Surely this isn’t the first annual report?

The office of the Data Protection Commissioner has been around for many many years and have issued many many annual reports. When the GDPR came along on 25th May, the office was renamed to be the Data Protection Commission. This report (which you can read here) is their first report covering the period 25th May – 31st December 2018.

Due to the fact that there are investigations still going on from before 25th May 2018, under the previous legislation, the report shows two sets of figures. This post will concentrate on the GDPR figures.

What are the highlights?

There were nearly 2,000 complaints made. The top 10 of these accounted for 94% of all complaints. They are:

Issues around access rights was also the number 1 complaint (39%) under the previous legislation, so this is the most important area that a business or organisation should get right. I’m a little surprised by the complaints under Right of Rectification. That is such a simple one to get correct, why were there 30 complaints? ?‍♂️

Data breaches are on the rise.

There were nearly 3,700 data breaches reported. 85% of them were in the category of unauthorised disclosure which wasn’t really surprising.

It’s interesting to note that there were 226 incidents (6%) which related to paper records. I actually think that figure should be a little bit higher, as I suspect people don’t consider losing or poorly disposing of paper records to be a proper data breach.

What about the Facebook problems reported last year?

They are in there too. There are 15 Statutory Inquiries into multinational technology companies. 10 of these inquiries relate to Facebook (7), or Facebook owned companies (WhatsApp 2 and Instagram 1). Of those 10 complaints 4 related to Legal Basis for processing and 3 relate to the data breach reported in September 2018.

The other companies that had inquiries ongoing are Apple with 2, Twitter 2 and LinkedIn 1.

Was there anything else interesting in the report?

Well yes there was. It’s to do with how the DPC acted when dealing with some of the complaints they came across. There were a few case studies provided (pages 24-26). The DPC handled these without the need to impose sanctions, by making the data controller aware of their failings and providing ways to rectify the situation.

What was also interesting was where complaints had come in about data controllers, who had been investigated previously by the Office of the Data Protection Commissioner. In these cases, the DPC prosecuted them in court and had financial penalties applied (pages 64-67). These cases were taken under previous legislation, so the sanctions were small enough. But this shows that if you, as a controller, come to the DPC’s attention multiple times, they will take a dim view of your behaviour.

Conclusion:

There was a lot more to this first annual report than what I covered above, but for most businesses, these are the items that matter.

If you would like to avail of a free 1 hour consultation to find out what you need to do to prepare your business for the GDPR, then please send an e-mail to info@l2cybersecurity.com and somebody will get back to you.

#GDPR #SimpleGDPR

#SecuritySimplified

The post First Annual Report from the DPC appeared first on L2 Cyber Security Solutions Ltd..

Austrian surveillance cost €4.8K

Just to recap, a business owner had CCTV installed outside their premises. One camera was recording a large portion of the public footpath. This was judged to be too invasive and there was poor signage. The regulatory authority hit them with a modest €4,800 fine. The Austrian data protection authority had 36 other proceedings pending at that time.

Portuguese hospital with too many doctor’s accounts hit for €400K

An unnamed hospital in Portugal had 985 doctor’s accounts on it’s IT system and only 296 doctors on staff. It seems that non-Doctor types (e.g. psychologists and dietitians) used doctor accounts to access patient data. What is most troubling is that a doctor account has unrestricted access to every single patient’s data.

You might not think this is a big deal, but you’re dealing with sensitive personal data here. There should be some controls on access to it, including audit logs of any and all access made by authorised personnel.

The regulator has imposed a €400,000 fine on the hospital, which is appealing the judgement. The Portuguese Government have not yet fully implemented the GDPR, but the regulator is acting as if it was in place.

App maker who cooperated, still fined €20K

A German chat platform, knuddles.de had a breach in which 330,000 e-mail addresses (in German) and their account passwords were stolen by hackers. The passwords were in plain text (no hashing or encrypting was applied). It was the screw-up with the password that caused the fine. They hadn’t applied appropriate technical or organisational controls to protect the data.

The regulatory authority acknowledged that Knuddles were very proactive in reporting the breach and the subsequent follow up. They have implemented stronger security controls in a very short time. In consultation with the regulator they have more measures coming in due course.

The regulator also looked at the financial  strength of the company in determining the fine, not wanting to place the business under any financial burden. So the fine was proportionate. I would hate to think what might have been the case if they hadn’t cooperated.

