Blackmores ISO Consultancy Service: The creators of isology®

Cyber incidents are on the rise as data shows there was a 20% increase in data breaches from 2022 to 2023.

Technology has become an integral part of most businesses, especially post pandemic where many who may have avoided this reliance on tech had no choice but to adapt to survive.

As a result, the question of businesses being affected by a cyber incident has become ‘when’ rather than ‘if’.  However, there are a number of steps you can take to mitigate risks ahead of any potential incidents.  

We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks.

You’ll learn

• Who are Epiq?
• What is a cyber incident?
• The importance of being proactive in reducing the risk of an incident
• What can organisations do to be proactive in mitigating cyber incident risk?
• What are forensic tabletop exercises, and how do they enhance preparedness?
• Why might an organisation need to get an incident response retainer?
• What role do Information Governance consultants play in reducing cyber risk?

Resources

• Epiq
• Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Accoutn Director at Epiq, to discuss how to mitigate cyber incident risk.

[02:40] Who are Epiq?  – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.

[04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll where he was focused on data management – including overcoming ransomware infected devices and essentially allowing organisations to get access to data that was previously taken away from them.

Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director.

Jack’s role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best in class people and technology.

[06:40] What is a cyber incident?: A Cyber Incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation’s information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats.

Organisations looking to combat information security risks should consider ISO 27001, as it’s key principles include the confidentiality, integrity or availability of your businesses information.

[08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business?  – Let’s look at some startling statistics:

In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% of those businesses experienced attacks at least once a week.

48% of Small to Medium Businesses, globally, experienced a cyber incident in the last 12 months, with 61% of all cyber-attacks specifically targeting small business.

This is the most shocking of the statistics, and why it’s so important for us to be having these kinds of conversations around how business, no matter the size, need to be proactive in mitigating the impact of a cyber incident.

70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don’t).

Nearly 60% of businesses that are impacted by a cyber incident go out of business within 6 months following!

 [12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber Incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024:

January saw a rise in cyber incidents predominantly affecting retail, education and local government.

In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets.

All of this to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents are increasing as well as the severity of said incident.

[13:35] ISO Standard trends – At Blackmores, we’ve seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference to 10 years ago where it would mostly only be adopted by those in the managed services or tech based industries.   

[15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, engaging with law firms and consultancy organisations to become aware of the organisation’s requirements and compliance issues arising from a cyber incident.

If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of an incident or there can be fines that are implicated. To deal with these types of situations, it’s imperative that your organisation has established, sound relationships with law firms and consultants.

[17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures, and conducting exercises, organisations can significantly reduce the impact of incidents.

Organisations should be aware of both the legal and operational issues that arise from a cyber incident – from regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation are all key considerations that have an effect on the whole of a business.

[18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practicing their roles during an incident. These exercises improve coordination, communication, and decision-making, ensuring a more effective response when a real incident occurs.

The workflow here is clearly defined; implement an incident response plan, and then test that plan for robustness – engaging with external providers, like Epiq, to further add to the existing plan and to test how the organisation will manage an active incident.

[19:35] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub 

[21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 – business continuity.

In Blackmores’ experience, a lot of organisations don’t actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans are a requirement, it’s a bit of an eye opener when they realise they’re not as resilient as initially thought.

It’s always better to test these plans in a simulated environment vs a live one, so you can be assured that your plans are up to the task.

[23:40] Why might an organisation need to get an incident response retainer? – We’re starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements.  One, which keeps popping up, is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements.

[26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats, and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate.

[27:50] What role do Information Governance consultants play in reducing cyber risk? – : Information Governance (IG) consultants specialise in helping organisation define their Information Governance Strategy encompassing data security and defining compliance policies.. They support organisations in defining:

• Data Classification: Identifying Sensitive and PII data and categorising based on their confidentiality or regulatory requirements.
• Retention Policies: Defining policies on retention period of records and method of disposition aligned with compliance requirements.
• Legal Holds: Ensuring necessary data is preserved for potential litigation, internal investigation or as part of audit process.
• Privacy Compliance: Aligning with regulations such as  GDPR, DP, DPA, CCPA.

[33:30] What are Jack’s top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – : Unfortunately mitigating cyber risk isn’t a one-size-fits-all response, however I like seeing cyber risk as 3 buckets, that businesses should be aware of and measure their organisation against:

Technology & Infrastructure – outdated systems, unpatched software and not fit for purpose IT infrastructure pose risks.

These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions.

So, making sure that your technology and infrastructure is fit for purpose, and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which is a great, cost effective way of adding an additional layer of technology security.

