GDPR (EU data protection) from an HR perspective

The GDPR will replace the mixed blend of 28 different EU Member States’ laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonisation throughout the EU.   Its main objectives are threefold:

1. The GDPR increases the rights for individuals.
2. It strengthens the obligations for companies.
3. The GDPR dramatically increases fines in case of non-compliance, up to €20m(£17m) – or up to 4% of total
worldwide annual turnover.

What important changes should be on your HR team’s radar?

1             Consent – Under GDPR an employee’s consent remains a legitimate basis for processing his or her personal data. However, such consent must be “freely given, specific, informed and unambiguous” and clearly “distinguishable” Further it is important that the employee is able to withdraw their consent as easily as they gave it in the first place. In light of the clear stipulations around the form that the employee’s consent must take, it is highly unlikely that blanket data protection consent clauses in contracts of employment and policies will suffice.

2            Subject Access Requests – The right of employees to request information about the personal data processed by the employer remains broadly the same. However, under GDPR the starting position will be that the employer must respond to a request without undue delay. The current 40 days will be replaced by 30 days. The £10 fee some companies levy for making the request will be abolished.

3             New (and enhanced) Rights – GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will be armed with a suite of so-called “delete it, freeze it, correct it rights” which are aimed at giving them more control ( in certain circumstances) over how their personal data is processed.

4              Data Breach Notification – In the UK employers must notify personal data breaches to the Information Commissioner’s Office (ICO) with 72 hours of becoming aware of it.  The term ‘personal data breach’ covers a plethora of common workplace mistakes such as a laptop or file left on a train or an e-mail sent to an incorrect address. It is important to remind employees that even apparently minor incidents must be reported internally if data has been lost or compromised.

5             Routine CRB Checks – Enhanced DBS checks will still be permitted, however if employers adopt a routine policy of conducting DBS checks on all employees regardless of role and whether or not there is an English legal requirement to that effect, this may be unlawful under the GDPR.  Although standard and enhanced DBS (Disclosure and Barring Service) checks will still be permitted under GDPR, employers (as it currently stands) will not be able to conduct routine basic DBS checks on all employees (unless their role requires them to be security cleared).

GDPR has already started to appear in CJEU’s (Court of Justice European Union) soft case law (AG Opinion in Manni)
The recent judgment of the CJEU in Case C-398/15 Manni (9 March 2017) brings a couple of significant points to the EU data protection case law:

• The court clarifies that an individual seeking to limit the access to his/her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his/her company ceased to exist;
• The court clarifies that the individual has the right to object to the processing of that data, based on his/her particular circumstances and on justified grounds.

Organisations should be checking that all their HR staff are fully engaged on GDPR to ensure there is a comprehensive grasp of the responsibilities and actions required ahead of implementation.  How ready is your HR department?   Let us know.

 

 

C Level Execs Reveal UK Business Still Not Prepared for GDPR

Trend Micro’s recently published survey has revealed a worrying lack of recognition that GDPR is going to seriously impact UK business if left unmanaged.  The results revealed a lax attitude about the severity of what is around the corner if data protection is not diligently overseen for compliance to ensure that employees, directors and decision makers all use data correctly.  The survey stats revealed the following:

•    Senior execs shunned GDPR responsibility in 57% of businesses.
•    Only 21% of businesses surveyed currently have a senior executive involved in the GDPR process.
•    66% were dismissive about the amount they could be fined.
•    42% of businesses do not know that email marketing databases contain PII.

•    In an example given, businesses were very uncertain as to who was accountable for the loss of EU data by a US service provider – with only 14% correctly identifying it is the responsibility of both parties.

•    Businesses were broadly found to lack the expertise to combat threat:

o   Only 34% have implemented advanced capabilities to detect intruders
o   Only 33% have invested in data leak prevention
o   Only 31% have employed encryption technologies

JP Norman, Amicus ITS Director of Technology, Security & Governance urged a proactive response without delay for anyone not already taking steps.  “Any organisation that does not recognise the importance of GDPR compliance and data protection responsibility needs to wake up fast.  A data breach after next May will no longer result in the organisation facing a slap on the wrist, some reputational damage and a manageable fine.  We have worked closely with the ICO and recommend their 12 step guide as a starting point for review.  Whatever challenges businesses think we may face through Brexit, GDPR has the potential to wipe businesses off the map entirely.  For the public sector, where the purse is controlled by Government and ringfenced locally, this will become even more damaging – personally, financially and politically.  However, whereas the cap is currently £500,000 till May 2018, this corporate penalty will rise to up to 4% of global turnover or a €20 million fine plus the potential of criminal prosecution thereafter.  I would urge all organisations who have not begun their information audit to start now”.

 

Building the blocks around the smartest cryptocurrency on the market



We’re talking Blockchain – but it began with Bitcoin.