To avoid GDPR fines, budget now to prepare early in 2019

If your business hasn’t put in place any policies or procedures to address the requirements of the GDPR, you should look at addressing this soon. Most annual budgets will have been exhausted by now, so put in place a sensible sum for GDPR preparation work, early next year.

• If you haven’t attended a GDPR awareness event, then seek one out or give us a call on 087-436-2675.
• We are now offering Practical GDPR Training, which can give you virtually everything you need to be as compliant as possible. Being “100% GDPR compliant” is not something that can be stated presently, as there is no certification available to support such a declaration.
• Or if you prefer to keep making money for your business and not be distracted, then we can do the work for you. Send us an e-mail to info@L2CyberSecurity.com and we’ll get in touch.

#GDPR

#SimpleGDPR

#SecuritySimplified

The post GDPR fines are starting to come. appeared first on L2 Cyber Security Solutions Ltd..

“But where are the €20m or 4% of turnover fines for violating the GDPR?” you shout. As the underlying data breach incident occurred some years ago and surfaced before the #GDPR went into effect in May 2018, then they couldn’t be prosecuted under the Data Protection Act 2018, which implements the GDPR.

But this is still a significant judgement. The ICO has gone for the maximum possible penalty against Facebook, showing that what they were up to was completely unacceptable and rightly so. They found that Facebook had breached two of the principles of data protection:

1. Facebook had unfairly processed personal data.
2. And they didn’t put in place appropriate measures to prevent unauthorised or unlawful processing of personal data.

So while Facebook are only fined £500,000 this time, this is a clear indication that data protection authorities won’t be afraid of going after the maximum fines available to them for failures in respect to protecting peoples personal data.

Also don’t forget that the Irish Data Protection Commissioner is investigating Facebook for a GDPR era incident. That incident started with 50m people affected with another 40m possibly impacted. It dropped down to only ~30m affected … but that’s still ~30,000,000 people. Of those, 14m had the following personal data accessed:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

That is a massive amount of personal data to have been harvested, and could definitely be used against the victims. That particular investigation will be a big one and will probably run into some time in 2019.

In the meantime, lets be careful out there.

#SecuritySimplified

The post Facebook are only fined £500,000 appeared first on L2 Cyber Security Solutions Ltd..

I wasn’t deliberately going looking for data breaches or other data privacy concerns. However these two examples just leapt out at me. Please note that I have redacted sections of these pictures where there were potentially identifying features. I’ve also removed individual’s names, just in case you could make them out.

Staff roster and holiday plans on public display

I ate and drank in quite a few different establishments on my holiday, but this one had the staff roster and a holiday planner in plain sight, over one of the tills.

Because it was dark, the camera struggled to pick it out very clearly, but I could read the names clearly on the holiday planner (on the left). This had the staff names down the left hand side. Then the columns were for June, July and August and this is where the staff obviously noted their holiday plans.

The weekly roster is on the right, where again the staff names were down the left hand side. Then what shifts they were working each day was in the columns. I couldn’t make this out myself at the distance I was from it – approximately 2m.

If I had a better camera or better light, there is no doubt I could easily have got the complete staff list, their holiday plans and their work schedule for the coming week.

This is a breach of the staff’s right to privacy. Any member of the public could see when they were going to be on holiday or when they were going to be at work. This could lead to their home being broken into, as the bad guys know when they are going to be away. Or how about an abusive ex-partner? How much would they love to have this kind of information available to them.

The real shame about this … this place had a large back-of-house (kitchen and office) that all the staff had access to, but not the public. Why not post these things back there?

Staff surveillance

CCTV is used extensively in pubs and restaurants mainly for crime prevention and health and safety purposes. In this pub there was this ONE camera that only had eyes for one thing … this till

So obviously they were using this camera to keep an eye on staff to see if they were fiddling the till. This was a very obvious placement of a camera. This would not be considered “covert” by any means or standards. That’s me talking as somebody who notices this stuff for a living. If I was still in school, starting out on my first pub job, I may not notice such things.

Surveillance of staff needs to be declared by the employer. In this instance there should be a point in the staff manual noting that the tills are monitored by cameras. If an employer was to use secret cameras to monitor staff, they should also declare this. They should state that from time-to-time covert surveillance of employees, in the performance of their work, may be implemented.

Have you any holiday data breach snaps?

In both of the above situations, I have anonymously (I was on holiday, so I’m not hunting sales leads) notified the owners of the establishments about my observations.

When you are looking through your photos from your vacation, can you find any holiday data breach pictures? If you think you have, send them in confidence to info@L2CyberSecurity.com and I’ll let you know, but please don’t tell me the name of the place or the location.