Human Factor – for me, this is the number 1 frailty to a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases.

Over recent years, cybersecurity awareness has been the aim of the game. However it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees.

Ensuring that your people are aware of cyber incident (perhaps listening to this podcast), and their role in mitigating the risks associated to a cyber incident are crucial in ensuring that your business is secure.

Preparation – in just about all walks of life, preparation is key for preventing almost anything. We have spoken today about some of the key preparation themes I’m seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur.

If you’d like to learn more about Epiq and how they can help you, visit their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

There’s no escaping it, AI is here to stay. Over the course of 2023 we’ve seen more general and public use of popular AI tools such as ChatGPT and Gemini (previously Google Bard).

It’s now even being integrated into everyday applications such as Microsoft Word and Teams. There is no doubt that there are a lot of benefits to using AI, however, with new technology comes new risks.

So how do we address the growing concerns around AI development and use? That’s where the new Standard for AI Management Systems, ISO 42001 comes in!

Join Mel this week as she explains exactly what ISO 42001 is, who it’s applicable to, why it was created and how ISO 42001 can help businesses manage AI risks.

You’ll learn

• What ISO 42001 AI Management Systems is
• Who it’s applicable to
• Why it was created
• How ISO 42001 can help businesses manage AI risks

Resources

• Isologyhub
• ISO 42001 Webinar registration

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today we’re touching on a very topical subject – AI, and more specifically the brand new AI Management System Standard – IS0 42001. We’ll also be exploring who it’s applicable to, why it was created and how it can help businesses manage AI risks.

[03:30] What is AI? – AI – otherwise known as Artificial intelligence, as it’s most simplest description is the science of making machines think like humans.

We’ve seen a lot of AI tools be released to the public over the last year or so, tools such as ChatGPT and Google Bard. It’s already being integrated with some of the most commonly used apps and programs like Microsoft word and Teams.

In short, AI integration is here to stay, so we may as well get to grips with it and make sure we’re using it responsibly.

[05:10] What is ISO 42001? – , ISO 42001 is the first International Standard for Artificial Intelligence Management Systems, designed to help organisations implement, maintain, and improve AI management practices.

It was jointly published in December 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The emphasis of ISO 42001 is on integrating an AI Management System with an organisations existing management system – i.e. ISO 9001 or ISO 27001 compliant management systems.

Interestingly, a lot of the specific mentions of Artificial Intelligence and Machine Learning are within the Annexes rather than the body of the Standard. The Standard itself is very similar to ISO 27001 in that it’s mostly about what organisations should be doing to manage computer systems regardless of any AI components.

[08:00] The 4 Annexes of ISO 42001:

Annex A: This acts as a Management guide for AI system development, with a focus on trustworthiness.

Annex B: This provides implementation guidance for AI controls, with specific measures for Artificial intelligence and Machine Learning – if you’d like to learn more about the difference between the two, go back and listen to episode 135.

Annex C: Which addresses AI-related organisational objectives and risk sources.

Annex D: This one is about the domains and sectors in which an AI system may be used. It also addresses certification, and we’re pleased to see that it actively encourages the use of third-party conformity assessment. This just ensures that your AI claims have more validity.

[09:15] Who is ISO 42001 applicable to? – Those annex descriptions may have you assuming that this Standard is only applicable to organisations developing AI technology but in actuality it’s applicable to any organisation who is involved in developing, deploying OR Using AI systems.

So if you’re a company who is only utilising AI in your day to day activities, it’s still very much applicable to you!

[10:20] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[12:25] Why was ISO 42001 created?:

• To address the unprecedented rapid growth of AI and all the risks that come with this new technology.
• To ensure that AI development and use are trustworthy and above all, ethical.
• The public are also reasonably wary of this new technology, so ISO 42001 aims to help build more public trust and confidence in the future use of AI .
• ISO 42001 acts as guidance for organisations on exactly how to integrate AI Management controls with their existing systems.

[14:05] AI risks you should be aware of – This isn’t an exhaustive list, as the technology develops, more risks will become known. However, as of the start of 2024, you should be aware of:

Inaccurate information – Many of the chat bots and public AI tools are trained on publicly available information, and as we all know, not everything on the internet is true. So the output from these chat bots will need to be checked and verified by a person before being used or published.

AI bias – Studies have proven that AI results can still be bias. As all the data fed into it is all based on existing information, it still presents the issue of a lack of information from underrepresented groups, or existing bias based on existing data.

