Page 1 of 2
Results 1 to 16 of 21

Thread: Companies may face £17m fines for lax cybersecurity

  1. #1
    HEXUS.admin
    Join Date
    Apr 2005
    Posts
    31,709
    Thanks
    0
    Thanked
    2,073 times in 719 posts

    Companies may face £17m fines for lax cybersecurity

    After the government starts to implement the EU’s NIS directive in the UK, from 10th May 2018.


  3. #2
    Senior Member
    Join Date
    May 2014
    Posts
    2,385
    Thanks
    181
    Thanked
    304 times in 221 posts

    Re: Companies may face £17m fines for lax cybersecurity

    This should have been effected and put in place many years ago; however, back then cybersecurity wasn't as much on the radar as it is now.

    I wonder if a company can be clocked by the GDPR and this side by side, in which case it could be financially crippling.


  5. #3
    don't stock motherhoods
    Join Date
    Jun 2005
    Posts
    1,298
    Thanks
    809
    Thanked
    125 times in 108 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Quote Originally Posted by Tabbykatze View Post
    This should have been effected and put in place many years ago; however, back then cybersecurity wasn't as much on the radar as it is now.

    I wonder if a company can be clocked by the GDPR and this side by side, in which case it could be financially crippling.
    It needs to be done though. Far too many companies, large and small, have terrible data protection practices. We need the legislation here, arguably even more, to keep people safe in the digital age.


  7. #4
    Registered+
    Join Date
    Oct 2017
    Posts
    82
    Thanks
    0
    Thanked
    3 times in 3 posts

    Re: Companies may face £17m fines for lax cybersecurity

    How much will the government agencies get fined, or are they exempt, with it being public cash they waste?

  8. #5
    Member
    Join Date
    Feb 2013
    Posts
    186
    Thanks
    0
    Thanked
    11 times in 10 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Minimising the impact - don't store in plain text.

  9. #6
    spacein_vader (Missed by us all - RIP old boy)
    Join Date
    Sep 2014
    Location
    Darkest Northamptonshire
    Posts
    2,015
    Thanks
    184
    Thanked
    1,086 times in 410 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Quote Originally Posted by Tabbykatze View Post
    This should have been effected and put in place many years ago; however, back then cybersecurity wasn't as much on the radar as it is now.

    I wonder if a company can be clocked by the GDPR and this side by side, in which case it could be financially crippling.
    They can. Should be fun.

  10. #7
    Senior Member
    Join Date
    May 2014
    Posts
    2,385
    Thanks
    181
    Thanked
    304 times in 221 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Quote Originally Posted by spacein_vader View Post
    They can. Should be fun.
    Ooft, my money is on Talk Talk being breached again

  11. #8
    Ttaskmaster (MCRN Tachi)
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,918
    Thanks
    679
    Thanked
    807 times in 669 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Well, we're going out of business, then.......!!!!

  12. #9
    Xlucine (Senior Member)
    Join Date
    May 2014
    Posts
    2,160
    Thanks
    297
    Thanked
    188 times in 147 posts

    Re: Companies may face £17m fines for lax cybersecurity

    I've already seen adverts for hardware encrypted hard drives boasting about how you don't need to notify anyone if you lose them.

  13. #10
    Senior Member
    Join Date
    May 2014
    Posts
    2,385
    Thanks
    181
    Thanked
    304 times in 221 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Quote Originally Posted by Xlucine View Post
    I've already seen adverts for hardware encrypted hard drives boasting about how you don't need to notify anyone if you lose them.
    That's not quite right: if a hard drive is stolen with sensitive information on it, then the data controller does have to notify that the data has been lost, but that it was encrypted and secured.

    However, if the hard drive is stolen with sensitive information on it and it is technically the only copy, then that is the same as it being stolen.

    Basically, any company saying something like that should not be trusted. The GDPR is too serious to just be brushed off like that; organisations and companies are scrambling to get themselves secured. Basically, the reason I say the above is that it is the responsibility of the organisation to prove that the data was encrypted or pseudonymised. With those little hardware encrypted hard drives, I would be interested in how they allow an organisation to "prove" that the data was encrypted at point of breach. Because if they can't prove it, fine time.
    Last edited by Tabbykatze; 31-01-2018 at 08:57 AM. Reason: clarification of encryption and GDPR

  14. #11
    chrestomanci (Senior Member)
    Join Date
    Sep 2004
    Location
    Reading
    Posts
    1,614
    Thanks
    94
    Thanked
    96 times in 80 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Why the stock image of the Sellafield nuclear site? What has that got to do with cyber security? If you are looking for a vaguely relevant stock image to use, I am sure you can find one of the GCHQ donut.

