
GDPR Assessment and Data Discovery Service

Cloud Business is pleased to announce the launch of our new Data Privacy and Compliance Service powered by eSpyder.

We have been working with eSpyder for several years on a GDPR assessment and data discovery service to meet demand from our customer base. During this time we have been refining the service to help companies ultimately gain a competitive advantage through effective data privacy compliance.

GDPR Compliance Platform

Cloud Business and eSpyder’s GDPR Compliance Platform has been developed to support Data Processing Officers (DPOs) and ensure company compliance with GDPR regulations and global data privacy legislation.

Our service includes:

  • Data discovery & review
  • GDPR compliance assessment & implementation
  • Automated monthly data discovery & reporting

Our GDPR assessment and data discovery service also ensures your DPO can respond to Data Subject Access Requests (DSARs) quickly and easily, tracking progress and reducing the cost of compliance. Typically, when a DPO receives a DSAR it’s the IT team that needs to locate the PII, which is why our service provides a solution for DPOs as well as for CTOs, IT Directors and IT Managers.

eSpyder is a system-, platform- and device-agnostic solution that integrates into existing IT environments with no need for additional server infrastructure. It scans PCs, laptops and data servers (cloud and on-premise) regardless of location and gives visibility of what data resides in each system or datastore.


Or get in touch if you would like to discuss your IT environment in more detail.


Do you really know where your sensitive data (PII) resides?

Last month we ‘celebrated’ the anniversary of GDPR legislation becoming legally enforceable. 2 years on, a lot has happened. Some of which, as our guest blogger Tim Dunn explains below, may have distracted some organisations from gaining real visibility over their sensitive data and PII.

As you’ve probably heard before, GDPR compliance is a journey not a destination. There is no magic button that can be clicked to make your organisation 100% compliant. However, as Tim discusses below, going on that journey and taking the steps he outlines in the GDPR compliance maturity model, can deliver significant benefits over and above compliance.

Read on to find out more about these benefits and the steps to take to gain visibility of PII and your organisation’s sensitive data.

The General Data Protection Regulation (GDPR) came into force in May 2018. In the subsequent 2 years UK companies have not only had to ensure they are compliant with GDPR, but also prepare for Brexit and, more recently, adapt their businesses to working under Covid-19 restrictions.

It’s fair to say that many organisations of all sizes were not ready to manage their obligations under GDPR by the May 25th 2018 deadline. Whilst most companies reviewed their data processing policies and business processes, there was still a huge challenge in identifying where Personally Identifiable Information (PII) resided in their systems, which limited the effectiveness of the compliance measures they were trying to establish. Furthermore, a majority of companies still struggle to track and protect PII on an ongoing basis.

Common barriers to gaining visibility of PII

One major barrier to gaining visibility of sensitive data is that there are a myriad of IT and business systems, each with its own individual data store. Also, many users transfer data to their local machines from secure corporate data stores, often with the best intentions of working efficiently offline or from remote locations such as their homes.

Another major challenge is that the Data Owners and the Data Protection Officer (DPO) are typically business executives rather than IT staff. Whilst they are the people who need to ask what data is being held and where, for example in response to a Data Subject Access Request (DSAR), they are wholly reliant on IT staff to provide the results. This is costly and time-consuming for both the business stakeholders and the IT department. It also significantly hampers business agility, which has been crucial for companies in the current Covid-19 crisis, where businesses have had to develop new business practices to continue trading.

GDPR compliance: 4 steps to maturity

Understanding with confidence where the company’s sensitive data is stored and who can access it is the foundation and starting point for an effective Data Protection capability. When adopting a maturity model such as the one below, you cannot progress beyond level 1 without completing the initial discovery and then implementing an ongoing tracking and search capability.

Figure: GDPR compliance maturity model

Once a company knows where its data resides and can ensure it is appropriately controlled and protected, it will gain significant business benefits beyond GDPR compliance alone:

  • It greatly reduces the costs associated with data protection and data management.
  • It saves time and limits the resources required to gain visibility and control over data.
  • It increases business agility, through both the time savings and the reduced risk when implementing new business models and services.
  • It improves customer service and brand reputation through rapid responsiveness to DSARs and demonstrable care and respect for customers’ data and privacy.

If you would like support understanding where your business’s sensitive data resides, please get in touch with our team.   

About Tim Dunn   

Tim has been in the software industry for the past 30 years, with the last 20 years spent specialising in the Cyber Security and Data Protection arena. He is a trusted advisor for many global organisations on Data Privacy and Cyber Security technologies.

