Blog and Information

Why risk management is good for business

15 May 2019

All businesses are striving to achieve their goals and along the way there will always be obstacles that slows the process down, there could also be new opportunities that are worth exploring. 

It is in the business' interest that goals are achieved within set timelines, to budget and to specification.  This is were effective risk management comes in. By planning ahead and anticipating what must go right and what might go wrong, the business can prepare and put suitable controls in place. In essence "Plan for the worst and hope for the best". The business will then be prepared and in a position to deal with disturbance, surprise and change .

Effective risk management mean having a system in place that takes a holistic approach to the business, or the project, that will work to identify the risk and finding ways of reducing either the likelihood or the impact of the risk, or both. 

In the UK there is a requirement for PLCs to have formal risk management and in the European financial services sector there is legislation for insurance companies, banks and investment firms to have risk management in place. But this does not mean that risk management is only for large organisations or for financial services - it makes business sense for any size business to effectively manage risk.

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

Some organisations need to have a Data Protection Officer 

15 April 2019

Do you know if you need a DPO? When the GDPR came into effect as well as the UK Data Protection Act 2018 in May 2018 there were new criteria on what organisations need to have a data protection officer.

In the UK, organisations such as GP practices, dental practices, opticians and pharmacies fall under the definition of "public authority" if they carry out NHS work, and are therefore required to to have a data protection officer.  There are other organisations that need to appoint one too. 

Under the GDPR you need to appoint a DPO if any of the following apply:

• you are a public authority or body (except for courts acting in their judicial capacity);

• your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or

• your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

Even if you are not required to have a DPO it is still recommended to have one, as it will facilitate your commitment to data protection and is a point of contact between your organisation and the data protection authority. The person who takes on the role should be appointed basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.

To find out more on what a DPO does and who can be a DPO in your organisation, check out our page on how be a DPO: https://sites.google.com/kantarell-limited.com/home/gdpr-help/how-to-be-a-dpo

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

Major flaws in pharmacies and opticians privacy policies 

31st March 2019

We carried out a survey amongst 157 pharmacies and 100 opticians across the UK, where we visited their websites to see how well their privacy policy reflects the ICO recommendations. 

Of the pharmacies 45%, had major flaws or no privacy policy to be found at all, even in instances where personal data was clearly collected by contact forms or on-line shopping facilities. For opticians 60% had major flaws in their privacy policies and did not fulfill the required criteria.

There were many privacy notices that were referencing the Data Protection Act 1998, which has now been superseded by the 2018 Act. Referring to an obsolete regulation does not help in building trust with clients.

The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. The GDPR includes a detailed list of information that must be provided in a privacy notice. 

If personal data is collected, it is very clear in the regulation exactly what information the data controller must provide at the time of collection of personal data. Therefore, if there is a contact form, or shop available on the website, a GDPR compliant privacy statement must be easily accessible on the website.

We came across numerous privacy policies where many of the compulsory details were missing. In some cases it was clear that work had been done to update the privacy policy to reflect the requirements of the GDPR, but compulsory information had still been left out! For opticians in particular there seems to be a lack of understanding of what lawful basis' for processing the data are the most appropriate. 

It seems like using a web based privacy policy generator is quite popular but unfortunately the generated privacy statements are very difficult to understand and it is questionably if they would pass a test as of being presented in clear language. Remember, your privacy statement is unique to your operation and your circumstances, and a generic approach is not advisable.

Need help with your privacy policy? Contact Margareta

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

More than 59,000 data breaches reported in the EEA in 8 months

Date : 19th March 2019

According to a report published by law firm DLP Piper more than 59,000 data breaches were reported to European Data Protection regulators from 25th May 2018, when the GDPR went live, to the end of January 2019. 

The country with the highest number of reported breaches was the Netherlands with 15,400 followed by Germany with 12,600 and the UK with 10,600. Based on number of breaches per hundred thousand people, the Netherlands still tops the table with 89.9 breaches. UK falls as number 10 down the table with 16.3, just below Sweden (8th) and Malta (9th) at 24.9 and 22.3 respectively.

Following the introduction of GDPR there is a legal obligation to report data breaches to the regulator. Failure to report a breach, when required, can result in a  fine up to 10 million euros or 2 per cent of your global turnover. Turning a blind eye to data breaches can be a very high risk strategy. 