Time sensitivity – Not all AI use live data sets. Google Bard does, however Chat GPT is only accurate up until 2021. So double check whichever tool you’re using to make sure the information it produces is up-to-date.

Plagiarism – Data gathered using AI came from somewhere! If you simply copy and paste information provided by AI platforms, there’s a chance you may be plagiarising existing content. Be sure to just use AI as a starting point!

Security risks – Use of AI can expose you to additional security risks, For example, malicious actors could send someone an email with a hidden prompt injection in it. If the receiver happened to use an AI virtual assistant, the attacker might be able to manipulate it into sending the attacker personal information from the victim’s emails.

Data Poisoning – AI uses large data sets to train its models, and we currently rely on these data sets being relatively accurate. However, researchers have found that it’s possible to poison data sets – so in future, AI may not be very reliable if preventative measures aren’t put in place by AI developers.

[17:45] How can ISO 42001 help business manage these risks? – Above all, it provides a structured approach to identify, assess, and mitigate AI risks. ISO 42001 includes the guidance needed to put this in place from the start to ensure you don’t fall prey to the risks mentioned, with a view to monitor and update to address new risks in future.

It promotes transparency and accountability throughout the AI life cycle.

It helps ensure fairness, non-discrimination, and respect for human rights in AI development and deployment.

It will help minimise potential legal and ethical liabilities associated with AI. The UK’s current GDPR and Data Protection Act can loosely cover aspects of AI, depending on how the terminology is applied, but there are already dedicated AI based regulations being developed within the EU which will likely be adopted by the UK. 

It can foster innovation and accelerate adoption of responsible AI practices.

And lastly, it provides a common language and framework for collaboration on AI projects.

[21:35] Don’t miss out on our ISO 42001 webinar – We’re partnering with PJR to bring you a 2-part webinar series on ISO 42001. Catch the first part on the 5^th March 2024 at 3pm GMT, register your interest here.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely news ones were added to keep up with new and emerging technology.

One of the new controls added under the technological category, is something called Data Masking. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into data masking to explain what it is, why it’s so important and details a few of the different types of data masking

You’ll learn

• What is data masking?
• Why is data masking important?
• How does data masking work?
• What are the different types of data masking?

Resources

• ISOlogy Hub
• Blackmores

In this episode, we talk about:

[01:33] The purpose of data masking according to ISO 27002 – Now more clearly defined when compared to earlier versions

[02:55] A brief overview of PII (Personally Identifiable Information)     

[03:52] A summary of the defined attributes of data masking     

[05:25] What is data masking? Including definitions for obfuscation, data anonymization and pseudonymisation

[08:50] The benefits of having a more clearly defined control for protecting PII

[09:35] Other standards where data masking is applicable – ISO 27017, ISO 27018 and ISO 27701  

[11:27] Why data masking is so important currently

[12:40] How data masking works in practice  

[13:10] Static data masking –  data is masked in an original database then duplicated into a test environment

[13:34] Dynamic data masking – The original sensitive data remains in the repository. Data is never exposed to unauthorised users, contents are shuffled in real-time on-demand to make the contents masked

[14:50] On the fly data masking – Masking data while it is transferred from production systems to test or development systems before the data is saved to disk.

[15:55] Techniques for data masking include – Substitution – Businesses substitute the original data with random data from supplied or customised lookup file.

[16:15] Shuffling – Businesses substitute original data with another authentic-looking data but they shuffle the entities in the same column randomly.   

[17:09] Number and date variances – For financial and date-driven data sets, applying the same variance to create a new dataset doesn’t change the accuracy of the dataset while masking data.

[17:56] Encryption is still the number one method for data masking

[18:40] Character scrambling – This method involves randomly rearranging the order of characters. This process is irreversible so that the original data cannot be obtained from the scrambled data.

[19:50] Other forms of data to take into consideration – Protected health information, Payment card information, Intellectual property and Company specific Information

[23:02] How GDPR promotes data masking

Download our ISO 27002 changes Quick Guide here:

Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

BS 10012 is a British standard that outlines the specifications for a Personal Information Management System (PIMS). This was introduced in 2009 to help organisations manage personal information and comply with data protection laws. 

The standard was updated in 2017 to reflect the GDPR’s requirements, making it an ideal framework for regulatory compliance. For example, it includes specific guidance on each principal, helping organisations meet the requirements of BS10012 and GDPR. 

After implementing BS 10012 for a number of organisations, here are our Top tips on implementing BS 10012.

