GDPR Archives - L2 Cyber Security Solutions Ltd.

Legal Basis for Processing

Liam — Fri, 14 Apr 2023 14:44:07 +0000

The General Data Protection Regulation (GDPR) outlines the conditions under which there is a legal basis for processing personal data.

Download Detailed Guidance Here

The Six Lawful Bases for Processing:

To collect or use personal data legally, you cannot just "want" to do it. You must rely on one of six specific legal justifications (Article 6). If you cannot fit your processing into one of these boxes, you cannot collect the data.

You must identify and document one of these bases before you start processing data.

Consent: The individual has given you clear, specific permission to process their data for a specific purpose.
Contract: You need to process the data to fulfil a contract with the individual (e.g., you need their address to deliver goods they bought).
Legal Obligation: You are required by law to process the data (e.g., keeping salary records for tax purposes).
Vital Interests: It is a life-or-death situation (e.g., giving emergency medical data to a hospital to save someone's life).
Legitimate Interests: You have a genuine business reason (like fraud prevention or network security), and this reason is not overridden by the individual's rights or freedoms.
Public Interest: You are performing a task in the public interest or acting under official authority (usually applies to government bodies, not private companies).

1. Strict Rules for "Consent"

If you choose "Consent" as your legal basis, the bar is set very high. You must be able to prove you obtained it validly.

Freely Given: The user must have a real choice. You cannot force them to consent or punish them if they say no.
Informed: They must know exactly who you are and what you are doing with their data.
Specific: You cannot ask for "blanket consent." You must ask for permission for each specific purpose.
Clear Affirmative Action: The user must do something to consent (like ticking a box). You must also keep a record of this consent being given. Pre-ticked boxes are banned.
Easy Withdrawal: You must tell them they can withdraw consent at any time, and if they do, you must stop processing immediately.

2. Contractual Necessity

When to use it: Use this when you have a contract with an individual (or are about to enter one) and you literally cannot do your job without their data.

The Rule: The processing must be necessary for the performance of a contract to which the individual is a party.

Practical Example: If you sell a product online, you need the customer's address to deliver it. You don't need their consent for the address. You need it to fulfil the contract of sale.

Constraint: You cannot use this for things that are "nice to have" but not essential to the contract (e.g., using that same address for marketing newsletters usually requires a different basis, like Consent).

3. Legal Obligation

When to use it: Use this when you have no choice because the law says you must process the data.

The Rule: The processing is necessary for compliance with a legal obligation.

Practical Example: You are required by tax laws to keep records of employee salaries for a certain number of years. Even if an employee asks you to delete their data, you can refuse because you have a legal obligation to keep it.

Constraint: This must be a statutory obligation (EU or National law), not just a contractual obligation to a third party or your own company policy.

4. Vital Interests

When to use it: This is the "Emergency Only" basis. It applies to life-or-death situations.

The Rule: The processing is necessary to protect the vital interests of the data subject or another person.

Practical Example: If a visitor to your office collapses and is unconscious, you might disclose their medical allergies (if known) to the paramedics. You don't need to wake them up to get consent because their life (vital interest) is at risk.

Constraint: You generally cannot use this for large-scale data processing or health data unless it is truly a medical emergency.

5. Legitimate Interests

When to use it: This is the most flexible basis, often used for business activities like fraud prevention, network security, or direct marketing. However, it requires a careful "Balancing Test".

The Rule: Processing is necessary for your legitimate interests (or those of a third party), UNLESS those interests are overridden by the individual's fundamental rights and freedoms.

The "Balancing Test": You must weigh your benefit against the user's privacy:

Your side: "We need to process IP addresses to stop hackers attacking our website." (This is a strong legitimate interest).

Their side: "Does this hurt the user's privacy?" (Likely minimal impact).

Result: You can probably proceed.

Constraint: If the processing would be unexpected, cause harm, or if the individual is a child, their rights likely override your interests. You must document this assessment.

6. Public Interest / Official Authority

When to use it: This is primarily for public authorities (like schools, hospitals, police, or councils) performing their official duties.

The Rule: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you.

Practical Example: A local council collecting data to organise bin collection or a tax authority collecting income data.

Constraint: Private companies rarely use this unless they are contracted to carry out specific public tasks (e.g., a private utility company maintaining the water supply).

Download Detailed Guidance Here

The post Legal Basis for Processing appeared first on L2 Cyber Security Solutions Ltd..