  15. #12
    Admin (Ret'd)
    Join Date
    Jul 2003
    Posts
    18,481
    Thanks
    1,016
    Thanked
    3,208 times in 2,281 posts

    Re: Companies may face £17m fines for lax cybersecurity

    This is a good start, but as I understand it, this legislation applies only to "operators of essential services", not the vast majority of commercial operators. It's about securing "critical infrastructure", not protecting data security for consumers.

    While I entirely back measures to ensure critical infrastructure is protected, and frankly it's disgraceful that, first, it's taken this long, and second, it took an EU directive to get it in place, I would personally like to see FAR more aggressive legislation and action protecting consumer data. Any company that goes out of its way to acquire data on us should face crippling fines if it fails to take adequate precautions to secure it. If that means a company or two get fined out of existence, great. It'll motivate the others.

  16. #13
    Senior Member
    Join Date
    Aug 2003
    Location
    Wirral
    Posts
    230
    Thanks
    3
    Thanked
    9 times in 8 posts

    Re: Companies may face £17m fines for lax cybersecurity

    I wonder how all the NHS hospitals are going to respond to this?

  17. #14
    Senior Member
    Join Date
    Mar 2005
    Posts
    4,935
    Thanks
    171
    Thanked
    384 times in 311 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Quote Originally Posted by Saracen View Post
    I would personally like to see FAR more aggressive legislation and action protecting consumer data. Any company that goes out of its way to acquire data on us should face crippling fines if it fails to take adequate precautions to secure it. If that means a company or two get fined out of existence, great. It'll motivate the others.
    I'm curious about what you would like to change? Personally I think the UK's implementation of the GDPR is good.

    For others reading this, PII = personally identifiable information. Think of it as any data about a person, such as an email address, political affiliations, home address or even your name.

    It requires:
    Companies to know what PII they hold and where.
    Only store PII that is necessary for them to do business (i.e. stop storing all other PII)
    Secure that data using "state of the art security"
    Mandatory data breach notification to the regulator within 72 hours.

    Fines can be up to 2% of global turnover for lesser offences or 4% of global turnover for more serious breaches.

    For example, Google, with its approx. $90 billion turnover, could be fined $3.6 billion.

    Companies that make no profit can still be hit with huge fines.

    "State of the art" is used as a description for security as mandating controls tends to be out of date by the time legislation is passed.

    Finally, this is a simplification for the sake of remaining brief.

  18. #15
    Senior Member
    Join Date
    Mar 2005
    Posts
    4,935
    Thanks
    171
    Thanked
    384 times in 311 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Quote Originally Posted by Stu C View Post
    I wonder how all the NHS hospitals are going to respond to this?
    The same way they always do.

    Massive panic. Draw up loads of irrelevant process and paper forms for everyone to fill in every time they think about touching technology. Staff then ignore the overbearing processes as they are a complete waste of time.
    Rest of country continues to worship the religion and fiscal black hole that is "our great NHS" and point out that the front line staff are wonderful as justification that the rest of the organisation is also somehow wonderful. Then NHS continues killing grannies and rationing treatment because they "need more funding"

  19. #16
    Admin (Ret'd)
    Join Date
    Jul 2003
    Posts
    18,481
    Thanks
    1,016
    Thanked
    3,208 times in 2,281 posts

    Re: Companies may face £17m fines for lax cybersecurity

    Quote Originally Posted by badass View Post
    I'm curious about what you would like to change? Personally I think the UK's implementation of the GDPR is good.

    ....
    First, an informed, explicit, written consent before ANY PII can be held for longer than is needed to provide whatever goods/services were contracted for, and after that, it can ONLY be used for complying with legal requirements on record-keeping, like accounting, auditing, tax requirements, unless that explicit, informed and written consent is given.

    Second, consent can be withdrawn at any time, after which data will cease being used for any non-mandatory purposes, including but not limited to all marketing, data warehousing and especially data analytics.

    Third, a more granular level of permissions, especially where sensitive data is held, like medical data, or political opinions.

    Fourth, for such sensitive data, any consent automatically expires after a defined period, say, three years, unless consent is explicitly renewed.

    Fifth, under NO CIRCUMSTANCES will sensitive data be transferred to ANYBODY other than the persons to whom it was originally supplied, without explicit consent.

    Sixth, under NO CIRCUMSTANCES WHATEVER will such data be transferred outside of the direct jurisdiction of the regulatory authority under which it was supplied i.e. currently, EU Data Protection courts and, post-Brexit, the UK courts.

    Seventh, some of the possible punitive fines being applied where firms don't take adequate precautions and, for repeat offenders, punitive to the point of bankruptcy.

    Eighth, for illegal cold-callers and spam marketers .... execution by means of the death of 1000 cuts.

    Okay, I'll accept I'm probably pushing my luck with 8. But I can hope.