• Establish a PIMS team – this is not a one-person job.  You will need to have input from all areas that are involved with personal data.
• Carry out a Privacy Impact Assessment – It is important to understand where all the personal identifiable data is within the organisation, how it is collected and how it is disposed.  (remember this is all Data – soft and hard copies – get in to all the drawers and cupboards)
• Data mapping – collate the information on a data matrix, this would show all the information in one place.
• Carry out a risk assessment – the data matrix will flag up any risks that need addressing
• Update documentation – Ensure all documents are updated i.e data protection policies, cookie policy and privacy policy.
• Training, training and more training – people are the weakest link, ensure ALL staff have had BS 100012 training
• Conduct Internal Audits – to verify compliance and check your systems are effective. 

Implementing a PIMS can be challenging so if you would like assistance please contact us for further information on: enquiries@blackmoresuk.com

Step 1 – Conduct a Privacy Impact Assessment (PIA)

Why?

Enables you to identify all the processes/activities that involve personal data and demonstrates to the ICO that you have carefully considered personal data within your business.

 How?

Complete a PIA for each information stream in your business, we have a host of template documents to help you and your business comply, contact us for further information.

Step 2 – Data Protection Policy Statement

Why?

This policy is your commitment/statement of intent as an organization to Data protection

How?

If you don’t have a DPS you will need one, then you need to consider if it needs to be publicly available or internal only. You should send it to new and prospective clients and share with suppliers.

Step 3 – Data Retention Policy & Data Retention Schedule

Purpose:

Data Retention Policy – This is required to support the creation, retrieval, proper storage and preservation of essential personal data records, and to enable identification and destruction of information where there is no continuing business, legal or historical significance.

Schedule – This schedule defines the different types of records typically found in businesses.  It may not capture all the personal data/records that you may have in your company.  Where any are missing, you need to add these to the ‘Other’ tab within the document.   The schedule defines any legal retention requirements/ guidance on best practice from the ICO.

Action: Make the Policy and schedule available to staff.

Step 4 – Privacy Policy Template

Why?

In the interest of transparency (a GDPR principle requirement), you are required to provide privacy information to data subjects when you are collecting their personal data.  Typically you will find a Privacy policy is put onto the website (as generally this is where you may have data capture forms).

How?

Have a look at what you have got already in your Privacy Policy and if it needs updating within the section related to Legal Basis for processing (as per the PIA/Data Matrix outputs) as not all may apply.

• Display it in an ‘easy to digest’ format on your website. i.e. section headers with an overview paragraph – they option to expand to see full details.
• Add in a link to this page on your email signatures
• Have a think where else in the business where you might be collecting personal data that you should be providing some level of privacy information i.e. Terms of engagement (use the same headings if possible).

Step 5 – Security Incident Procedure

Why?

This is the document that you need to describe the process for reporting data breaches or security weaknesses, events, and investigation of security incidents.  All staff must be made aware of document and understand the procedure as they have responsibilities to be able to know how to report breaches/ security incidents as they become aware of them.

How?

• Write up your procedure and make it available to staff and ensure they’re aware of their data protection/ information security breach responsibilities as appropriate.

Step 6 – Information Security Breach Checklist

Why?

The checklist is to capture the key elements relating to a data breach to ensure actions are recorded and progressed as appropriate. The root cause can then be understood, and that is any new/changed controls are needed to be made and applied as part of the lessons learnt activities.

How?

• Ensure it’s availability to staff and they understand and are aware of their data protection/ information security breach responsibilities as appropriate.

Step 7 – Subject Access Request (SAR) Procedure

Why?

As stipulated by GDPR any individual that you hold information on has a right to know what data you hold on them eg name, address, etc – this info can be requested by an individual using a  ‘Data Subject Access Request’.

How?

Write up your procedure outlining the steps to be followed by staff upon receiving this request, what information they need to record and how to go about it. This will ensure that your company receives and processes Data Subject Access Requests in accordance with the General Data Protection Regulations.

Step 8 – Subject Access Request (SAR) Log

Why?

There are rules relating to how long you have to respond (within 30 days) to these requests and this log enables you to keep track of any requests in progress, or any historical requests made.  This log is linked to/ referenced within the Subject Access Request procedure.

Step 9 – GDPR Staff Training

Why?

Most data breaches/ Information Security breaches/incidents can be traced back to an individual’s actions or decisions.  Providing awareness training to staff is a form of control that you may need to evidence to the ICO/Client in the event of a data breach.

How?

• Ensure all staff receive this training.
• Retain evidence that this training has been delivered i.e. staff training records

Step 10 – Supplier Data Compliance Questionnaire

Purpose:

This questionnaire is to check that the suppliers that your business shares personal data with are GDPR compliant. It is a requirement for your company to check the security and data protection compliance of any processors/ sub-processors used by the business

How?