Principles of the GDPR

Liam — Fri, 14 Apr 2023 14:37:37 +0000

The General Data Protection Regulation (GDPR) sets out the principles of the GDPR that organisations must follow when processing personal data.

Download Detailed Guidance Here

Principles of the GDPR

Here is a simplified guide to the 7 Core Principles of the GDPR (Article 5).

Think of these not just as codes, but as the "Golden Rules" for how you handle data. If you violate these principles, you are violating the GDPR, even if your security is technically perfect.

Lawfulness, Fairness, and Transparency

Your Obligation: You must be honest and open about what you are doing.

Lawful: You cannot process data just because you want to. You need a valid legal reason (like Consent or a Contract).

Fair: You shouldn't do things with data that people wouldn't expect or that could mislead them. You must give them control over their information.

Transparent: You can't hide in the shadows. You must provide clear, accessible information (usually a Privacy Notice) explaining exactly how you process their data.

Purpose Limitation

Your Obligation: Be specific about why you need the data and stick to that reason.

The Rule: You must collect data for "specified, explicit, and legitimate purposes".

No "Scope Creep": You cannot collect data for one reason (e.g., "to deliver a pizza") and then use it for a completely different reason later (e.g., "to sell their address to a gym"), unless you get fresh consent or have another clear legal reason.

Communication: You must tell the individual this purpose at the start.

Data Minimisation

Your Obligation: Collect only what you strictly need.

The Rule: Data must be adequate, relevant, and limited to what is necessary for your specific purpose.

Practical Step: If you don't need someone's date of birth to sell them a book, don't ask for it. Avoid hoarding "just in case" data.

Accuracy

Your Obligation: Keep the data correct and up to date.

The Rule: You must take reasonable steps to ensure data is not incorrect or misleading.

Correction: If you find out data is wrong, you must fix it or erase it without delay. You should also give individuals an easy way to update their own records.

Storage Limitation

Your Obligation: Don't keep data forever.

The Rule: You must not keep personal data for longer than you actually need it for your stated purpose.

Guidance: There may be a statutory requirement for a retention period (e.g. Revenue), or a supervisory body providing guidance. If neither exist, then set your own retention period and document the justification for it.

Retention Policy: You need a clear policy that says when you will delete data. When that time comes, you must securely erase or anonymise it.

Integrity and Confidentiality (Security)

Your Obligation: Keep the data safe.

The Rule: You must protect data against unauthorised access, accidental loss, destruction, or damage.

Measures: This isn't just about firewalls. It includes organisational measures like taking data backups, restricting access so only the staff who need to see the data can see it, amongst other things.

Accountability

Your Obligation: Prove it.

The Rule: It is not enough to just comply with these principles. You must be able to demonstrate that you comply.

Documentation: This requires you to have written policies, records of your processing activities, and internal procedures in place to show regulators that you take these rules seriously.

Download Detailed Guidance Here

The post Principles of the GDPR appeared first on L2 Cyber Security Solutions Ltd..

Rights of an Individual

Liam — Fri, 14 Apr 2023 13:46:30 +0000

The General Data Protection Regulation (GDPR) provides strong rights of an individual, whose personal data is being processed by organisations.

Download Detailed Guidance Here

The Rights of an Individual

The right to be informed

Article 13 and Article 14.

Your Obligation: You must be completely transparent about how you use personal data. You cannot collect data in secret; you must provide "fair processing information," typically through a Privacy Notice.

What to include: You must detail your identity and contact info (and that of your DPO), why you are processing the data and the legal basis for doing so, how long you will keep it, and who else will receive it. You must also list the users' rights, including their right to withdraw consent or lodge a complaint.

Format: The information must be concise, transparent, intelligible, easily accessible, and free of charge. It must be written in clear, plain language—especially if addressed to a child.

Timing:

Direct Collection: If you got the data straight from the individual, give them this info at the time you collect it.
Indirect Collection: If you got the data from elsewhere, you must inform the individual within a reasonable period (maximum one month), or at the point you first communicate with them or share the data with someone else.

The table below summarises the information you should supply to individuals where the personal data has been obtained either directly from the data subject or by another means.

Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer.	The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
Any recipient or categories of recipients of the personal data.	Purpose of the processing and the legal basis for the processing.
The right to lodge a complaint with a supervisory authority.	The existence of each of data subject’s rights.
Retention period or criteria used to determine the retention period.	Details of transfers to a different country and what safeguards apply.
The right to withdraw consent at any time, where relevant.	The legitimate interests of the controller or third party, where applicable.

