ICO launches data protection excellence award

The Information Commissioner’s Office (ICO) is marking Data Protection Day 2018 by launching an award to recognise excellence in the field of information rights.

The 12th annual Data Protection Day, Sunday 28 January, has particular significance this year, with the EU’s General Data Protection Regulation (GDPR) compliance deadline and the scheduled introduction of new UK data protection legislation in May.

To celebrate, the ICO is introducing the ICO Practitioner Award for Excellence in Data Protection to recognise practitioners who go above and beyond when it comes to data protection.

Information commissioner Elizabeth Denham said Data Protection Day was the perfect time to launch this award for practitioners who have made a real difference to how their organisations approach data protection. Nominations for the award are open until 28 February 2018.

“As we approach the GDPR and new UK law taking effect, it has been clear there are many success stories out there when it comes to individuals embedding a positive data protection culture in their organisation,” she said. “I look forward to announcing the winner at our annual Data Protection Practitioners’ Conference on 9 April.”

The ICO said the main contenders will be individuals who have shown inspiring data protection practice and leadership, particularly in the areas of accountability and privacy by design, and have made good use of the resources available from the ICO to help organisations live up to their obligations and inspire public trust and confidence in how they handle personal information.

Resources on the ICO’s website include its Guide to the GDPR, GDPR myth-busting blog posts, GDPR FAQs, and a 12-step guide.

According to the latest research from Forrester, UK consumers are most guarded with their data and most informed about their data privacy. Some 58% of UK adults are aware that companies buy and sell information about their household. 

The research also found that UK consumers cannot wait to start using their GDPR-empowered privacy rights, with the ICO receiving a 12% increase in data protection concerns from UK customers. 

German consumers are also highly aware of their data privacy, with 58% likely to cancel a transaction if they see something they do not like in a privacy policy.  Conversely, 43% of Italian and 44% of Spanish consumers are willing to share their data freely with companies and take few precautions for protecting personal information, Forrester found.  

Forrester also analysed the lessons learned from the world's most high-profile privacy and security incidents and found that businesses need to focus on the impact of a breach and how breaches can be avoided in future, rather than focus on the figures and fines.

To mark Data Protection Day, Panda Security compiled some of the top changes businesses need to understand about the GDPR:  

• Scope of the regulation: GDPR affects all organisations that store EU citizen data, even if they do not have a physical presence in Europe.
• Obtaining explicit consent: If organisations choose to base their gathering and processing of personal data on consent, they have an obligation to obtain explicit and active consent from the individual following a fully transparent explanation of how the data will be treated (processing, storage or use of data).
• Right of access: All citizens will have the right to obtain confirmation of whether or not a company is using their personal data. If so, they have the right to access this data and the organisation will be required to provide a copy, as well as explain the purposes of the data processing, the criteria used, and the timeframe of its storage.
• Right to be forgotten: Allows the user to request the erasure of their personal data for various reasons – for example, if the data is no longer necessary for the purpose for which it was collected, if the consent has been withdrawn, or if the data was obtained in an illegal way.

Security firm Delphix is marking Data Protection Day with five tips on how best to secure sensitive data in the face of the GDPR:

• Start learning about DataOps: Companies should be investigating the idea of DataOps, which assigns dedicated people and tools to manage and secure data across an organisation. DataOps enables data operators to know exactly what data is where, to be able to secure (mask) data that is sensitive, and to ensure that data consumers still have access to the data they require, when they need it.
• Govern data access: DataOps and dynamic data platforms enable you to centrally control all non-production copies of your data and mask data at the same time. Data operators can manage who has access to what data, for how long, and when. Data consumers can access and use data independently, while administrators retain full control over masking, privileges and physical resources.
• Treat all data equally: Most security teams focus on the protection of data in a production environment, but the same budgets and security are often not afforded to non-production copies of data that are used in test, reporting, training and analytic systems. The danger is that non-production data represents about 80% of an organisation’s total data and its most vulnerable attack surface. By treating non-production data as you would production data, you can mandate policies that reduce the risk of data breaches in all environments – production and non-production.
• Use technology short cuts: The deadline for compliance with GDPR is 25 May, and you will never protect all your sensitive data in time by doing things the same way you always have. Modern data masking solutions have database profiling tools that scan tables and fields to detect confidential information, such as email addresses, credit card numbers or patient records. Some even recommend masking algorithms, which dramatically reduces the time it takes to build and enforce data masking.
• Stop reinventing the wheel: Define security policies once rather in siloes or at the project level and, if possible, apply them everywhere. Set enterprise security policies to ensure  the right data is protected using the right controls and masking algorithms. Policies must then be applied consistently, regardless of the data source, to support compliance with regulations such as HIPAA and GDPR.

“Data privacy has become a basic human right,” said Jes Breslaw, director of strategy for Europe at Delphix. “With data breaches on the rise and tough new legislation such as the EU’s impending GDPR on the horizon, data protection needs to be the number one mandate for companies today.

“Too often, companies have to balance data protection risks with the pressure to move fast. GDPR tips the scales towards data privacy, which means global businesses have to rethink how they provide secure access to data throughout their organisation.”

Privacy technology firm NordVPN is marking Data Protection Day by issuing a reminder about simple online privacy rules that each user should follow to stay safe and secure:

• Always update the software: Software manufacturers constantly find new bugs and fix them with each new update, but users need to keep their systems up to date. Bugged software might cause data leaks, putting users’ privacy at risk.
• Be cautious about what you share on social media: Have in mind that what you post online, stays online. If you are going on holiday, it is wiser to post vacation photos after you come back – otherwise, thieves might know your house is empty. Also, do not share any personal details, addresses or phone numbers.
• Switch to an encrypted email provider: This will ensure that no one, including the provider, can decrypt and read subscribers’ emails.
• Use strong passwords and a password manager: Perhaps the most basic requirement for any online account setup is using strong passwords and choosing different passwords for different accounts. Weak passwords make it simple for hackers to break into an account. It is recommended to use a password manager for safety and security.
• Turn on multi-factor authentication: Multi-factor authentication is a security system that requires a user to log in with their username and password and then take the second step of authentication: either through a fingerprint scan or by sending a code via text. Most sites, including email providers, already offer multi-factor authentication as an option.
• Use a VPN: A virtual private network (VPN) encrypts all traffic between a user’s computer and a VPN server, adding privacy and security to their internet browsing experience. The only information visible to anyone in between the user’s computer and VPN server is the fact they are connected to VPN – and nothing else. All other information is private as it is encrypted by the VPN’s security protocol.

Marty Kamden, CMO of NordVPN, said every day should be data protection day. “There are simple things that are easy to maintain every day in order to avoid major hacks, system crashes, data loss and various snoopers,” he said.

Jon Geater, CTO at Thales eSecurity, said organisations everywhere are digitally transforming their business, whether moving to the cloud or embracing the internet of things.

“While this represents a wealth of opportunities for increasing efficiency and innovation, it is also generating more data than ever and, in doing so, is making organisations bigger targets for hackers, cyber criminals and nation states for whom this data is immensely valuable,” he said.

“With 67% of global organisations having suffered a breach – 36% of those within the last year – data breaches are unfortunately now the new reality. Businesses need to do more to protect the privacy of their data.”

According to Geater, the only sure way to minimise the impact of a breach is by encrypting data because any data that is encrypted is unreadable if breached, and will be of no value.

“Once encrypted, whoever controls the encryption keys controls access to the data,” he said. “It is important, therefore, for organisations to protect these keys as if the life of their business depended on it, which, with data privacy regulations such as the EU GDPR just around the corner, it may well do.”