• Identify those suppliers/ partners to whom you may supply personal data (Use the Data Matrix/ PIA results as a reference point)
• Send the questionnaire to the companies likely to respond.
• Conduct the required due diligence for larger organisations and retain evidence of findings
• Take action depending on the outcome of the questionnaires/ proactive due diligence.

Next steps………

1. Use your common sense when it comes to protecting your client dataJ
2. Review your client terms of engagement – are you being transparent about the handling and protection of your client data?
3. Complete the Privacy Impact Assessment (PIA)
4. Identify your risks and implement the organisational controls (Policies, procedures and training)
5. Identify the risks and implement the technological controls i.e. data back-up, anti-virus software, restricted access, password management.

If you would like more help understanding this topic – then contact us today!

What’s the difference between BS 10012 and GDPR?

The General Data Protection Regulations (GDPR) are the requirements for data protection across the EU, laid down in law; therefore, every organisation that controls or processes personal data is legally obliged to comply with the requirements and must be able to demonstrate the application of data protection principles.

BS 10012:2017 is a Standard – a framework –  to assist organisations in meeting the legal obligations laid out in the GDPR Articles and Recitals.  Not only does BS10012:2017 address all the operational requirements of GDPR within Clauses 5 – 8, it also addresses how businesses can ensure they align their data protection responsibilities within the overall strategy of the business through context, leadership and continual improvement.  But more importantly, it ensures ongoing compliance to GDPR.

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.

Neither GDPR nor BS10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

If you need any more information on this topic – contact Blackmores today!

May 25th 2018 – GDPR becomes law

This is the date the ICO has set for all organisations to align with GDPR.

Are there any legal implications for my business?

GDPR becomes law on May 25th 2018.  Therefore compliance to the requirements becomes a legal implication for your business on this date.

Steve wood, the Information Commissioner’s Office Head of International Strategy & Intelligence has quashed any suggestions of a soft start to GDPR. He stated “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.”  He explained the ICO intend to focus on risk and will be happy to work with organisations if there are any areas that seem unclear but there will be no grace period.

What happens if my company does not comply?

Under the GDPR there are tiers of fines that can be imposed depending on the severity of breach.  The worst case scenario for fines are 4% of global turnover or £20M – whichever is greatest.

Not only are fines imposed, but the ICO  ‘name and shame’ businesses that are in breach.  This is not a new development – this is also the case under the DPA. More information can be found HERE.

Need help understanding GDPR – contact Blackmores today!

Node IT Solutions and Blackmores, specialists in Quality, Risk & Environmental Management, are repeating their sell-out GDPR & Cyber Essentials Business Briefing. Join us on the 22nd May for this FREE Business Briefing, the link to register can be found below.

The General Data Protection Regulations (GDPR) will come in to force on 25th May 2018.

If your business controls or processes any personal information – e.g. employee and/or customer data – you will need to comply. Failure to do so could cost you dearly, resulting in heavy fines and serious damage to the reputation of your business.

Central to GDPR compliance is making sure that the personal data your business deals with is controlled and processed securely. Businesses of all sizes are increasingly under threat from cyber attacks. If you have not put the appropriate technical measures in place to protect personal data, your business will be liable should you suffer a data breach.

Cyber Essentials is the UK Government Cyber Security standard for all businesses and organisations. Meeting the standard demonstrates that your business is taking all reasonable steps to protect the data you hold, and that you take cyber security seriously.

Feedback from the first event was overwhelmingly positive:

“The Business Briefing was informative, clear and easy to follow and has given me some invaluable insight into GDPR and Cyber Security. After attending the meeting I now feel really positive and am looking forward to putting everything I learned into place for my business.”

Agenda:

9:00-9:30 Arrival: tea, coffee & refreshments

9:20-9:30 Introduction

9:30-10:10 Mel Blackmore, Blackmores
GDPR compliance and the steps you need to take now

10:10- 10:20 Break

10:20-11:00 Leigh Wood, Node IT Solutions
Why Cyber Security should be central to your GDPR strategy

11-11:20 Q&A with Mel & Leigh

This event is for you if

• You are a Business Owner/Director who needs to understand how GDPR & Cyber Security impact your business
• You have responsibility for ensuring your business is GDPR-compliant

Join us to find out what your business needs to know about GDPR and Cyber Security and start taking positive steps towards GDPR compliance. Click HERE to register for this FREE business briefing. 

Interested in how we can help your business – contact us today!