So what is Bitcoin?
Bitcoin is a cryptocurrency and a digital payment system.  Invented by an unknown programmer (or a group of programmers), it was released as open-source software in 2009. There is a market cap with Bitcoin.  The value of an individual Bitcoin has increased substantially during this time, every year more and more merchants and vendors accept bitcoin as payments for goods and services, and millions more unique users are using a cryptocurrency (digital) wallet.

Why is there a worry about Bitcoin?
There are many concerns related to Bitcoin, price volatility, doubts around legal status, tax and (lack of any) regulation, Bitcoin has been notorious in criminal activity, and is well renowned for the role it has in cyber-attacks like Ransomware.  But for believers, Bitcoin has huge upsides, de-centralised thus outside the control of a central authority, privacy, deflationary, low cost to transfer funds across borders, but most it is an attractive “store of value”.

Why is Bitcoin important?
Bitcoin is important because it requires a blockchain.  A blockchain is an undeniably ingenious invention, but since Bitcoin, blockchain has evolved into something greater.  And the main question every person is asking is – what is a blockchain?

So what is a blockchain?
The simplest explanation “Blockchain is to Bitcoin, what the internet is to email. A big electronic system, on top of which you can build applications. Currency is just one.”  Sally Davies, FT Technology Reporter.

How does blockchain work?
A blockchain is a distributed database that is used to maintain a continuously growing list of records, called ‘blocks’.   Each block contains a timestamp and a link to a previous block. A blockchain is typically managed by a peer-to-peer network collectively adhering to a protocol for validating new blocks. By design, blockchains are inherently resistant to modification of the data. Once recorded, the data in any given block cannot be altered retrospectively without the alteration of all subsequent blocks and a collusion of the network majority.   Functionally, a Blockchain can serve as “an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way”.

“The blockchain is an incorruptible digital ledger of economic transactions that can be programmed to record not just financial transactions but virtually everything of value.” Don & Alex Tapscott, authors Blockchain Revolution (2016).

Blockchains are secure by design and are an example of a distributed computing system with high Byzantine fault tolerance.  Decentralised consensus has therefore been achieved with a Blockchain.  This makes Blockchains potentially suitable for the recording of events, medical records and other records management activities, such as Identity Management, transaction processing and documenting provenance.

The entire financial, legal, and record-keeping industries are being disrupted using this decentralised, secure, and inexpensive method. It has therefore caught the eye of the Bank of England plus other large organisations including Microsoft, IBM and Cisco have consequently started to take note of it.

In summary the opportunities are infinite.

People need to understand that “blockchain” is NOT the same thing as “Bitcoin”.

Bitcoin was the first blockchain system designed, but there have been a number of others since then which are very different, designed by different people, often for different purposes. These people are in the business of designing things for use by corporations to operate their businesses to drive a competitive edge. This is no different to what Amicus ITS has been doing for 30 years, problem solving and designing solutions that deliver business value as we look constantly to the horizon at future technologies.

Click here to read our White Paper

Bot technology offers a new era in seamless business support

Conversational apps and services, such as Apple’s Siri and Microsoft’s Cortana have managed to find a way into peoples’ everyday lives as a way of finding answers to questions, quickly.

These conversational apps, also called ‘Bots’ which are a form of Artificial Intelligence (AI), are not limited to just answering questions, but can, using ‘natural conversation’ enable users to interact with services (be it ordering a pizza without looking at a traditional menu, or providing technical support to an employee’s PC issue).

Bots can be interacted with by either voice or text and can come in the form of a website, an app, or integration into existing services such as:  Skype for Business; Facebook Messenger; Cortana; Microsoft Teams and more. Bots can be accessed via a wide range of devices from smart phones to laptops and even devices without screens.

So why should businesses consider developing their own Bots?

The advantages of Bots to a business should be obvious – without the need of a dedicated and extensive support desk to handle queries for your own website, app or service, you could bake in support for bots inside your own website, app or service.  This way users would have access to the same support tools using natural conversation, without leaving the screen that requires assistance.

Bots can work well on their own, but they work even better with the help of humans when they hit the limit of their coded knowledge.   Bots are primarily programme driven but are inevitably only be as good as they are designed and coded by humans.  The Bot experience is intended to be seamless to the user, even if the Bot’s script has reached its end and it needs to interface to get guidance from a service desk.  The user talking to the Bot just enjoys a single trafficked conversation without seeing any splits.

The disadvantages at the start of the Bot technology process was in the creation period as building a coding system from scratch to handle conversational queries and integrate across known and used services was a monumental task. The good news however is that a lot of this work has now been done and is being made available as a foundation to consumers to build their own Bots. Microsoft is currently taking the lead in this area with its own Bot Framework, currently in preview.

