You have been in touch with Comm-Tech and requested a remote support session on your computer and have been issued a join code. To facilitate this please click on the link below, or copy and paste the following link onto your browser. Once you enter your join code you will be prompted a couple of times to authorise our remote control software to run – you need to click YES to continue.
service tgt restart
tgtadm –lld iscsi –op new –mode target –tid {tid} -T {target_name}
tgtadm –lld iscsi –op new –mode target –tid 2 -T 2018.scsi
tgtadm –lld iscsi –op new –mode logicalunit –tid 2 –lun 2 -b /root/2018.iscsi
tgtadm –lld iscsi –op new –mode logicalunit –tid 1 –lun 2 -b /dev/sdc
tgtadm –lld iscsi –op bind –mode target –tid 2 -I ALL
tgtadm –lld iscsi –op show –mode
tgtadm –lld iscsi –op delete –mode target –tid {tid}
apt-get install open-iscsi
vi /etc/iscsi/iscsid.conf
At the end of the file insert as follows:
node.startup = automatic
node.session.auth.username = isky
node.session.auth.password = pesky
discovery.sendtargets.auth.username = isky
discovery.sendtargets.auth.password = pesky
node.session.timeo.replacement_timeout = 120
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.noop_out_interval = 10
node.conn[0].timeo.noop_out_timeout = 15
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.conn[0].iscsi.MaxRecvDataSegmentLength = 65536
/etc/init.d/iscsid restart
iscsiadm -m discovery -t sendtargets -p ipaddress
iscsiadm -m discovery -t st -p localhost
iscsiadm –mode discovery –type sendtargets –portal localhost
iscsiadm –mode discovery –type login –portal localhost
iscsiadm –mode node –targetname 2018.scsi –portal localhost –login
iscsiadm –mode node –targetname 2018.scsi –portal localhost –logotime
https://www.hiroom2.com/2017/07/11/ubuntu-1604-tgt-en/
https://www.cyberciti.biz/faq/howto-setup-debian-ubuntu-linux-iscsi-initiator/
https://www.cyberciti.biz/tips/howto-setup-linux-iscsi-target-sanwith-tgt.html
http://inqbus-hosting.de/support/dokumentation/docs/target-daemon-tgtd-tgtadm
Sometimes you need to attach a wired-only device to a wifi network, or like happened to me recently, a client’s wifi printer was not working well with the AP, so kept losing it’s wireless connection. I found that any other device was solid on this wifi AP, so just needed to relay the dhcp issued by the main Wifi AP to the wired LAN.
These instructions are for setting this up via LuCi (the openWRT web interface), and I am using a Linux distro, if your going to use Windoz then you’ll need to search for equivaent commands from Windows terminal (cmd)
An example configuration:
Connect your LAN cable to that of the OpenWRT LAN port and connect to LuCi via your browser with: http://192.168.1.134/cgi-bin/luci/
There you should set a first password and configure ssh access, install your ssh key or just ssh allow password access – this device is in the same zone as your LAN printer so probably you need not be so security aware. If your managing this device remotely set up a reverse tunnel (which will make management tasks a lot easier). In that case enforce the use of ssh keys for root login.
Log in to OpenWRT with: ssh root@192.168.1.134
Update: opkg update
Install relayd: opkg install luci-proto-relay
The rest can be done via LuCi, browse to: http://192.168.1.134/cgi-bin/luci
In Network | Wifi see listed the default wifi AP, press Scan and join uplink_ssid (enter password on request)
Accept the default for this interface but set Firewall Zone to be lan
In Network | Interfaces | edit lan and set IP4 Gateway and DNS server address to 192.168.1.1. Disable DHCP for the Interface (ignore interface).
In Network | Firewall, edit lan zone to Accept Forwards, choose lan and wwan to be the covered networks.
Ensure you have saved and applied all the changes, then reboot the openWRT.
