How to Forge a Cyber-Security Strategy for 2018 | Cyber Major, London | GDPR

How to Forge a Cyber-Security Strategy for 2018

Intrusion Detection System
Much of a strong information security plan depends on having the tools to detect breaches in the first place. Without the technical tools in place to realise you’re under attack, your business continuity planning and risk prevention might as well be pointless. Just to give you an example of the headaches this will cause in the future if not addressed: under the GDPR you’re obligated to put into place a comprehensive personal data breach notification system (to both the Information Commissioner’s Office and the affected victims of personal data theft). However, this requirement can only be fulfilled if you have the means to detect that a breach has happened in the first place. The fines we’ve seen so far indicate that not being aware of breaches is actually a far bigger compliance hazard than the steps you need to take afterwards.


How to Protect Personal Data When Moving It Between Countries while working in a Global Company

The upcoming EU GDPR introduces a relatively new method of ensuring adequate protection for personal data when it is transferred to countries outside the European Economic Area between different sections of the same corporate group.

These are known as “Binding Corporate Rules” and are seen as the new gold standard of intra-company data protection standards.

These were developed because using constant repeated contractual arrangements is not a cost-effective or practical way of legitimising international transfers for data-reliant organisations operating across the globe.

Essentially, a set of BCRs must be based upon European Privacy standards and include the following:


General Data Protection Regulation

The Sea-Change of the Concept of Privacy and its Consequences

"Privacy". It's all the rage nowadays. More and more laws are being drafted for purposes of protecting personally identifiable data, not least the massive upcoming EU General Data Protection Regulation.

But while Privacy may be becoming increasingly valued in the era of "big data" - where giant multi-national corporations devour information to fuel in-house machine learning and other forms of normative Artificial Intelligence - that certainly wasn't always the case. Not until quite recently in fact.

"Privacy" as a concept didn't even exist in formative English common law (beyond very limited torts). In fact, apart from the embryonic 4th Amendment to the U.S. Constitution, there weren't any decently strong protections for privacy in the Western world until the passage of the European Convention on Human Rights. Article 8 of the ECHR may in theory ordain a right to privacy, but it has so many qualifiers:

"except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

Before the information age, privacy really wasn't seen as a big deal, especially compared to the unqualified rights set out in the ECHR, such as freedom from torture and the right to a fair trial, which were deemed a far higher priority to protect. But that's all changing now.


When Do You Actually Need a Data Protection Officer under the GDPR?

You can hear the rumbling on the horizon. That's right, GDPR is coming. But no need to panic; as long as you're aware of what exactly you have to comply with - and make solid, demonstrable steps towards compliance - you should be fine.

So with that in mind, let's focus on one of the absolute key areas of the legislation that has organisations concerned. That's right; appointing a Data Protection Officer. Basically, according to Articles 35-39 you must appoint one in three specified situations:

  • where processing is carried out by a public authority;
  • if the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale; or
  • if the core activities consist of processing special categories of personal data on a large scale.

Now, that may seem simple enough. But statutes always seem simple until you actually have to apply them. For example, what do they mean by "core activities", "large-scale" or "regular and systematic monitoring"? There's no real body of case law to help us, after all.

Have no fear, because in December 2016, the Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission) helped clarify all of this.


What are my Obligations under the GDPR

Personal Data Breaches


Get in Touch

  • Phone
    0207 458 4088
  • Address
    40 Bank Street, Canary Wharf
    London, E14 5NR