The Basics of BS 10012

BS 10012 is the British standard for Personal Information Management, and provides a framework for maintaining and improving compliance with data protection requirements and good practice.

It covers topics such as privacy impact assessment, risk assessments, data retention and disposal, privacy by design and employee awareness training; helping you to put policies and procedures in place to effectively manage the personal information of individuals.

Alignment with BS 10012

BS 10012:2017 provides the framework to implement a personal information management system around the principles of Data Protection (GDPR):

• Principle (a) Lawfully, fairly and transparently processed (Clause 8.2.6);
• Principle (b) Obtained only for specific legitimate purposes Clause 8.2.7);
• Principle (c) Adequate, relevant, limited in line with data limitation principles (Clause 8.2.8);
• Principle (d) Accurate and up to date, with every effort to erase or rectify without delay (Clause 8.2.9);
• Principle (e) Stored in a form that permits identification no longer than necessary (Clause 8.2.10);
• Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organisational measures (Clause 8.2.11).
• General Accountability for the above

I already have an ISO certification, can I integrate BS 10012?

BS 10012:2017 follows the ‘Plan-Do-Check-Act’ continuous improvement model and is aligned to ISO Annex SL, adopted by all key management system standards, enabling organisations to integrate their PIMS with other standards, notably ISO/IEC 27001:2013. It is also a standard which organisations can now certify against.

Who needs to be involved in BS 10012?

Do all my staff need to be involved in BS 10012?

Successful implementation is a team effort.

It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice.  If this is secured, then everything else will flow from there.

In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.

All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!

Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client-related personal data they may be controlling in the business.

With BS 10012 – all personal data is captured and recorded to ensure that all risks are considered.

Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data.  Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches.  Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS 10012:2017

This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.

Contact Blackmores today if you would like to learn more!

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.

Neither GDPR or BS 10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

How much work is involved in implementing BS10012

Neither GDPR or BS 10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

Gone are the days when a simple communicated Data Protection policy and registration with the Information Commissioner would suffice for Data Protection compliance.   One of the biggest changes is the ‘accountability’ principle underpinning the six other principles.   You now need to be able to prove you have applied all the principles within your business.

Over and above just the basic principles, you should be striving to:

• Demonstrate that you understand what personal data you control or process,
• Identify the legal basis for processing
• Demonstrate the steps you have taken to understand and control/mitigate risk
• Communicate requirements to interested parties
• ‘Bake in’ Data Protection within your organisation (including required processes and review of planned/unplanned changes)
• Review performance and strive for continual improvement.

When you consider the potential consequences of getting any of this wrong – 4% of global annual revenue or €20M whichever is greater – why wouldn’t you take the best practice approach and implement BS 10012?

What is data subject consent?

This is clearly defined by GDPR, what the data subjects wishes are in processing their data.

What is a freedom of information request?

Under the GDPR, individuals will have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

You must provide a copy of the information free of charge.  However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.

In order to provide the information you must verify the identity of the person making the request, using “reasonable means”. If the request is made electronically, you should provide the information in a commonly used electronic format.

If you would like to learn more about GDPR – contact us today!

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.
Neither GDPR or BS 10012 alignment happens without input or effort. Both require action and top level commitment from a business. There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

How will BS 10012 add value to my business?

By implementing and certifying your business against BS 10012:2017, you will be able to demonstrate some clear advantages over your competitors:

• Commitment to protecting client and stakeholder personal data – independently assessed by a 3^rd party certification body
• Identify risks to personal information and implement controls to mitigate them – reducing risk for both your organisation, and any clients whose personal data you may process
• Utilise a management system to actively demonstrate compliance with both the GDPR and the revised UK Data Protection Act
• Continually improve your management of personal data against recognised best practice and improved controls
• Proactively protect your reputation – both in the market and to your interested parties
• Achieve competitive advantage when tendering for new business

Running a successful business is all about reducing risk wherever possible (BS 10012 is a risk-based standard) and seeking opportunities to improve on the competition (BS 10012 certification sets you apart from mere internal GDPR ‘compliance statements’).

You can confidently state that you have credible 3^rd party assurance that you are meeting your data protection obligations under GDPR – through certification to BS 10012 with a recognised certification body such as ISOQAR, BSI, LRQA, SGS etc.

If you would like more help understanding BS 10012 and GDPR, contact us today!

Will ISO 27001 make me GDPR compliant?

ISO27001 v BS 10012

On its own No – this is a myth.

Information security is just one of Six principles of BS10012 and GDPR

 “f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Whilst a very important principle, if you rely on just having ISO 27001 for GDPR compliance you run the risk of not being in full alignment with all the principles (and related articles and recitals).