Your client on the wired should now obtain an IP from the wireless network. (dhclient -v eth0)
https://wiki.openwrt.org/doc/recipes/dumbap
https://wiki.openwrt.org/oldwiki/dmz.example.transparent
https://wiki.openwrt.org/doc/recipes/relayclient
https://wiki.openwrt.org/doc/howto/dmz
The purpose of this article is to examine the risk of sensitive data being compromised in the event of the loss or theft of a portable device, using encryption to mitigate those risks, assisting with the technical aspects of implementing encryption in portable devices in order that company policies can better comply with the GDPR.
Encryption is a means of scrambling data on a device in such a way that makes it unreadable to anyone without a decryption password.
For example, the contents of a Document may be:
“An individual’s extensive online identity, including bank details, dating profiles, shopping accounts and passport information, can be bought for only £820 on the dark web.” – The Times 28/02/18
An encrypted version of these contents may look like:
èèW`ëç^X²:§1q<87>ÜõÒ<80>ôu!^U²4^Ý^O<8d>^K<9e><8c>^AA.<94>ùXÈç<95>Nj^LtN<9b>G¡Üf$<9d>Æóì<9b>ù’XI=ÛvSÛ%ÊI1!±Ý<8c>öùç*0<8f><84>^G<8b>$f^Tað÷ï^\¸/<81>@<9d>ÕòWuP<8f><8c>üçAN^E<9d>^[ßAyÛâI^Tz\+qùONCá^_-ªÎÙ*<8c>½bÏ£ÙREhäç^Y¿Î”%^XS¬<99><86>å¨<8f>jÖ]¦y<92><91>/ÁCÏ´®èÑÇä\³<8d>V$²e51<9e>Ù<9e>߬î¸<8c>W/~¨1<9a>@ÛpK^\
Content is thus unreadable without the decryption password and decryption key. Modern encryption systems can ensure that revealing the content of encrypted data would take billions of computer hours, and is thus safe for a some period going forward.
When a device such as a laptop or mobile phone is frequently moved between sites (eg. office to office, home to office) we recommend that it is encrypted, so that if a malicious third party intercepts the device as a result of loss or theft, the data on the device remains inaccessible.
Whilst most of your crucial data will be stored on your server, which is physically secured, laptops and mobile phones can still contain downloaded emails, saved passwords, VPN connection details, and other types of sensitive data that could allow third parties access to your client information, or even your server directly. Because these devices are being moved frequently, the risk of having them stolen from a car, or being accidentally left on on train, is much higher than it would be for a server, or static desktop.
In some cases, encryption may also be desirable for home devices that are shared with friends and relatives, or office devices shared between colleagues. In this case third-party access to the data may not be malicious, but due care and attention is still required.
Setting a password, PIN or lock screen pattern does not automatically mean a device is encrypted. With only minimal technical expertise, Windows passwords can be cracked. Hard drives can also be physically removed and the data can be accessed from another computer. Likewise, accessing data on an unencrypted, locked phone is a fairly simple process; all that’s really needed is a USB cable.
When a laptop or phone is encrypted, all of its data is unreadable without that master password.
Principle #7 of the GDPR states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
“Unlawful processing” of personal data often occurs after the theft or loss of portable devices such as company laptops and USB sticks. There is a thriving criminal industry around data recovery off lost or stolen devices, providing opportunities for data and identity theft. A lost laptop or phone is likely to be harvested for data before it is wiped and resold on the black market.
In the event of personal data loss, a data processor can be required under the GDPR to notify the ICO, the Charities Commission and the subject who’s data may have been lost. An embarrassing and fraught process, particularly so if you are not 100 percent sure precisely which data may have been on that lost device.
The GDPR does not state that encryption of any type of data is essential for GDPR compliance. However it does include it as a recommendation in certain circumstances.Two sections of the GDPR are included here for reference and the key sections regarding encryption are highlighted in bold:
Recital 83 specifically suggests encryption as a means of GDPR compliance. The second section highlighted in bold below refers to “security risk”, which would be considered higher for portable devices like phones and laptops.