As well as managing a number of successful start-ups, Tim also managed the UK business of Baltimore Technologies, a major security software vendor, and the security businesses of CA Technologies and BMC Software across EMEA.

In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Processing Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.   

eSpyder has been designed from the ground up to provide DPOs with the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress in terms of DSAR processing and corporate data storage and retention. It is designed to be invisible and seamless for users, but fully configurable for administrators and GDPR consultants. eSpyder is able to rapidly identify Personally Identifiable Information across a customer’s estate, whether on servers or clients, visible or hidden, remote or on-premise.

Cloud Business’s GDPR Compliance Platform is based on the industry-leading eSpyder Enterprise PII identification engine.


A to Z of GDPR Data Subject Access Requests (DSARs)

Data Subject Access Requests (DSARs) are on the increase. Here’s an A to Z of what they are and how to respond to one.

A key component of the General Data Protection Regulation (GDPR) is the ‘Right of Access’. This is your right, and mine, to obtain a copy of all personal data a company or organisation processes and stores. Individuals have the right to obtain the following: 

  • Confirmation that you (a company or organisation) are processing their personal data,
  • A copy of their personal data, and 
  • Other supplementary information such as the purpose of your data processing (scroll down for a list of supplementary information). 

When an individual wants to request this information, it’s known as Data Subject Access Request or DSAR. You may also see it referred to as a SAR, dropping the ‘data’ although that’s the important bit! 

Why would an individual want to request their data? 

It’s helpful to understand why the right to access is part of GDPR and data privacy legislation, as this can help you explain to business leaders why they need to take DSARs seriously.  

GDPR and the Data Protection Act 2018 (the UK’s implementation of GDPR) update our data protection legislation for a digital age. It’s very difficult to live in a digital age without sharing your personal information and leaving a data trail wherever you go, both online and offline.

With so much PII (Personally Identifiable Information) in other people’s hands, it’s only right that individuals have a way to get visibility of what information organisations, businesses and governments hold on them, and get reassurance that it’s being protected appropriately.

Since GDPR came into force, awareness has increased amongst the general public too. The Cambridge Analytica scandal has highlighted what some organisations are doing with this data, as have other stories that have made the headlines, such as the recent EasyJet data breach. As a result, DSARs are on the increase as individuals know what their rights are and are justifiably concerned about data privacy. We’re also seeing a spike in DSARs during the current crisis, which could be because people have more time to initiate a subject access request.

Individuals don’t need to give a reason to submit a DSAR. And the only questions an organisation may ask when a DSAR is submitted are to verify the individual’s identity or for information that will help locate the requested data. 


What do DSARs look like? 

There are no formal guidelines on how an individual instigates a DSAR. They can ask you verbally or in writing. Even if you have developed a DSAR process for individuals, they don’t have to adhere to it. Therefore, you could receive a DSAR via social media, email, messaging app, phone call or by letter. It doesn’t have to be sent to a specific person within the organisation either, such as your DPO. So, an individual could in theory make this request to a member of staff in a store, or your IT support team could receive a DSAR via a chatbot or as a support ticket. 

Companies must comply with a request without undue delay and at the latest within one month of receipt of the request; or (if later) within one month of receiving any information requested to confirm the subject’s identity, or (in exceptional circumstances) a fee. For this reason, it really is essential that all customer-facing staff understand what a DSAR is and who to escalate a request to, so it can be responded to within this strict timeframe.

Many companies include a form on their website for an individual to complete to submit a DSAR. This can make it easier for you to recognise a DSAR and for the individual to provide the information you need to identify their PII. Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. 

However, providing a form does not override the individual’s right to initiate a data subject access request by other means. You must make it clear that completing the form is not compulsory, and you must not use it as a way to delay your response.

Fees and Data Subject Access Requests 

In normal circumstances you cannot charge a fee for complying with a DSAR. However, if the request falls under one of these 2 situations, a ‘reasonable’ fee to cover administrative costs can be charged:

  1. The DSAR is manifestly unfounded or excessive; or 
  2. An individual requests further copies of their data following a request. 

In these situations, the one-month clock starts when you receive payment, although you must respond promptly to the initial request to inform the individual of the fee.

8 steps to comply with a DSAR 

The following graphic takes you through the steps from DSAR to handing over the information requested: 

Figure: 8 steps to respond to a data subject access request

Supplementary Information 

As well as a copy of their personal data, companies and organisations must also provide individuals with the following information: 

  • The purposes of your processing, 
  • The categories of personal data concerned, 
  • The recipients or categories of recipient you disclose the personal data to, 
  • Your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it, 
  • The existence of their right to request rectification, erasure or restriction or to object to such processing, 
  • The right to lodge a complaint with the ICO or another supervisory authority, 
  • Information about the source of the data, where it was not obtained directly from the individual, 
  • The existence of automated decision-making (including profiling), 
  • The safeguards you provide if you transfer personal data to a third country or international organisation. 

Much of this information may already be included in your privacy notice. 

Is your organisation in good shape to respond appropriately to DSARs? 

For many organisations a DSAR is more of a threat to business than the ICO’s much publicised fines for non-compliance.  

The cost of responding within one month to a DSAR can run into the tens of thousands of pounds if you’re not prepared. Data discovery, especially if you need the support of a consultancy firm, is expensive and time consuming – taking your IT team away from projects and support roles in the race to comply in the one month timeframe. 

There is also an alarming trend of DSARs being ‘weaponised’ by disgruntled employees to disrupt business, damage companies’ reputations and hit former employers in the pocket. Cases of employment lawyers advising their clients to initiate a DSAR are not unheard of.

Companies that have the tools and processes in place to respond to DSARs quickly, and with the minimum of disruption and cost to normal business, are at an advantage. Never more so than in this challenging time, where business as normal looks very different, with many employees working remotely and handling PII from their own desktops and devices.

For advice on achieving effective data privacy compliance, download our free guide below. If you want to discuss any of the subjects touched on in this article with reference to your own IT estate, please get in touch. 


Are your remote workers GDPR compliant?

Rapid deployment of remote working to address the Covid-19 crisis has resulted in many B2C businesses failing to meet their own GDPR policies and data protection practices. The Information Commissioner’s Office (ICO) has stated that it

“won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”

However, this leeway won’t last forever. Companies need to ensure they know what data they hold and where it resides, on-premise and remotely; the pandemic is not an excuse for non-compliance.

As DPOs and CIOs retro-fit GDPR tools to a remote environment, we asked Tim Dunn, CEO of eSpyder, for his insights into the current conditions. In the interview below he talks through the challenges of data privacy compliance with a remote workforce and how to ensure your business and your Personally Identifiable Information (PII) are protected.


Remote working and GDPR with Tim Dunn from eSpyder 

Q: What are the main implications of remote working for GDPR compliance? 

Tim Dunn: There are a number of challenges and implications associated with remote working, particularly in the current climate where these working practices have been implemented under extreme pressure and aggressive timescales. As a result, often the supporting business continuity policies and measures have been inadequate. 

A primary issue is that remote users are outside the boundaries of your internal IT infrastructure and therefore the internal security measures and systems that are in place to protect your employees and corporate data are no longer effective in controlling data access, storage and sharing. 

Also many users are resorting to using their personal PCs and laptops, which typically don’t have the necessary security and controls in place. Fundamentally, many companies are losing visibility and control over the access and storage of critical and sensitive corporate data. 

Now that the immediate goal of “keeping the lights on” has passed, there is a need to ensure that remote working has the same protections, visibility controls as traditional corporate data protection. This way of working will become “business as usual” from now on. 

Q: In your experience, how high on the agenda do you think GDPR was when organisations started rolling out remote working en masse in early March?

TD: It is fair to say it was immediately identified as a concern and business risk, but organisations typically continued in the knowledge that they would have to address this as soon as possible.  

Maybe the risk has been underestimated. Fraud and cyber crime have risen sharply during the crisis and personal information is a prime target for fraudsters. It’s a sad fact that fraudsters are often more agile in identifying vulnerabilities and exploiting them than companies are at resolving them. 

Certainly, it should now be priority number one for any organisation. 

Q: What percentage of B2C companies do you think had a remote working policy that included GDPR prior to lockdown?

TD: That’s difficult to quantify, but certainly a large majority of businesses had to move very quickly from office-based environments such as call centres to home-based workers providing the same business functions. Even where policies existed (which they often don’t), they were not necessarily implemented.

Q: A critical part of data privacy compliance is ensuring employees understand their responsibilities. Do you think employees in general understand the implications of remote working and GDPR?

TD: Understandably no. Many employees do not appreciate the risks and appropriate working practices. Training in protecting data has not been undertaken by many companies since national lockdowns started. This is compounded by the fact that fraudsters are very sophisticated and do understand how to exploit the deficiencies in business practices and the IT systems underpinning them. 


Q: In your opinion has this changed over the last 10 weeks? Has awareness increased, are staff being given the tools to protect Personally Identifiable Information (PII) and sensitive data like a company’s IP? 

TD: The picture is mixed, though in general companies are behind the curve in terms of addressing effective data protection under remote working conditions. One of the main issues was that many companies didn’t know what personal information was held on employees’ machines before the crisis, so now that those machines are outside the protection of the corporate network there was a potential immediate risk, which has grown as data is being accessed and stored remotely.

Q: Do personal devices present a bigger problem than corporate laptops and desktops? 

TD: Probably yes. Some companies support “bring your own device” (BYOD) and have policies and technology in place to protect the personal device. However, many companies are using both corporate machines and personal devices whilst at home and sharing data across both. This is typically against corporate policy, but not enforced effectively. 

Q: Is it just company PII that’s impacted by remote working? What about other data which employees may be storing on their personal devices?

TD: There are various types of sensitive and commercially valuable data that may be at risk. For example, trade secrets, internally confidential communications and financial data. 

There are also other regulatory requirements such as the storage of Card Payment Data (PCI DSS) which need to be enforced. 

Q: We’ve heard of some organisations deploying monitoring software to track how employees use work laptops and devices to protect against misuse. Is this an option you would recommend? What about the employees’ right to privacy? 

TD: I think it is reasonable to protect company information and IT assets, indeed there is a regulatory duty to do so for data such as PII. If you allow people to use their own machines, then ensuring that sensitive data is protected on that machine is fair. Ring fencing a work area on the machine is one way to ensure boundaries of privacy. 

As much as possible, without compromising data protection, it is preferable to adopt a “Trust, but Verify” approach to monitoring data storage and sharing. At the end of the day though, the company is liable for any data breach and the associated penalties. These will be severe if the appropriate controls weren’t in place. 

Q: Have you seen any trends in terms of the kind of data that is being accessed remotely in a non-compliant way? Is this a problem for specific departments within a company? 

TD: It’s a little early to highlight trends, but sales, marketing, customer support and finance teams are all working from home and require access to sensitive data. Whilst many of the supporting business systems may be cloud-based, such as the CRM, Service Desk solution or ERP, users are often exporting data locally to review and manage.

Q: It’s been reported that some companies are seeing an increase in DSARs during the pandemic because people have more time on their hands. Is this something you’ve witnessed?  

TD: We have seen an increase in DSARs. To be fair this is not only due to people having more time on their hands, but also because there has been more awareness of privacy issues. 

One interesting issue is ex-employees “weaponising” DSARs and requesting data from their ex-employers. In fact, there are a number of law firms who are using this as a strategy for disgruntled ex-workers taking action against their former employers. 

Q: Can you share some advice for handling a DSAR when users are working remotely? 

TD: The key to effective DSAR handling is to make the process agnostic to where the systems and datastores reside. This means that you should be able to scan PCs, Laptops, Data Servers (cloud and on premise) regardless of location and get visibility to what data resides in each system and store. 

Q: What additional tools should companies deploy to protect data in a remote working environment? 

TD: Solutions that ensure data can only be stored in and accessed from the authorised system / datastore. Also ensure that data is encrypted both whilst stored (at rest) and when being accessed (in transit).

Most important is a solution that provides visibility of where all your sensitive data is stored and provides a clear view of your regulatory compliance status.

Q: If a DPO or CIO is concerned that PII is not being handled compliantly, but because of remote working can’t identify where, what can they do to get visibility over the company’s data? 

TD: GDPR Data Discovery and Compliance Reporting Services can help. Not only do these identify where data is held and provide GDPR assessment and implementation, they can also reduce the cost of compliance significantly.

For many companies the cost of handling DSARs is more damaging than the threat of a fine for an infringement. It can involve weeks, even months, of data discovery and consultancy services to respond to just one DSAR if you don’t have effective data privacy compliance in place. Services like Cloud Business’s GDPR Compliance Platform make it quick and easy to undertake DSARs and tighten up data protection regardless of whether users are on site or working remotely.

Cloud Business has partnered with eSpyder to support our customers with a GDPR Data Discovery and Compliance Reporting Service. For further information please contact your Account Manager or, for new customers, call 08456 808538 or email hello@cloudbusiness.com.


What is ISO 27001 and why should you get certified?