Who needs to be involved in BS 10012?

Do all my staff need to be involved in BS 10012

Successful implementation is a team effort.

It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice.  If this is secured, then everything else will flow from there.

In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.

All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!

Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client related personal data they may be controlling in the business.

With BS10012 – all personal data is captured and recorded to ensure that all risks are considered.

Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data.  Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches.  Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS10012:2017

This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.

If you would like more help understanding these certifications – then contact Blackmores today!

Are you ready for GDPR? Is your business data secure from cyber threats?

The General Data Protection Regulations (GDPR) will come in to force on 25th May 2018. If your business controls or processes any personal information – e.g. employee and/or customer data – you will need to comply. Failure to do so could cost you dearly, resulting in heavy fines and serious damage to the reputation of your business.

Central to GDPR compliance is making sure that the personal data your business deals with is controlled and processed securely. Businesses of all sizes are increasingly under threat from cyber attacks. If you have not put the appropriate technical measures in place to protect personal data, your business will be liable should you suffer a data breach.

Cyber Essentials is the UK Government Cyber Security standard for all businesses and organisations. Meeting the standard demonstrates that your business is taking all reasonable steps to protect the data you hold, and that you take cyber security seriously.

Node IT Solutions are holding this business briefing on GDPR and Cyber Essentials in partnership with Blackmores, specialists in Quality, Risk & Environmental Management. Mel Blackmore will be talking about GDPR and how businesses can prepare. Leigh Wood from Node IT will be taking you through the government Cyber Essentials standards and what businesses need do to qualify and pass the assessment.

9:00-9:30 Arrival: tea, coffee & refreshments

9:20-9:30 Introduction

9:30-10:10 Mel Blackmore, Blackmores
GDPR compliance and the steps you need to take now

10:10- 10:20 Break

10:20-11:00 Leigh Wood, Node IT Solutions
Why Cyber Security should be central to your GDPR strategy

11-11:20 Q&A with Mel & Leigh

Join us to find out what your business needs to know about GDPR and Cyber Security and start taking positive steps towards GDPR compliance. Click here to register for the event. 

If you would like to learn more about what Blackmores can offer your business – contact us today!

How to go about implementing BS 10012?

At Blackmores, we are ISO consultants who can help with any standard including implementing BS 10012 for your organisation.

The best way to go about gaining any ISO standard is to work with a consultant. We have a proven technique and procedures to work with any organisation. When you choose to partner with Blackmores, you also gain access to our online training portal with various training resources for you and your team.

Implementing BS 10012

The first step to Implementing BS 10012 would be to carry out a Gap Analysis to identify where the gaps are in your Personal Information Management. Evaluate the results and formulate a plan to put the correct policies and procedures in place to be compliant. This evaluation will also highlight any potential existing risks with your personal information management, which can then be addressed as you create your management system.

Unless you are familiar with BS 10012 requirements, we suggest seeking out guidance or support with the process of establishing a management system. Blackmores also offer assistance with BS 10012, so feel free to Contact Us for more information.

Do I have to delete all historical data?

No – If there is a legal basis to retain and use this data, then the GDPR should not prevent you from using this, or require you to delete this data. However, under GDPR you are required to identify the legal basis in line with the overarching principles.

You should review your data retention policies and ensure that you are not keeping historical data unnecessarily.

What if I want to keep personal data I have previously collected?

The requirement to keep data retention to a minimum is not a new concept. The DPA has always mandated that only necessary data should be collected and only used for as long as required. The same principle applies with the GDPR.

If there is a legal basis to retain and use this data, then the GDPR should not prevent you from using this. However, under GDPR you are required to identify the legal basis in line with the overarching principles.

ONI successfully recommended for BS 10012 certification

Leading the way in GDPR compliance, Blackmores are delighted to announce that ONI Plc have been recommended for certification to the updated British Standard for Personal Information BS 10012:2017 with Certification body Alcumus ISOQAR.

The standard was updated in 2017 to provide a framework to support organisations to align their Personal Data Protection Policies and procedures with the GDPR requirements coming into force on the 25th May 2018.

Supporting ONI Plc to integrate their robust information security (ISO 27001) controls with BS 10012 to demonstrate commitment to GDPR, we are delighted that ONI Plc are the first to be recommended for certification.

Aligning with GDPR assures your clients that you understand data protection & have the controls to keep their information safe. GDPR takes into consideration the rights of the data subjects, security threats and new technology.

What difference will it make to the customers?