If the personal data was obtained directly from the data subject, then you should provide them with the above information at the time you get the personal data.

The next table summarises the information you should supply to individuals where the personal data has not been obtained directly from the data subject.

The source the personal data originates from and whether it came from publicly accessible sources.

Categories of personal data.

The right of access (Subject Access Requests)

Article 15.

Your Obligation: You must allow individuals to verify that their data is being processed lawfully. If asked, you must confirm you are processing their data and provide a copy of it.

Deadlines: You must respond without delay, and at the latest within one month.

Extension: You can extend this by two months if the request is complex or numerous, but you must notify the individual within the first month and explain why.

Fees: You generally cannot charge a fee.

Exception: You may charge a "reasonable fee" based on administrative costs only if the request is "manifestly unfounded or excessive" (e.g., repetitive) or for additional copies.

Verification: You must verify the identity of the requester using reasonable means before handing over data.

Suggested ways:

- Ask the individual to confirm details only they would know based on the data you already hold. Ask 2-3 specific questions:
  - "Please confirm the amount of your last transaction with us."
  - "What is the reference number on your most recent bill?"
  - "Please confirm the phone number we have on file for you."
- Require the user to log in to their secure account area to submit the request.
- If you must ask for photo ID, ask them to redact unnecessary information – e.g. “Please send a photo of your driving licence, but please black out your licence number and date of birth. We only need to see your name and photo”

Format: If the request is made electronically, you should provide the data in a commonly used electronic format.

The right to rectification

Article 16.

Your Obligation: You must correct inaccurate or incomplete personal data upon request.

Third Parties: If you have shared this data with other organisations, you must inform them of the correction if possible.

Deadlines: You have one month to comply. This can be extended by two months for complex requests, provided you notify the individual.

Refusal: If you decide not to take action, you must explain why and inform the individual of their right to complain to a supervisory authority.

The right to erasure ("Right to be Forgotten")

Article 17.

Your Obligation: You must delete personal data when there is no compelling reason to keep it. BUT this is not an absolute right. You are quite likely to refuse this one, as its scope is quite narrow.

When to delete: You must act if:

consent is withdrawn
the data is no longer needed for its original purpose
it was processed unlawfully
if there is a legal obligation to delete it

Special attention is required for data collected from children online.

Public Data: If you have made the data public (e.g., on a website), you must take reasonable steps to inform other controllers processing that data to erase links to or copies of it.

Exceptions: You can refuse deletion if the processing is necessary for freedom of expression, public health, contractual, legal obligations, or the defence of legal claims.

The right to restrict processing

Article 18.

Your Obligation: In specific circumstances, you must stop using the data but keep it stored. You can retain just enough info to ensure the restriction is respected in the future.

When to restrict: You must apply this if an individual contests the accuracy of data (while you verify it), if they object to processing (while you verify your legitimate grounds), or if the processing is unlawful but the individual prefers restriction over deletion.

Notification: You must inform any third parties you shared the data with about the restriction. You must also tell the individual before you lift the restriction.

The right to data portability

Article 20.

Your Obligation: You must allow individuals to obtain and reuse their data across different services by providing it in a format that allows easy transfer.

Format: Provide the data in a structured, commonly used, and machine-readable form (e.g., CSV files) so software can extract the data.

Scope: This applies only to data the individual provided to you, processed by automated means, based on consent or a contract.

Direct Transfer: If the individual asks and it is technically feasible, you should transfer the data directly to another organisation.

The right to object

Article 21.

Your Obligation: You must respect an individual's right to say "no" to processing in certain cases.

Direct Marketing: If an individual objects to direct marketing, you must stop immediately. There are no exemptions or grounds to refuse.

Legitimate Interests/Public Task: If they object to processing based on these grounds, you must stop unless you can demonstrate "compelling legitimate grounds" that override their rights, or if it is for legal claims.

Communication: You must explicitly bring this right to their attention at the point of first communication and in your privacy notice, keeping it separate from other information.

Rights in relation to automated decision making and profiling

Article 22.

Your Obligation: You must provide safeguards against potentially damaging decisions made solely by computers without human intervention.

The Right: Individuals can refuse to be subject to automated decisions that have legal or significant effects on them.

Safeguards: If you use automated decision-making, you must allow the individual to obtain human intervention, express their point of view, and obtain an explanation of the decision so they can challenge it.

