What is the GDPR?
The General Data Protection Regulation (GDPR) is a set of rules that protect the privacy and personal data of people living in the European Union (EU). It gives individuals more control over their personal information and requires companies to handle it more carefully.
Under the GDPR, individuals have the right to know what information a company holds about them and how it is being used, and to have it deleted if they no longer want it stored. Where a company relies on consent as its legal basis, it must obtain that consent explicitly, and it must notify individuals if their data is breached.
The GDPR applies to any company that operates within the EU or collects data from EU citizens. Companies that fail to comply with the GDPR can face significant fines.
Overall, the GDPR aims to ensure that individuals’ personal data is treated with respect and care, and that they have control over how it is used.
If you would like to understand how data protection law affects you please get in touch.
Why should my company comply with the GDPR?
Companies should comply with the General Data Protection Regulation (GDPR) for several reasons:
- Avoiding hefty fines: Non-compliance with the GDPR can result in significant fines of up to €20 million or 4% of a company’s global annual revenue, whichever is higher. Compliance with the GDPR can help companies avoid these hefty fines and penalties.
- Enhancing reputation: Complying with the GDPR shows customers and stakeholders that a company takes data protection seriously, which can enhance the company’s reputation and increase trust with customers and stakeholders.
- Improving customer relationships: Compliance with the GDPR can help companies build stronger relationships with customers by demonstrating their commitment to protecting personal data and respecting individual privacy rights.
- Reducing the risk of data breaches: Compliance with the GDPR can help companies identify and mitigate potential vulnerabilities in their data protection practices, reducing the risk of data breaches and associated legal and financial consequences.
- Staying competitive: Compliance with the GDPR is increasingly becoming a standard expectation for companies operating within the European Union. Companies that fail to comply with the GDPR may lose business to competitors who are more compliant and take data protection more seriously.
We can assist you in all of these areas and more. Get in touch to find out how.
What can my company do to prevent cyber attacks?
There are several steps that a company can take to prevent cyber attacks:
- Conduct a cybersecurity risk assessment: Identify potential vulnerabilities and risks to your company’s information systems, networks, and data.
- Develop a cybersecurity policy: Establish a policy that outlines how your company will protect its information systems, networks, and data. This policy should include guidelines for password management, data encryption, and access control.
- Educate employees on cybersecurity: Provide training to employees on cybersecurity awareness and best practices, including how to identify and report suspicious activity.
- Implement firewalls and antivirus software: Install firewalls and antivirus software to help prevent unauthorised access to your company’s networks and systems.
- Regularly update software and systems: Regularly update software and systems with the latest security patches to address known vulnerabilities.
- Conduct regular backups of data: Regularly back up critical data to prevent data loss in the event of a cyber attack.
- Implement access controls: Use access controls to limit access to sensitive information to authorised personnel only.
- Monitor network activity: Monitor network activity to identify potential security breaches and respond quickly to any suspicious activity.
By taking these steps, a company can significantly reduce the risk of a cyber attack and better protect its information systems, networks, and data.
At Privacy People we can assist you in implementing all or some of these steps. Call us to find out how.
What is a phishing attack and how can I prevent one?
A phishing attack is a common type of cyber attack where an attacker poses as a legitimate organisation or person to trick individuals into giving away sensitive information such as usernames, passwords, and credit card details. To avoid a phishing attack, a company can take the following steps:
- Educate employees: Provide training to employees on how to identify and avoid phishing attacks. This should include teaching employees to be suspicious of unsolicited emails, text messages, or phone calls, and to verify the legitimacy of any requests for sensitive information.
- Use spam filters: Install spam filters on your email system to help prevent phishing emails from reaching your employees’ inboxes.
- Implement multi-factor authentication: Require employees to use multi-factor authentication when accessing sensitive information or systems. This can help prevent unauthorised access even if an attacker has obtained a user’s password.
- Regularly update software: Regularly update software, including web browsers and email clients, to address known vulnerabilities that can be exploited by phishing attacks.
- Use security software: Install security software, such as antivirus and anti-malware software, to help detect and prevent phishing attacks.
- Implement security policies: Implement security policies that require employees to report suspicious emails or other activity that may be indicative of a phishing attack.
- Conduct phishing simulations: Regularly conduct phishing simulations to test employees’ awareness of phishing attacks and their ability to identify and respond appropriately.
By taking these steps, a company can significantly reduce the risk of a phishing attack and better protect its employees and sensitive information.
Get in touch to find out how Privacy People help our clients educate their staff and prevent successful phishing attempts.
Should our staff undergo data protection and cyber security training?
Yes, it is important to train individuals regarding data protection and cybersecurity. With the increasing reliance on technology and the internet in our daily lives, individuals need to understand the risks associated with using these technologies and how to protect themselves and their personal information from cyber threats.
