Keynote takeaways – Microsoft Future Decoded 2019


Reflecting on the output from Microsoft Future Decoded 2019 in London on 1st October has taken some time, as the talks on the future direction of technology and its societal impact were truly inspiring and thought provoking. With much talk about the meaningful aggregation and dissemination of data using Azure Artificial Intelligence (AI) and Machine Learning, the message focused on the need to put people at the heart of the change process for AI.

Cindy Rose, CEO Microsoft

Microsoft CEO Satya Nadella’s views were shared by Cindy Rose, Microsoft UK’s CEO, who talked about the need for global tech providers to handle users’ data more responsibly to maintain trust going forward. In her speech Rose reflected on the need for the giants to agree a ‘global ethical and empathetic framework and principles around AI design’ following the ‘Techlash’ debacle of 2018 (Facebook, Amazon, Apple, Google etc.).

Abhijit Akerkar, Head of AI Business Integration

In a later panel session, Abhijit Akerkar (Head of AI Business Integration) emphasised the importance of being hot on business trust and data privacy. Knowing which stakeholders were accountable would mollify users and reassure regulators that (business) models were compliant. Akerkar also added his voice to the need to get employees involved and on board with AI. He said that helping the workforce understand the possibilities and opportunities around AI and chatbots was key, as was aligning company culture, structure and ways of working to drive successful adoption of AI (and to inform decision makers better about why algorithms made the decisions they did).

Microsoft shared some statistics from an AI study of 1,000 organisation leaders and 4,000 employees. Companies were seen to be moving from experimentation with AI (48%) to exploiting AI to solve big business challenges and create vital commercial changes that would distinguish them resolutely from those who failed to adopt AI as part of their business model. It was the 8% who were scaling successfully who were seeing the biggest impact. The UK survey, “Accelerating Competitive Advantage with AI”, found that 56% of UK companies were using AI today and that 11.5% of them would outperform their competitors because of this. This was being achieved through better data science and insights, speed of platform, efficiency outputs, time savings and creating a richer customer experience.

Darren Atkins, CTO, NHS East Suffolk and North Essex Foundation Trust

An example quoted was NHS East Suffolk and North Essex Foundation Trust (ESNEFT), which put nursing staff at the centre of an Azure AI development project with software developer Thoughtonomy to create a robotic process automation workflow. This proved hugely successful (a) because the nurses were central to the process from the start, so were culturally on board through collaboration and keen adopters of the automation workflows, and (b) because the hospital saved 4,500 hours of admin tasks in 12 months, enabling nurses to be redirected to patient care.

A PwC report estimates that AI will contribute up to $15 trillion to the global economy by 2030. For the UK things look promising:

• 36% UK business leaders believe that AI is a skill that will help secure the future of the UK.
• The UK is in the top three countries worldwide for developing AI technology.
• The UK is also in third position for raising AI investment, and second for the number of AI companies based in the UK.

This creates a strong picture of optimism for business and the tech industry as a whole. However, the journey to AI remains challenging. Only 26% of businesses surveyed said they were ready for transformation, so many organisations are clearly still struggling to reach full cloud enablement before they are in a position to accelerate their tech strategy on innovation, true transformation of business opportunities and competitive advantage. Interestingly, there seems to be a huge communication void around this technology between Board and workforce. In the organisations surveyed that intended to adopt AI, 96% of employees had not had any discussion with their bosses about the introduction of AI, and conversely 83% of bosses had not been asked by their employees about introducing AI. Clearly the company vision is not being shared in a way that enables a meaningful conversation to begin.

The power of communication in developing AI

Microsoft emphasised a gear shift in business development execution, asking for leaders to discuss AI more widely and ensure that AI plans were accessible to all, so that AI was democratised and offered inclusivity, as the best outcomes came from ethical integration.

Kate Rosenshine (Head of Azure Solutions Architecture)

Microsoft’s Kate Rosenshine (Head of Azure Solutions Architecture) talked of the need to foster true co-creation involving many voices, not just the technical, but those with social and business skills, to create the business outcome and ‘common language’ required to enable the scaling out of AI. AI, Rosenshine said, requires “the application of business, psychology and technology through a diverse set of skills and mindsets”. Given the way most organisations function in their traditional management style, sharing such a project plan methodology would likely be a considerable challenge, but the rewards would be greatest, re-inventing that business for the twenty-first century.

NHS East Suffolk and North Essex Foundation Trust’s CTO, Darren Atkins, noted in the keynote panel discussion that there appears to be a common fear around the introduction of AI technology. His recommendation for other organisations looking at transformation projects was succinct: first understand what you want to do with technology, then create a roadmap for the next 12-18 months, then, before investing in a solution, ensure you are working with a partner who can support your strategy.

For many organisations, technology solutions often form complex journeys of several parts, involving multiple players.  But trust, openness and inclusivity, in parallel with a strong security and compliance ethic, will offer the best language for good AI design and adoption.  So find your right partner to walk alongside your organisation and take you into this new world offered by AI.

Amicus ITS as a trusted IT Managed Service Provider welcomes all discussions on technology topics.  Call our Sales team today on 02380 429429 for a confidential chat.


ICO reports security failures across all sectors as fines continue to ramp up in 2019

Since May 2018, when GDPR kicked in, the ICO has been progressively investigating data breaches reported to it, and no-one has been spared in its enforcement actions: from local Government officials illegally accessing personal data, to public bodies (including HMRC for data harvesting), the Metropolitan Police (for its handling of Subject Access Requests), the NHS (for illegally accessing medical records), and regulated industries and small businesses carrying out unsolicited communications by email or telephone (affecting up to 4.5 million unsuspecting contacts). In one extraordinary case, a Council employee shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database with other Council staff and external organisations. This ended up on social media and was then used by the gang members themselves. Unbelievable, but sadly true.

Amicus ITS Director of Technology, Security & Governance, JP Norman commented: “The ICO are striking a balance between the severity of a breach individually, the volume of data affected and the harm and distress caused by the breach of security and lack of protocol. We can see from the enforcement notices published across 2018-19 the huge variety of cases that the ICO have dealt with in the last 18 months, and ultimately this illustrates that data responsibility is in the hands of every individual, with fallout picked up by the organisation/company directors”.

Big headline fines this Summer featured the £183.4m fine issued to British Airways following the 2018 cyber incident in which users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested. This represented 1.5% out of a total possible fine of 4% of global turnover. Also announced was the £99.2m fine to the Marriott International hotels group for a data breach in which 339 million guest records globally were exposed over several years following a merger, with a lack of due diligence and security measures being adopted. Both organisations are seeking to defend their position. Other big names included Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000), all for cyber security failures.

Against this backdrop, the ICO Annual Report for March 2018-19, published in July 2019, recognised that 82% of personal data breaches investigated had been closed with no further action, because corrective measures to avoid a repeat had been taken or were being acted upon. We should take this as positive news, as organisations learn to manage their data more responsibly.

JP Norman adds: “All organisations face the same responsibilities around data management and data security. At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and that, if approved, it is done lawfully and safely. Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan. This can be intimidating for businesses of even medium size to get to grips with and act confidently, so we often see the DPO function outsourced”.

Amicus ITS recognises the challenges organisations face and earlier this year published our new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers.  Notably, this service is equally available to SMEs.  Any organisation that is unsure if it has the right security policies and security measures in place can contact Amicus ITS in confidence.  If the service is taken up, this security consultancy could not only save you £000s but also help protect against reputational damage which can be priceless.  Call our Sales team today for a free initial discussion on +44 2380 429429.

Amicus ITS’ privacy policy can be found here

Microsoft rapid response to Windows patching after security scare


Users and organisations running the out of support Windows operating systems Windows XP, Windows 7, Windows Server 2003, Windows Server 2008 R2 and Windows Server 2008 are being urged by Microsoft to undertake urgent patching measures, following Microsoft’s discovery of a critical remote code execution vulnerability.

The severity of its potential impact worldwide has prompted Microsoft to step in and release patches for the out of support Windows XP and Windows Server 2003. Windows XP users will need to download the patch (for the Remote Code Execution vulnerability CVE-2019-0708) from the Microsoft Update Catalogue.

Microsoft spokesman and Director of Incident Response Simon Pope, speaking from the Microsoft Security Response Centre, advised that this vulnerability was ‘wormable’. This means that the user doesn’t have to ‘do’ anything themselves for the damage to occur. Any malware created by hackers to exploit this vulnerability would cause a ripple effect by cross-infecting computers through Remote Desktop Protocol (RDP). Through RDP the attacker could send requests enabling arbitrary code to be run, to view, change or delete data, or to create new accounts with full user rights. This was the experience in 2017 when the WannaCry attack went global.

With millions of users still on Windows 7 machines, Microsoft is not taking any chances and is taking the same holistic steps as in 2017 to protect users, whether on supported or unsupported systems.

Unfortunately, unlike with WannaCry, there doesn’t appear to be a killswitch for someone to discover in this vulnerability, but prudent and expeditious action taken promptly by organisations and their in-house IT teams (or through the direct intervention of IT MSPs like Amicus ITS) can limit the impact. Amicus ITS has already taken immediate steps to instigate the patching for all our customers. In addition, the RDP vulnerability can be mitigated by the good access control and firewall management our Network Team are undertaking.

I would advise vulnerable organisations to update to the latest operating system (currently Windows 10), but to check the following paths as part of their risk mitigation considerations:

1. Upgrade to the latest or near latest operating systems – full mitigation
2. Consider migrating to the 365 / Azure platforms – server mitigation
3. Take up an advanced patching service via Amicus ITS – server and device patch assurance

Any organisations seeking advice or support can contact our Sales team in the first instance by calling +44 (0)2380 429429 or by emailing enquiries@amicusits.co.uk quoting ‘Microsoft Code Exploit 2019’.

JP Norman is the Director of Technology, Security and Governance at Amicus ITS

Happy Data Privacy Day 2019!

It’s Data Privacy Day (@StaySafeOnline) and the National Cyber Security Alliance celebrates this with its annual symposium in San Francisco today.  It marks an opportunity to raise awareness and remind organisations about the importance of safeguarding data, respecting the privacy of individuals, enabling trust and encouraging a culture of cyber security.

Last week, IBM’s CEO Ginni Rometty speaking from Davos in Switzerland at the World Economic Forum, commented that one of the biggest issues for every government right now is privacy of consumer data but that a barrage of regulations could destroy the digital economy.

“Every government is itching to regulate, and the risk we all have is that there’s a great overreaction. The casualty is the whole digital economy.  We have to protect consumer privacy with precision regulation: consent, opt out, ability to delete”.

Rometty added that privacy is sacrosanct. “We (IBM) exist because clients trust us with data. So I think every company now has to do that, when everyone’s looking to benefit from it. If you’re gonna benefit from it, you have to live by those rules,” she said.

Amicus ITS Sales Director Les Keen added, “This is true for all responsible data guardians and a view that Amicus ITS endorses.  As an IT Managed Service Provider we are trusted and relied upon by our customers to manage their data safely.  Today’s event is a great reminder that we all have to keep on our toes to stay safe online and education will always remain at the heart of this – connecting the technologies, processes and people. Happy DPD!”

Any organisation wishing to discuss data protection issues in confidence can contact the Amicus ITS sales team by calling +44 2380 429429.


Leeds first city to launch fully integrated NHS GP Electronic Patient Records service through GP Connect

NHS Digital has announced the launch this week of the first fully integrated GP Electronic Patient Records system, going live in the City of Leeds. Leeds is the second largest city in England with a population approaching 785,000, so a decent test of results in working practice.

This digital transformation has been facilitated by the NHS GP Connect programme service which works with various GP clinical system providers to develop Application Programming Interfaces (APIs) to make data from clinical systems available in standard form, so that it can be used across different systems.  In the case of Leeds, TPP (SystmOne) joined forces with EMIS Health to create this vital, secure backlink to GP practices.

The new system unlocks the digital records of all patients across the City to hospital clinicians, connecting primary and secondary care providers 24×7. It will enable authorised clinical staff to view GP records digitally and have source GP patient information to hand to better inform their care of patients. The move reduces the burden on GP practices of having to share information via traditional unsecured routes like fax. This is the first in a sea change of healthcare updates for the City, as plans are made to add more benefits in 2019. These include secure access to structured medications (to optimise use of medicines), provision of allergies information, a more efficient appointment management system between practices and the integration of social care and mental health care records.

Richard Corbridge, Chief Digital & Information Officer at Leeds Teaching Hospital Trust said: “GP Connect connectivity improves the way data can be used as information in clinical practice throughout the city.  Delivering integrated care for the population is the key goal for every healthcare system and why the investment in digital is so intrinsic to the success of healthcare as a system rather than as silos of excellence.  In Leeds we can now plan to have a fully integrated primary care, social care, hospital care and mental health care record in place throughout the city in 2019, a giant leap and a unique proposition for the NHS.”

Dr John Parry, Clinical Director at TPP said: “This is a very important step to ensuring that patients benefit from having their medical records available for those caring for them, wherever they are receiving care”.

Dr Shaun O’Hanlon, chief medical officer at EMIS Group said: “We are delighted that connectivity via GP Connect is available right across Leeds. This important partnership with NHS Digital is part of our company’s wider commitment to providing the tools for system interoperability using open NHS standards across the UK, and helping clinicians drive up standards of joined up patient care.”

This marks a significant chapter for the NHS in contrast to the dismal days of NPfIT (National Programme for IT), the NHS IT programme started in 2002 and scrapped after 9 years by the then coalition government with a public bill of £10 billion. The journey to transformation in the NHS deploying Electronic Patient Records (EPR) has been slow and painful, but now, with a number of vendors rolling out EPR services across the country (including Cerner, Epic, Emis, Rose, eCare, Intersystems and System C), the pace is quickening for standardised data platforms to make an integrated healthcare service a reality rather than a dream.

French regulators throw the first big GDPR punch at Google with £44m fine

Google has fallen foul of the French data regulator with yesterday’s announcement of an impressive £44m fine against the global search engine giant. In a move that has set the tech industry chattering, this marks the first major European penalty since the rollout of GDPR on 27th May 2018. It was always going to happen sooner or later; it was just a matter of who would be first.

Google’s blunder was its covert process of gathering data to personalise ads without ‘sufficiently’ informing users, burying the detail in terms and conditions and using pre-ticked boxes (contrary to the new legislation).

CNIL, the French equivalent of the UK’s Information Commissioner’s Office, filed two complaints as soon as GDPR came into effect.

Commenting on the severity of the fine, CNIL advised that the action was “justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”.

The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation, which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data.

The fine announced on Monday is far lower than the maximum penalty under the European privacy law, which is 4% of global revenue. For Google, that would be more than $4 billion!

The response has been largely welcomed in the wider MSP community as a prompt to improve marketing processes, a view echoed by Amicus ITS. Like many others today, Amicus ITS uses Account Based Marketing, so the lawful consent required is obtained directly from the customer.

The news is a salutary reminder for firms to remain vigilant in ensuring they comply with GDPR, while offering flexibility in providing services through different marketing channels that create the variety and correct routes for data capture through websites and other means (which these days increasingly means companies offering AI chatbots when communicating services or sharing information with third parties).

Are you surprised by the fine?  Who do you think is going to be next up for punishment?  Give us your thoughts.

Beware Santa’s horses bearing gifts

’Tis the season to be crafty! Just as Amicus ITS was reaping the results of its own staff competition to design a winning Christmas e-card for 2018, with online gift card vouchers as prizes, came the news report issued last Monday by security firm Barracuda Networks that Santa has gone a bit phishy, in a Gremlins kind of way, in the run up to Christmas.

The increasing sophistication of social engineering has created a new workplace cyber security scam targeting receptionists, office managers and executive assistants. The report states: “These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals”.

Here, the attackers pretend to be the CEO or a senior manager, using tactics like implied urgency and directed emails asking specifically for, say, Google Play gift cards. Phishing emails can also include a ‘signature’ implying the message was sent from a mobile device. Alternatively, the scam can be built around a secret ‘reward’ for employees. There are no malicious payload links or suspicious file attachments, and the emails are often sent from trusted email domains.

Spokesman for Barracuda Networks, Asaf Cidon commented: “When sending social engineering-based attacks, attackers have always used context and timing to their advantage – and the Christmas season has opened the door wide to a lot of cleverly designed executive impersonation”.

What can you do about it?
Organisations should have the relevant anti-malware, anti-spyware and anti-adware tools in place. Other security tools can include more advanced anti-spyware software and AI-based security solutions that detect anomalies such as email addresses the CEO would not use, or behaviour that would be recognised as uncharacteristic. But alongside all of these technical capabilities, it comes back to having an educated and informed workforce across the board, vigilant and trained to spot attack attempts and to know the right remedial steps to take:

• Use HR to work with IT to help with employee messaging to avoid falling for these scams and to understand what technology is needed to ward off the attacks.
• Awareness spread through the employee network should reduce the time between attack and detection and prevent more extensive damage.
• If a gift card email scam hits your organisation, why not put a procedure in place requiring employees to gain direct management approval to verify any financial request?
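As an added illustration of the “anomalies in email addresses” and behaviours the text describes (this is example code written for this post, not Barracuda’s product or anything from the original report), the scorer below combines the signals named above: an executive’s display name on a mailbox that is not theirs, an external or mismatched Reply-To domain, gift card wording, urgency and a mobile-device signature. The organisation domain, the executive directory and the two sample messages are all constructed for the demo.

```python
"""Added example (not from the original post or from Barracuda Networks): a small
heuristic scorer for executive-impersonation gift card emails of the kind described
above. The organisation domain, the executive directory and the two sample
messages are constructed for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                          # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.org"}   # assumed CEO display name -> real mailbox

GIFT_CARD_RE = re.compile(r"\b(gift\s*cards?|google\s*play|itunes|amazon)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent(ly)?|asap|right away|immediately|today|in a meeting|can'?t talk|quick(ly)?)\b", re.I)
MOBILE_SIG_RE = re.compile(r"sent from my (iphone|ipad|android|mobile|samsung)", re.I)

# No single signal is decisive; the display-name mismatch carries the most weight
WEIGHTS = {
    "exec_impersonation": 3,   # display name of a known executive, but not their mailbox
    "external_domain": 1,      # sender is not on the organisation's own domain
    "reply_to_mismatch": 2,    # replies are steered to a different domain than the From
    "gift_card_request": 2,
    "urgency": 1,
    "mobile_signature": 1,     # "Sent from my iPhone" used to excuse brevity and odd phrasing
}
THRESHOLD = 4


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, sorted list of reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    reasons = set()
    real_mailbox = EXECUTIVES.get(display.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        reasons.add("exec_impersonation")
    if _domain(addr) != ORG_DOMAIN:
        reasons.add("external_domain")
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.add("reply_to_mismatch")
    if GIFT_CARD_RE.search(text):
        reasons.add("gift_card_request")
    if URGENCY_RE.search(text):
        reasons.add("urgency")
    if MOBILE_SIG_RE.search(text):
        reasons.add("mobile_signature")
    return sum(WEIGHTS[r] for r in reasons), sorted(reasons)


def is_suspicious(raw):
    """True when the combined score reaches the review threshold."""
    return score_message(raw)[0] >= THRESHOLD


# --- constructed sample messages (not real mail) ---------------------------
PHISH = """From: "Jane Doe" <jane.doe.ceo@mail-example.net>
To: assistant@example.org
Subject: Quick task
Content-Type: text/plain

Are you at your desk? I need 5 Google Play gift cards for a client today.
I'm in a meeting so can't talk, send me the codes when done.

Sent from my iPhone
"""

LEGIT = """From: "Jane Doe" <jane.doe@example.org>
To: assistant@example.org
Subject: Q3 figures
Content-Type: text/plain

Please put the Q3 figures in the shared folder for review next week. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

A hit only flags the message for the management-approval step the post recommends; the weights and threshold are illustrative and should be tuned against an organisation’s own mail.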

Have you experienced this type of attack? How did you react? Anyone seeking advice on security measures around their IT systems can contact Sales on 02380 429429.

‘Orangeworm’ the new superworm hacking group that’s targeting healthcare

Hacking activity targeting the healthcare sector continues to rise. New security research just released by Symantec has identified a global hacking group called ‘Orangeworm’. Though its targeted victims accounted for a small number of organisations in 2016 and 2017 (mostly in the USA and Asia), some were identified as being based in Europe. Analysis by industry has revealed that the healthcare sector is Orangeworm’s primary target, with 39% of hacking outcomes manifesting in this data rich sector, which includes hospitals and pharmacies.

Symantec said, “Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack”.

Orangeworm’s wormable trojan, named ‘Kwampirs’, is able to vet the data on a machine to determine if the computer is used for research or contains high value data targets, e.g. patient information. Kwampirs then creates a backdoor on compromised computers, enabling the hackers to remotely access equipment and steal sensitive data, and it survives reboots.

The trojan worm has a penchant for machine software on critical hospital equipment which includes kit like x-ray machines and MRI scanners, as well as machines used to assist patients in completing consent forms.  If the ‘victim’ computer is of interest, the malware then “aggressively” spreads itself across open network shares to infect other computers within the same organisation and uses built-in commands to grab data. This includes “any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.”

The supply chain is a key part of this vulnerability funnel, with targets including manufacturers providing medical devices and technology companies offering services to clinics, plus logistics firms delivering healthcare products.

Director of Technology, Security & Governance, JP Norman advises: “Ensure your anti-malware provider can detect Kwampirs activity and, to prevent and detect an infection, ensure that:

• A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
• All operating systems, anti-virus and other security products are kept up-to-date.
• All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
• Strong password policies are in place and password reuse is discouraged.
• Network, proxy and firewall logs are monitored for suspicious activity.
• User accounts accessed from affected devices are reset on a clean computer.”

Sales Director, Les Keen added, “Where there is the option for healthcare / supply chain organisations to prioritise IT funding, updating the Operating Systems is a primary, as is ensuring a strong and regular policy on Patch Management. Our Sales and Security teams are always on hand to review and audit organisational IT infrastructure and offer holistic remediation advice as part of our security readiness programmes. Just call us on +44 2380 429429”.


Warning to UK Public Sector about leaky Amazon Web Services

Amazon Web Services (AWS) is currently in the news for all the wrong reasons. Its Simple Storage Service (S3) containers, known as ‘buckets’, have been successfully targeted by hackers. The AWS buckets have been found to be alarmingly leaky, enabling the new Buckhacker search engine tool to readily access unsecured sensitive data.

AWS is one of the UK Government’s chosen cloud service providers: GOV.UK PaaS runs from AWS in Ireland (a UK-based hosting centre is planned for 2018) and is accredited for handling personal and confidential information classified at ‘Official’ level.

Users are able to search either by ‘bucket’ name, which will typically include the name of the company or organisation using the bucket, or by filename. The service collects bucket names, grabs each bucket’s index page, analyses the results and stores them in a database for others to search. There are other tools like AWSBucketDump, and according to the hackers exposed buckets can also be trawled for rich pickings with a specific Google search.

Buckhacker was created by anonymous hackers; one of its developers commented: “The purpose of the project is to increase the awareness on bucket security, too many companies were [sic] hit for having wrong permissions on buckets in the last years”.
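The “wrong permissions” the developer refers to are usually a bucket ACL or bucket policy that grants rights to everyone. The check below is an added example (not from the original article, from AWS or from Buckhacker) that audits a bucket’s ACL and policy documents for such grants; the two documents are constructed in the shape AWS returns them, the bucket names are placeholders, and the group URIs are the real AWS predefined groups.

```python
"""Added example (not from the original article or from Buckhacker): audit an
S3 bucket's ACL and bucket policy for public grants, i.e. the permissions that
let anyone list a bucket's index page or fetch its objects. The sample documents
are constructed in the shape AWS returns them; the bucket names are placeholders."""
import json

# S3 predefined groups that make a grant public (real AWS group URIs)
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def acl_findings(acl):
    """One finding per ACL grant made to a public group.
    A bucket-level READ grant is what allows the bucket index to be listed."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(
                f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def _principal_is_public(principal):
    # Bucket policies express "everyone" as "*" or {"AWS": "*"} (possibly inside a list)
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_findings(policy):
    """One finding per Allow statement whose principal is everyone."""
    if isinstance(policy, str):           # the policy is normally handed back as a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may appear without a list
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Condition"):
            # a Condition (source IP, VPC, etc.) may narrow "everyone"; flag for manual review
            findings.append(
                f"policy {sid}: public Allow for {', '.join(actions)} with Condition, review manually")
        else:
            findings.append(f"policy {sid}: public Allow for {', '.join(actions)}")
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine ACL and policy findings into one report for the bucket."""
    findings = acl_findings(acl) + (policy_findings(policy) if policy else [])
    return {"bucket": name, "public": bool(findings), "findings": findings}


# --- constructed sample documents (placeholder bucket names and owner id) --
OWNER = {"ID": "constructed-canonical-owner-id"}

LEAKY_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::constructed-leaky-bucket/*",
    }],
})
PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for report in (audit_bucket("constructed-leaky-bucket", LEAKY_ACL, LEAKY_POLICY),
                   audit_bucket("constructed-private-bucket", PRIVATE_ACL)):
        print(json.dumps(report, indent=2))
```

Object-level ACLs and account-wide public access settings are a separate check; this covers only the bucket’s own ACL and policy.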

Clearly, it is in the public sector’s interest not to risk exposure of any sensitive data (its own or the public’s), so a prime consideration for any public sector organisation is to scrutinise the credentials, security performance and data sovereignty protections of its chosen cloud provider. Public sector organisations struggle to find funding in already tight IT budgets to defend against cyber attack, but with so many different lines of attack facing them, IT managers are having to take a risk-based approach to identify where to allocate their limited funds.

Amicus ITS Director of Technology, Security & Governance JP Norman commented: “It is worth remembering that the security of the data, no matter where it resides, is the responsibility of the Data Controller in each organisation. There are ways to provide security assurance in the cloud layer that conform to the basics of Cyber Essentials. Furthermore, the right partner organisation, such as Amicus ITS, can act as a cloud broker providing proven security assurance recommendations and actions to mitigate such risks.”

At Amicus ITS, we are happy to challenge the status quo, as we brand ourselves as the safe pair of hands for our customers. So with any digital transformation journey we will ensure intelligent, joined up thinking so that our Security and Governance views chime with those of our technical architects and sales professionals.

GDPR (EU data protection) from an HR perspective

The GDPR will replace the mixed blend of 28 different EU Member States’ laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonisation throughout the EU. Its main objectives are threefold:

1. The GDPR increases the rights for individuals.
2. It strengthens the obligations for companies.
3. The GDPR dramatically increases fines in case of non-compliance, up to €20m (£17m) or up to 4% of total worldwide annual turnover.

What important changes should be on your HR team’s radar?

1. Consent – Under GDPR an employee’s consent remains a legitimate basis for processing his or her personal data. However, such consent must be “freely given, specific, informed and unambiguous” and clearly “distinguishable”. Further, it is important that the employee is able to withdraw their consent as easily as they gave it in the first place. In light of the clear stipulations around the form that the employee’s consent must take, it is highly unlikely that blanket data protection consent clauses in contracts of employment and policies will suffice.

2. Subject Access Requests – The right of employees to request information about the personal data processed by the employer remains broadly the same. However, under GDPR the starting position will be that the employer must respond to a request without undue delay. The current 40 days will be replaced by 30 days. The £10 fee some companies levy for making the request will be abolished.

3. New (and enhanced) Rights – GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will be armed with a suite of so-called “delete it, freeze it, correct it” rights which are aimed at giving them more control (in certain circumstances) over how their personal data is processed.

4. Data Breach Notification – In the UK employers must notify personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. The term ‘personal data breach’ covers a plethora of common workplace mistakes such as a laptop or file left on a train or an e-mail sent to an incorrect address. It is important to remind employees that even apparently minor incidents must be reported internally if data has been lost or compromised.

5. Routine CRB Checks – Enhanced DBS checks will still be permitted; however, if employers adopt a routine policy of conducting DBS checks on all employees regardless of role, and whether or not there is an English legal requirement to that effect, this may be unlawful under the GDPR. Although standard and enhanced DBS (Disclosure and Barring Service) checks will still be permitted under GDPR, employers (as it currently stands) will not be able to conduct routine basic DBS checks on all employees (unless their role requires them to be security cleared).

GDPR has already started to appear in the CJEU’s (Court of Justice of the European Union) soft case law (AG Opinion in Manni)
The recent judgment of the CJEU in Case C-398/15 Manni (9 March 2017) brings a couple of significant points to EU data protection case law:

• The court clarifies that an individual seeking to limit the access to his/her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his/her company ceased to exist;
• The court clarifies that the individual has the right to object to the processing of that data, based on his/her particular circumstances and on justified grounds.

Organisations should be checking that all their HR staff are fully engaged on GDPR, to ensure a comprehensive grasp of the responsibilities and actions required ahead of implementation. How ready is your HR department? Let us know.