If you would like to know more about different data breaches under the GDPR, check out the videos available on the GDPR section of my website.

#LetsBeCarefulOutThere

#SecuritySimplified

The post Holiday Data Breach Photos. appeared first on L2 Cyber Security Solutions Ltd..

I have covered this area before, where I talked about Mobile App permissions. It’s pretty easy to see what permissions a Mobile App is looking for and to make an educated decision about whether it should receive those permissions by you.

In this newly revealed situation, some third-party developers, who create add-on apps for your e-mail may have actually had real people reading your e-mail. ?

The apps in question are usually performing some useful function, like monitoring your mailbox for meeting invitations and then suggesting appropriate times for the meeting. Or itinerary/travel planning apps that look for flight/hotel booking e-mails and then package them up into a useful, coordinated scheduling pack.

According to this Sophos report, when you install these (usually free) add-ons:

Users had to agree to share that information first, granting explicit permission for an app to access your Gmail account or your broader Google account. However, what users may not have known is that this doesn’t only give the third party company’s software access to your email. It gives developers inside those companies the ability to manually access them too.

And as is also reported in that Sophos report, one of the companies did admit to allowing their staff to actually read people’s e-mails, supposedly to include new features that people might find useful. However what’s at play here is that most people weren’t aware that their actual e-mails are being read by another actual human.

Most people, myself included, went “Meh!” when we heard that Google’s advertising algorithms were scanning our e-mail content, because it is some non-human thing that is looking at the cold hard data.

However, the notion that another actual human may have been reading sensitive, private discussions in an e-mail chain would be quite concerning to most people and rightfully so.

How can you find out who’s been reading your Gmail?

Well you might not be able to find out if they have read your e-mail, but there’s something really easy you can do to find out what apps have got access to your Gmail.

Check the apps with access to your account page for your Google account and review any apps you have there. I’ve just done it and found there was an app that I previously used to look at Google Analytics, but have since stopped using and uninstalled. However the app developers still would have had permission to access any Google Analytics data I had (which I don’t any more as I have stopped using that too). I simply clicked on the app and removed it’s access. It’s that simple.

If you do have these apps that can enable somebody to read your Gmail, you need to consider a couple of things:

1. If this is your business e-mail account, have you considered the #GDPR aspects of giving an external third party access to view personal data? You will need to have a Data Processing Agreement in place with the third party and also declare their access to the individuals whose personal data you process.
2. If this is your personal e-mail account, then you have got to make the determination if the app is so useful to you that you are happy to allow some developer, somewhere in the world read your e-mail.

For me privacy wins out every time.

Let’s be careful out there!

The post Who’s been reading your Gmail? appeared first on L2 Cyber Security Solutions Ltd..

Under Armour report that the MyFitnessPal breach included user names, e-mail addresses and hashed passwords (hashing is the way to scramble passwords).

This breach was detected last weekend, on 25th March. The data itself had been last accessed by the evil doers in February.

As part of the notification, Under Armour stated that they:

• are notifying MyFitnessPal users to provide information on how they can protect their data
• will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately
• will continue to monitor for suspicious activity and to coordinate with law enforcement authorities
• will continue to make enhancements to their systems to detect and prevent unauthorised access to user information

All good steps to be taken. I particularly applaud the engagement with law enforcement. As I stated in the post about the overwhelming attack which was detected earlier this month, businesses need to start reporting these criminal activities, so our own Garda Síochána can get better statistics which will support more funding for the Garda Cyber Crime Bureau.

Under Armour also provided the affected users with good advice:

• Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account
• Review your accounts for suspicious activity
• Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data
• Avoid clicking on links or downloading attachments from suspicious emails

I suppose it was too much to hope that they would give a suggestion that users should also start using two-factor authentication where possible. Hopefully one of the enhancements that they will make to their systems will be to introduce such a feature.

Have a watch of my short 10 minute video which tells you all you need to know about two-factor authentication:

The post MyFitnessPal Breach – Bigger than Equifax appeared first on L2 Cyber Security Solutions Ltd..

What’s this VPN thing anyway?

A VPN is (usually) a piece of software that is installed on your computer or mobile device which establishes a secure connection between that device and some other point on the internet. That could be your corporate network or a VPN provider’s network. The connection is fully encrypted, so all the data flowing between your device and the other end of the connection will be meaningless scrambled data. It will be useless to anybody that intercepts this data.

What is also very important is that the VPN hides the users identity/location by making your device appear to be located elsewhere on the internet, rather than where your internet provider shows you as being. It does this by assigning your connection a different address on the internet, also known as the Internet Protocol (IP) Address.