Profiling: If you use profiling (analysing personal aspects like performance, health, or location), you must be transparent about the logic involved and the significance of the consequences. You must use appropriate mathematical procedures and secure the data to prevent errors or discrimination.

Download Detailed Guidance Here

The post Rights of an Individual appeared first on L2 Cyber Security Solutions Ltd..

#WeekendWisdom 085 Vaccination Status Data Protection Concerns

Liam — Fri, 02 Jul 2021 01:15:24 +0000

Welcome to #WeekendWisdom number 85. This week we’re going to talk about vaccination status data protection concerns.

https://www.l2cybersecurity.com/wp-content/uploads/2021/07/WeekendWisdom-085-lo.mp4

What is so important about somebody’s vaccination status?

As the vaccination program continues to roll out across the country for the COVID-19 virus, people are getting vaccines on a wide scale.

Now I just want to make sure that everybody is aware that somebody’s vaccination status is actually medical information and as such is classified as a special category data and so it needs to be protected.

Who has Vaccination Status Data Protection Concerns?

The Data Protection Commission issued some guidance recently, which is available here. In that they reiterated that except in very limited circumstances, employers are not allowed to ask employees or capture or store information relating to their employees’ vaccination status.

Why is that the case?

That is because there is no current public health advice stating that there is a good purpose for doing so. This is the crucial thing, that it has to be public health advice that has to give a good reason otherwise there is no actually legal basis for capturing and storing somebody’s vaccination status.

Is there a wider concern here?

That guidance was applicable to employers and employees but as the country opens up and there is all this talk about people showing their vaccination status to get into pubs and restaurants and things like that. I think that there will continue to be this limitation. Unless public health authorities come out and say otherwise, pubs, restaurants, hotels, anywhere that people can gather, I don’t believe that capturing somebody’s vaccination status will be permitted.

So watch out for any updates from public health authorities only and not from the likes of the restaurants association, the vintners, hotels federation, etc.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 085 Vaccination Status Data Protection Concerns appeared first on L2 Cyber Security Solutions Ltd..

#WeekendWisdom 081 Smartphone Messages and GDPR

Liam — Fri, 04 Jun 2021 01:15:49 +0000

Welcome to #WeekendWisdom number 81. This week we’re going to talk about Smartphone Messages and GDPR.

https://www.l2cybersecurity.com/wp-content/uploads/2021/06/WeekendWisdom-081-lo.mp4

This sounds data protectiony

This is a rare data protection post by me. I was reminded this week of a rare enough situation which most my clients don’t ever come across this before.

One of them received a subject access request from somebody whose personal data they were processing. Now the scope of this access request was the person wanted access to copies of emails and messages – text messages, WhatsApp messages – that were relating to them. My client called me up and asked

“Are they entitled to get access to our messages on our phones?”

Smartphone Messsages and GDPR … Really?

I explained to them a message on WhatsApp or on a text message is kinda just like an email. It’s the record of somebody’s personal data. If they’re included in there somehow, someway their personal data is there. That would be a valid scope for a subject access request.

So, Yes text messages would form part of a subject access request and therefore the individuals are entitled to get a copy of them.

What should you do about this

So keep that in mind when you’re building your data protection policies or your reviewing them, to make sure you might have already covered off dealing with email but also make sure you cover off things like WhatsApp messages and text messages as well because they’re also in scope.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 081 Smartphone Messages and GDPR appeared first on L2 Cyber Security Solutions Ltd..

#WeekendWisdom 038 Shadow IT

Liam — Thu, 23 Jul 2020 23:05:38 +0000

Welcome to #WeekendWisdom number 38. This week we’re going to talk about shadow IT.

https://www.l2cybersecurity.com/wp-content/uploads/2020/07/WeekendWisdom-038-lo.mp4

What is shadow IT?

It’s basically where staff or volunteers or contractors in an organisation use a technology that the organisation has no control over. No sight of and is unaware of. Here are three examples:

Used for risky Internet access

One would be where staff might use their mobile phones as an internet hotspot to be able to access the internet unrestricted, through their phone rather than through maybe a tightly controlled firewall on their local network. The risk here is that they may be able to access sites that may bring malware into the network and effectively they’re bridging the insecure internet to your local network.

USB memory sticks – burn them with fire

There’s always the risks as well associated with the use of USB memory sticks, that people are picking up at conferences and things like that. With no idea where they’re coming from. What’s on them. So there’s always been a risk around those.

Cloud Storage – it’s only as secure as you can make it

Finally if Staff were to use personal cloud storage services like a Dropbox or a Google drive or an Amazon S3 bucket, the organisation if they are unaware that, they don’t know how well secured those platforms are. They don’t know whether the data could be potentially breached from those cloud storage services. So there is a risk there.

What’s the real problem that Shadow IT creates?

And with all these technologies, the main risk here is in fact that they’re probably going to give you a breach of the GDPR in that you’re not in control of your IT security.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We can conduct an audit on your infrastructure and look for signs of Shadow IT. When we find it, we can provide guidance on how to remediate it to everyone’s satisfaction.

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 038 Shadow IT appeared first on L2 Cyber Security Solutions Ltd..

#WeekendWisdom 034 Ransomware Case Study

Liam — Thu, 25 Jun 2020 23:15:33 +0000

Welcome to #WeekendWisdom number 34. This week we’re going to talk about a ransomware case study.

https://www.l2cybersecurity.com/wp-content/uploads/2020/06/WeekendWisdom-034-lo.mp4

Where did this ransomware case study come from?

Earlier this week the data protection commission issued a report on the first two years of the GDPR and their regulatory activity within it.

It is quite an interesting report for privacy professionals and I read through it with a great deal of interest. And I came across a case study about a ransomware incident that a sports and leisure company had suffered. It was interesting in that data protection commission had gone back to the company after being told about the breach and they asked for quite a detailed list of items from that company. You can see this list here.

What did the Data Protection Commission want to know?

So you can see that they wanted to know:

The chronology of the events that led up to the incident.
They wanted a description of the hardware and software that the company used.
What was the source and the attack vector of that ransomware
What was the variant
Was there some audit logs
What was the demand notice for the ransomware
Very important of course, whether there were backups available to recover from and
finally what types of measures that company have put in place to try and prevent this from occurring in the first place

That seems like a lot for a ransomware incident.

That’s quite a detailed list of items and if you couldn’t answer those questions right now in your business, then you need some help. You need to have things like:

A data breach handling procedure
Need to have a asset registers for your hardware and software
Your security setup and
Your backups

All of these things you need to have those put in place in case this ever happens to you. So feel free to reach out if you need any assistance or advice on that.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training.

We can also provide assistance on implementing mitigation measures to help protect your business from #Ransomware.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 034 Ransomware Case Study appeared first on L2 Cyber Security Solutions Ltd..

#WeekendWisdom 030 Thermal Imaging Cameras

Liam — Fri, 29 May 2020 08:25:58 +0000

Welcome to #WeekendWisdom number 30. This week we’re going to talk about thermal imaging cameras.

https://www.l2cybersecurity.com/wp-content/uploads/2020/05/WeekendWisdom-030-lo.mp4

Earlier this week I co-hosted an online event where we talked about the “Return to work safely protocol” and data protection aspects in regards to that. If you want to watch it back go to YouTube and search for “breaking bad data protection practices”.

Now if anything I’m about to say here gives you cause for concern or questions, please feel free to contact me on info@L2CyberSecurity.com.

What’s wrong with Thermal Imaging Cameras?

So because thermal imaging cameras are actually processing health data, you need to carry out a data protection impact assessment. This must be done on the whole set up, BEFORE you consider installing it. You can get guidance on www.DataProtection.ie for doing a data protection impact assessment or DPIA.

Who can I screen?

You have the right to screen your employees. What you don’t have is the right to screen any member of the public or people who are not your employees. You just simply do not have that right.

What about visual and audible alerts?

Are you thinking about using any visual or audible alerts from the equipment? If so these must be placed in a very private location where there is only the subject being screened can be aware of these alerts.

Saving the data to the cloud is OK – yeah?

Do the cameras come with cloud storage capability? If so I’d be very reluctant to use it until you’re absolutely certain that the data is not taken outside of the EU.

I can get the clips emailed to my phone. That’s secure isn’t it?

And finally, you’re processing health data, it needs to be protected, so if the cameras have the capability of emailing video clips, don’t use them because email is not the most secure method for transmission of data.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 030 Thermal Imaging Cameras appeared first on L2 Cyber Security Solutions Ltd..

Practical GDPR for Small Business Training

Liam — Mon, 30 Mar 2020 22:56:45 +0000

Practical GDPR for Small Business/Charity Training

Download these details

Make an enquiry

L2 Cyber Security Solutions is delighted to be able to offer the following Practical Data Protection Training, in an online and in-person format.

Title: Practical GDPR for Small Business/Charity Training.

