilities under GDPR.
Matt works closely with Lyndsey and can help you with your data and security awareness as well as with your IT compliance obligations. Matt has over 15 years’ experience helping our clients and their teams get the most from their IT systems.
We have put together a list of the most frequently asked questions regarding GDPR below. If there is anything you cannot find, please get in touch.
When will the GDPR come into effect?
The Regulation will come into effect on the 25th May 2018.
Who does GDPR apply to?
Any organisation which processes and holds the personal data of data subjects residing in the EU will be obliged to abide by the laws set out by GDPR. This applies to every organisation that holds data belonging to EU nationals, regardless of whether or not it is itself based in one of the 28 EU member states. There are also adequacy agreements with 12 other countries, in addition to the EU member states and the three EEA states, whereby the EU believes that data will be protected to the same degree as currently granted by European law.
What responsibilities will companies have under this new regulation?
The rules governing how personal information is used will become much stricter, and GDPR introduces regulations that significantly widen the control owners of personal data have. This means that companies will have to clearly demonstrate that they have consent to hold personal data and justify why they need it, switching the onus from an opt-out approach to ensuring that individuals opt in; the regulations are consent-centric.
What kind of information does the GDPR apply to?
The current Data Protection Directive defines personal data as: “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
This has been extended to include your personal data online, like your IP address, physical information from your computer, such as a MAC address, online financial information and even social media posts. The GDPR will also include sensitive personal data, which are special categories of personal data that uniquely identify a person. This will include genetic data and biometric data.
Are there any specific rules businesses should be following in order to ensure compliance?
Yes, there are – Article 5 of the EU GDPR sets out six privacy principles relating to personal data:
Data should be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
Data must be accurate and, where necessary, kept up to date. Where data is inaccurate, it should be erased without delay
Data must be kept in a form that permits identification of a subject for no longer than is absolutely necessary
Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
What will the penalties be for failing to comply with GDPR?
Failure to comply with the GDPR carries penalties that are far heavier than those under the current Data Protection Act (1998). However, an approach has been introduced whereby the severity of the fine will be determined by the characteristics of the breach. Overtly not complying with GDPR or ignoring formal written warnings from the ICO will likely carry the heaviest fines. Ignorance is not an excuse, and companies in violation may be required to undergo regular data integrity audits. The maximum fine a company can face is 4% of their annual global turnover, or €20 million, whichever is higher.
What effect, if any, does Brexit have on GDPR?
Even though UK Prime Minister Theresa May has now announced a definitive date (29th March 2017) to begin the process of leaving the European Union, and Britain is set to come out of the European Union in 2019, most, if not all, of the GDPR is set to be adopted into UK legislation as early as December 2018.
However, regardless of how much or little Britain decides to adopt of the GDPR (and it is likely that it will be most of it), British companies will have to adhere to the exact same rules and regulations as companies located anywhere in the world, and should not expect any divergence from the GDPR concerning personal data held in the UK.
Do all organisations now have to appoint a Data Protection Officer (DPO)?
It is not necessarily compulsory for all organisations to appoint a DPO, as this depends on a number of factors. According to the ICO, a company should appoint a DPO if:
You are a public company or a public authority (with the exception of courts acting in their judicial capacity)
You are engaged in, or carry out, large-scale systematic monitoring of individuals and user data
Your organisation processes large volumes of personal data, or carries out large-scale processing of special categories of data or data relating to criminal convictions and offences
Even if you don’t appoint a DPO for your company, you must ensure that you have the resources in your organisation to comply with the obligations under the GDPR.
I store my data elsewhere, with a cloud provider. Am I still liable?
If you store your data with a cloud provider, you are not exempt from the GDPR, and should your cloud provider fail to comply with the GDPR, you will not be able to shift the blame onto them.
What rights will individuals have under GDPR?
There are 8 fundamental rights of individuals under GDPR. These are:
The right to be informed – Organisations must be completely transparent in how they are using ALL personal data.
The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to have their personal data deleted or removed without having to give a specific reason for wishing to discontinue.
The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
The right to object – In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
Rights in relation to automated decision-making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or which is based on automated processing.