Cyber attacks are becoming more frequent and sophisticated and can result in financial loss, identity theft, and other negative consequences. By providing training on data protection and cybersecurity, individuals can learn how to identify potential threats, how to create strong passwords, how to avoid phishing scams and other online scams, and how to secure their devices and networks.
Additionally, as more companies and organisations collect and store personal information, it is important for individuals to understand their rights and how their data is being used. By providing training on data protection, individuals can learn about data privacy laws and regulations, and how to exercise their rights to protect their personal information.
Overall, data protection and cybersecurity training is essential for individuals to protect themselves and their personal information from cyber threats.
Our bespoke training platform is the perfect way to educate and train your staff on their responsibilities. The training is typically provided in 5 short webinar videos, fully bespoke to your requirements, in your branding and company colours. Call or email us to get a quote.
Should our company perform a data protection and cyber security audit to understand if we have any gaps?
Yes, a company should perform a data protection audit to assess the effectiveness of its current data protection measures and to identify any gaps or vulnerabilities that need to be addressed. Data protection audits can help organisations to comply with data protection laws and regulations, mitigate the risk of data breaches, and protect sensitive information from unauthorised access, theft, or misuse.
A data protection audit typically involves reviewing the company’s data processing activities, including the types of data collected, how it is used and shared, and how it is stored and secured. The audit may also assess the company’s policies and procedures related to data protection, employee training and awareness, and incident response and management.
By conducting a data protection audit, companies can identify areas where they need to improve their data protection practices, such as implementing stronger encryption or access controls, updating policies and procedures, or providing more employee training. This can help the company to reduce the risk of data breaches and protect its reputation, while also demonstrating a commitment to data protection and compliance with relevant regulations.
Our 157-point audit will tell you exactly how compliant you are with data protection laws and cyber security best practice. The audit is designed to take up a minimal amount of your time, and the final result is a usable analysis of your current gaps and how to fix them.
Is it beneficial to outsource our Data Protection Officer (DPO) role to Privacy People?
Outsourcing a data protection officer (DPO) can have both benefits and drawbacks, depending on your organisation’s specific needs and circumstances. Here are some potential benefits and drawbacks to consider:
Benefits:
- Cost savings: Hiring an in-house DPO can be expensive, especially for small or medium-sized businesses. Outsourcing a DPO can be more cost-effective, as you only pay for the services you need, without having to pay for benefits or other employee-related expenses.
- Expertise: Outsourcing a DPO can give you access to experts in the field of data protection and privacy, who have experience working with a variety of industries and can provide valuable insights and guidance on compliance and best practices.
- Flexibility: Outsourcing a DPO can provide greater flexibility, allowing you to adjust the level of services you need as your business needs change.
Drawbacks:
- Lack of control: Outsourcing a DPO means you are relying on an external provider to manage and oversee your organisation’s data protection practices, which can result in a loss of control and visibility.
- Communication challenges: Communication can be a challenge when working with an external provider, especially if they are located in a different time zone or speak a different language.
- Cultural fit: It’s important to find an external provider who understands your organisation’s culture and values and can work effectively with your team.
Ultimately, whether outsourcing a DPO is more beneficial depends on your organisation’s unique needs and circumstances. It’s important to carefully evaluate the pros and cons and choose a provider that can best meet your organisation’s needs.
At Privacy People we provide an unlimited use DPO service, billed monthly, quarterly, or annually to suit your requirements. We only work with clients who we feel we can add value to and complement their current culture. Call us to find out more.
How do I write a data protection policy?
Writing a data protection policy involves several steps. Here are some general guidelines to follow:
- Determine the scope of your policy: Define what data your policy covers, including the types of personal information you collect and how you use it.
- Identify your legal obligations: Review the laws and regulations applicable to your industry or jurisdiction, such as GDPR, CCPA, HIPAA, or others, and ensure that your policy complies with them.
- Explain the purpose of your policy: Explain why you are collecting data, how you will use it, and how you will protect it.
- Define roles and responsibilities: Clearly define the roles and responsibilities of employees, contractors, and third-party vendors who handle personal data.
- Describe data handling procedures: Detail the procedures that will be followed when collecting, processing, storing, transferring, and disposing of data.
- Outline data security measures: Explain the technical and organisational measures that will be used to protect data from unauthorised access, disclosure, alteration, or destruction.
- Establish data retention policies: Establish policies on how long you will retain data and when it will be deleted or destroyed.
- Provide guidance on how to access and correct data: Provide guidance on how individuals can access, correct, or delete their personal data, as well as how to make requests for such actions.
- Review and update your policy: Regularly review and update your policy to ensure that it remains current and compliant with applicable laws and regulations.
