Nearly a year on from its inaugural event, the Northern Information Governance Forum continues to support information governance and IT Security professionals in the North and Scotland, encouraging shared learning and providing networking opportunities.
Although the NIGF cannot currently meet in person, it has instead launched a series of fortnightly webinars aimed at promoting discussion around different aspects of privacy and information security. This month, the NIGF Committee will be leading a discussion on third-party governance on the 1st; Mark Dennis from Evolve North will be speaking about the impact of user error on the 15th; and there is a great opportunity to hear Peter Loomes from IASME talk about the IASME Governance standard and Cyber Essentials on the 29th.
Accountability is a key principle of Data Protection and organisations are expected to demonstrate that they are being accountable in relation to their Data Protection practices.
What this means in practice for organisations can be less clear, but the ICO has recently released an Accountability Framework to help organisations understand whether they are meeting the accountability principle and where there may be gaps in their current practices. It covers areas such as leadership and oversight, training and awareness raising, policies and procedures, individuals' rights, transparency, records of processing and lawful basis, contracts and data sharing, risks and data protection impact assessments, records management, and security and breach management. The tool can effectively support organisations in understanding where further work may be needed to ensure ongoing compliance with data protection law and the accountability principle. More information can be found on the ICO website.
Last month, the Court of Justice of the European Union ruled that the EU-US Privacy Shield is no longer valid, because US authorities may access transferred data for the purposes of public security, defence and State security (including US surveillance programmes). This means that the level of protection guaranteed by the GDPR and the EU Charter of Fundamental Rights cannot be assured for these transfers. The invalidation of the EU-US Privacy Shield means that companies relying on it as a lawful mechanism for data transfers can no longer do so, with immediate effect.
Although the ruling confirms that standard contractual clauses (SCCs) and binding corporate rules (BCRs) can still be used, supplementary measures may be required for transfers to third countries where SCCs or BCRs do not provide a sufficient level of guarantee on their own (no further guidance is available as yet on what these measures may be). Organisations are now expected to check with their third-party providers whether they are subject to relevant surveillance laws and to determine the lawful basis for sharing data with them or their sub-processors. This can include US organisations even where your data is hosted in Europe, e.g. cloud providers.
Further details on this ruling and the impact on organisations can be found in the European Data Protection Board’s FAQs.
If you require any help in this area, Evolve North can offer a review, risk assessment and remediation service to help you review your third parties, identify those that may be impacted by this ruling, and identify ways of implementing additional safeguards or changing your current sharing practices so that they remain in line with European law. This will also support future planning around Brexit and how it may affect data transfers going forward.
In the coming weeks, due to the Coronavirus pandemic, businesses in the UK may have more employees working from home. Many employees will be working on their work laptops and devices, but some may have to work on their personal devices. Employers have a responsibility to put security measures in place to ensure staff are working securely, both in the office and at home.
Organisations have different IT systems, but here are just some of the factors that many employers will need to consider and address as part of their working-from-home policy: