I’m not sure any information management blog would be complete without comment on the recent news.  There have been two stories  that caught my eye.  The first, I am sure, almost goes without saying and relates to the malware attack and importance of cyber security.   The second was less prominent although still relating to the on-line environment and looks at the right to be forgotten introduced by the General Data Protection Regulations (GDPR).

Make sure you have considered appropriate cyber security measures to protect personal data

Cyber security is a critical consideration for every organisation.

The Increasing Profile of Cyber Security

It is very unlikely that you have managed to escape the fact that there has been a ransomware attack on global scale affecting huge numbers of organisations.  IT security is often an area where costs are cut without a full awareness of risks associated with poor security.

Without proper arrangements in place, organisations may be in a situation where they have quite literally lost all of their information, records and documents.  For some this will almost certainly mean that they will have to stop operating or trading.  Even if organisations can continue operating, what is the real cost of losing financial, customer and operational records?  They are likely to be substantial and this is without considering risks to the organisation’s reputation.

Are You Managing Key Risks?

As with any loss of data, this may also be considered a data breach by the Information Commissioner, regardless of whether access has been compromised.  Under data protection legislation organisations must take appropriate technical and security measures to keep personal data secure (Principle 7 under the Data Protection Act 1998).

There is already a huge amount of guidance and advice that has been issued from a number of reputable sources, one of which is the NCSC.  Just to reiterate, there are basic steps everyone can take to improve their information security and protect themselves against on-line threats:

  1. Keep all of your software up to date, particularly operating systems. Your network can be compromised in a number of ways, it is not limited to e-mail.
  2. Ensure you have a comprehensive anti-malware software and other appropriate on-line protection.
  3. Make sure you have a reliable back up of all your critical business information. This should be separate from your main systems.  You should also test your back up regularly.
  4. Train your staff and others using equipment on your systems or with access to your network. Basic training about the importance of information security is essential.
Right to erasure

Every organisation will need to comply with the right to be forgotten under the GDPR.

The Right to be Forgotten

The increasing cyber security risks wasn’t the only story to catch my eye recently.  I read with interest that one of the political parties issued an election pledge to pass legislation that enables people to remove their records from social media.   The records would need to relate to a time before they were 18 years old.  While I am not going to get into legal technicalities in this blog, it would seem that they may not be aware of the General Data Protection Regulation (GDPR).

The GDPR provides a right to erasure, or the “right to be forgotten” (Article 17).  It has been designed to tackle people’s lack of control of their own information in the on-line environment.  It will, however, apply to all personal data and not just information published on-line.  The GDPR has no restrictions on who can make a request and the right applies to everyone, not just those who are under 18.

You should check your systems will allow your organisation to comply with the right to be forgotten.  With cloud-based computing and the ability to restore back ups, it may not be straightforward.  The GDPR also introduces significantly enhanced protection for personal data that relates to children.  Anyone processing the personal data of children should check the new legal requirements as a priority.

One pro-party article I read said that the party will introduce a new data protection act to tackle these issues.  Good news!  No need, the job is already done!

Tkm can help with your preparations for the GDPR.  To discuss your requirements for data protection consultancy and training, please contact us.