Remember that data protection policies are specific to each organisation and should reflect your unique data handling practices and legal requirements. Consider seeking specialist advice when drafting your policy, especially if you are unsure about any legal requirements that apply to your organisation.
At Privacy People we take care of your data protection policies for you. Our experts can create a one-off policy or an entire privacy framework and everything in between. Let the experts take care of this complex area for you.
Should my company certify with ISO 27001?
Whether your company should pursue ISO 27001 certification depends on several factors, including your industry, customer expectations, and your organisation’s specific needs.
ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within an organisation. The certification process involves a third-party audit of your organisation’s ISMS to verify that it meets the requirements of the standard.
If your organisation handles sensitive information or processes data that is critical to your business operations, ISO 27001 certification can provide a number of benefits. These include:
- Increased trust and credibility: ISO 27001 certification is recognised globally and can demonstrate to customers and stakeholders that your organisation takes information security seriously and has implemented best practices to protect their data.
- Improved risk management: By implementing an ISMS based on ISO 27001, your organisation can better identify and manage information security risks, reducing the likelihood of data breaches or other security incidents.
- Competitive advantage: ISO 27001 certification can differentiate your organisation from competitors and give you a competitive edge in winning new business.
However, it’s important to note that ISO 27001 certification requires a significant investment of time, resources, and money. It also requires ongoing commitment to maintain the certification and continually improve your ISMS.
Ultimately, whether your organisation should pursue ISO 27001 certification depends on your specific business needs and objectives. It may be helpful to conduct a risk assessment and cost-benefit analysis to determine whether the benefits of certification outweigh the costs and effort involved.
What are the benefits of Cyber Essentials?
Cyber Essentials is a UK government-backed scheme that aims to help organisations of all sizes protect themselves against common cyber threats. The benefits of Cyber Essentials include:
- Improved security: By implementing the five basic controls outlined in the Cyber Essentials scheme, organisations can improve their overall security posture and reduce their risk of cyber attacks.
- Competitive advantage: Organisations that achieve Cyber Essentials certification can demonstrate to customers, suppliers, and stakeholders that they take cyber security seriously and have implemented basic measures to protect their data.
- Compliance: Some industries, such as government, healthcare, and finance, may require Cyber Essentials certification as part of their regulatory compliance.
- Cost savings: Implementing basic cyber security measures can help organisations avoid costly data breaches and cyber attacks, which can result in significant financial losses.
- Peace of mind: Cyber Essentials provides a framework for organisations to assess their cyber security risks and take appropriate action, giving them peace of mind that they are doing everything they can to protect their data and systems.
How do I map the data my company processes?
Mapping the data your company processes involves identifying the various types of data your company collects, stores, and processes. This can be done by following these steps:
- Identify the sources of data: Start by identifying all the sources of data your company uses. This could include customer data, financial data, operational data, and more.
- Categorise the data: Once you have identified the sources of data, categorise the data based on its type, format, and purpose. For example, you could categorise the data into structured, unstructured, and semi-structured data.
- Identify data relationships: Determine how the different types of data relate to each other. This could involve identifying which data sets are dependent on each other and how they interact.
- Map the data flow: Once you have identified the relationships between data sets, map the flow of data within your company. This could involve creating a visual representation of how data moves from one system or department to another.
- Assess data security: Finally, assess the security measures in place for the data your company processes. This includes ensuring that data is encrypted, access is restricted to authorised personnel, and that data is backed up regularly.
Overall, mapping the data your company processes is an important step in understanding how your organisation uses data and can help you identify areas for improvement or potential vulnerabilities in your data management practices.
At Privacy People we can help you to map your data and understand the data flows so that you are in full control and can keep the data secure. Call or email us to discuss this further.
When do I need to complete a Data Protection Impact Assessment (DPIA)?
You need to complete a Data Protection Impact Assessment (DPIA) when the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. This requirement is outlined in Article 35 of the General Data Protection Regulation (GDPR).
The GDPR provides a non-exhaustive list of situations where a DPIA may be required, including:
- Systematic and extensive processing activities, such as profiling and automated decision-making;
- Large-scale processing of special categories of data, such as health or biometric data;
- Large-scale monitoring of public areas, such as through CCTV;
- Processing that involves the use of new technologies, such as AI or facial recognition;
- Processing that results in a significant impact on individuals, such as a decision that has legal or similarly significant effects.
In addition to these situations, your supervisory authority may provide guidance on when a DPIA is required in your specific context.
It’s important to note that if you are unsure whether a DPIA is necessary, it’s always better to err on the side of caution and carry out the assessment. A DPIA can help you identify and address potential data protection risks and ensure compliance with GDPR requirements.