Data breach risk can be managed, and part of the controls required would be a data breach policy that is rolled out across the organisation. Staff and management training in breach reporting are also very important elements in the risk management process. 

Taking into account the amount of data transactions that a modern organisation carry out daily and the increased sophistication of fraudsters ways of compromising digital services, being faced with a data breach is a matter of when and not if. 

Need help with your data breach risk management? Contact Margareta

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

A personal data breach needs to be reported within 72 hours

Date : 20th February 2019

Do you know what to do in the event of a Data Protection Breach? Do you have a data breach policy and procedure in place? Under GDPR a personal data breach needs to be reported to the regulator within 72 hours of the business becoming aware of the breach. Those 72 hours include non-working hours and weekends, so you will not have very much time to make the initial assessment.

Immediate steps to take in the event of a breach:

• Assess the incident of what has happened.

• Obtain information about personal data affected:

  • Is personal data affected by the incident?

  • How many records and individuals are affected?

  • What is the nature of the data and what adverse effect might the breach have on the individuals concerned

• Assess if the incident needs to be reported:

  • Does the incident need to be reported to the regulator?

  • Do the individuals concerned need to be informed?

  • Who in your organisation is the point of contact for the regulator?

• Gather information about the cause of the incident and what you have done to deal with the breach and what measures you have taken to mitigate any adverse effects.

In their report Cyber Security Breach Survey 2018 the UK Department for Digital, Culture, Media and Sport reported that 43% of businesses surveyed had experienced a cyber security breach or attack during the twelve months prior to the date of the survey (Contains public sector information licensed under the Open Government Licence v3.0.). 

It is highly likely that you will experience a cyber security breach and it is essential that you have a process in place to establish if personal data is involved in the breach, if the breach needs to be reported to the regulator, and whether the individuals concerned need to be informed.

Need help with your data breach policy? Contact Margareta

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

10 steps to cyber security - the starting point for SMEs and micro businesses

Date : 11th February 2019

All businesses large and small have got valuable data. Customer lists, business plans, budgets and meeting notes could be of extremely high value should they fall into the the wrong hands. Not only that, but if a small business was not able to access their data for several days or weeks it could have dire consequences to the business results. If that data is personal data, it could also be a reportable data breach under the Data Protection Act 2018.

In the UK the National Cyber Security Centre (NCSC) are recommending all business to at least follow their 10 steps to cyber security to provide basic protection and preparation:

• Risk Management Regime

• Secure configuration

• Network Security

• Managing User Privileges

• User Education and Awareness

• Incident Management

• Malware Prevention

• Monitoring

• Removable Media Controls 

• Home and Mobile Working

For practical implementation of these steps into your business contact: 

Mark D'Mello, Director

mark@kantarell-limited.com

WhatsApp, Message & Call +44 7775 900 333

No-deal Brexit and your GDPR Responsibilities

Date : 11th January 2019

What you should be doing right now - There is currently uncertainty around Brexit and we recommend organisations to prepare for a no-deal Brexit with regards to data protection. If there is a no-deal Brexit, the UK will be considered a 3rd country from an EU/EEA perspective and and although the UK Government has already made clear its intention to permit data to flow from the UK to EEA countries, transfers of personal information from the EEA to the UK will be affected.

In order to transmit personal information between the UK and the EEA there needs to be evidence of adequate protection. It is possible that the EU makes a formal adequacy decision that the UK regime offers an adequate level of protection, then there will be no need for specific safeguards (other than complying with the GDPR). However, on exit date there may not be such a decision in place and therefore you need to plan to implement adequate safeguards. You may want to consider putting standard contractual clauses (SCCs) in place if you are receiving data from the EEA. 

6 steps you should be taking now:

• Continue to comply with the GDPR;

• Review data transfers from the UK to the EU/EEA;

• Review data transfers from the EU/EEA to the UK;

• If you operate across Europe you will need to assess your structure and data information flow;

• Review your documentation and identify any updates that will need to be made once the UK leaves the EU;

• Make sure everyone in the organisation is aware of these key issues and that there is a plan in place.

Kantarell can give you guidance and help you plan ahead to make sure you can continue to receive data from the EEA even in the event of a no-deal Brexit.

For more information contact Margareta

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

Happy New Year for 2019!

