Blog

By Graham Green April 21, 2022
In 2018 the European Union introduced the General Data Protection Regulation (GDPR). For the first time, this Regulation provided a single set of standardised data protection laws across all member states, allowing individuals to understand how their personal information is being used and to be confident that it is being managed in an acceptable manner. It also made all organisations accountable for the way they handle personal information, by codifying what is allowed and by introducing substantial sanctions for organisations that do not comply. On 23 May 2018 the Data Protection Act 2018 received Royal Assent. This Act applies the GDPR in UK law and supplements it with UK-specific provisions, so the requirements described below apply to every UK organisation.

What is Personal Information?

Personal information is any information that can be used to identify a 'natural' person, that is, a living individual. At the basic level the information can be split into two categories, non-sensitive and sensitive. Non-sensitive information, whilst relating to the individual, will not necessarily allow them to be definitively identified on its own, whilst sensitive information does allow for this definitive identification.

Non-sensitive data therefore includes items that are shared by more than one individual, such as:
- Date of birth
- Post code
- Gender
- Place of birth

Sensitive data are items that are essentially unique to the individual, such as:
- Passport or driving licence number
- Full name
- Mailing address
- Credit card information

One caveat worth keeping in mind: the GDPR definition of personal data covers indirect identification as well as direct identification. A combination of non-sensitive items, for example date of birth together with post code and gender, is frequently enough to single out one person, so a record holding several such items must still be treated as personal data even though none of the individual fields is unique.

The capture, processing and storage of any of this information is governed by seven over-arching principles, set out in Article 5 of the GDPR and carried into the Act, that define the framework upon which the law is based. These are that the:
- Capture and processing of personal information must be lawful, fair and transparent
- Purpose for which the information is captured and processed must be limited and made clear to the individual at the time it is captured
- Amount of information that is captured must be minimised, so that it is only what is needed for the stated purpose
- Captured and processed information must be accurate
- Storage and processing of the captured information must only be undertaken for a defined period of time; after this period the information must be destroyed
- Organisation that is processing the information must ensure that it is appropriately managed to protect its confidentiality, integrity and availability, i.e. its security
- Organisation capturing, processing or storing this information will be held accountable for conforming to these principles

So, What are the Rules for Capturing and Processing Personal Information?

To lawfully capture and process personal data the Act requires that at least one of the following six lawful bases is satisfied:
- The individual, otherwise known as the data subject, freely consents to the capture and processing of the information, and this consent is separate from any other terms and conditions; or
- The capture is undertaken as part of a lawful contract with the individual that defines the information that will be captured and processed, and the reason for this; or
- There is a legal obligation for the organisation to capture this data; or
- The processing is needed to protect the vital interests of the data subject, or of another individual; or
- The processing is undertaken as part of a task in the public interest; or
- The processing is for the purpose of a legitimate interest of the organisation controlling the information (or of a third party), provided that interest is not overridden by the rights of the individual.

Most of the personal information captured by an organisation will fall under one of the first three of these bases, as that is what most organisations deal with in their day-to-day operations and in the delivery of their services. The remaining bases primarily satisfy the needs of the legal process, public bodies or wider organisational interests. Whichever basis is relied upon should be identified and recorded before the data is collected, since it determines what the individual must be told and which of their rights apply.

For some information that can be highly sensitive, and potentially damaging to the individual if used incorrectly, additional safeguards have been introduced. This sub-set of personal information is defined as special category data.

What are these Special Categories of Personal Information? and What extra Conditions Apply?

The Act defines several items of personal information that are seen as being of enhanced sensitivity, and that therefore require extra safeguards to be in place around their capture and usage. These special categories of data are identified as data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for the purpose of uniquely identifying a person
- Data concerning health
- Data concerning a person's sex life or sexual orientation

Data relating to criminal convictions and offences is not formally a special category, but it is subject to its own, similarly strict, conditions under Article 10 of the GDPR and the Act, so it should be handled with the same care.

If data in these categories are necessary, and therefore need to be captured, a more rigorous set of criteria for their capture and processing must be met in addition to one of the six lawful bases above. These enhanced conditions are that the information is:
- Obtained with explicit consent from the individual, meaning an express statement of consent in words (written, or a clear electronic statement the individual actively confirms), rather than consent inferred from an action such as continuing to use a service
- Required to fulfil obligations under employment, social security or social protection law, or a collective agreement
- Processed by a not-for-profit body with political, philosophical, religious or trade union aims in relation to past or current members
- Data made public by the data subject
- Needed in conjunction with the establishment, exercise or defence of a legal claim
- Processed for reasons of substantial public interest under European Union or Member State law
- Needed in conjunction with preventative or occupational medicine and the provision of health or social care systems
- Needed for public interest in the area of public health
- Processed for archiving purposes in the public interest, or for scientific, historical research or statistical purposes