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage
Article 34 deals with your responsibilities should your clients’ data be breached and your obligations in disclosing that breach to the client. If an encryption policy is in place, you should not be required to disclose the data breach, as you would have “implemented appropriate technical and organisational protection measures” to ensure protection of the data.
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.</p>
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
Mobile phones, laptops and portable USB media can all be encrypted to ensure data security. There are varying types of encryption, and the recommended means of encryption varies between device and platform. The rest of this document deals with types of encryption available for varying devices, and our recommendations.
It is strongly recommended that you adopt a policy of encrypting laptops within your organisation, as the risk of loss or theft is relatively high. Methods of encryption are for laptops are:
Windows Professional and Enterprise editions contain a built-in encryption tool called Bitlocker which is available with all (not Windows Home). It is strongly recommended that this is setup for all laptops in use by your organisation.
Bitlocker, once configured, is very straightforward to use, and simply requires the end-user to enter a decryption password or PIN to use the device.
It is generally recommended when first setting up Bitlocker to backup any existing data and completely reinstall Windows on the laptop, as this removes any bloated programs that are shipped by the manufacturer, and leaves a much cleaner, faster Windows install. This procedure is essential if the laptop ships with Windows Home Edition, as the Home Edition does not include Bitlocker.
We offer an encryption service for Windows laptops which includes a complete reinstall of the Windows operating system, and removal of all junkware and bloatware. Please see Our Services for details.
Apple operating systems since OS X 10.7 (Lion) have contained a built-in encryption tool called FileVault 2. If you are running this version of OS X or later, Apple have created a good quality how-to explaining how to encrypt your device which is included in section 5.
Whilst encryption tools are available for users running earlier versions of OS X, there are significant limitations to these and they are not recommended. If you are running an earlier version of OS X and you are concerned about the data security on this device we recommend upgrading to a later model.
Most common Linux distros (eg. Ubuntu, Linux Mint) contain a method of encryption at installation time. It is less straightforward to encrypt a Linux installation after the fact and is generally not recommended. However, distros and encryption methods vary widely, so please contact us to discuss your specific requirements if you are using Linux.
3 Mobile phones and tablets
3.1 Overview
Mobile phones and tablets should generally be encrypted, especially where mobile devices are used for work emails. However for peace of mind it is strongly recommended to encrypt all phones and tablets, unless they are always kept on the same locked premises at all times.
In the descriptions below I refer to encrypting “phones” only, as these will be the devices that most commonly contain sensitive data, and are generally carried on and off site with regularity. However the information applies the same to tablets or phablets that run Android or any iOS operating system.
If you have a phone, tablet, phablet or other portable device that does not meet any of our descriptions here, please let us know so we can give you a risk assessment.
For hybrid devices, such as the Microsoft Surface range, please see the advice given under laptops. The are devices which can be used as both laptops and tablets, and often have detachable keyboards.
If you are using an iPhone 4S or later, then your device is encrypted by default. However you still need to take some steps to ensure your data is secure.
3.3 Android devices
Whilst all Apple devices that support iOS 8 and above are automatically encrypted out of the box, the situation for Android devices is slightly more complicated due to the large number of manufacturers who use the Android operating system, and the variations in the underlying hardware.
Google has required encryption to be enabled out of the box for all new devices that shipped with Android version 6 or higher, regardless of manufacturer. However, this does not mean your phone or tablet is necessarily encrypted if it is running Android version 6. Devices that originally shipped with Android version 5 or lower, and were later upgraded to version 6 do not have encryption enabled by default. In some cases, the same phone model may have encryption enabled or disabled out of the box, depending on when it was manufactured.
Most Android devices are straightforward to encrypt manually if required, and a how-to is provided in section 5.
3.4 Windows Phone
Encryption is available for Windows 10 mobiles. This uses the same technology as Bitlocker on Windows laptops and is a strong form of encryption. However, information on performance and reliability of Windows phone encryption is not as extensive as that for Android and Apple devices. Eg. older Windows 8 phones appear to report encryption support, but Microsoft’s own documentation does not support this. There have also been reports of email syncing issues when using an encrypted Windows phone. If this is of particular concern we recommend switching to an Android or Apple device.
