GDPR and Cyber Security LW.pptx
  1. The Six Steps for GDPR
  2. What is the General Data Protection Regulation (GDPR)?
     • EU-GDPR established to protect the rights and freedoms of EU citizens (data subjects)
     • The Data Protection Act 2018 included all the clauses from the EU-GDPR
     • Data Protection, Privacy and Electronic Communications Regulations
     • UK-GDPR 2021
  3. General Principles of the UK-GDPR
     Data shall be:
     • Processed lawfully
     • Collected for specified, explicit and legitimate purposes
     • Adequate, relevant and limited
     • Accurate
     • Kept in identifiable form for no longer than is necessary
     • Processed in a manner so as to ensure security
  4. What are the six steps?
     • Step 1: Know your data
     • Step 2: Classify it
     • Step 3: Justify it
     • Step 4: Plan it
     • Step 5: Control it
     • Step 6: Be breach ready
  5. Step 1: Know your data
  6. Know your data - Discussion
     • Whose data do you hold?
     • What personal data do you collect?
     • Where does your data live?
     • How many copies of data sets do you have?
     • Which members of the team have their own data?
  7. Where is your data currently kept? - Discussion
     - Spreadsheets
     - Databases
     - Server/NAS drives
     - Cloud
     - Laptops
     - Backups
     - Mobile phones
     - USB sticks
     - Websites
     - CRM software
     - Email marketing contacts
     Where should it be kept?
  8. What about the data you are sharing?
     Do you share data with:
     • Subcontractors?
     • Suppliers?
     • Temp staff?
     • Associates?
     Data is an asset… but it can also be a liability! You don’t want old and out-of-date information hanging around any more. Think about old systems you may have previously used. Is there still data on them? If so, consider deleting it!
  9. Be aware of data fragmentation
     • Naturally, as an organisation with a number of employees, it is easy for data to become fragmented.
     • As we utilise more software and devices, that data can become more and more fragmented.
     • Complete a bit of an audit to help you understand where your data sits.
  10. Is it time to move to a CRM?
     To manage customer data all in one place rather than having it fragmented across multiple areas.
     - Is it GDPR compliant?
     - Can you store all your data?
     - Does it integrate with emails, calendars, phone systems, etc.?
     - Who needs access? Staff? Volunteers? External orgs? And at what levels?
  11. Share, don’t attach
     To reduce data fragmentation, reduce the number of duplicate documents across the organisation by getting into the habit of sharing documents rather than attaching them to emails. Microsoft 365, Google Workspace and Google Drive enable us to quickly and easily share access to docs, files and folders.
  12. Step 2: Classify it
  13. What is personal data?
     “Personal data” means any information relating to an identified or identifiable natural person, for example:
     • A name
     • An identification number
     • Location data
     • An online identifier
     • Or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  14. What is personal data?
     We also have “Sensitive Personal Data”, which consists of the following:
     • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
     • Trade-union membership
     • Genetic data, biometric data
     • Health-related data
     • Data concerning a person’s sex life or sexual orientation
  15. What is confidential data?
     We also have “Confidential” business information, which refers to information whose disclosure may harm the business, such as:
     • Trade secrets
     • Sales and marketing plans
     • New product plans
     • Notes associated with patentable inventions
     • Customer and supplier information
     • Financial data
     • Account information
     • Passwords
     Not a GDPR classification, but you may want to classify this yourself.
  16. How do we classify data? (Data set, fields, classification?)
     • Marketing data: Name, Postcode, Email – classification?
     • Customer data: Name, Address, Email, Bank details – classification?
     • Staff data: Name, Postcode, Email, Religion, Health records – classification?
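The classification exercise on this slide, worked through in code as an added example (not part of the original deck): each field is matched against the deck's own lists from slides 13 to 15 and the data set takes the highest tier found. The keyword lists, the field names and the ranking of "confidential" between "personal" and "sensitive" are assumptions made here for illustration.

```python
"""Data set classifier built from the deck's slide 13-15 definitions.

Added worked example, not part of the original slides. Keyword lists and
the tier ranking are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Special-category ("sensitive personal") data, slide 14.
SENSITIVE_KEYWORDS = {
    "racial", "ethnic", "political", "religion", "religious", "philosophical",
    "trade union", "genetic", "biometric", "health", "medical", "sex life",
    "sexual orientation",
}
# Confidential business information, slide 15. The deck says this is not a
# GDPR classification but suggests classifying it yourself; the speaker notes
# treat bank details as "highly confidential" but not sensitive.
CONFIDENTIAL_KEYWORDS = {
    "bank", "account", "password", "financial", "trade secret",
    "sales plan", "marketing plan", "product plan", "patent",
}
# Identifiers that make a record "personal data", slide 13.
PERSONAL_KEYWORDS = {
    "name", "identification", "id number", "postcode", "address", "email",
    "location", "online identifier", "phone",
}

# Assumed ranking, lowest to highest protection need.
TIER_ORDER = ["none", "personal", "confidential", "sensitive"]


@dataclass
class Classification:
    tier: str                                   # highest tier in the data set
    reasons: dict = field(default_factory=dict)  # field name -> tier that matched


def _tier_for_field(name: str) -> str:
    """Match one field name against the keyword lists, most sensitive first."""
    n = name.lower()
    if any(k in n for k in SENSITIVE_KEYWORDS):
        return "sensitive"
    if any(k in n for k in CONFIDENTIAL_KEYWORDS):
        return "confidential"
    if any(k in n for k in PERSONAL_KEYWORDS):
        return "personal"
    return "none"


def classify(fields) -> Classification:
    """Classify a whole data set by the highest tier any of its fields hits."""
    reasons = {f: _tier_for_field(f) for f in fields}
    reasons = {f: t for f, t in reasons.items() if t != "none"}
    top = max(reasons.values(), key=TIER_ORDER.index, default="none")
    return Classification(top, reasons)


# The three data sets from slide 16 (constructed from the slide text).
DECK_DATA_SETS = {
    "Marketing data": ["Name", "Postcode", "Email"],
    "Customer data": ["Name", "Address", "Email", "Bank details"],
    "Staff data": ["Name", "Postcode", "Email", "Religion", "Health records"],
}


def classify_deck_examples() -> dict:
    """Answer key for the slide: data set name -> highest tier."""
    return {name: classify(fields).tier for name, fields in DECK_DATA_SETS.items()}


if __name__ == "__main__":
    for name, fields in DECK_DATA_SETS.items():
        result = classify(fields)
        print(f"{name}: {result.tier} (because {result.reasons})")
```

Run as a script it prints one line per data set, showing which field pushed it into its tier, which matches the speaker notes' answer (only the staff data is sensitive; bank details are confidential, not sensitive).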
  17. Step 3: Justify it
  18. What is the purpose of the data? What is the lawful basis for holding it?
     There needs to be a lawful basis for collecting the information:
     • Contract: for example, to be able to supply goods or services that they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
     • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
     • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  19. Levels of consent
     • Level 1: Verbal consent
     • Level 2: *Signed consent
     • Level 3: *Signed by both parties
     *Signed can mean a signature, a checked box or an agree button.
  20. Best practices for consent
     • Active opt-in: a binary choice given equal prominence
     • Granular: give consent separately for different processing
     • Named: name your organisation and any third parties who will be relying on consent
     • Easy to withdraw: the right to withdraw their consent at any time
  21. Best practices for consent – A consent template
     Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
     • the name of your organisation
     • the name of any third-party controllers
     • why you want the data
     • what you will do with it
     • that individuals can withdraw consent at any time
  22. Step 4: Plan it
  23. What is the process that your data goes through?
     • Collection
     • Storage
     • Processing
     • Deletion
  24. How long should I keep it for?
     Are there any requirements for the retention of any particular data? For example:
     • Trade law
     • Tax law
     • EU contracts
     • Employment law
     • Administrative law
     • Regulations regarding certain professions, e.g. medical
  25. How long should I keep it for?
     In the absence of any legal requirements, personal data may only be retained if necessary for the purpose of processing and must be deleted when:
     • the data subject has withdrawn consent
     • a contract has been performed or cannot be performed any more
     • the data is no longer up to date
     • the data subject requests the erasure of data
     • the retention is no longer necessary
     Exceptions may apply for historical, statistical or scientific purposes.
  26. Privacy Policies vs Notices
     • A full privacy policy is a very detailed document, very often a separate page entirely, and contains all the detail for the whole organisation.
     • A privacy notice is an abbreviated version of the policy for the purposes of a sign-up form. This is also where you would have the consent form (checkboxes, etc.).
  27. Privacy Policy - HubSpot
  28. Privacy Notice - HubSpot
  29. Privacy notices
     ● Describe all the privacy information that you collect about an individual, make available or provide
     ● Need a blended approach, using a number of techniques to present privacy information
     ● Demonstrate that you are using personal data fairly and transparently
     ● Include a ‘request’ for consent
     If the average person read every privacy policy for every website they visited in a year, that reading time would amount to some 244 hours.
  30. Privacy Policy checklist
     ● Who are we?
     ● How do we collect information about you?
     ● How your information is used
     ● Third-party service providers
     ● Your rights
     ● Security precautions
     ● Cookies
     ● Changes to this Privacy Policy
     What does your Privacy Policy look like on the website?
  31. Where should notices go?
     ● Orally - face to face or on the telephone (it’s a good idea to document this)
     ● In writing - printed media; printed adverts; forms, such as financial applications or job application forms
     ● Through signage - an information poster in a public area
     ● Electronically - in text messages, websites, emails and mobile apps
  32. Example privacy notice
  33. Step 5: Control it
  34. How do we keep data safe?
     • Who has access? Do the right people have access?
     • How secure is it through its lifecycle?
     • Where is it held?
     • How do you process individuals’ rights?
     • How long is it retained for and how is it deleted?
     • Who do you see as third parties?
  35. Are you ready for Cyber Essentials?
     • Cyber Essentials is a simple but effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.
     • Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.
     About Cyber Essentials - NCSC.GOV.UK
  36. Top Cyber Threats
  37. Phishing emails
     • Phishing is a type of email attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email.
  38. Can you recognise a phishing attempt?
     https://www.independentage.org/information/money/scams/scams-quiz#main-content
  39. Phishing emails – What must I do?
     • Check the email address of the sender
     • Hover over and check any links before clicking on them
     • Does the email address you directly?
     • Look out for spelling and grammar issues
     • If in any doubt, delete it!
     • Inform others about suspicious emails, as they may have received the same
     • If you click a link or open a file from an email that seems suspicious, do not try to hide it; make sure to tell someone.
  40. Spear phishing / CEO fraud
     • Spear phishing is a more targeted attempt to reach a specific and well-researched recipient while pretending to be a trusted sender.
     • These emails often claim to be from the CEO of your company, or an organisation you do business with, and trick you into handing over sensitive information or money.
     • Never believe these emails – always call or double-check first.
  41. Have I been ‘pwned’?
     Have I Been Pwned: Check if your email has been compromised in a data breach
  42. Malware: Viruses, Worms & Trojans
     • Malware is software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
     • Viruses are self-replicating programs that attach themselves to other programs or files.
     • Worms don’t need another file or program to replicate; they are self-sustaining.
     • A Trojan horse looks legitimate but performs unknown and unwanted activities, such as keyboard logging or opening a backdoor for hackers to access and control your system.
  43. Ransomware
     Malicious software that sneaks onto your computer, encrypts your data so you can’t access it and demands payment for unlocking the information.
     • Nearly 50% of organisations have been hit with ransomware
     • The average ransom demand is £1020
     • Less than half of ransomware victims fully recover their data, even with backup
  44. What should I do?
     • Pull out the network lead or switch off Wi-Fi and switch off the computer
     • DO NOT restart the computer or connect/reconnect to the network
     • Pass it over to your IT team, who will delete, reformat and restore the system from an uninfected local, offsite or cloud backup
  45. How should we better protect ourselves from breaches?
     Update, update, update! Allow PC and software updates to download as and when they become available. If any pop up that you are unsure of, make sure to confirm they’re safe with someone else first.
  46. Use complex passwords
     All passwords must be:
     • Unique for each account that you use
     • 8+ characters long
     • Include upper- and lower-case letters
     • Include a number
     • Include a special character
     Don’t use the same passwords for work and home. Don’t share logins and passwords. Don’t save your passwords into Word or Excel docs. Don’t have documents named “passwords”. Don’t use the word “password” in emails.
  47. Top used passwords of 2020
  48. How secure is your password?
     How Secure Is My Password?
  49. Creating Passwords and Activity – Take three words
     Creating a strong password in 3 steps:
     1. Choose three random words: phoneglassesbowl
     2. Change the first letter of each word to a capital: PhoneGlassesBowl
     3. Add some numbers and/or symbols: PhoneGlassesBowl18!
     Want to use it for more sites? Add the site as an identifier:
     • Amazon - AnPhoneGlassesBowl18!
     • Ebay - EyPhoneGlassesBowl18!
     • Google – GePhoneGlassesBowl18!
     If you want to make it more complex:
     • Use five words
     • Add more numbers
     • Add a dash-between-each-word
  50. Creating Passwords and Activity
     • Use the initial letters of a favourite song or phrase, e.g. “Life is like a box of chocolates”: Lilaboc
     • Include capital letters and lower-case letters: LiLaBoC
     • Include a memorable number or date: LiLaBoC19
     • Include a symbol: LiLaBoC*19
  51. Protect your data
     Ensure the organisation’s data is only stored on the organisation’s devices.
     ● Always lock devices when unattended (Windows + L)
     ● Encryption - are all laptops encrypted?
     ● Don’t copy or export data without consent
     Mobile device policies
     ● Protected from unauthorised access by at least a 6-digit PIN or a passphrase;
     ● Configured to ensure they automatically lock after a period of inactivity;
     ● Configured in such a way that they can be remotely wiped in the event of loss;
     ● Data is encrypted at rest;
     ● Only have trusted applications from reputable sources installed, and antivirus installed if using an Android device;
     ● Receive automatic software updates from the manufacturer and other 3rd parties; and
     ● Receive software updates for security patches within a reasonable timeframe.
  52. Techniques to secure your data
     1. Minimise - reduce the amount of data you have
        i. Delete – big audit
        ii. Archive
        iii. Build and enforce retention policies
     2. Separate – separate personal information from daily tasks
        i. Split database tables
        ii. Spreadsheet separation
     3. Anonymise or pseudonymise wherever possible
        i. In emails, texts, messages
        ii. In other data sets
        iii. In client reports
     4. Access - check your access rights
        i. Who has access? Is it at the right levels?
        ii. Password protection
  53. Set up two-factor or multi-factor authentication
     If you are using Dropbox, Google Apps, Office 365 or any cloud-based software, set up two-factor authentication. Usually this means you need your mobile phone with you to approve your sign-in. It’s very simple, but it will alert you to any attempts to access your information.
     Google two-step authentication
  54. Look for HTTPS before entering any personal or sensitive info
     • When a website is asking you to input any personal or sensitive information, make sure to look out for the ‘S’ at the end of ‘https’
     • If it only says ‘http’, do not enter any info.
  55. When out and about – be suspicious of public Wi-Fi
     ● Name that Wi-Fi - be suspicious of wireless networks on your device that show up with names like "Free Wi-Fi" or "Free Hotel Wi-Fi."
     ● Avoid using passwords - better to avoid activities where you're using passwords to log in to your most sensitive or important accounts.
     ● Let your computer help out. Windows and Mac OS X (those computers' operating systems) come with security features that can help protect you. Ensure they’re on.
     ● Look for the "s" for secure. Any time you're on a web page, look at the address bar (above the web page) and the website's name. If you see "https" right in front, that website is encrypted, which means your data can't be read in transmission.
  56. Step 6: Breach ready
  57. Always report something suspicious or lost
     • If you lose something - tell your manager, never try to hide it
     • If you click on something – tell your manager, never hide it
     • If you see someone else acting suspiciously – report it
  58. What is a breach?
     A breach is any loss or mismanagement of data. Examples of breaches:
     • Hacking of your website
     • Sending an email with an attachment to the wrong person (sensitive info)
     • Loss or theft of a laptop
     • Loss of a mobile device, or selling it with data still on it
     • Hacking of your emails
     • Deleting a database by accident
  59. When do individuals and the ICO have to be notified?
     • Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly
     • A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority
  60. How do I notify a breach?
     A notifiable breach has to be reported to the ICO within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows you to provide information in phases. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay. Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover.
  61. Summary – Six Steps
     • Step 1: Know your data
     • Step 2: Classify it
     • Step 3: Justify it
     • Step 4: Plan it
     • Step 5: Control it
     • Step 6: Be breach ready
  62. Thank you
     Please complete the feedback form for this course using the QR code or this link: https://forms.office.com/r/6G0cgGKLA1

Editor's Notes

  • EU-GDPR May 2018
    DPA May 2018
    DPPECR Oct 2020
    UK-GDPR Jan 2021
  • https://uk-gdpr.org/chapter-2-article-5/
  • Highlight the 6 steps for GDPR above
  • Open up a discussion on the above questions?

    Where does your data live? (Prompts)
    Microsoft 365, Google Workspace
    CRM systems – HubSpot, Capsule, etc.
    Locally on devices? Laptops, tablets, smartphones
    Accounting software? – Sage, QuickBooks, Xero
    Email accounts? – Gmail, Outlook, AOL, Self hosted?

    How many copies of data sets do you have?
    Excel spreadsheets?
    Copied across 365 & CRM? Accounting and Google Workspace?
    Multiple revisions of client data?

    Which members of staff have access to their own data?
    Self employed?
    Small org?
    Freelancers?

  • Focusing on where data is kept, from before:

    Open discussion on where it should be kept. i.e. remove multiple copies, use secure cloud systems, no “revisions”. (If 365 or Google let this do it for you through version history)

    Avoid saving on local software if “unsecure”
    Password protect devices (biometric, passcode, Password)
    Password protect docs with sensitive data
  • If you have an email sent to 10 people. Use the multiple attachments example.

    Refer to photo
  • Lamplight for charities and non profits

    One of the alternatives here

    (Google CRM name and GDPR, i.e. “HubSpot GDPR Compliant?”)  

     General Data Protection Regulation | HubSpot
  • E.g. client shares an idea for a project/business. Not personal, not sensitive, but confidential.
  • Bank details are personal, but not sensitive. Account number, etc.

    Which of these is classed as sensitive data? (ONLY STAFF DATA) – Bank details not classed as sensitive data

    Bank details, doesn’t fit into the classification of sensitive, but is highly confidential

    Look back at classification list
  • Contract – if it’s about the service that you are offering, i.e. a job seeker that comes for advice. That is a contract.
    Legal – e.g. visitor book for fire safety/H&S, Risk assessment
    Consent – Consent to market or pass data to third parties.
  • Data goes through a cycle.
  • EU Contracts – have to hold data for about 30 years.

    Accounts only need to be kept for 7 years
  • Activity – Check the privacy policy on the Well Grounded website
  • About Cyber Essentials - NCSC.GOV.UK
  • https://www.independentage.org/information/money/scams/scams-quiz#main-content
  • Have I Been Pwned: Check if your email has been compromised in a data breach
  • How Secure Is My Password? – ACTIVITY

    Go to this website to test password strengths
  • Tutor to explain how to go about creating a password which will be secure to use,
    Give learners 5 mins to come up with their own,

    IF ISSUES ARE RAISED BY KEEPING PASSWORDS ON PAPER:
    With regards to writing your passwords down on paper, almost all of the major security experts agree this is the safest, most secure way of password management providing that bit (or bits) of paper is kept safely. I would recommend reading this article to put your mind at ease - https://www.vox.com/2014/4/16/5614258/the-best-defense-against-hackers-writer-your-passwords-down-on-paper (one of the people mentioned in this article is Bruce Schneier, who is a hugely respected authority on digital security – his Wikipedia page can be found here: https://en.wikipedia.org/wiki/Bruce_Schneier)
    In particular I will point out this paragraph within the above article – you may recall in particular I mentioned that if you go with the paper password method, you should keep a sheet of passwords completely separate to usernames:
    “Don't leave the paper somewhere where people can copy it. It shouldn't be a Post-it note on your monitor or even under your keyboard. Store it in your wallet, or in an unmarked folder in your filing cabinet. You might want to consider keeping two different pieces of paper: one at home that has every password, and a second one in your wallet that just has the passwords you need every day. That minimizes the damage if you happen to lose your wallet.”
  • Information Commissioners Office

    i.e. a job club for alcoholics. If that database was sent to someone by accident, and they gave it to a journalist who shared it on the news, that would be a breach of rights and freedoms.