As mentioned above, most businesses will in the main use the more general range of personal information, as only in specific instances will the use of special category information be required. Even where this is found to be the case, explicit consent will usually be adequate to satisfy the needs of the Act, provided the individual can genuinely refuse or withdraw it without detriment. If this is not the case it is probably worth asking whether it is really necessary to capture and process this information in the first place. All businesses capture and process some degree of personal information, even if it is only that relating to their employees.
Therefore, it is imperative that all business managers make themselves aware of their responsibilities under the Data Protection Act. If you would like some advice in identifying the Personal Information that you hold, or guidance in ensuring that you are capturing and processing this information in line with the Act please contact us at info@evolve-ec.com and we would be delighted to talk to you about this or any related matter.
By Graham Green April 11, 2022
The rise of the digital world

Organisations are becoming ever more reliant on the digital world to send information and transact business. Email has become the default method of communication, and connected applications delivered via the cloud are now mainstream. Consequently, the volume of easily available data is growing rapidly. This affects all organisations, both large and small, by driving the need to change the way that they manage their affairs. The security of the data held by an organisation, and by extension of the information and intelligence that can be gleaned from that data, has become one of the primary areas of focus for all businesses.

Why is securing data increasingly important for SMEs?

As an SME, ensuring the security of your data has become increasingly important for the following reasons:
- Larger organisations are using more sophisticated tools and techniques to secure their data, with the result that criminals are switching to targeting smaller, less well protected businesses
- Data is increasingly held in single locations, such as cloud storage applications, rather than on paper in dispersed offices and sites, raising the spectre of a single point of catastrophic failure
- New regulations are being introduced, such as GDPR, which carry increased fines and penalties if data security is breached
- The loss of data belonging to customers and partners is now seen as a major business risk because of the associated loss of trust and reputation

For all these reasons it is becoming important not just to be secure, but to be able to demonstrate that you are securely managing all the information in your possession. The best way of doing this is to introduce an Information Security Management System, tailored to your needs, which will allow you to demonstrate to customers, suppliers, staff and any other stakeholders that you take data security seriously and that you are doing everything practically possible about it.

Isn't Introducing an Information Security Management System Time Consuming and Difficult?

This is a typical question posed by SMEs. A 'management system' sounds complicated and raises visions of armies of administrators who add overhead cost, enforce rigid ways of working and reduce the ability to respond nimbly to any situation. For a small business with limited resources this is a frightening prospect. However, when organised well an Information Security Management System (ISMS) does not need to act as a brake on business activity. Most small businesses are already managing their data well, using tools and techniques that work for them and keep the data secure. All an ISMS will do is document how the current practices work and ensure that they can be viewed as one entity. This will:
- Allow you to demonstrate to anyone who is interested that you are taking data security seriously
- Raise the visibility of the current practices, allowing them to be easily communicated to everyone who needs to know about them, especially new joiners
- Pull everything together, allowing the whole suite of tools, techniques and ways of working to be assessed as one, and any gaps or weaknesses to be identified
- Assign responsibility for each action to an individual, or set of individuals, thereby making sure nothing slips between the cracks
- Build confidence in customers, partners and staff that you are securely managing their data, thereby enhancing your organisation's reputation

So what needs to be considered?

As mentioned above, most small businesses will already have measures in place to reduce the risk of losing data. The ISMS therefore only needs to document how these areas are being handled. The key areas are:
- Physical Security: Ensuring that unauthorised individuals cannot gain access to any locations or equipment
- Personnel Security: Making sure that you employ trustworthy individuals, and that you have trained them to protect themselves and the business from attacks such as phishing
- Cyber or Systems Security: Securing accounts and systems through the use of strong passwords (and multi-factor authentication where available), firewalls and other network security tools; taking backups of critical data and testing that they can be restored; and securing mobile equipment
- Operational Security: Deploying standard ways of working that are known to be safe and secure, rather than expecting everyone to find their own way of undertaking a task
- Contingency Planning and Disaster Recovery: Ensuring that if disaster does strike everyone knows what to do and how to react to get the business back up and running as soon as possible, with the minimum of disruption
- Personal Privacy: This has become more important with the advent of GDPR, but really just means making sure that you only collect the personal data that you need, that you know where it is stored, and that it is stored securely

The vast majority of small businesses are already ensuring that all these areas are covered and managed. The only thing that an Information Security Management System adds is confirmation that this is happening, and that the security tools and techniques are being consistently reviewed to make sure that they are still current and effective.

How Can I Make this Happen?

The first thing to do is to take each of these areas in turn and write down how security is applied to each of them. This can be helped by a trip to the internet, where you will find many frameworks and document templates that are free of charge. The UK government backs the Cyber Essentials scheme as the minimum that any business should meet to protect itself, but note that it only covers the cyber element of the points above, not the physical, personnel, operational or recovery aspects.
Whatever your thoughts the best thing to do, as a minimum, is to begin by listing what you do in each of these areas, and to begin today. If you would like to discuss any of the points raised in this blog please contact Graham at info@evolve-ec.com and he will be delighted to discuss your concerns.