Connect with us

Security

The Ultimate Beginners Guide to GDPR Compliance in 2019

Published

on

What is GDPR?

By now you’ve probably all heard the term GDPR. Up until 25th May 2018 the guidelines surrounding personal information, in relation to privacy, were a bit wishy-washy. The Data Protection Directive (1995) did provide some basic guidelines but it simply wasn’t good enough.

We’ve always taken a keen interest in GDPR as many VPN’s have had to make serious changes to the way they operate inc some of the major players like Avast and NordVPN.

The monitoring and sharing of information is now covered under the General Data Protection Regulation (GDPR). This aims to ensure that information is handled responsibly, by any company that deals with personal information and privacy.

According to ICO, there are 7 key principles that GDPR sets out. These are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The principles outlined aren’t rules as such, but more so an outline of fundamentals that should be followed when creating good data protection practice. If individuals or companies fail to comply with the principles, they could be fined up to €20 million, or 4% of your total worldwide annual turnover (whichever is higher).

What was before GDPR?

GDPR is applied throughout Europe, with each country having it’s own amount of control regarding certain aspects of the regulation. The U.K. has implemented the Data Protection Act (2018) which replaces the 1998 Data Protection Act.

The new act was passed through the House of Commons and House of Lords shortly before GDPR came into force.

Impact on businesses

Whether you’re an individual, organisation or company, you may be branded as a ‘controller’ or ‘processor’ of personal data. The Information Commissioners Officer (ICO) outlines exactly what the difference is between controllers and processors.

Businesses who monitor or obtain personal information on a large scale should employ a Data Protection Officer (DPO). The officer’s role should ensure that the company in question complies with GDPR. Any questions or queries regarding data protection should be directed to them.

GDPR applies to businesses that process personal data of EU citizens. This is the case even with businesses who employ less than 250 employees. As previously mentioned, any breach which could impact the rights of data subjects should be reported to the Information Commissioner’s Office (ICO).

If possible, a breach should be logged and reported within a 24 hour period, or 72 hours at the most. Details of the breach and how it is going to be contained and resolved must be outlined to the ICO.

GDPR will give individuals control on how businesses use their data. This also applies to businesses that already have your data. For example, individuals will have the ‘right to be forgotten’. So, if you’re a customer and no longer want a business to hold your personal data, you have a legal right to retract your data.

Helpful checklist for small businesses

GDPR is undoubtedly confusing, and understandably quite stressful! I thought it would be pertinent to put together a checklist for UK small businesses so you know what to expect, and what’s expected of you.

Your small business GDPR checklist should consider past and present employees, suppliers, and customers. It should also consider anyone’s data that you’re processing, collecting, storing, or recording, and using by any means.

1| Understand your data

You will need to understand and demonstrate your understanding of the types of personal data you and/or your business holds. For example, names, addresses, IP addresses, bank details, etc. This also includes sensitive data like religious views and health details. You’ll need to demonstrate that you understand where they come from and how you will be using such data.

2| Think about consent

Does your business require consent to process personal data? Some marketing techniques require consent which makes things much more difficult under GDPR. Consent must be extremely clear and specific, so unless you 100% know what you’re doing tt may be worth avoiding the need to rely on consent unless it’s crucial to your business model.

3| Consider security measures

Your security measures and policies that are in place must be updated to be GDPR compliant. What’s more, if you don’t have any in place already, you should get them pretty quickly! Although there are more specific demands regarding security, as a broad precaution, you could use encryption.

4| Subject access rights

Individuals have the right to access their personal data. You’ll need to ensure that your business is ready to provide this information within a short timeframe if necessary. Individuals may wish to obtain their personal data in order to rectify any issues, simply to have it, or they may wish to erase it altogether. All requests carry a timeframe of one month.

5| Train employees

Employees within your business should be trained in personal data. They will need to understand what constitutes personal data, as well as processes to identify any data breaches. Employees should be aware of who your Data Protection Officer (DPO) is, and any team or individuals related or responsive for data protection compliance.

6| Supply chain

All suppliers and contractors within your business need to be GDPR compliant. This is to ensure that they are not going to cause any breaches and pass any penalties or fines onto you. You will need to make sure that your contracts with your suppliers are updated too, so make sure you obtain a copy of this.

7| Fair processing

As part of GDPR, you must now be able to explain to individuals what you’re using their personal data for. This shouldn’t be a difficult task or one to worry about if you’re using their data fairly and correctly.

8| Data Protection Officer

It’s time to decide whether you need to employ a DPO or not. Small businesses are likely to be exempt, but larger businesses may not. It’s worth checking out to make sure you’re not in breach of any GDPR rules.

Defining consent

As an individual, you may be familiar with pre-ticked boxes when signing up for online accounts, purchasing products, registering for newsletters etc. These boxes were often pre-ticked and somewhat hidden, giving companies access to your personal data. Now, gone are the days of being bombarded by unwanted marketing emails and random phone calls.