Date : 4th January 2019

Top risks for 2019 - Cybersecurity should be a standing agenda item for every company board and the board needs to start asking the right questions and setting up cybersecurity objectives. A  recent study conducted by the Chartered Institute of Auditors amongst businesses across Europe found that cybersecurity continues to top the list of most significant risk companies face in 2019.  With the increased responsibilities under GDPR  for protecting personal data and reporting by outsourced data processors, it is imperative to ensure that any third party processors operate at least the same standard as the data controller including basics such as password management.

ICO activities -  Make sure you make a note of when your data protection registration renewal is due and pay the fee promptly. The UK data protection regulator has grown in size and has now got over 500 employees, so they are better placed in taking a more proactive role in monitoring data protection compliance. During the autumn of 2018 the ICO issued the first fines to organisations who had failed to pay the data protection fee. Organisations within childcare and health to construction and finance where the first to be targeted, followed by care homes.

Remember, all organisations, companies and sole traders that process personal data must pay an annual fee to the ICO unless they are exempt. 

Important Actions for 2019 - An annual GDPR compliance assessment as well as the annual policy review need to be carried out and will serve as an excellent way to demonstrate compliance. 2018 was very much about getting ready for the GDPR, learning what's new and starting the process of implementing policies and new procedures across the organisation. In 2019 it is important to ensure continuous policy compliance, identify and report breaches and know when breaches need to be reported to the ICO. Everyone in the organisation should be responsible for data protection so regular staff training is essential in embedding cyber and data security thinking.  

For more information contact Margareta

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

ICO issues fines to organisations who have not paid the data protection fee

Date : 3rd December 2018

Do you need to register with the ICO? Failure to do so can result in a fine!

In the UK, the Data Protection Regulations 2018 requires every organisation that processes personal information to pay a fee to the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so will result in a fixed penalty.

During the last two years the ICO has grown and have now got the ability to act more proactively. As a matter of fact, in late November 2018 they reported that they had recently issued their first fines to organisations across the construction, finance and business services sectors who haven't paid the data protection fee and that further fines are set to follow. 

Whether you are exempt from registering and paying a fee or not you still need to comply with your other data protection obligations.

Want to ask a question?  Contact Margareta

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

Who is responsible for Cybersecurity?

Date : 15th October 2018

Who in your organisation is responsible for cybersecurity? Is it your managing director? Perhaps the responsibility sits with your outsourced IT service provider? Or is it the board of directors?

The correct answer is You! And everybody else in your organisation. Everybody needs to be responsible for cybersecurity, even though the overall responsibility sits with the board of directors.

Because the responsibility cannot be separated from the day to day operations it is imperative that everybody in the organisation understands how to protect all business data and systems at all times. Cybersecurity jargon tends to be highly technical and not very easy to understand for a person with little or no formal training in the subject.   

For the board of directors to be able to understand what their IT department or IT service provider actually does, as well as what they need to do, the members of the board must have a good understanding of cybersecurity. They need to be able to ask the right questions and make sure that the business has the appropriate protection. 

There are surprisingly few IT service providers that actually promote cybersecurity. They are very good at plugging networks together and fixing log-in errors and helping to reset passwords. However, when it comes to cybersecurity they only act on instructions, so you will really need to know what to ask from them.

Everybody in the business who has access to a computer and systems need to understand how to detect a breach and how breaches are reported. They also need to understand what the threats are and how they can help to protect the business' data. The boards need to start asking the right questions and setting up cybersecurity objectives.

We provide cybersecurity training for non-IT people, easy to understand and we use everyday business language. We can train your board and your staff to help protect your business.

Want to ask a question?  Contact Mark

Mark D'Mello, Director

mark@kantarell-limited.com

WhatsApp, Message & Call +44 7775 900333

Requirement to demonstrate GDPR compliance - Accountability

Date : 10th September 2018

One of the fundamental principles in the General Data Protection Regulation, GDPR, is Accountability and an organisation's ability to demonstrate compliance.

It is not sufficient to just say "Yes, we comply." You also have to be able to answer the question "How?" and provide any supporting evidence that you do, what you say you do.

The regulation does not stipulate as to how to demonstrate compliance and what evidence is sufficient. However the guidance outlines the requirement of organisations to take a risk based approach, which means the greater the risk to the rights and freedoms of individuals, the more emphasis will need to be given to protection of the data and the ability to demonstrate how it is protected.

Written policies and procedures as well as documenting responsibilities and tasks will provide vital evidence, but the starting point will always be the ability to demonstrate that you understand your data and all your data processing activities. The risks associated with each data set can then be evaluated and documented before assessing how well the data needs protecting. For example a database of business contacts obtained from business cards at a trade fair, will most probably not require as much protection as a database of customers of a pharmacy or an optician. 

Some of the important questions to be able to answer when demonstrating your understanding of the data you are processing are: What personal data do we process? Where is is held? What are the risks to the rights and freedoms of individuals should the data come into the wrong hands? Who do we share the data with and why?

We have a well established efficient approach on how to demonstrate compliance. Would you like us to show you how?

Want to ask a question?  Contact Margareta

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

DPO requirement for public authorities

Date : 17th August 2018

Under the GDPR there is a requirement for public authorities to have a Data Protection Officer, DPO. In the UK service providers such as opticians, pharmacies and dentist that provide NHS services need to appoint a DPO. The question is why?

Having a DPO appointed should mean that patients,  customers, clients, can feel comfortable that their service provider have the necessary data protection expertise in their business and that appropriate processes to protect their data have been implemented. Therefore, just having a colleague or an external person named as a DPO does not fulfil the intended purpose.

A data protection officer needs to have expert knowledge of the data protection law to be able to provide guidance in identifying any gaps in data protection compliance and give advice and issue recommendations. Therefore, when appointing a DPO make sure that it is somebody with the necessary skill sets and data protection knowledge.

What data is it that individuals such as patients and customers are entrusting their pharmacy, optician, doctors surgery and dentist with? Apart from name, address and contact details they also trust their service provider with special categories of data outlining their health conditions. In addition, perhaps they have also provided their bank details for direct debits or credit card details. So, from a patient/client point of view they will want assurance that their personal data is safe with their pharmacy, optician, doctor and dentist. 

So, what needs to be done to ensure compliance with the requirements of GDPR? There are 12 major areas of compliance and over 120 relevant check points. For example: Documented justification as to why or why not you need a DPO; mechanisms in place to demonstrate compliance; staff training in data protection and breach notification; and the ability to demonstrate that you know your data and how it is protected throughout the data processing flow.

Need help with fulfilling the DPO role in your business?

Contact:

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

What can happen if we don’t protect our clients data

Date : 16th August 2018

Your clients provide you with your livelihood. If they stop trusting you they will leave you - there is plenty of competition out there both on the high street and online. 

Technology is moving so fast and with the increase of processing data electronically it is becoming more and more difficult to protect that data. On an almost daily basis we see the news headlines of yet another data breach. However, it is only the large breaches we hear about. The small ransomware attacks, staff accessing or stealing data they are not authorised to access and the odd lost prescription we don’t read about. With these threats being so close to us, it is essential that we make ongoing investments in data protection. This does not mean massive costly software systems or IT consultants. 

There are some very easy and cost effective ways of protecting the data and educating your staff. Let us show you how!

Want to ask a question?  Contact Margareta

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866

What it means to have a GDPR compliant Privacy Policy

Date : 15th August 2018

Having a policy in place means that you do what you say in the policy and the policy stipulates what you are required to do. Therefore it is not enough to just be given a “GDPR ready” privacy policy by an association or website provider, and then think that you are GDPR compliant. You actually need to understand what all the requirements are, and be able to demonstrate that you do what you say you do!

You must be able to deliver what you say in your Privacy Policy.

The purpose of the privacy policy is for your clients and visitors to your website to be assured that you have appropriate policies and procedures in place to protect their data. They are entitled to know what data you are obtaining from them, what you are going to do with their data and that it is protected throughout the data process flow whilst in your and your data processors care.

You can only produce a true Privacy Policy when you understand the personal data in your care and the full data flow. These are some of the questions you need to know the answers to: What data do you process? What is the purpose of the processing? Have you established the appropriate lawful basis for processing? Where is the data kept? Do you have paper records as well? If so, how are they protected? How do you make sure the data is secure? Who do you share the data with, and why? Do you have GDPR compliant processor agreements in place with all your data processors? 

Need help with your Privacy Policy?

Contact: 

Margareta Zaveri, Director

meta@kantarell-limited.com

WhatsApp, Message & Call +44 7852 175866