Combatting the cyber threat

How small-to-medium sized organisations can mitigate cyber risks

“Cyber security is now a matter of business survival and national resilience”
“Hesitation is a vulnerability”
National Cyber Security Centre (NCSC)

The NCSC’s Annual Review contains stark warnings, revealing the UK is experiencing four “nationally significant” cyber-attacks every week. But big business and critical national services aren’t the only targets. Hackers increasingly have their eyes on small to medium sized organisations, including smaller charities, schools, law firms and local businesses. The NCSC says 1 in 2 UK small businesses identified a cyber-attack last year.

Often small businesses or other smaller organisations don’t have the budget for specialist internal cyber/information security teams, or even one dedicated specialist security role. Many rely on outsourced IT specialists to manage their systems and keep them secure.

Who’s behind the attacks?

A substantial proportion of all incidents handled by the NCSC last year were linked to Advanced Persistent Threat (APT) actors – either nation-state actors or highly capable criminal groups. The finger’s often pointed at Russia and China, but there’s also been an increase in teenage hacking gangs from English-speaking countries. This year alone seven teenagers have been arrested in the UK during investigations into major cyber-attacks.

What action to take

Cyber security is a challenging, occasionally intimidating, subject, which means it’s often tricky for smaller organisations to know where to start, or what extra measures should be taken. Here, then, are a few helpful resources and tips.

Cyber Action Toolkit

This new free Government service has been launched specifically to help small organisations implement foundational controls. It’s been designed to be simple and easy to follow, even if you’re new to cyber security.
Using the toolkit will give you:
■ A list of personalised actions
■ A step-by-step approach – “starting with low-effort, high-impact actions”
■ The ability to build layers of protection around your business which prevent common threats such as email hacking and ransomware.

Cyber Essentials

Alongside the new toolkit, businesses are urged to implement Cyber Essentials. This helps protect your operations from the most common types of cyber-attack. Here at DPN we’re a micro business: we went through the steps to become Cyber Essentials certified. We’d encourage you to do the same; it’s worth the effort to give you peace of mind. The certification scheme includes automatic cyber liability insurance for any UK organisation which (a) certifies its whole organisation and (b) has less than £20m annual turnover.

Physical copies of your cyber-attack plans

Following high-profile cyber incidents and the rising threat, the Government has written to the chief executives and chairs of all FTSE 350 companies, stressing the importance of ensuring cyber resilience is a board-level responsibility. This includes some sound advice: organisations should have physical copies of their plans. A cyber-attack could leave you unable to access your systems, so an electronic copy of your cyber incident plan may be useless. This is wise advice for any size of business! It should include all contingency plans, including how teams will communicate until normalcy is restored.

If anyone’s seen the TV series ‘Billions’, there’s a brilliant episode where Axe Capital’s computer systems are temporarily unavailable. The old schoolers dust off their Filofaxes and ancient Nokia dumb-phones to continue trading. This isn’t doomsday or zombie apocalypse stuff – it’s becoming as common as burglary. Businesses need to be prepared for operating without business-critical electronic systems.
Another option is to have a ‘shrink-wrapped’ isolated, non-networked laptop, unconnected to any of your systems, on which you store critical plans.

11 more security tips

Backups – make sure you have regular off-site backups of business-critical data, enabling speedier recovery from an attack. Make sure these backups can be restored quickly.
Business continuity plan – make sure this is up to date (and keep a physical copy!)
Multi-factor authentication – this is a ‘must have’ wherever possible to protect personal or any other sensitive data, from your website to your CRM, and crucially on financial or administrative accounts.
Firewalls – deploy firewalls to protect your network from threats.
VPNs – use a Virtual Private Network for employees accessing your network externally.
Secure Wi-Fi – use strong encryption and a complex password for your Wi-Fi network. Don’t just use the default password provided.
Protect against malware – use up-to-date anti-virus and anti-malware software on all business devices.
Update software – promptly install security patches and updates for all devices and software, including router firmware. Where possible enable automatic updates.
Access controls – make sure there are robust access controls – an extra layer of protection may be a hurdle some cyber-criminals are unable to penetrate.
Strong passwords – implement the use of strong passwords for all accounts. If you aren’t already, consider using a password manager.
Grow your knowledge – some smaller organisations may have an outsourced IT provider or be doing it all in house; you need to know enough to ask the right questions, so assign at least one person to be the internal ‘specialist’.

It’s worth checking out the ICO ransomware and compliance guidance, which provides information on how best to protect systems.

As the NCSC says, ‘hesitation is a vulnerability’ – don’t put this off. Don’t get bogged down in meetings deciding on the best course of action. Make a start today. Now.

Rising cyber threats but data breaches aren’t always obvious

The UK Government and National Cyber Security Centre have issued warnings about significant and growing cyber threats, with the expectation of increased ransomware attacks, state-sponsored cyber activity and sophisticated cybercrime. Do take heed: the retail sector has already seen a number of damaging attacks.

Sometimes it’s obvious a data breach has taken place. However, this isn’t always the case, especially when cyber criminals take steps to cover their tracks. A recent example illustrates the consequences for organisations which fail to fully appreciate the significance of a malicious attack.

The ICO has issued a £60k fine to law firm DPP, following a 2022 cyber-attack. The attack led to highly sensitive and confidential personal information being published on the dark web. The ICO investigation discovered lapses in IT security practices, leaving information vulnerable to unauthorised access. Hackers were able to exploit a user account which did not have Multi-Factor Authentication (MFA), enabling them to move laterally across the firm’s systems. Let’s be clear: MFA is now a must have on all relevant data systems.

Announcing the fine, the ICO said:

“DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.”

A personal data breach is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ That’s a broad scope. The ICO enforcement notice accepts that actions taken by the attackers made DPP’s response to the incident difficult.
Unfortunately, DPP’s initial assessment indicated no personal data had been exfiltrated, and the firm didn’t consider loss of access to personal data to be a breach – therefore it didn’t report it. You can check out the full enforcement notice, but bear in mind it’s reported DPP disputes some of the ICO’s conclusions and may appeal.

Any organisation suffering a cyber-attack has my sympathy. Attacks are becoming more frequent, sophisticated and harder to track. They can severely disrupt day-to-day operations. Ascertaining the cause and consequences of an attack can be difficult. Indeed, in some cases the consequences might never be clearly established. And when it becomes public knowledge, the organisation needs to work decisively, not just to get operations back up and running and mitigate any harms to those affected, but also to manage PR. As I write, we’re witnessing M&S battle a significant ransomware attack, which has left store shelves empty. Cyber criminals have also reportedly told the BBC their attack on the Co-op is more serious than the company had previously admitted.

Organisations are legally required to report personal data breaches to the ICO (or another relevant Data Protection Authority) within 72 hours of becoming aware, unless there is unlikely to be a risk to individuals. When it comes to ransomware attacks, it may be best to assume that (more likely than not) personal information is affected. The ICO states in a research paper: ‘If you become a victim of ransomware, you should assume the information has been exfiltrated (extracted).’

In other words, it would be wise to submit an initial data breach report. It’s understood you won’t know all the facts immediately and you may need to bring in digital forensics expertise. In this situation, you can submit an initial report and update the Regulator when more facts become known. The risk can subsequently be upgraded or downgraded as you continue your investigations.
We’ve written more about how to assess the risks posed by a data breach here. It’s important, even for small-to-medium sized businesses, to have sufficient knowledge about what constitutes a personal data breach, and the threats we all face. Here’s a refresher of some common ways a personal data breach can occur.

Cyber security incidents

We often hear about ransomware attacks where hackers gain unauthorised access to databases, exfiltrating or altering personal information, and making a demand for payment. There are also other forms of malicious attack, such as:
■ Brute force – this is where hackers use algorithms to ‘guess’ username and password credentials, testing multiple combinations to try to gain access to user accounts. It’s understood this is how hackers initially got into DPP Law’s systems. Clearly, these attacks are more successful when passwords are easy to guess and when MFA is not in place.
■ Denial of Service (DoS) – this works by overloading a computer network or website and can result in degraded performance, or render the system completely inaccessible. DoS attacks may result in full or partial loss of access (availability) to personal data records. And as we said above, that’s classed as a data breach.
■ Supply chain attacks – these attacks target vulnerabilities in third-party services your organisation is using. In 2023 the BBC, British Airways and Boots were among many organisations impacted by the well-publicised MOVEit supply chain breach. More recently the ICO issued a £3 million fine to an IT software company which provided services to many UK organisations including the NHS.
■ Phishing – this is when criminals use scam emails to trick people into clicking on a malicious link. Phishing attacks can trick people into sharing sensitive information, such as payment card details or login credentials. As well as email, phishing can be spread via text messages or over the phone.
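As an added illustration of the brute-force pattern described above, and of what “keep logs and monitor them” looks like in practice, here is a small Python script (not from the original article or from DPN) that reads constructed authentication log lines, flags account/source pairs with a burst of failed logins followed by a success, and lists the flagged accounts that are not enrolled in MFA so they can be checked first. The log format, field names and MFA enrolment list are assumptions made for the example.

```python
"""Flag brute-force login patterns in authentication logs.

Added example (not from the original article). The log format, field names
and the MFA enrolment list below are assumptions constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one line per login attempt, using
# documentation-range source addresses. Twelve rapid failures for 'jsmith'
# from one source followed by a success; three slow attempts for 'asmith'.
SAMPLE_LOG = "\n".join(
    [f"2025-01-10T09:00:{s:02d}Z auth user=jsmith src=203.0.113.5 result=FAIL"
     for s in range(0, 36, 3)]
    + [
        "2025-01-10T09:00:40Z auth user=jsmith src=203.0.113.5 result=SUCCESS",
        "2025-01-10T09:05:00Z auth user=asmith src=198.51.100.7 result=FAIL",
        "2025-01-10T09:05:30Z auth user=asmith src=198.51.100.7 result=FAIL",
        "2025-01-10T09:06:00Z auth user=asmith src=198.51.100.7 result=SUCCESS",
    ]
)

# Assumed set of accounts enrolled in MFA (in practice pulled from the IdP).
MFA_ENROLLED = {"asmith"}


def parse_line(line):
    """Parse '<timestamp> auth key=value ...' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "auth":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not all(k in fields for k in ("user", "src", "result")):
        return None
    return {"ts": ts, "user": fields["user"], "src": fields["src"],
            "result": fields["result"]}


def parse_log(text):
    """Parse every well-formed line of a log, silently skipping the rest."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per (user, source) pair that had at least `threshold`
    failed logins inside any sliding `window`, noting if a success followed."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()        # timestamps of failures inside the window
        peak = 0                # largest failure count seen in one window
        burst_seen = False
        success_after = False
        for e in evs:
            if e["result"] == "FAIL":
                recent.append(e["ts"])
                while e["ts"] - recent[0] > window:
                    recent.popleft()
                peak = max(peak, len(recent))
                if len(recent) >= threshold:
                    burst_seen = True
            elif e["result"] == "SUCCESS" and burst_seen:
                # A success after a burst is the case to treat as a likely
                # compromise rather than background noise.
                success_after = True
        if burst_seen:
            alerts.append({"user": user, "src": src, "failures": peak,
                           "success_after": success_after})
    return alerts


def prioritise(alerts, mfa_enrolled):
    """Flagged accounts with no MFA, successful-login cases first."""
    no_mfa = [a for a in alerts if a["user"] not in mfa_enrolled]
    no_mfa.sort(key=lambda a: (not a["success_after"], -a["failures"]))
    return [a["user"] for a in no_mfa]


if __name__ == "__main__":
    found = detect_brute_force(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print("Accounts to check first (no MFA):", prioritise(found, MFA_ENROLLED))
```

The threshold and window are deliberately simple; tune them to the normal failure rate of the system whose logs you are reading.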
I’d urge you to read the ICO’s Learning from the Mistakes, which provides detailed information on the types of cyber-attacks organisations can suffer and ways to mitigate the risk.

Loss or theft of devices or hard copy documents

This is pretty self-explanatory: a smartphone, laptop or other device containing personal data is lost or stolen. When devices are not encrypted this can lead to the exposure of potentially sensitive personal information. Alternatively, a data breach can occur when physical documents are lost or stolen.

Disclosure of personal information

This type of incident can occur in a number of different ways, for example:
■ An email sent to the wrong recipient(s).
■ Accidentally using the CC field in emails for multiple recipients, thereby revealing their email addresses to all recipients. In some cases this can just be embarrassing, but in others, like the Central YMCA breach, much more serious.
■ Information is posted to the wrong person, such as a hospital sending medical records by post to the wrong recipient.
■ Publishing confidential information on a public website.
■ Sharing personal data with unauthorised third parties.

Unauthorised Disclosure

This type of incident may occur due to a malicious attack such as ransomware, or it may be an insider breach, as illustrated by these cases:
■ In 2023 two former Tesla employees leaked confidential and personal information relating to employees and customers.
■ Back in 2014 a Morrisons employee leaked his colleagues’ payroll details in what was seen as an act of revenge after being given a verbal warning – a case which resulted in years of legal wrangling over whether Morrisons was liable for the actions of a rogue employee.

This type of incident also includes ‘employee snooping’. For example, a member of staff with access to a customer database browses the personal data of others without a legitimate business purpose.
Or a police officer or council official looks up and discloses information without authority.

Improper disposal of records

Insecure disposal of electronic or paper records might lead to a data breach. For example, if a company disposes of old paper files containing customer details without shredding them, and a third party finds them.

The above is by no means an exhaustive list, but provides those less experienced in data breaches with a steer on what risks to be aware of. Not all security incidents will be personal data breaches; they could involve commercially sensitive information, but no personal data. While these don’t need to be reported (unlike personal data breaches, which must be if they meet a certain threshold), they still have the potential to cause considerable fallout.

Privacy violations

In other circumstances there may be a violation of data protection law which is not a data breach. As an example, I’ve been asked before whether it’s necessary to report an email marketing campaign accidentally sent to customers who’ve unsubscribed as a breach. While a clear violation of the right to object to direct marketing, this doesn’t represent a breach of security: there’s been no destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The individuals’ personal data remains secure. Efforts therefore need to focus on trying to minimise the risk of complaints escalating, and making sure this never happens again.

To conclude, the DPP Law case is instructive: it’s not a big company, employing fewer than 250 people, but it handles highly sensitive information relating to its clients. The attack suffered sends a clear message: any business can fall victim to cyber-attacks and personal data breaches. The more sensitive the data your organisation handles, the more damaging a breach could be. Not only must cyber security be treated as a priority, but so must robust data breach procedures to guide your team through any potential attack.

ICO fines software company £3 million after cyber-attack

First UK processor fine is a stark reminder of supply chain risks

The Information Commissioner’s Office has fined Advanced Software Group Ltd (Advanced) £3.07 million following a cyber-attack in 2022 which put the personal information of nearly 80,000 people at risk. This marks the first fine issued under UK GDPR to a processor.

Advanced, which provides IT and software services to organisations including the NHS, was found to have failed to implement appropriate technical and organisational measures to protect its systems. In the ransomware attack, hackers managed to access certain systems of Advanced’s health and care subsidiary. This was done via a customer account, which notably did not have Multi-Factor Authentication (MFA). The attack caused massive disruption to critical NHS services, and healthcare staff were left unable to access patient records.

Advanced was found to have insufficient measures in place, including:
■ Gaps in deployment of Multi-Factor Authentication
■ A lack of mature vulnerability management scanning mechanisms
■ Inadequate security patch management

A provisional fine of £6.09 million was reduced to £3.07 million after Advanced’s proactive engagement with the National Cyber Security Centre, the National Crime Agency and the NHS. Advanced has agreed to pay the fine without appeal. You can read the ICO enforcement notice here.

Key learnings from this case

This action serves as a timely reminder for both controller organisations and service providers to make sure robust measures are in place to protect personal data and ensure systems are secure throughout the supply chain.

Supplier due diligence

While this fine has been imposed on a processor, organisations which engage other parties to provide services have a duty to make sure they work with suppliers who can demonstrate robust standards in data protection and information security.
In our experience, controllers need to make sure they’re asking the right questions before they onboard any new supplier who’d be processing personal data on their behalf – whether this be cloud computing providers, SaaS solutions or other technology providers. To give a simple illustration:
■ Do they have a DPO or another individual in the business who oversees data protection compliance?
■ Do they have an Information Security Officer, or other related role?
■ Can they provide evidence of data protection and info sec policies and procedures?
■ Have they experienced a data breach before?
■ What information security measures do they have in place?
■ Are security measures regularly tested, and how?

Suppliers for their part need to be prepared to meet clients’ due diligence requests, including being able to provide detailed information on data location(s) and the security measures and controls in place to protect client data. We’d stress a proportionate, risk-based approach should be taken to this: the more sensitive the data, the more robust the checks should be.

Seven quick information security tips

1. Restrict access to your data and services and use Multi-Factor Authentication where possible
2. Choose secure settings for your network, devices and software
3. Protect yourself from viruses and other malware
4. Keep your devices and software up to date
5. Keep logs and monitor them
6. Restrict or prevent use of USB / memory drives
7. Back up your data

The ICO has published ransomware and compliance guidance which provides information on how best to protect systems.

Controller-processor contracts

Once satisfied with a prospective supplier’s approach to data protection and information security, it’s then vital to make sure contractual terms cover core requirements under UK GDPR. Often covered in a Data Processing Agreement/Addendum, these shouldn’t be overlooked. We’ve written about supplier agreements here.
It’s worth noting liability clauses in such agreements are facing increasing scrutiny, reflecting the increased cost of non-compliance and the fall-out from data breaches. Irina Beschieriu, Deals Counsel for Atos IT Solutions, has written an interesting article on this for IAPP and says:

“General limitations of liability clauses are no longer considered sufficient to address the specific risks associated with data privacy. Instead, we have seen the rise of dedicated provisions meticulously crafted to address data privacy liabilities specifically. Negotiations surrounding these provisions are now more intense, more detailed, and carry higher stakes than ever before.”

See: The growing burden of data privacy liability in tech contracts

While ICO fines are not commonplace, we’d urge both controllers and processors to take heed of this action. In announcing this enforcement action, Information Commissioner John Edwards says:

“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”

Data Sharing Checklist

Controller to Controller Data Sharing

Data protection law doesn’t stop us sharing personal data with other organisations, but it does place on us a requirement to do so lawfully, transparently and in line with other key data protection principles. Organisations often need to share personal data with other parties. This could be reciprocal, one-way, a regular activity, ad-hoc or a one-off.

Quick Data Sharing Checklist

Here’s a quick list of questions to get you started on how to share personal data compliantly. (The focus here is on sharing data with other controllers, i.e. other organisations who will use personal data for their own purposes. There are separate considerations when sharing data with processors, such as suppliers and service providers.) Controller or processor, what are we?

1. Is it necessary?
It may be possible to achieve your objective without sharing personal data at all, or perhaps the data could be anonymised.

2. Do we need to conduct a risk assessment?
Check if what you’re planning to do falls under the mandatory requirement to complete a Data Protection Impact Assessment. Depending on the nature and sensitivity of the data it might be a good idea to conduct one anyway. Quick DPIA Guide.

3. Do people know their data is being shared?
Transparency is key, so it’s important to make sure people know their personal details are being shared. Would they reasonably expect their personal data to be shared in this way? Is it covered in your Privacy Notice? In some situations it may not be possible to be transparent, in which case a robust and defensible justification is needed.

4. Is it lawful?
To be lawful we need a lawful basis and we need to meet the relevant conditions of the basis we’ve chosen. For example, if we’re relying on consent, is it specific, informed and an unambiguous indication of the person’s wishes?
If we’re relying on legitimate interests, have we balanced our interests with those of the people whose data we’re sharing? Quick guide to lawful bases.

5. Can we reduce the amount of data being shared?
Check what data the other organisation actually needs; you may not need to share a whole dataset, a sub-set may suffice.

6. Is it secure?
Agree appropriate security measures to protect the personal data, both when it’s shared and at rest. This includes security measures where the other organisation is being given access to your systems. Are controls in place to make sure only those who need access have access?

7. Can people still exercise their privacy rights?
Both parties should be clear about their responsibilities to fulfil privacy rights, and it should be easy for people to exercise them.

8. How long will the personal data be kept for?
Consider if it’s appropriate to have specific arrangements in place for the shared data to be destroyed after a certain period of time.

9. Is the data being shared with an organisation overseas?
If the personal data is being shared with a business located outside the UK, it will be necessary to consider the international data transfer rules.

10. Do we need a data sharing agreement?
UK GDPR does not specify a legal requirement to have an agreement in place when data is shared between organisations acting as controllers. However, the UK ICO considers it ‘good practice’, as an agreement can set out what happens to the data at each stage, and agreed standards, roles and responsibilities. ICO Data Sharing Agreement guidance.

Other data sharing considerations

Are we planning to share children’s data?
Proceed with care if you are sharing children’s data. You need to carefully assess how to protect children from the outset, and will need a compelling reason to share data relating to under 18s. This is likely to be a clear case of conduct a DPIA!

Is the other organisation using data for a ‘compatible purpose’?
Consider the original purpose the data was collected for, and whether the organisation you’re sharing it with will use it for a similar purpose. It’s worth noting the UK Department for Education came a cropper for sharing data for incompatible purposes.

Is data being shared as part of a merger or acquisition?
If data is being shared as part of a merger or acquisition, the people the data relates to should be made aware this is happening. You’d want to be clear the data should be used for a similar purpose. Robust due diligence is a must, and perhaps a DPIA to assess and mitigate any risks.

Is it an emergency situation?
We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The ICO is clear on this point: in an emergency you should go ahead and share data as is necessary and proportionate.

The ICO has a Data Sharing Code of Practice, full of useful information about how the Regulator would expect organisations to approach this.

Access controls: Protecting your systems and data

Is your data properly protected? Do existing staff or former employees have access to personal data they shouldn’t have access to? Keeping your business’ IT estate and personal data safe and secure is vital. One of the key ways to achieve this is by having robust access controls. Failure to make sure you have appropriate measures and controls to protect your network and the personal data on it could lead to a data breach. This could have very serious consequences for your customers and staff, and for the business’ reputation and finances.

How things can go wrong

Recently a former management trainee at a car rental company was found guilty and fined for illegally obtaining customer records. Accessing this data fell outside his role at the time. In 2023 a former 111 call centre advisor was found guilty and fined for illegally accessing the medical records of a child and his family. In 2022 a former staff advisor for an NHS Foundation was found guilty of accessing patient records without a valid reason. Anecdotally, we know of cases of former employees being found to be using their previous employer’s personal data once they have moved on to a new role.

The ability to access and either deliberately or accidentally misuse data is a common risk for all organisations. Add to this the risk of more employees and contractors working remotely, and it’s clear we need to take control of who has access to what.

High-level checklist

1. Apply the ‘Principle of Least Privilege’
There’s a useful security principle, known as ‘the principle of least privilege’ (PoLP). This sets a rule that employees should have only the minimum access rights needed to perform their job functions. Think of it in the same way as the ‘minimisation’ principle within GDPR. You grant the minimum access necessary for each user to meet the specific set of tasks their role requires, with the specific datasets they need.
By adopting this principle, you can prevent the risk of employees gaining more access rights over time. You’ll need to periodically check to make sure they still need the existing access rights they have. For example, when someone changes role, their access needs may also change. If your access controls haven’t been reviewed for a long time, adopting PoLP can give you a great starting point to tighten up security.

2. Identity and Access Management
IAM is a broad term for the policy, processes and technology you use to administer employee access to your IT resources. IAM technology can join it all up – a single place where your business users can be authenticated when they sign into the network and be granted specific access to the selected IT resources, datasets and functions they need for their role. One IAM example you may have heard of is Microsoft’s Active Directory.

3. Role-based access
Your business might have several departments and various levels of responsibility within them. Most employees won’t need access to all areas. Many businesses adopt a framework in which employees can be identified by their job role and level, so they can be given access rights which meet the needs of the type of job they do.

4. Security layers
Striking the right balance between usability and security is not easy. It’s important to consider the sensitivity of different data and the risks if that data was breached. You can take a proportionate approach to setting your security controls. For example personal data, financial data, special category or other sensitive personal data, commercially sensitive data (and so on) will need a greater level of security than most other data. Technologies can help you apply proportionate levels of security. Implementing security technologies at the appropriate levels can give greater protection to certain systems and data which demand a high level of security (i.e.
strictly-controlled access), while allowing non-confidential or non-sensitive information to be accessed quickly by a wider audience.

5. Using biometrics
How do you access your laptop or phone? Many of us use our fingerprint or facial recognition, which gives a high level of security, using our own biometric data. But some say, for all their convenience benefits, they are not as secure as a complex password! But then, how many of us really use complex passwords? Perhaps you use an app to generate and store complex passwords for you. Sadly lots of people use words, names or memorable dates within their passwords. Security is only going to be as good as your weakest link.

6. Multi-factor authentication (MFA)
Multi-factor authentication has become a business standard in many situations, to prevent fraudulent use of stolen passwords or PINs. But do make sure it’s set up effectively. I’ve seen some examples where MFA has to be activated by the user themselves. So if they fail to activate it, there’s little point having it. I’ve heard about data breaches happening following ineffective implementation of MFA, so do be vigilant.

There are an array of measures which can be adopted. This is just a taster, which I hope you found useful – stay safe and secure!

International Data Transfers Guide

A top-level overview of international data transfers

There are restrictions under UK and EU data protection law when transferring personal data to organisations in other countries, and between the UK and EU. The rules regarding restricted transfers can be an enigma to the uninitiated, and their complexity has been magnified by Brexit and by an infamous 2020 European Court ruling known as ‘Schrems II’.

This guide aims to give an overview of what international data transfers are and the key data protection considerations. It does not cover all the intricacies, nor data transfers for immigration and law enforcement purposes. Also please be aware there may be specific restrictions in place under laws in other territories around the world.

As a general rule, controllers based in the UK or EU are responsible for making sure suitable measures are in place for restricted transfers to other controllers, or to processors. A processor will be responsible when they initiate the transfer, usually to a sub-processor.

Some might be thinking: what would be the impact if we just put all of this into the ‘too difficult’ tray? It’s certainly an area which many feel has become unduly complicated and an onerous paperwork exercise. However, getting the detail right will pay off should things go wrong. For example, if a supplier you use based overseas suffers a data breach, the consequences may be more significant if you have not covered off legal requirements surrounding restricted transfers. It’s an area likely to come under regulatory scrutiny in the event of a breach or should a complaint be raised.

What is an international data transfer?

An international data transfer refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity (‘third party’) located in another country; in other words, the personal data can be accessed from overseas.
There are specific rules about the transfer of personal data from a UK sender to a receiver located outside the UK (under UK GDPR), and similar rules for transfers from EEA senders (under EU GDPR); these are known as restricted transfers. A receiver could be a separate company, public body, sole trader, partnership or other organisation.

EU GDPR: Personal data can flow freely within the European Economic Area (EEA). A restricted transfer takes place when personal data is sent to, or made accessible from, outside the EEA. Where such a transfer takes place, specific safeguards should be in place to make the transfer lawful under EU GDPR.

UK GDPR: A restricted transfer takes place when personal data is transmitted, sent or accessed outside the UK, and safeguards should be in place to ensure the transfer is lawful.

The reason for these rules is to protect people's legal rights, as there's a risk people could lose control over their personal information when it's transferred to another country.

Examples of restricted transfers would be:
■ Sending paper or electronic documents, or any kind of record containing personal data, by email or post to another country
■ Giving a supplier based in another country access to personal data
■ Giving another entity in the same corporate group, based in another country, access to UK/EU employee data

There are some notable exceptions:

Our own employees: A restricted transfer does not take place when sending personal data to someone employed by your own organisation, or when they access it from overseas (for example while travelling). It does, however, cover sending, transmitting or making personal data available to another entity within the same corporate group where the entities operate in different countries.

Data in transit: Where personal data is simply routed via other countries, with no intention that it will be accessed or manipulated while in transit, this is not a restricted transfer.
ICO guidance says: "Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country, but the transfer is actually from one UK organisation to another, then it is not a restricted transfer."

What are the safeguards for restricted transfers?

A. Adequacy

Adequacy is when the receiving country has been judged to have a level of data protection essentially equivalent to that of the sender's country. An adequacy decision allows for the free flow of personal data without any additional safeguards or measures.

Transfers from the EEA: The European Commission has adopted adequacy decisions for a number of countries, including the UK, Japan, New Zealand, Uruguay and Switzerland. A full list can be found on the European Commission website under Adequacy Decisions. Personal data can therefore flow freely between EEA countries and an 'adequate' country. These decisions are kept under review. There are some concerns that UK Government plans to reform data protection law could potentially jeopardise the UK's current adequacy decision.

EU-US Data Privacy Framework: The Commission adopted this framework for transfers from the EU to the US in July 2023. It allows for the free flow of personal data to organisations in the US which have self-certified to, and meet the principles of, the DPF. A list of self-certified organisations can be found on the U.S. Department of Commerce DPF website. Before relying on it, check that the receiving organisation's certification is current and that it covers the type of data (HR or non-HR) you are sending.

Transfers from the UK: There are provisions which permit the transfer of personal data from the UK to the EEA, and to any countries covered by a European Commission adequacy decision as of January 2021. Personal data can therefore flow freely from the UK to the EEA and to any of the countries awarded adequacy by the Commission. The UK Government has the power to make its own adequacy decisions on countries it deems suitable for transfers from the UK. More information about UK adequacy decisions can be found here.
UK-US Data Bridge: The UK-US 'Data Bridge' was finalised on 21st September 2023 and came into effect on 12th October 2023. As with the EU-US Data Privacy Framework, organisations based in the US must self-certify to the DPF, and they must additionally sign up to the 'UK Extension' to the DPF. Read more about the Data Bridge.

B. EU Standard Contractual Clauses

In the absence of an adequacy decision, Standard Contractual Clauses (SCCs) can be used, which the sender and the receiver of the personal data both sign. These comprise a set of specific contractual obligations designed to provide legal protection for personal data when it is transferred to 'third countries'. SCCs can be used for restricted transfers from the EEA to territories not covered by adequacy. The European Commission published new SCCs in 2021 which should be used for new and replacement contracts. The SCCs contain modules for different types of transfer:
■ controller-to-controller
■ controller-to-processor
■ processor-to-processor
■ processor-to-controller

There's an option for more than two parties to join and use the clauses through a docking clause. More information can be found on the European Commission website under Standard Contractual Clauses.

Two points worth noting:
■ The deadline to update contracts which use the old SCCs has passed: it was 27th December 2022.
■ Senders in the UK cannot rely solely on the EU SCCs; see the point below about the UK Addendum.

C. UK International Data Transfer Agreement (IDTA) or Addendum to the EU SCCs

Senders in the UK (post-Brexit) have two possible options here as a lawful tool to comply with UK GDPR when making restricted transfers:
■ the International Data Transfer Agreement (IDTA), or
■ the Addendum to the new EU SCCs.

ICO guidance stresses that the new EU SCCs are not valid for restricted transfers under UK GDPR on their own, but using the Addendum allows you to rely on them. In other words, the UK Addendum works to ensure the EU SCCs are fit for purpose in a UK context.

In practice, if the transfer is solely from the UK, the UK IDTA would be appropriate. If the transfer includes both UK and EU personal data, the EU SCCs with the UK Addendum would be appropriate, covering the rights of EU as well as UK data subjects. It's worth noting that contracts signed on or before 21 September 2022 can continue to use the old SCCs until 21 March 2024. Contracts signed after 21 September 2022 must use the IDTA or the Addendum to the new EU SCCs in order to be effective. See the ICO guidance.

The additional requirement for a risk assessment

The 'Schrems II' ruling in 2020 invalidated the EU-US Privacy Shield (the predecessor of the Data Privacy Framework) and raised concerns about the use of EU SCCs to protect personal data. The concerns included potential access to personal data by law enforcement or national security agencies in receiving countries. As a result of this ruling there's a requirement, when using the EU SCCs or the UK IDTA, to conduct and document a risk assessment to determine whether personal data will be adequately protected. In the EU this is known as a Transfer Impact Assessment (TIA), and in the UK it's called a Transfer Risk Assessment (TRA). Where the assessment finds that local law undermines the contractual protections, supplementary measures may be needed; the usual technical example is strong encryption of the data in transit and at rest, with the keys held only by the sender or another party outside the receiving country, so that the receiver cannot be compelled to hand over readable data. The ICO has published TRA guidance and we've written a TRA guide.

D. Binding Corporate Rules (BCRs)

BCRs can be used as a safeguard for transfers between companies in the same group. While some global organisations have gone down this route, it can be incredibly onerous and completing BCRs takes a considerable amount of time. BCRs need to be approved by a supervisory authority (for example the ICO in the UK, or the CNIL in France). This has been known to take years, so many groups have chosen to use EU SCCs (with the UK Addendum if necessary) or the IDTA in preference to BCRs.

E. Other safeguards

Other safeguard measures include:
■ Approved codes of conduct
■ Approved certification mechanisms
■ Legally binding and enforceable instruments between public authorities or bodies.
What are the exemptions for restricted transfers?

It may be worth considering whether an exemption applies to your restricted transfer. These can be used only in limited circumstances and include:
■ Explicit consent: the transfer is made with the explicit consent of the individual whose data is being transferred, having been informed of the possible risks.
■ Contract: the transfer is necessary for the performance of a contract between the individual and the organisation, or for necessary pre-contractual steps.
■ Public interest: the transfer is necessary for important reasons of public interest.
■ Legal claims: the transfer is necessary for the establishment, exercise or defence of legal claims.
■ Vital interests: the transfer is necessary to protect someone's vital interests (i.e. in a life-or-death situation) where the individual is physically or legally incapable of giving consent.

The ICO makes the point that most of the exemptions include the word 'necessary'. The regulator says this doesn't mean the transfer has to be absolutely essential, but that it "must be more than just useful and standard practice". An assessment needs to be made as to whether the transfer is objectively necessary and proportionate, and can't reasonably be achieved another way. The regulatory guidance says exemptions such as contractual necessity are more likely to be proportionate for occasional transfers, a low volume of data, and where there is a low risk of harm when the data is transferred.

The above is not an exhaustive list of the exemptions; further details can be found here.

There's no getting away from it: international data transfers are a particularly complex and onerous area of data protection law. It pays to be familiar with the requirements and understand the potential risks. Sometimes organisations will have little control over the terms under which they do business with others. For example, large technology providers might be unwilling to negotiate international transfer arrangements and will only proceed if you agree to their existing safeguards. A balance might need to be struck between the necessity of entering the contract and the potential risks should restricted transfers not be adequately covered.

Managing how employees use their own devices for work

How to mitigate the security risks of Bring Your Own Device (BYOD)

The switch to remote working during the COVID pandemic, and the hybrid working that followed, means even more employees now use their own devices to access work emails, systems and files. This can make practical sense for many organisations, but the use of personal devices can pose a serious security risk if appropriate measures are not in place: a risk to personal information, as well as to other confidential or commercially sensitive information.

Some organisations (particularly those handling sensitive data) might take the step of banning the use of any personal devices for work purposes. For others there are good reasons for allowing personal devices to be used. The key is making sure security risks have been considered and appropriate measures are in place to protect the organisation and those whose personal data is held.

It's essential for any organisation which allows employees to use their own devices for work purposes to have robust security measures in place to address those risks, along with appropriate measures to protect personal data. Furthermore, employees need to know what's expected of them, and this is where having a Bring Your Own Device (BYOD) Policy is crucial.

What are the risks, what key security measures should be in place, and what should a BYOD Policy cover?

Key BYOD risks

1. Loss or theft of devices: we're all human, and I suspect many of us have lost a mobile before, or perhaps even left a laptop somewhere. There's a clear risk if it's possible for someone else to access valuable or sensitive information on the device, especially where the device is not encrypted or has a weak unlock code.

2. Use of public wi-fi services: connecting to open public wi-fi when employees are out and about can expose personal devices to attackers on the same network. There's also a risk if home networks aren't secure.

3. Malware and viruses: employees can view any website and download any app on their own device, raising the risk that these could contain damaging malware or viruses.

4. Former employees: failing to remove access and data from devices when people leave the organisation could come back to haunt it. I know of cases where this has caused a data breach.

Key steps to mitigate BYOD risks

Here are some methods to reduce or eliminate the risks. This is by no means an exhaustive list, but will hopefully give you some useful pointers.
■ Require employees to use appropriate authentication settings when accessing their devices, for example a passcode or fingerprint, and require device encryption (which most modern phones enable once a passcode is set).
■ Restrict which business applications and data employees can access via their own device.
■ Implement enhanced user authentication for business apps: multi-factor authentication (MFA). That includes access to their business email account (e.g. via Outlook), which may contain personal information in the content or in attachments.
■ Consider measures to make sure personal data from business apps can't be downloaded, stored or shared via personal devices. Mobile application management (MAM) or 'containerisation' tools can enforce this at the app level without managing the whole personal device.
■ Don't allow staff to share data or screenshots from any business app with any other app they may have on their device (e.g. social media or file-sharing apps).
■ Put clear procedures in place for lost or stolen devices: for example, reporting the loss and the capability to remotely delete business data from a lost or stolen device.
■ Make sure clear procedures are in place to update access controls when people leave the business or change roles.
■ Prohibit the use of public wi-fi services, which may be insecure, or require a company VPN when they must be used. Provide advice on making sure home wi-fi is secure.
■ Ask employees to update apps and the device operating system regularly to make sure security vulnerabilities are patched.
■ Ask them to run antivirus / anti-malware checks regularly.
Creating a Bring Your Own Device Policy

A BYOD Policy sets out the rules for employees when using their personal devices, be they laptops, smartphones or tablets, for work purposes. It should set out the organisation's expectations and the security measures required. When employees are accessing the organisation's information, it's reasonable to insist they comply with a BYOD Policy.

Such a policy would cover all the measures in place to mitigate the risks above, making sure employees' responsibilities are clearly laid out. You'd also want it to include, or point to, clear onboarding and leaver procedures, and the procedure for lost or stolen devices. In addition, a BYOD Policy is also likely to cover:
■ Types of device permitted.
■ The organisation's rights over the device (this can be a tricky area and may be worth seeking legal advice on, for example whether the organisation may remotely wipe the device or inspect it during an investigation).
■ A list of organisation systems / apps allowed to be accessed via personal devices.
■ An explanation of acceptable use and behaviours. For example, employees may not be permitted to:
  – allow others (e.g. family members) to access work systems and apps
  – store or transfer copies of the organisation's information onto their own devices
  – use private email accounts for work purposes
  – use the device in ways which may be illegal or bring the organisation into disrepute
■ Details of the IT support available to employees.
■ Any sanctions should employees fail to follow the policy.

By the way, whilst we refer to employees above, bear in mind you may also have contractors who access the organisation's systems / apps via their own devices. If so, the Policy should apply to contractors too.

Recently the Information Commissioner's Office took action against a company following a data breach. It's worth noting one of the key failings found was the lack of a BYOD policy. We've written more about this here: Information Security Tips

Data protection and our suppliers

How to manage the third parties we work with

One of the more challenging aspects of data protection compliance has been identifying and managing all our suppliers: those acting as our processors, supporting our business. Making sure appropriate contractual terms are in place, whilst doing all we can to protect the business from supply chain data breaches (which are all too common), can become onerous.

It can help to take a risk-based approach, focusing first on the suppliers which represent the biggest business risk. Alongside this, for any new suppliers we need to make sure we carry out appropriate and robust due diligence.

Years after GDPR was implemented, many projects to tackle supplier management remain unfinished, representing an ongoing risk. If we have limited visibility into how our data is processed by our suppliers (and any sub-processors) it clearly leaves the business exposed.

What does good supplier management look like?

In short, we need to make sure our suppliers are doing what they say they'll do to protect personal data, using risk assessments and audits. This includes knowing how our suppliers will respond when it comes to the crunch: a data breach. How quickly and fully will they notify us, and how will they assist us?

Seven-point supplier management checklist

1. Due diligence. Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place? Is there evidence to prove this? It's good practice to request meaningful answers to questions such as:
■ Do they have a DPO or another individual in the business responsible for data protection?
■ Can they provide evidence of data protection policies and procedures?
■ Have they experienced a data breach before?
■ What information security procedures do they have in place?
■ How regularly are their security measures tested?
■ Do they hold any form of certification?
■ In which country/region will the data be processed?
■ Who are their sub-processors and where do they process the data?
The above is by no means an exhaustive list. Where a supplier claims a certification such as ISO/IEC 27001 or Cyber Essentials, ask for the certificate and check that its scope actually covers the service you are buying; a certificate for a different business unit or data centre proves little.

2. International data transfers. There are additional considerations if international data transfers come into play. If we're sharing data with (or allowing it to be accessed by) a supplier in a third country, we need to check what safeguards need to be in place. For countries where there's no adequacy decision (allowing for the free flow of data), we need to implement a transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs). There's also the relatively new requirement to conduct a transfer risk assessment, and to consider whether additional security measures are needed.

3. Contracts. Do we have a clear list of standard clauses for supplier contracts? What do the liability clauses look like? Are we prepared to walk away from suppliers whose contracts aren't up to scratch? Do we have a good understanding of the level of contractual risk the business is prepared to accept? UK/EU GDPR (Article 28) is clear on what must be included in contracts with processors, and the ICO has published useful contracts guidance. There are often negotiations to be had, especially when it comes to those tricky liability clauses.

4. Instructions. Have we provided clear instructions on how our suppliers are permitted to handle the personal data, for what purposes, and how long they must retain it?

5. Ongoing risk assessment. Do we have a process for evaluating the level of risk suppliers may represent? It's important to recognise some suppliers may bring greater risks than others. It may not be necessary to risk assess every supplier to the same level of granularity. Effectively we need to risk assess the risk assessments.

6. Review / audit. Do we have a review or audit programme in place? Annual audits of all suppliers may not be possible, but it makes sense to rotate audits and maintain an up-to-date record of suppliers' processing activities. For suppliers considered higher risk, it may be prudent to audit them routinely. In doing so it's important to be clear which aspects of the supplier's business need to be scrutinised. Creating a framework which is tuned to and makes sense for the business is a good step, and means there's something to show the thought process if the ICO ever comes calling. Here are some factors to consider:
■ What categories of data are handled?
■ What's the data volume?
■ How risky is the processing?
■ What could the impact be if a data breach occurred?
■ Was any due diligence carried out when the supplier was onboarded?
■ Is the supplier accredited or certified?
■ Have there been any complaints relating to privacy / breaches?
■ Have there been changes in ownership or scope of processing?
■ Have there been significant changes in processes and workflow?

7. Certification. In the absence of an approved GDPR certification scheme, alignment with ISO/IEC 27701 (the privacy information management extension to ISO/IEC 27001) is worth considering.

It can sometimes feel like a mountain to climb, especially if operating with multiple suppliers. As the saying goes, 'you can only eat an elephant one bite at a time': the key to supplier management is identifying the biggest risks and prioritising where action is needed most.