4Nov, 2020
    Implementing a GDPR Compliance Program

    By Wendell La Fortune

     

    As it stands, the legislation does not provide a clear definitive, quantitative statement on what compliance is, nor when it has been achieved.

     

    The iterative steps enumerated below takes into account and considers the requirements specified in the legislation for the obligations placed on controllers and processors.

     

    An assessment of your organisation’s current level of compliance with the GDPR(to determine current state), as this will help to identify the areas you need to address to both achieve and demonstrate compliance.

     

    The process should include but not be limited to:

    analysis of your organisation’s processes and procedures relating to data management, governance, risk management and implementation of appropriate technical and  organisational controls.

     

    You must develop and implement policies that  considers and covers the following:

     

    GDPR  6 Core Processing Principles 

    6 Lawful Processing Basis Review

    Data Subject Rights

    International Transfers

    Controller and Processor Obligations (ex, Secure Processing Requirement (Art 32) 

    Data Protection by Design and Default(Art 25)

    DPIAs (Art 35)

    Incident Management/ Breach Reporting Notification Obligations

    DPO requirements(Arts 37,38,39) 

    Processor Assurance(DPAs)

    Record Keeping 

     

     

    20Aug, 2018
    How to get Cyber Essentials Certification
    By Christie Ogubere

    I get calls from clients asking we need to to be certified for Cyber Essentials. We need it to bid for tenders. So I ask them what tenders?

    They mostly reply government tenders. I say ok that’s a start. Why not look at it from the perspective that we want to be Cyber Secure.

    We want to protect our infrastructure and reduce the risk and impact of a Cyber attack and make it part of your best practice?

    Now I explain the differences between Cyber Essentials Basic and Cyber Essentials Plus.

    This is a government initiative assisting businesses to be Cyber Secure. The government launched this scheme on 5 June 2014.

    Cyber Essentials Basic consist of answering self assessment questionnaire by a certification body, your answers are assessed and you be issued a Cyber Essentials Certification if there no compliance issues.

    In order to achieve the Cyber Essentials Plus your organisation would have achieved the Cyber Essentials Basic. The next step is an Auditor appointments by a certification body will conducted Vulnerability Scan of your IT infrastructure.

    Benefits of Cyber Essentials

    It can give your business a competitive advantage; your clients will feel assured that you are keeping their information safe.
    Cyber Essentials Certification will enhance your brand.

    Protect against typical cyber threats.

    Put in good standing to get that government contract.

    More information on are website

    https://intexit.co.uk/cyber-essentials/

    https://intexit.co.uk/cyber-essentials/cyber-essentials-plus/

    20Aug, 2018
    General Data Protection Regulation (GDPR)
    By Christie Ogubere

    General Data Protection Regulation (GDPR) What it’s all about?

    The countdown has begun here a brief overview.

    The new GDPR is meant to protect all EU citizens  their privacy and data.  The new General Data Protection Regulation (GDPR) will come into force on 25th May 2018. In the data driven world that organisations operate this has been a crucial change superseding the UK Data Protection Act 1998. The major changes are how they affect organisations and their operations. When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) General Data Protection Regulation (“GDPR”), the Article 29 Working Party (“A29WP”)

    ​Who does the GDPR apply to?

    The GDPR applies to ‘controllers’ and ‘processors’ in all types of organisations. The definitions are broadly the same as under the DPA – the controller states how and why personal data is processed and the processor acts on the controller’s behalf

    When does the right to data portability apply?

    The right to data portability only applies:

    • Personal data an individual has provided to a controller;
    • Where the processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means.

    Consent

    Valid consent must be explicit for data collected and purposes data used (Article 7; defined in Article 4). Consent for children must be given by child’s parent or custodian, and verifiable (Article 8).

    Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn

    Data Controller

    Majority of the change applies to data controllers. Organisations enforced by the data controller must designate a Data Protection Officer.  The data controller has the responsibilities of processing and monitoring of data subjects.  We are talking about automated data here.

    Who is the data controller?

    A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files

    Data Subject

    Article 10

    Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

    (a) The identity of the controller and of his representative, if any,

    (b) the purposes of the processing for which the data are intended,

    (c) any further information such as

    • the recipients or categories of recipients of the data;
    • whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
    • the existence of the right of access to and the right to rectify the data concerning him insofar as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

    Penalties

    The new GDPR penalties states that organisations that are breached can be fined can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).  The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.