ISO 27001 is a framework for managing IT security. Whilst it doesn’t sound exciting, ISO 27001, known under its full title as ISO/IEC 27001:2013, specifies an information security management system (ISMS) that helps keep consumer data safe in the private and public sectors.

ISO 27001 has been around a while, superseding the original ISMS compliance framework that came into effect in 2005. This was updated in 2013, to reflect the changing nature of IT security and new threats against organisations and consumers.

Background to ISO 27001

Protecting data, passwords and computer services are more important than ever, with everything from banking to vital infrastructure connected to the internet and vulnerable to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.

ISO/IEC 27001:2013 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It was established, implemented and monitored jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), under a joint subcommittee.

Despite ISO 27001 focusing on information security, it is a platform- and technology-neutral framework, designed around how organisations manage IT risks and systems.

There are seven areas that companies need to manage to achieve ISO 27001 compliance.

  1. Context of an organisation

ISO 27001 does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, and financial and human resources. Think about stakeholders, internal capabilities, culture and contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designing an information security system.

With a 360-degree view of the organisation in place, you can determine an ISMS scope document and the boundaries of these policies (including considering the impact of the bring your own device, or BYOD, trend), and write ISMS policies following the ISO 27001 standard.

  2. Leadership

Organisations need to show they are committed to ISO 27001 from the top down. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This needs to support the security objectives, with clear management responsibility for these policies.

  3. Planning

Planning for ISO 27001 involves assessing the risks and opportunities that could impact IT security, both internally and externally. Risk assessments should be conducted: identifying, analysing, evaluating and prioritising the threats to an organisation. Once risks have been identified, a risk treatment process is required, to ensure you can handle threats if and when they strike.

  4. Support

ISO 27001 needs resources for successful implementation. Budgets need to be allocated, and staff fully trained and competent, when it comes to delivering within the framework of the security objectives and policies. These should always be in line with the threats facing an organisation. Small businesses don’t have the same risk matrix as large government departments: design your security policies according to your internal and external threats.

  5. Operational planning & processes

Successful implementation of ISO 27001 involves embedding operational processes within an organisation. This involves risk assessments, treatment plans and documenting the results of security policies.

  6. Evaluation process

Effective information security involves constant monitoring, measuring, analysing and evaluating the impact of IT policies. To achieve ISO certification, this should include audits and reviews at planned intervals.

  7. Improvements

Even companies with ISO certification will encounter situations where they fail to meet the standard. When this happens, they need to assess what went wrong and take corrective action. This may mean going back to the policies, resources and monitoring systems to ensure the same corrective action isn’t needed again in the future.

Why get accredited?

ISO 27001 compliance is valuable not only for large organisations and the public sector: when dealing with third-party suppliers, such as IT companies, these standards mean your customers’ data is safe in their hands. This establishes a higher level of trust between organisations of different sizes, since their IT infrastructure will carry the same security requirements, making it easier to transfer and store sensitive information.

Innovation

Accreditation can also help you innovate. We helped Experian Data Quality achieve ISO 27001 so the company could expand its product range. Accreditation is a vital part of product development for its leading international address management software. Learn more here >

Differentiation

ISO 27001 is helping other organisations compete and differentiate in the marketplace. Leading specialist recruitment and human resources service provider Reed Managed Services wanted to demonstrate to their clients, employees and temporaries that they take IT data seriously and manage it using international best practice. When they achieved ISO 27001 with our help, they were the only recruitment company to have the accreditation. Read the case study here >

Win more business

Businesses and organisations that want to work with government departments and agencies increasingly find that ISO 27001 is a standard requirement for doing business. Our customer Mouchel, a consulting and business services group, needed to achieve ISO 27001 in order to pick up government infrastructure projects. Find out how we helped them with rapid certification here >

Typically, achieving ISO 27001 takes up to 18 months, but we’ve helped organisations get accredited much faster. Experian Data Quality were accredited in a record 3 months.

“Within just 60 days of consultancy, we passed the BSI inspection first time. I believe that this was achieved so quickly because Cloud Business committed 50% of its time to gain a complete understanding of how our business worked.”

Warwick Taylor, Experian Data Quality IT Manager

If you would like to find out more about how we can help you achieve ISO 27001 please get in touch. Book a discovery call below or contact us here >


Cloud Business Limited
8 North Street
Guildford
GU1 4AF


2021 © Cloud Business Limited
Registered Company in England and Wales 06798438