Learning objective:

The purpose of this programme is to equip the learner with the practical knowledge to implement policies and procedures in their organisation. They will also understand the requirements for record keeping.

Content of the Practical GDPR for Small Business/Charity Training:

There are three separate modules in this training:

1. Module 1 – The basic requirements

Quick question – do you need a Data Protection Officer (DPO)?
Interpreting the GDPR’s principles
Creating a simple Data Inventory
Establishing a Data Protection Policy

2. Module 2 – The crucial documentation

What needs to be included in a right-to-be-informed page
Producing procedures to handle an individual’s rights
Knowing the kind of records you need to keep

3. Module 3 – The stuff most people forget about

Understanding Data Processing Agreements
When it hits the fan – using a Data Breach handling procedure
Securing the business with an Information Security Policy

Duration:

Each Module is 60 minutes, including ample time for Questions and Answers

Audience:

Small Business Owners or Data Protection Administrators in small businesses and charities who need to put in place policies, procedures and records keeping for the GDPR in their organisation.

Delivery Format:

Online – Presentation, using Google Meet (or your own online platform of choice).
In-person – Interactive workshop over the selected duration.

Also Included:

A link to a softcopy of any slides will be provided during the session.
Link to additional free resources would be included too.
Certificates of attendance if required.

Pricing:

Please see our website for our current prices:

https://www.l2cybersecurity.com/prices/

Contact us:

info@L2CyberSecurity.com

Follow us on Social media:

Liam is available on LinkedIn, Mastodon and YouTube.

Follow L2 Cyber on LinkedIn.

The post Practical GDPR for Small Business Training appeared first on L2 Cyber Security Solutions Ltd..

#WeekendWisdom 010 Ransomware Breaches

Liam — Fri, 10 Jan 2020 16:20:29 +0000

Welcome to #WeekendWisdom number 10. This week we are talking about Ransomware Breaches.

https://www.l2cybersecurity.com/wp-content/uploads/2020/01/WeekendWisdom-010-lo.mp4

TravelEx ransomware breach

Over the last several weeks, there have been an increasing number of ransomware incidents occurring, all across the globe. Most concerning of recent times has been the TravelEx company in the UK. They are a currency exchange company. They were hit with a ransomware incident on New Year’s Eve and they have been down now for more than 10 days. They only advised in the last couple of days that it was ransomware that hit them. They are now processing transactions on pen and paper with calculators to do calculations.

The GDPR consideration

If you were processing personal data of EU residents and you get hit with ransomware incident, you have got a GDPR exposure because the data has been unlawfully altered. Now because you may not understand what the risk situation is to the individuals and because once you become aware of a data breach you must report it to the data protection authorities within 72 hours, if there is a risk to the rights and freedoms of the individuals, you would be well advised to report the ransomware incident to the data protection authorities. If you process some sensitive data on individuals, you would also need to be notifying them as well about the ransomware breach.

Does paying work?

Some say that people should pay to get their data back because it’s often cheaper than recovering the data and the systems themselves. That can be the case but again recently some of the decryptors that the ransomware creators have made haven’t been working properly and people have actually lost data even though they have paid for to get the data back. So that is significant risk that you really don’t want to take on board.

What if they leak your data?

Another concern is that, again a fairly recent development, is that the ransomware criminals are actually getting the data, they’re stealing the data downloading it from your systems before they scramble it, so then once your data is scrambled and they’re looking for the ransom if you say “I’m not going to pay the ransom”, they will say “OK, well if you don’t pay the ransom we’re going to leak the data onto the internet and let everybody see the data.” So you will have a significant problem there. So you really don’t want to get caught out with ransomware in the first place.

Backups, tested backups and offline backups

So the best protection against ransomware is always having good reliable tested and secure backups. You want to make sure you have tested the backups. This is really important that you test the backups quite frequently and nowadays my advice would be to test your backups at least monthly, no less than quarterly testing of the backups and restore the data. Use the cloud for an offsite copy of the data, the cloud is fine for that. But you do need to have an offline copy of your data, maybe on an external hard drive or some kind of mechanism that you can disconnect from your computer when the backup isn’t taking place. So if you get hit with ransomware and local data is corrupted and maybe even you’re cloud data could be corrupted, you have a local copy on a hard disk that you can recover from.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

www.L2CyberSecurity.com

www.twitter.com/L2Cyber

The post #WeekendWisdom 010 Ransomware Breaches appeared first on L2 Cyber Security Solutions Ltd..