Consent has been redefined under the new GDPR rules. Gone are the days of small print and hidden messages where individuals ‘accidentally’ or involuntarily sign up to marketing emails, texts, etc. Policies must be made abundantly clear now and be presented in such a manner.

Rules around pre-existing personal data are a little different. You may not require consent for this, but there must be a legal basis that’s compliant with the Data Protection Act (DPA). The main thing here is to remember that these legislations apply to businesses and consumers!

GDPR statistics 2018

  • Around 59% of UK businesses know the implications that GDPR will have on them.
  • On average, 73% felt that they were prepared when it came to documents and print management.
  • Only 6% of UK businesses made GDPR a priority. This is compared to 30% in France.
  • CNIL (French data protection regulator) reported a 50% increase in the number of complaints since GDPR came into force on 25th May.

Right of Access

Right of access (or subject access) allows an individual the right to obtain their own personal data. Right of access gives individuals the ability to understand how their data is being used and why their data is being used in such a way. This ensures that their data is being used in a lawful manner.

Individuals have the right to obtain certain information from companies, which includes:

  • a copy of an individual’s personal data
  • confirmation that an individual’s personal data is being processed
  • supplementary information (mainly corresponds to information provided in a privacy notice)

An individual, as we know, is entitled to their own personal data. However, they are not entitled to information about other people. On the other hand, if the information they are trying to obtain is about them as well as someone else, this is acceptable.

As an individual, it’s recommended that you ascertain whether the information you’re requesting is defined as personal data or not. You can check to see what’s classed as personal data (to be sure) here.

Am I a Data Controller or Data Processor?

GDPR applies to data controllers and data processors, but what does this actually mean? Data processors refer to operations performed on data, so when data is stored, collected, recorded, shared, etc. Data controllers are also data processors, the difference being is that they decide what the purpose or reason for processing data activities actually is.

Data Processors

As a data processor, there are legal obligations that GDPR require you to do:

  • Keep and maintain up-to-date personal data records. This includes outlining the details of processing activities and data subject categories. Categories refer to customers, employees, suppliers, and the types of processing – transferring, receiving, disclosing etc.
  • Keep and maintain details of transfer to countries that are outside of the European Economic Area (EEA)
  • Implement and maintain security measures that are appropriate, e.g. encryption

If a data processor is responsible for a data breach, they will have a lot more legal liability compared to the DPA. Individuals can make a direct claim against the data processor, so it’s imperative that you understand your responsibilities as one.

Data Controllers

As a data controller, you are by nature a data processor too. The same GDPR requirements therefore apply. However, the GDPR obligations are placed on you and your business to ensure that contracts with processors are compliant and standards are met.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Security

Kaspersky raises alarm over security breaches through apps

Published

on

By

Cybersecurity firm, Kaspersky, has raised an alarm over security breaches, which emanated from apps downloads.

According to it, the target has primarily become mobile devices. Kaspersky noted that in 2019 the number of worldwide mobile phone users is expected to reach 4.68 billion of which 2.7 billion are smartphone users.

It noted that with smartphone users increasing, it makes users more vulnerable. Kaspersky said with several unsecured Wi-Fi connections, network spoofing, phishing attacks, ransomware, spyware and improper session handling – mobile devices make for the perfect easy target. In fact, according to Kaspersky mobile apps are often the cause of unintentional data leakage.

General Manager for Kaspersky in Africa, Riaan Badenhorst, said: “Apps pose a real problem for mobile users, who give them sweeping permissions, but don’t always check security. These are typically free apps found in official app stores that perform as advertised, but also send personal – and potentially corporate – data to a remote server, where it is mined by advertisers or even cybercriminals.

“Data leakage can also happen through hostile enterprise-signed mobile apps. Here, mobile malware uses distribution code native to popular mobile operating systems like iOS and Android to spread valuable data across corporate networks without raising red flags.”

In fact, according to recent reports, six Android apps that were downloaded 90 million times from the Google Play Store were found to have been loaded with the PreAMo malware, while another recent threat saw 50 malware-filled apps on the Google Play Store infect over 30 million Android devices. Surveillance malware was also loaded onto fake versions of Android apps such as Evernote, Google Play and Skype.

Kaspersky said considering that as of 2019, Android users were able to choose between 2.46 million apps, while Apple users have almost 1.96 million app options to select from, and that the average person has 60-90 apps installed on their phone, using around 30 of them each month and launching nine per day – it’s easy to see how viral apps take several social media channels by storm.

Enterprise Sales Manager at Kaspersky in Africa, Bethwel Opil, “In this age where users jump onto a bandwagon because it’s fun or trendy, the Fear of Missing Out (FOMO) can overshadow basic security habits – like being vigilant on granting app permissions.

In fact, accordingly to a previous Kaspersky study, the majority (63 per cent) of consumers do not read license agreements and 43 per cent just tick all privacy permissions when they are installing new apps on their phone. And this is exactly where the danger lies – as there is certainly ‘no harm’ in joining online challenges or installing new apps.”