So what data does some provider’s VPN leak?

The simple tool provided by the security researcher Paolo Stagno can show your original IP address as well as your VPN provided IP address. Therefore a website can tell where you actually are on the internet rather than where your VPN provider is trying to show you as being from. So here is an example of where you have a VPN leak:

As you can see, in the lower half (Web RTC), your Internet Service Provider (ISP) provided IP address is shown, along with your actual internal address of your local home or office network.

Compare that now to a VPN connection where they are not allowing the data to be leaked:

Here we see only the VPN provider’s IP address and their internal network address. So somebody using this VPN would not be at risk from being identified and located on the internet. This is important to maintain privacy, as that is one of the main reasons for wanting to use a VPN in the first place.

If you would like to have a chat about some of the security services we can provide, then please either send an e-mail to info@L2CyberSecurity.com or call us on 087-436-2675.

The post Does Your VPN Leak Data? appeared first on L2 Cyber Security Solutions Ltd..

What did Cambridge Analytica do?

In 2015, Dr Aleksandr Kogan, who was a lecturer at Cambridge University’s Department of Psychology, put out an “App” on Facebook which carried out a survey for the purposes of “scientific research”. ?

This app had some 270,000 people use it on their Facebook page. “In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked, as well as more limited information about friends who had their privacy settings set to allow it.” according to a Facebook statement.

Basically, this “App” profiled the people who used it, then probed into the Facebook profiles of the friends of that 270,000 and profiled them as well. This is where the 50 million affected people figure came from.

Just to be clear – There was no breach of Facebook data in this “scandal”. Facebook had a “Feature” at the time which allowed apps to look at freinds profiles. These apps would have told the users that this is what they were enabling before they used the app for the first time. You know. At that screen that nobody (but me) reads! Here’s an example.

Cambridge Analytica then used all of the data to psychologically profile Americans and then target specific political messages, which would definitely influence that individual. Doing so to 50 million individuals is tantamount to manipulation.

This video has a CA whistle blower telling what they did:

Should I delete my Facebook account?

Well that is completely up to you.

I deleted my original Facebook account back in about 2012, after I downloaded a copy of my Facebook data and saw just how much information I had given them and what it could be potentially used for. It’s not just the content of posts, photos and videos that I had put on the platform (and I was fairly prolific at the time), but it was all of the Likes and Shares of different things that caused me concern.

By looking at all of this data in one place, I could see that they could potentially see who and what I was about and what my opinions might be.

It freaked me out.

I deleted my account.

I created a new account in 2014 as I had become involved in a community project which needed online exposure. I have expanded that to a few other community projects, as well as my own business page, but I am pretty frugal with anything else I give Facebook. I usually limit it to photos of my dogs, the scenery or the weather.

I recently downloaded my Facebook data again and because I have been careful, I don’t see too much in they way for potential manipulation with it.

I needn’t worry too much, because I never believe anything I read … particularly on Facebook. ???

But have a read of this other short blog about what breached data can be used for.

The post Cambridge Analytica were nosey ninnies appeared first on L2 Cyber Security Solutions Ltd..

Important Notice:

As every company is different, please seek professional advice when creating your data protection policy. Your business may face circumstances and issues that are not covered by this sample policy.

This data protection policy is made available on an ‘as is’ basis. L2 Cyber Security Solutions cannot take any responsibility for the consequences of errors or omissions. Any reliance you place on this document will be at your own risk.

Neither L2 Cyber Security Solutions, nor its employees are liable for any losses or damages arising from your use of this document. These individuals and organisations exclude all warranties and representations, express or implied, in respect of your use of the website and its content.

Data protection policy

Context and overview

Key details

Policy prepared by:                                         Name

Approved by board / management on:          Date

Policy became operational on:                       Date.

Next review date:                                           Date.

Introduction

[Company name] needs to gather and use certain information about individuals.

These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.

