
The Ultimate Beginners Guide to GDPR Compliance in 2019

What is GDPR?

By now you’ve probably heard the term GDPR. Until 25th May 2018, when the GDPR became enforceable, the rules surrounding personal information and privacy were a bit wishy-washy. The Data Protection Directive (95/46/EC) provided some basic guidelines, but it dated from 1995 and simply wasn’t good enough.

We’ve always taken a keen interest in GDPR because many VPN providers have had to make serious changes to the way they operate, including some of the major players such as Avast and NordVPN.

The collection, monitoring and sharing of personal information is now governed by the General Data Protection Regulation (GDPR). It aims to ensure that personal data is handled responsibly by any organisation that processes it.

According to the ICO (the UK’s Information Commissioner’s Office), the GDPR sets out seven key principles (Article 5). These are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The principles are not a step-by-step rulebook; they are the fundamentals on which any good data protection practice is built. They are, however, legally binding: infringing them attracts the highest tier of penalty, a fine of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

What was before GDPR?

GDPR applies throughout the EU (and the wider EEA), with each member state having its own degree of control over certain aspects of the regulation. The U.K. has implemented the Data Protection Act 2018, which replaces the Data Protection Act 1998 and supplements the GDPR in UK law.

The new act was passed through the House of Commons and House of Lords shortly before GDPR came into force.

Impact on businesses

Whether you’re an individual, organisation or company, you may be classed as a ‘controller’ or a ‘processor’ of personal data. The Information Commissioner’s Office (ICO) publishes guidance on exactly what the difference is between controllers and processors.

Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data, must appoint a Data Protection Officer (DPO), as must public authorities. The DPO’s role is to make sure the organisation complies with GDPR, and any questions or queries regarding data protection should be directed to them.

GDPR applies to any business that processes the personal data of individuals in the EU, wherever that business is based, and it applies to businesses with fewer than 250 employees too (the 250-employee threshold only relaxes some record-keeping duties). Any breach that is likely to result in a risk to the rights and freedoms of data subjects must be reported to the Information Commissioner’s Office (ICO).

A breach must be reported without undue delay and, where feasible, within 72 hours of becoming aware of it; if you miss that window you must explain the delay. Every breach, reportable or not, should be logged internally. The report to the ICO must describe the breach, its likely consequences and how it is going to be contained and resolved. Where the breach is likely to result in a high risk to individuals, you must tell them as well.

GDPR gives individuals control over how businesses use their data, including businesses that already hold it. For example, individuals have the ‘right to be forgotten’ (the right to erasure). So, if you’re a customer and no longer want a business to hold your personal data, you have a legal right to ask for it to be erased, and the business must comply unless it has a lawful reason to keep it (for example a legal obligation to retain records).

Helpful checklist for small businesses

GDPR is undoubtedly confusing, and understandably quite stressful! I thought it would be pertinent to put together a checklist for UK small businesses so you know what to expect, and what’s expected of you.

Your small business GDPR checklist should cover past and present employees, suppliers and customers, and anyone else whose data you collect, record, store, process or otherwise use by any means.

1| Understand your data

You will need to understand, and be able to demonstrate that you understand, the types of personal data you and/or your business hold: for example names, addresses, IP addresses, bank details and so on. This includes special category data such as religious views and health details, which needs extra protection. You’ll also need to show where the data comes from and how you will be using it.

2| Think about consent

Does your business require consent to process personal data? Consent is only one of the lawful bases GDPR allows, and some marketing techniques do rely on it, which makes things much more difficult under GDPR. Consent must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time. So unless you know exactly what you’re doing, it may be worth avoiding the need to rely on consent unless it’s crucial to your business model.

3| Consider security measures

The security measures and policies you have in place must be reviewed and updated to be GDPR compliant. What’s more, if you don’t have any in place already, you should put some in place quickly. GDPR asks for measures ‘appropriate’ to the risk rather than prescribing a checklist, but it does name two examples: pseudonymisation and encryption of personal data. Encrypting data at rest and in transit, and pseudonymising it wherever a raw identifier isn’t needed, are sensible broad precautions.
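As an added illustration (not code from the original article), the following Python script shows two of the measures GDPR Article 32 names, applied to a customer record: pseudonymisation with a keyed HMAC, so that records can still be linked for reporting without revealing who they belong to, and data minimisation, so that only the fields a reporting job actually needs leave the system of record. The record layout, field names and sample customers are constructed for the example, and the pseudonymisation key is assumed to be stored separately from the data (for instance in a secrets manager). Encrypting the stored records themselves, the other Article 32 example, needs a vetted library such as `cryptography` and is not shown here.

```python
"""Pseudonymisation and data minimisation of customer records.

Added example, not code from the original article. Assumes:
  * a customer record is a dict with the fields used in SAMPLE_RECORDS
    (a constructed layout, not any real product's schema);
  * the pseudonymisation key lives outside the data store (secrets
    manager / HSM), so a leaked extract cannot be re-identified without it.
"""
import hashlib
import hmac
import secrets

# Direct identifiers that must never appear in a minimised extract.
DIRECT_IDENTIFIERS = ("name", "email", "address", "iban")

# The only fields a reporting job genuinely needs (data minimisation).
ANALYTICS_FIELDS = ("plan", "country", "signup_year")

# Constructed sample data; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "address": "1 High Street, Exampleton", "iban": "GB00EXMP00000000000000",
     "plan": "pro", "country": "GB", "signup_year": 2017},
    {"name": "Bob Example", "email": "Bob@Example.org",
     "address": "2 Low Road, Sampleville",
     "plan": "free", "country": "IE", "signup_year": 2019},
]


def new_pseudonym_key() -> bytes:
    """Generate a 256-bit key; rotating it unlinks old and new extracts."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Return a stable keyed pseudonym for a direct identifier.

    A keyed HMAC rather than a bare hash: anyone holding the extract could
    SHA-256 a list of guessed e-mail addresses and match tokens, but without
    the key they cannot recompute the HMAC. Normalising case and whitespace
    keeps 'Alice@Example.com' and ' alice@example.com' as one subject.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    digest = hmac.new(key, canonical, hashlib.sha256).digest()
    return digest[:16].hex()  # 128-bit token, 32 hex characters


def minimise(record: dict, key: bytes) -> dict:
    """Build the analytics view: a pseudonymous subject id plus needed fields."""
    view = {"subject": pseudonymise(record["email"], key)}
    for field in ANALYTICS_FIELDS:
        if field in record:
            view[field] = record[field]
    return view


def leaks_direct_identifier(view: dict, record: dict) -> bool:
    """Guard for pipelines and tests: does any raw identifier value survive?"""
    raw_values = {str(record[k]).lower() for k in DIRECT_IDENTIFIERS if k in record}
    return any(str(v).lower() in raw_values for v in view.values())


def build_extract(records: list, key: bytes) -> list:
    """Minimise every record, refusing to emit one that leaks an identifier."""
    extract = []
    for record in records:
        view = minimise(record, key)
        if leaks_direct_identifier(view, record):
            raise ValueError("minimised view still contains a direct identifier")
        extract.append(view)
    return extract


if __name__ == "__main__":
    key = new_pseudonym_key()
    for row in build_extract(SAMPLE_RECORDS, key):
        print(row)
```

Rotating the key produces extracts that cannot be joined to earlier ones, which is useful when a dataset is handed to a new third party; the flip side is that your own longitudinal reporting breaks at the rotation, so document the key lifecycle as part of the security measures you can show the ICO.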

4| Subject access rights

Individuals have the right to access their personal data. You’ll need to ensure that your business is ready to provide this information within a short timeframe. Individuals may wish to obtain their personal data in order to rectify any errors, simply to have a copy of it, or because they want it erased altogether. All such requests must be answered within one month (extendable by up to two further months where a request is complex or you receive many of them, provided you tell the individual within the first month).

5| Train employees

Employees within your business should be trained in data protection. They will need to understand what constitutes personal data, how to recognise and report a data breach, and who your Data Protection Officer (DPO) is, along with any team or individuals responsible for data protection compliance.

6| Supply chain

All suppliers and contractors that handle personal data on your behalf need to be GDPR compliant, because as the controller you remain responsible for choosing processors that offer sufficient guarantees; a breach on their side can still land fines and claims on you. Your contracts with processors must be updated to include the terms GDPR requires (the subject matter and duration of the processing, the processor’s obligations, security, sub-processing and what happens to the data at the end), and you should keep a copy of each signed contract.

7| Fair processing

As part of GDPR, you must now be able to explain to individuals what you’re using their personal data for. This shouldn’t be a difficult task or one to worry about if you’re using their data fairly and correctly.

8| Data Protection Officer

It’s time to decide whether you need to appoint a DPO. The test is not headcount but what you do: public authorities, and organisations whose core activities involve large-scale monitoring or large-scale processing of special category data, must have one. Many small businesses fall outside that, but it’s worth checking so you’re not in breach of the rules.

Defining consent

As an individual, you may be familiar with pre-ticked boxes when signing up for online accounts, purchasing products, registering for newsletters and so on. These boxes were often pre-ticked and somewhat hidden, giving companies access to your personal data and licence to bombard you with unwanted marketing emails and random phone calls.

Consent has been redefined under the GDPR. Pre-ticked boxes, small print and hidden messages through which individuals ‘accidentally’ or involuntarily signed up to marketing emails, texts and so on no longer count as consent. Consent now has to be a clear affirmative action, and policies must be presented in a way that is abundantly clear.

Rules around pre-existing personal data are a little different. You may not need fresh consent for it, but there must be a lawful basis for continuing to process it under the GDPR and the Data Protection Act (DPA) 2018. The main thing to remember is that this legislation applies to businesses and consumers alike!

GDPR statistics 2018

  • Around 59% of UK businesses said they understood the implications GDPR would have for them.
  • On average, 73% felt prepared when it came to document and print management.
  • Only 6% of UK businesses made GDPR a top priority, compared with 30% in France.
  • CNIL (the French data protection regulator) reported a 50% increase in the number of complaints since GDPR came into force on 25th May 2018.

Right of Access

The right of access (or subject access) entitles an individual to obtain their own personal data and to understand how and why it is being used, so that they can check it is being processed lawfully.

Individuals have the right to obtain certain information from companies, which includes:

  • a copy of an individual’s personal data
  • confirmation that an individual’s personal data is being processed
  • supplementary information (mainly corresponds to information provided in a privacy notice)

An individual is entitled to their own personal data but not to information about other people. Where the information they are requesting is about them and about someone else as well, you cannot simply refuse it: you must decide whether it is reasonable to disclose the third party’s details without that person’s consent, and redact them if it is not.

As an individual, it’s worth checking first whether the information you’re requesting actually counts as personal data; the ICO publishes guidance on what is classed as personal data.

Am I a Data Controller or Data Processor?

GDPR applies to data controllers and data processors, but what does this actually mean? ‘Processing’ covers any operation performed on personal data: storing, collecting, recording, sharing and so on. A data processor is a party that carries out such processing on behalf of someone else. A data controller is the party that decides what the purpose of the processing is and how it is carried out; a controller usually processes data itself as well, but it is the decision-making that makes it the controller.

Data Processors

As a data processor, there are legal obligations that GDPR requires you to meet:

  • Keep and maintain an up-to-date record of processing activities. This includes the categories of processing carried out for each controller and the categories of data subjects (customers, employees, suppliers) and of processing (transferring, receiving, disclosing and so on).
  • Keep and maintain details of any transfers to countries outside the European Economic Area (EEA), and the safeguards relied on.
  • Implement and maintain appropriate technical and organisational security measures, e.g. encryption and pseudonymisation.
  • Process personal data only on the controller’s documented instructions, and tell the controller without undue delay about any breach.

If a data processor is responsible for a data breach, it carries far more legal liability than it did under the 1998 Data Protection Act. Individuals can make a claim directly against the processor, so it’s imperative that you understand your responsibilities as one.

Data Controllers

As a data controller you will normally be processing data yourself too, so all of the obligations above apply to you as well. On top of that, GDPR places the obligation on you and your business to ensure that your contracts with processors are compliant and that the processors you choose meet the required standards.


Mysterious Hackers Hid Their Swiss Army Spyware for 5 Years


It’s not every day that security researchers discover a new state-sponsored hacking group. Even rarer is the emergence of one whose spyware has 80 distinct components, capable of strange and unique cyberespionage tricks, and who’s kept those tricks under wraps for more than five years.

In a talk at the Kaspersky Security Analyst Summit in Singapore Wednesday, Kaspersky security researcher Alexey Shulmin revealed the security firm’s discovery of a new spyware framework—an adaptable, modular piece of software with a range of plugins for distinct espionage tasks—that it’s calling TajMahal. The TajMahal framework’s 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of “files of interest,” automatically stealing them if a USB drive is inserted into the infected machine. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.

“Such a large set of modules tells us that this APT is extremely complex,” Shulmin wrote in an email interview ahead of his talk, using the industry jargon, short for advanced persistent threat, for sophisticated hackers who maintain long-term and stealthy access to victim networks. “TajMahal is an extremely rare, technically advanced and sophisticated framework, which includes a number of interesting features we have not previously seen in any other APT activity. Coupled with the fact that this APT has a completely new code base—there are no code similarities with other known APTs and malware—we consider TajMahal to be special and intriguing.”


Kaspersky says it first detected the TajMahal spyware framework last fall, on only a single victim’s network: The embassy of a Central Asian country whose nationality and location Kaspersky declines to name. But given the software’s sophistication, Shulmin says TajMahal has likely been deployed elsewhere. “It seems highly unlikely that such a huge investment would be undertaken for only one victim,” he writes. “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both.”

Those initial findings may indicate a very cautious and discreet state-sponsored intelligence-gathering operation, says Jake Williams, a former member of the National Security Agency’s elite Tailored Access Operations hacking group. “The extensibility of it requires a large developer team,” Williams notes. He points out also that the ability to avoid detection and the single known victim suggest extreme care in targeting, stealth, and operation security. “There’s all kinds of stuff here that screams opsec and very regimented tasking.”

Shulmin says Kaspersky hasn’t yet been able to connect TajMahal, named for a file the spyware uses to move stolen data off a victim’s machine, to any known hacker groups with the usual methods of code-matching, shared infrastructure, or familiar techniques. Its Central Asian target doesn’t provide any easy clues to the hackers’ identities either, given the vagueness of that description and the number of countries with sophisticated hacker teams and Central Asian interests, including China, Iran, Russia and the US. Nor has Kaspersky determined how the hackers behind TajMahal gain initial access to a victim network. But Kaspersky does note that the group plants an initial backdoor program on machines, which the hackers labelled Tokyo. That backdoor uses PowerShell, a legitimate Windows scripting tool that attackers frequently abuse, to let the intruders spread their compromise, connect to a command-and-control server, and plant TajMahal’s much more multifunctional payload spyware, which the hackers labelled Yokohama, with its dozens of distinct modules.

Yokohama’s Swiss Army-style versatility is what stood out most to Kaspersky’s researchers. While it includes many of the usual, powerful capabilities of state-sponsored spies, it also has some more idiosyncratic features: When a USB drive is plugged into an infected PC, it scans its contents and uploads a list of them to the command-and-control server, where the spies behind TajMahal can decide which files they want to exfiltrate. If the USB drive has been removed by the time the hackers have made up their minds, TajMahal can automatically monitor the USB port for the same drive to pull off that file, and upload it the next time it appears. The spyware has other modules that allow it to flag files that have been burned to a CD, or put into a printer queue.

While none of those features are particularly flashy, they signal a careful adversary taking pains to discern which files among the vast and messy contents of a victim’s computer might be worth stealing. “One would not print information, save it to a USB stick, or burn it onto a CD if this information was not important in some way,” Shulmin says.

Considering its sophistication and eclectic features, it’s remarkable how long TajMahal remained undetected. The Central Asian embassy victim, Kaspersky says, had been compromised since at least 2014. But the compile times of various elements of TajMahal—the time stamps that indicate when a piece of it was programmed—indicate it was active both before and long after that date. Some modules dated back to 2013, while others dated as recently as 2018.

“Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question,” Shulmin writes. “It is a reminder to the cybersecurity community that we never really have full visibility of everything that is going on in cyberspace.”


You Can Now Block People from Adding you to Groups Thanks to this New Whatsapp Privacy Feature


Ever get tired of being added to WhatsApp groups without your permission? WhatsApp is finally rolling out a solution to that problem. On Wednesday it announced new privacy features that let users limit who can add them to group chats.

One notable privacy feature is the introduction of an invite system that basically requires a user’s consent before they can be added to groups. Under this system, users will receive an invite link which carries basic information about the group. Users can choose to join the group via that link; otherwise the link expires in 24 hours.

WhatsApp Now Lets You Block People From Adding You to Groups

Even better, WhatsApp has introduced a setting that lets you stop anyone from adding you to a group directly.

With the new privacy feature, you can select who can send you group invites.

The options are “Everyone”, “My Contacts”, or “Nobody”, which blocks all direct additions so that anyone who wants you in a group has to send you an invite instead. These options are available under Account > Privacy > Groups in the WhatsApp settings.

WhatsApp said the new features are part of updates rolling out from Wednesday, with full global rollout expected to be completed over the next few weeks.

WhatsApp groups are a highly functional and timely feature, but they are also one of the most abused. Without seeking users’ permission, group administrators annoyingly add them to groups.

Some users immediately leave these groups. Others may not feel they can: in family groups, or groups created by someone they know, users feel guilty leaving or hate it when their exit is announced by WhatsApp. As a result, many WhatsApp users would rather not join these groups in the first place.

WhatsApp Uses New Group Privacy Feature to Address Fake News

Beyond this, the new group restrictions also help in the fight against fake news. In countries like Brazil and India, WhatsApp groups are major channels for spreading fake and misleading news.


Several reports show that in India, some political parties create groups based on caste, income levels and religion. With this classification, they bombard these groups with different reports designed to influence their thinking and conversations.

To address these issues, WhatsApp has already introduced several measures, including labelling forwarded messages and limiting the number of chats a message can be forwarded to at once to five.

The new group invite system and blocking tools will help protect users even further.


Microsoft is bringing its Defender antivirus software to the Mac


Microsoft is bringing its Windows Defender antivirus software to macOS today. The software giant is renaming Windows Defender Advanced Threat Protection (ATP) to Microsoft Defender Advanced Threat Protection (ATP) as a result. Microsoft has created a dedicated Defender ATP client for Mac, and it offers full virus and threat protection mixed with the usual ability to perform quick or full scans.

A limited preview will be available for businesses to try out the antivirus protection in environments that have a mix of both Windows PCs and Macs. Microsoft is using its AutoUpdate software on macOS to keep the client up to date, and it will be available on devices running macOS Mojave, macOS High Sierra, or macOS Sierra.

As ATP is limited to businesses, it’s not clear whether Microsoft also plans to bring a consumer version of Microsoft Defender to the Mac. Defender is currently built into Windows 10, offering antivirus protection by default. Either way, Microsoft is offering a limited preview to existing Microsoft Defender ATP customers, who can sign up through Microsoft.