However, it is dangerous when users just grant these apps limitless permissions into their contacts, photos, private messages, and more. “Doing so allows the app makers possible, and even legal, access to what should remain confidential data. When this sensitive data is hacked or misused, a viral app can turn a source into a loophole which hackers can exploit to spread malicious viruses or ransomware,” Badenhorst added.

Kaspersky advised that online users should be mindful and be more careful when it comes to the Internet and their app habits including: only download apps from trusted sources. Read the reviews and ratings of the apps as well; select apps you wish to install on your devices wisely; read the license agreement carefully; pay attention to the list of permissions your apps are requesting. Only give apps permissions they absolutely insist on, and forgo any programme that asks for more than necessary; avoid simply clicking “next” during an app installation; for an additional security layer, be sure to have a security solution installed on your device.

“While the app market shows no signs of slowing down, it is changing. Consumers download the apps they love on their devices which in turn gives them access to content that is relevant and useful. The future of apps will be in real-world attribution, influenced by local content and this type of tailored in-app experience will lead consumers to share their data more willing in a trusted, premium app environment in exchange for more personalised experiences. But until then, proceed with caution,” Opil said.

Source: https://guardian.ng/business-services/business/kaspersky-raises-alarm-over-security-breaches-through-apps/

Continue Reading

Security

Google publishes Android Q Security Release Notes

Published

on

By

The public release of Android Q is officially a “few weeks away,” and Google is gearing up for the launch. “Android version Q Security Release Notes” published today detail the vulnerabilities addressed by the upcoming version of the OS.

These “Security Release Notes” were published to the 2019 Android Security Bulletins list that’s usually updated on the first Monday of every month. Appearing as the very last entry, this document is formatted in a similar manner. An “Announcements” section states how:

  • The issues described in this document are addressed as part of Android Q. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

A new security patch level of 2019-09-01 is mentioned even though Android Q Beta 6 devices today are still on August 2019. Google notes how “Android Q, as released on AOSP, has a default security patch level of 2019-09-01.”

Android Q, as released on AOSP, has a default security patch level of 2019-09-01. Android devices running Android Q and with a security patch level of 2019-09-01 or later address all issues contained in these security release notes.

However, the fact that Android Q is running the September security patch should not be surprising as Google has been targeting Q3 2019 since March for a public launch.

There are 2 vulnerabilities relating to the Android runtime, 24 as part of Framework, and 2 in Library. Media framework lists 68 and System 97. All entries are classified as “Moderate” severity.

Source: https://9to5google.com/2019/08/20/android-q-security-release-notes/

Continue Reading

Security

Lightning-compatible YubiKey 5Ci could secure your iPhone logins

Published

on

By

iPhone owners with a mind toward security have a new option for protecting their online accounts. On Tuesday, security key manufacturer Yubico announced the $70 YubiKey 5Ci, which the company says is the world’s first Lightning port-compatible security key.

At launch, the 5Ci supports a variety of popular password managers, including 1Password, Dashlane, LastPass and Bitwarden. It’s also compatible with authentication services like Okta. In all those instances, you’ll be able to plug in the 5Ci into your iPhone, launch the security app of your choice and log in to an online account without ever entering a password. And if you happen to use Brave instead of Safari for web browsing, the 5Ci removes the need to first open a password manager first in the case of some online services.

The 5Ci also includes a USB-C port for when you need to log in through an Android device or computer. However, one limitation of the 5Ci is that it currently doesn’t work with the 2018 iPad Pro. We’ve reached out to Yubikey to find the exact reason for this limitation, but we suspect it has something to do with restrictions iOS 12 places on USB-C connectivity. That could change when iOS 13 comes out this fall. The Yubikey 5Ci also doesn’t work with any FIDO-compliant service or app out of the box. In a statement to The Verge, Yubico said third-party developers must add support for the 5Ci to their apps individually. A full list of compatible services is available on the company’s website.

If you’re not familiar with physical security keys, they’re currently one of the most effective ways to protect yourself against online hackers because they remove the need for passwords and one-time codes, both of which malicious individuals can easily intercept in the right circumstances. In 2018, Google said it was able to reduce successful phishing attacks on its 85,000 employees to zero thanks to a new policy of mandatory security keys.

However, at $70 the 5Ci is one of the more expensive security keys out on the market. If you’re looking for something more affordable, Yubico also offers the $45 YubiKey 5 NFC, which is similarly compatible with the iPhone. Another option is Google’s $50 Titan security key, which has the advantage of also working through Bluetooth. And while a security key will help keep you as safe as possible, most people need to start with a simple password manager, as reused passwords are the single largest culprit behind hacked accounts. Once you have a password manager, a security key like the YubiKey 5Ci is a good next step if you want to further secure your online accounts.

Source: https://www.engadget.com/2019/08/20/yubico-yubikey-5ci-iphone-lightning/

Continue Reading
Advertisement

Trending

%d bloggers like this: