A run-through of data security legislation, a comparison of available management systems, and the impacts of data security on different organisation types, including how these will be affected in the new virtual world that is developing around us.
Presentation – Carl Kruger
Data Management – what does it encompass?
• Data accessible by those authorised to use it
• Data format pertinent to necessary usage
• Sufficient data clarity for optimising usage
• All relevant data available in both time frame and scope
• Data is secure, controlled and safe
• Data is unchanged, undamaged, complete, known location
Key Data Security Legislation
• General Data Protection Regulations (GDPR)
• Privacy and Electronic Communications Regulations (PECR)
GDPR is an EU Regulation – and thus became law in the UK when it was issued by the EU.
PECR is from an EU Directive and has been put into force via a UK Regulation of the same name.
Thus PECR is a UK specific version while GDPR is common for all EU states.
They will both be incorporated, more or less unchanged, into the latest version of the Data Protection Act in time for full Brexit attainment
• Operates on the premise that data about someone is private to that person – and thus should not be used or released without permission
• This results in a series of Consumer Rights that can be applied
• You may have to appoint a Data Protection Officer
• You will have to register with the ICO annually
• The GDPR is an EU Regulation – but which will, we are told, be fully embodied in UK law (a revised Data Protection Act) before year end.
How to manage information risks
• Undertake an Information Audit to link ‘data types’ with ‘associated risks’
• Identify risk mitigation options:
• changing how tasks are undertaken (Improve)
• passing responsibility to someone else (Defer)
• deciding to cease actions altogether (Avoid)
• determine that nothing can be changed (Accept)
• Draw up implementation plans to get low risk combined with viable operating processes. This forms part of the ‘data protection by design’ approach.
• Determine optimum operations using results of the implementation plans – to mitigate risk and then maintain at that level, or improve, thereafter.
What are ‘appropriate measures’?
• An appropriate measure takes into account the state of technological development and the cost of implementing the measure. Must include at least:
• “(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
• (b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
• (c) ensure the implementation of a security policy with respect to the processing of personal data.”
• These provisions are similar to security obligations in the GDPR, although PECR security obligations for service providers override the equivalent GDPR provisions.
• You should take measures in conjunction with the network provider.
• The ICO has the power to audit a service provider’s security measures.
• If you take appropriate measures but there is still a significant risk to the security of the service, you must inform subscribers of:
• the nature of the risk;
• any measures they can take to safeguard against it;
• the likely cost to them of taking those measures.
• You must provide this information free of charge, except for any nominal costs the subscriber may have in receiving or collecting the information (eg the cost of downloading an email). (ie as per GDPR)
Data Breach – what is the implication?
• Bankruptcy: faster than any fine.
• Customer loss: faster than your reactions.
• Drags business down: faster than any criminal
• Adverse impact: faster than any reaction by
• Slow to impossible to rebuild – even if you had
• NB Out of all proportion to the scale if the news gets out
• Data Protection Act (DPA) 1998 updated by DPA 2018 which also incorporates GDPR legislation https://en.wikipedia.org/wiki/Data_Protection_Act_2018
• PECR (Privacy and Electronic Communications (EC Directive) Regulation 2003)
• Recent post-Brexit UK adjustment to EU Privacy and Electronic Communications Regs (PECR) 2003, now require consent for all
• Information Commissioner’s Office (ICO) https://ico.org.uk/
• National Cyber Security Centre (NCSC) https://www.ncsc.gov.uk/
• Tools available from Secure Business Data
• 27k1 ISMS, Cyber Essentials, Cyber Essentials Plus, Consultants, Dark Web searches, GDPR Legal advice, Monitoring services, Penetration Testing etc
If you would like a copy of the slides from this event please email firstname.lastname@example.org