Why this policy exists

This data protection policy ensures [company name]:

• Complies with data protection law and follow good practice
• Protects the rights of staff, customers and partners
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Data protection law

The General Data Protection Regulation 2016/679 describes how organisations — including [company name] — must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The General Data Protection Regulation is underpinned by eight important principles. These say that personal data must:

1. Be processed fairly and lawfully
2. Be obtained only for specific, lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Not be held for any longer than necessary
6. Processed in accordance with the rights of data subjects
7. Be protected in appropriate ways
8. Not be transferred outside the EU, unless that country or territory also ensures an adequate level of protection

People, risks and responsibilities

Policy scope

This policy applies to:

• The head office of [company name]
• All branches of [company name]
• All staff and volunteers of [company name]
• All contractors, suppliers and other people working on behalf of [company name]

It applies to all data that the company holds relating to living individuals, even if that information technically falls outside of the General Data Protection Regulation 2016/679. This can include:

• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• …plus any other information relating directly or indirectly to individuals

Data protection risks

This policy helps to protect [company name] from some very real data security risks, including:

• Breaches of confidentiality. For instance, information being given out inappropriately.
• Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
• Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Everyone who works for or with [company name] has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

• The board of directors is ultimately responsible for ensuring that [company name] meets its legal obligations.
• The [data protection officer], [name], is responsible for:
  • Keeping the board updated about data protection responsibilities, risks and issues.
  • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  • Arranging data protection training and advice for the people covered by this policy.
  • Handling data protection questions from staff and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data [company name] holds about them (also called ‘subject access requests’).
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
• The [IT manager], [name], is responsible for:
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
• The [marketing manager], [name], is responsible for:
  • Approving any data protection statements attached to communications such as emails and letters.
  • Addressing any data protection queries from journalists or media outlets like newspapers.
  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

General staff guidelines

• The only people able to access data covered by this policy should be those who need it for their work.
• Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
• [Company name] will provide training to all employees to help them understand their responsibilities when handling data.
• Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
• In particular, strong passwords must be used and they should never be shared.
• Personal data should not be disclosed to unauthorised people, either within the company or externally.
• Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
• Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

Data storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.

• When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
• These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
• Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

• Data should be protected by strong passwords that are changed regularly and never shared between employees.
• If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
• Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services.
• Servers containing personal data should be sited in a secure location, away from general office space.
• Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
• Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
• All servers and computers containing data should be protected by approved security software and a firewall.

Data use

Personal data is of no value to [company name] unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
• Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
• Personal data should never be transferred outside of the European Economic Area.
• Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.

Data accuracy

The law requires [company name] to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort [company name] should put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

• Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
• Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
• [Company name] will make it easy for data subjects to update the information [company name] holds about them. For instance, via the company website.
• Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
• It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.

Subject access requests

All individuals who are the subject of personal data held by [company name] are entitled to:

• Ask what information the company holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email, addressed to the data controller at [email address]. The data controller can supply a standard request form, although individuals do not have to use this.

Individuals cannot be charged to honour a subject access request. The data controller will aim to provide the relevant data within 30 days.

The data controller will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons

In certain circumstances, the General Data Protection Regulation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, [company name] will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.

Providing information

[Company name] aims to ensure that individuals are aware that their data is being processed, and that they understand:

• How the data is being used
• How to exercise their rights

To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.

[This is available on request. A version of this statement is also available on the company’s website.]

The post Data Protection Policy Template appeared first on L2 Cyber Security Solutions Ltd..

The GDPR says that the information you provide to people about how you process their personal data must be:

• Concise, transparent, intelligible and easily accessible.
• Written in clear and plain language, particularly if addressed to a child.
• Free of charge.

What information must be provided:

Where you obtain personal data directly from the individual:

• Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer (if applicable).
• Purpose of the processing and the legal basis for the processing.
• The legitimate interests of the controller or third party, where applicable.
• Any recipient or categories of recipients of the personal data.
• Details of transfers to third country and safeguards.
• Retention period or criteria used to determine the retention period.
• The existence of each of data subject’s rights.
• The right to withdraw consent at any time, where relevant.
• The right to lodge a complaint with a supervisory authority.
• Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.
• The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

This information should be provided to the individual at the time that the data is obtained.

Where the personal data is not directly obtained from the individual:

• Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer (if applicable).
• Purpose of the processing and the legal basis for the processing.
• The legitimate interests of the controller or third party, where applicable.
• Categories of personal data.
• Any recipient or categories of recipients of the personal data.
• Details of transfers to third country and safeguards.
• Retention period or criteria used to determine the retention period.
• The existence of each of data subject’s rights.
• The right to withdraw consent at any time, where relevant.
• The right to lodge a complaint with a supervisory authority.
• The source the personal data originates from and whether it came from publicly accessible sources.
• The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

In this case, this information should be provided to the individual:

• Within a reasonable period of having obtained the data (within one month)
• If the data is used to communicate with the individual, at the latest, when the first communication takes place; or
• If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

The post Privacy Notice Requirements appeared first on L2 Cyber Security Solutions Ltd..