Bots are no longer reserved by the technical giants of the world.  With the tools to create Bots having been developed and distributed, this makes Bots accessible to a wide array of devices and services. We will soon see a lot more Bots out in the wild from a wide variety of businesses and tech hobbyists. This influx in Bots could impact the technical landscape in a similar way that mobile Apps achieved when their tools became readily available – like with the original arrival of Apps in 2008 for Apple with the iPhone 3G.  So those who can make a strong brand early on will see stronger success as the platform evolves over time – and Bots could become a regular feature as part of the service desk toolkit for IT Managed Service Providers in future.

 

Work with your Security and Governance teams to thwart cyber attacks

A Petya ransomware attack suspected to be a modified EternalBlue exploit is currently spreading around the world as we go to press, with UK and European organisations already affected and shipping company Maersk and ad agency WPP announcing problems with systems down.

With only a few days since the attack on the UK Government on Friday 23rd June, security experts are describing such high profile attacks as the ‘new normal’.  Weak passwords on email accounts were to blame for around 90 parliamentarians being attacked.  An official spokesperson commented that users had failed to adhere to official guidance from the Parliamentary Digital Service.  Immediate remediation of disabling remote access was put in place as a precaution whilst further investigation were made.

This follows hot on the heels of last week’s report by Which, revealing that communications giant Virgin’s consumer Super Hub 2.0 router was found to be vulnerable to hacking for those who had not changed the default wifi password setting, felt by experts to be too short and not sufficiently complex.  Virgin are not alone amongst Internet Service Providers for issuing relatively simplistic wifi keys according to penetration testing experts.  Future success in thwarting attack will require 1) a change of culture from consumers to proactively change the default password on any wireless device and 2) for retailers to ensure that directions for changing the password are immediate to access the service, easy to read and quick to do.

And all of this just one month since the WannaCry cyber attack on NHS England which was amongst around 70 organisations hit worldwide.  Brian Lord, former Deputy Director for Intelligence and Cyber Operations at GCHQ commented in May that this was due to a change from low level theft and use of ransomware in the past few years to now internationally organised crime.  Todays criminal networks could generate sustained and co-ordinated attacks into the backs of ageing IT systems, delivering a simple tool at mass scale to vulnerable areas – in this case, systems where Microsoft security patches hadn’t been updated.

The clear messages from these tales of woe are:

•    Ensure effective security and governance procedures are in place for businesses and institutions – and that these are shared, understood and abided to by all staff without exception through regular training and education awareness.
•    Consider two factor authentication and more intelligent solutions around identity management and password tools to keep the door closed to wrongful access.
•    Protect older, more vulnerable Operating Systems through regular security assessments and vulnerability detection programmes to scan your networks and find holes in perimeter security to help target your patching priorities.

Rome wasn’t built in a day, but organisations that do not have strong and effective preventative measures can easily fall in one day.  Keep security at the forefront of your thinking and actions.  Read our full article on Ransomware here

ICO starts to bear its teeth ahead of GDPR as fines start ramping up

New research from PwC reveals that the Information Commissioner’s Office (ICO)  levied 35 fines in 2016 for breaches of the Data Protection Act (DPA). This is almost double the 18 fines from the year before.

Those fines totalled £3.2 million, which makes the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). However, figures across Europe pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines. The PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.

Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.

This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000 – although it is yet to do so. The largest fine a UK organisation has received from a breach of data protection laws has been £400,000 which was levied against Kerboom Communications in May 2017 and TalkTalk last year.

PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change”.

It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?

Countering ransomware – it’s time to patch the human

Ransomware relies on human fallibility crypto-ransomware, malware that extorts money from victims by encrypting their files and systems until they pay a ransom, has been much in the news since WannaCry hobbled IT systems around the world last month. While much was made of the fact that WannaCry spread through networks by exploiting SMBv1 vulnerabilities in unsupported Windows systems (such as Windows XP, Windows 8 and Windows Server 2003), it is unusual for ransomware to self-replicate in the way WannaCry did.

Often, ransomware, in common with most other forms of malware, is spread by drive-by downloads or phishing campaigns, both of which exploit human error. So, even if you use robust anti-virus and anti-malware solutions, conduct regular penetration tests and ensure you keep your systems up to date and install the latest patches, your system could still be compromised thanks to a careless employee.

According to a 2016 report by SentinelOne:

  • 39% of organisations in the UK were hit by ransomware in the previous year
    • 72% of those infections were attributable to phishing
    • 38% were attributable to drive-by downloads from compromised websites

People are frequently acknowledged as the weakest link in any security system. But with better levels of staff knowledge, companies are more secure as you can, in effect, ‘patch’ your employees. Therefore, a best-practice approach to information security such as an ISO 27001 compliant ISMS (Information Security Management System), follows a holistic approach that addresses people as well as processes and technology.

Amicus ITS takes security seriously.  “We say security is part of our DNA here” advises  JP Norman, Director of Technology, Security & Governance, “and I consistently refer to the importance of “the squishy bits” (ie. the people) in IT management.  You can deploy the best systems and infrastructure money can buy –  but you have to ensure your people are trained too.”