G is for…

GDPR

The General Data Protection Regulation (GDPR) is an EU regulation which sets out the minimum requirements for Data Protection in the EU. It is a bit more stringent than the Data Protection Act, which is the current legislation in the UK. The UK has been heavily involved in its development, and it will come into force on 28th May 2018.

As an EU Regulation it immediately becomes law in every member country the day it comes out, and every member state will have to comply from that date.

For further advice and guidance, go to the ICO website and check out these 12 Steps to GDPR which you should be following right now.

Governance

It’s all well and good having lots of security controls in place, lots of shiny hardware and the latest software, but how do you know that what you have is effective and is being used by everyone?

That’s what Governance is for. It’s about the oversight of all security related activities to make sure that they are fit for purpose and delivering benefit. It’s normally done through regular reporting, reviews of metrics (i.e. data which demonstrates how effective controls are) and key performance indicators.

What does this mean in practice? Let me give you an example. Let’s assume that an organisation’s security policy states that all relevant critical patches from software vendors must be applied within 1 month of their release. A metric that might be used is to identify the number of machines which don’t have critical patches applied within 2 months, and for those machines to be inspected to find out why.
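To show what that metric looks like when it is actually produced, here is an added example (not code from the original post) that calculates it from a small patch inventory. The patch IDs, hostnames and dates are constructed for the example; in practice the inventory would come from whatever patch management or asset system the organisation runs. It reports the machines that still lack a critical patch more than 2 months after release (the ones to inspect), notes patches that were applied but only after the deadline, and gives a compliance percentage that can go on a governance dashboard.

```python
from datetime import date, timedelta

# Policy from the post: critical patches within 1 month of release; the
# governance metric looks for machines still missing them after 2 months.
POLICY_DAYS = 30
METRIC_DAYS = 60

# Constructed sample: critical patch ID (hypothetical) -> vendor release date.
CRITICAL_PATCHES = {
    "PATCH-A": date(2017, 1, 10),
    "PATCH-B": date(2017, 2, 20),
    "PATCH-C": date(2017, 3, 25),
}

# Constructed inventory: hostname (hypothetical) -> {patch ID: date applied, or None}.
INVENTORY = {
    "web01": {"PATCH-A": date(2017, 1, 15), "PATCH-B": date(2017, 3, 1), "PATCH-C": date(2017, 3, 30)},
    "web02": {"PATCH-A": date(2017, 3, 20), "PATCH-B": None, "PATCH-C": None},
    "db01": {"PATCH-A": None, "PATCH-B": date(2017, 2, 25), "PATCH-C": None},
    "app01": {"PATCH-A": date(2017, 1, 12), "PATCH-B": date(2017, 2, 22), "PATCH-C": None},
}


def evaluate_host(host_patches, patches, as_of, window_days):
    """For every critical patch whose deadline has passed by the reporting
    date, record whether it is still 'missing' or was applied 'late'."""
    findings = {"missing": [], "late": []}
    for patch_id, released in sorted(patches.items()):
        deadline = released + timedelta(days=window_days)
        if as_of < deadline:
            continue  # still inside the window; nothing to report yet
        applied = host_patches.get(patch_id)
        if applied is None:
            findings["missing"].append(patch_id)
        elif applied > deadline:
            findings["late"].append(patch_id)
    return findings


def patch_compliance_report(inventory, patches, as_of, window_days=METRIC_DAYS):
    """Build the governance metric: which machines need inspecting, and what
    percentage of the estate is within the patching window as of a date."""
    findings = {host: evaluate_host(p, patches, as_of, window_days)
                for host, p in inventory.items()}
    to_inspect = sorted(host for host, f in findings.items() if f["missing"])
    if inventory:
        compliance_pct = 100.0 * (len(inventory) - len(to_inspect)) / len(inventory)
    else:
        compliance_pct = 100.0  # empty estate: nothing can be out of policy
    return {
        "as_of": as_of.isoformat(),
        "window_days": window_days,
        "machines_to_inspect": to_inspect,
        "compliance_pct": compliance_pct,
        "findings": findings,
    }


if __name__ == "__main__":
    report = patch_compliance_report(INVENTORY, CRITICAL_PATCHES, date(2017, 4, 30))
    print(f"Report as of {report['as_of']} ({report['window_days']}-day window)")
    print(f"Compliance: {report['compliance_pct']:.1f}%")
    for host in report["machines_to_inspect"]:
        print(f"  inspect {host}: missing {report['findings'][host]['missing']}")
```

With the constructed data and a reporting date of 30 April 2017, PATCH-C is not yet 2 months old so it is ignored, web02 and db01 are the machines to inspect (50% compliance), and web02 also shows PATCH-A as applied late. Keeping "late" separate from "missing" matters for governance: a patch applied on day 45 is a policy breach worth a conversation, but it is not a machine that still needs fixing.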

Grey Hat hacker

In an earlier post we talked about Black Hat hackers, who are effectively the bad guys, and we’ll talk about White Hats later this year (you’ve guessed it, they’re the good guys). Grey Hats fall somewhere in between. They see themselves as doing good, trying to help organisations, but technically they’re breaking the law.

It works something like this. A white hat hacker has written permission in advance before trying to test a system for vulnerabilities. A grey hat doesn’t have that permission, but tests systems anyway. When they find a vulnerability, they notify either the organisation or the company that makes the software in which they’ve found it, often in the hope that they’ll get some kind of reward. It has been known for them to be arrested because they didn’t have that pre-authorisation to carry out their tests.

Episode 3 – The Cloud

A while back I posted on here about The Cloud and some of the security concerns associated with it. I’ve just published a podcast covering the same topic which I hope will help bring some of it to life for you.

EasyCyber Episode 3

If you like the podcast, why not subscribe to my YouTube channel so you can get new releases as they come out. Also, please do let me have any questions / comments. For example, are there any topics I haven’t covered yet which you would like more information on?

Changes to Data Protection laws

I’m sure that many of you will have heard of the Data Protection Act (DPA), which is used to help protect an individual’s personal data. You’ll also probably have heard mutterings about GDPR and Brexit, and how one is affected by the other, but you may not be too clear what this means in terms of the DPA. I’m going to try to explain it for you here. I apologise in advance because there will be more acronyms than I normally use, but hopefully you’ll see why!

First, let’s start with DPA. This law sets out 8 Principles which dictate how personal data must be treated, and what people can do with that data if they’ve been given permission to use it. A company must tell you how it’s going to handle your data and what it will use it for, and if it wants to change that use it must request your permission: this is all usually held in their Terms and Conditions, which is why you should always read them. The principles are summarised below.


The regulator, i.e. the organisation you go to if there’s been a breach, is the Information Commissioner’s Office, or ICO.

The General Data Protection Regulation (GDPR) is an EU regulation which sets out the minimum requirements for Data Protection in the EU, and is a bit more stringent than the DPA. The UK has been heavily involved in its development, and it will come into force on 28th May 2018. As an EU Regulation it immediately becomes law in every member country the day it comes out, and every member state will have to comply from that date.

How does this affect Brexit? Well, that will take up to 2 years to implement following invocation of Article 50. That means Brexit is highly unlikely to have occurred by 28th May 2018, which means that GDPR will become a legal requirement in the UK on that date, so companies will have to comply with it. Whatever happens once the UK leaves the EU, it stands to reason that UK companies wishing to do business with the EU will have to continue to comply, and I’d suggest therefore that the UK will not implement anything weaker than GDPR as a replacement for the DPA.

For further advice and guidance, go to the ICO website and check out these 12 Steps to GDPR which you should be following right now.