Ultimately, the customers will be assured that you are aligning to the GDPR Data Protection Principles, that you understand data protection risks relative to your activities and are applying proportionate controls to ensure that you keep their personal data protected within your business.

Data Protection is not a new concept, however the changes with GDPR have recognised the rights of data subjects, recognized information security threats and the fact that new technologies have expanded the availability of personal data.

If you would like to learn more about Blackmores and what they can offer – contact us now!

What is BS 10012?

Any organisation that processes personal information should ensure that it protects the privacy of the people it affects. BS 10012 provides a framework for maintaining and improving compliance with data protection requirements and good practice.

This webinar washeld on the 16th March at 12pm-12:45pm. This webinar will covers the following:-

• What is BS10012:2017?
• What’s the difference between BS10012 and GDPR?
• How will BS10012 add value to my business?
• What is the best approach to implementing BS10012?
• Who needs to be involved?
• Is BS10012 certification recognised?
• How Blackmores can help you to achieve BS10012 certification

If you would like to learn more about what Blackmores has to offer – contact us today!

Is there a difference between GDPR and the Data Protection Act (DPA) – In short yes, there are a number differences you must align to.

How is GDPR different from the Data Protection Act?

The overall principles of data protection have not changed greatly, however there are a number of differences to include the following:

• You can no longer charge for ‘subject access requests’ and they have to be provided within 30 days
• There is now a mandatory requirement to appoint a Data Protection Officer (DPO) depending on complexity/sensitivity of personal data activities
• The definition of ‘Personal Data’ has been expanded to include online identifiers, location data, and genetic data
• Notification of breaches is now mandatory (and within a 72 hour timeframe) for breaches that adversely impact a data subject
• The regulations now have responsibilities for both data controllers and data processors
• There is now a right to claim compensation for ‘non material damage’ i.e. where there has been no financial loss
• Parental consent is now required for individuals under 16
• Data consent now has to be ‘clear, affirmative action with the ability to be withdrawn at a later date’
• The maximum penalties for breaches has risen to 4% of global turnover or £20M (whichever is greatest)

If you would like more information about GDPR, contact Blackmores today!

If you share customer data, ensure that you comply with the data protection principles. There are 7 data protection principles that ensure confidentiality, integrity and security of data.

We don’t share the customer data we collect?

Regardless of if you share the customer data you collect, the GDPR still applies. There are several Data Protection principles that need to be upheld, to include ensuring confidentiality, integrity and security of data.

The principles are defined below:

Principle (a) Lawfully, fairly and transparently processed;
Principle (b) Obtained only for specific legitimate purposes;
Principle (c) Adequate, relevant, limited in line with data limitation principles;
Principle (d) Accurate and up to date, with every effort to erase or rectify without delay;
Principle (e) Stored in a form that permits identification no longer than necessary;
Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organizational measures; and
General Accountability for the above

If you would like to learn more about GDPR and how you can be compliant, contact Blackmores today!

There are numerous legislative Acts and Regulations that mandate statutory retention periods for documents such as financial records or HR or Health and Safety records.  In addition to these, business should be stipulating their own retention periods for the data and records they keep (to include those that contain personal data).

There is no single answer to this question, but it is an area that needs to be addressed by businesses as part of adhering to the principle “Stored in a form that permits identification no longer than necessary”

Once defined, the retention policies need to be adhered to!

If you would like to learn more about what Blackmores offers, contact us today!

What rights do customers and staff have?

All data subjects have ‘rights’ under GDPR, to include staff and clients.  The GDPR provides the following rights for individuals:

• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision making and profiling

Data subject consent?

This is clearly defined by GDPR, what the data subjects wishes are in processing their data.

What is a freedom of information request?

Under the GDPR, individuals will have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

You must provide a copy of the information free of charge.  However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.

In order to provide the information you must verify the identity of the person making the request, using “reasonable means”. If the request is made electronically, you should provide the information in a commonly used electronic format.

If you would like to learn more about what Blackmores can provide you, contact us today!

Reviewing your procedures – as your business will constantly evolve your GDPR procedure should align with the growth.

How regularly do I need to review my procedures?

Business are constantly evolving – through the development of new services, the use of new technology and growth within their industry. This means that controls implemented for GDPR (both logical and physical) may no longer be sufficient or relevant in 1 – 2 years time.

As with any other applicable legislation or risk based activity, it is best practice to perform a ‘health check’ every year to ensure that you remain in alignment with the requirements of GDPR. This should include a review of awareness within your organisation.

If you would like to learn more about what Blackmore has to offer, contact us today!