However, the process of encrypting a Windows phone is straightforward for a non-technical end-user, and a link to a how-to is provided in section 5.
4. Portable media
Portable media in the form of USB flash drives present a distinctive security challenge. Our experience shows that they are frequently used to transfer data between computers, and very often the files that are copied are never deleted from the device. Furthermore, being so small USB sticks are very easily mislaid. Unlike with a phone or a laptop, the loss of a USB stick containing sensitive data may not be noticed by the person using it for weeks or months.
USB removable disks refer to USB flash drives, USB hard disks, USB SSDs, or any kind of writeable USB device.
The most user-friendly way to ensure the security of these devices is to purchase a USB disk or USB key with a hardware decryption feature. This usually comes in the form of physical buttons you have to press to enter a PIN which will decrypt a USB device before it can be used in a computer. These cost more than standard USB devices but are very user-friendly, and can be used with any platform (Windows, Apple or Linux). Searching for “encrypted USB” or similar on Amazon will return a huge number of types of these devices. We do not recommend any specific model but do recommend you go with a reputable brand.
A second user-friendly option is to encrypt your USB disk using Bitlocker. This may be a more practical option if you need to use a 1TB or 2TB encrypted hard disk. The cost of a larger USB disk that supports hardware (PIN) encryption is very high – over £200 for a 1TB disk. If you want to use Bitlocker we recommend you send the disks to us for encryption, as the initial setup should be done by an engineer. Afterwards the disk can easily be decrypted by an end-user with the correct password. However, the disks will only be usable in PCs running Windows Professional Edition or higher, this includes:
Windows 7 Professional, Windows 7 Enterprise and Windows 7 Ultimate
Windows 8.1 Professional and Windows 8.1 Enterprise
Windows 10 Professional and Windows 10 Enterprise
You can check which edition of Windows you are running by going to the Windows menu and typing “winver” (no quote marks) and then pressing enter.
In the vast majority of cases, when not moving data across a network, data will be moved between computers on a USB device of some kind, as has become the norm. In a few exceptional cases, other forms of portable media may still be in use for moving data between PCs which could pose a GDPR compliance risk if not encrypted. Some examples are given below:
In all of the above cases we would recommend cessation of the use of these types of media for sensitive data transfer, as encryption is either impossible or highly impractical for these types of media.
If your organisation has a need to transfer sensitive data using one of the above, or some other type of media not mentioned in this article, please contact us. We will be able to suggest an alternative solution in many cases.
Some devices (eg. Android phones, iPhones, Macbooks) can be straightforwardly encrypted by end-users. We have included how-to instructions for these devices in this section.
Please note: encrypting the devices listed here is generally a very straightforward process, and will not require technical expertise. However, it is not completely risk-free and precautions should be taken. Please read these instructions carefully, Comm-Tech cannot accept any responsibility for loss of data. We do provide a safe and efficient Encryption service for devices, please contact us for more information.
To check whether your Android phone is encrypted:
If your phone is not encrypted, but gives an “Encrypt Phone” option or similar in settings, read on before you go ahead, or you may lose your data or even worse “brick” the phone.
Risks to be aware of:
To encrypt the phone:
Many Android devices support the use of an external SD card to expand their storage capacity. By “external” here we do not literally mean outside of the phone, but simply separate from the phone’s main storage.
External SD cards can be encrypted along with the main file system for extra security. Depending on how your device is configured, this is something you may want to consider. For example, if you store your work emails on the external SD card to save space on your main device, the external SD card should be encrypted.
There is usually an option in Android Security settings to encrypt an external SD card in much the same way you encrypt the main file system as above. Please take the same precautions with backing up data and plugging in the phone etc, then choose the option called “Encrypt external SD card”, or similar.
Alternatively, if you choose to format your external SD card as Internal Storage when first putting it into the phone, Android will encrypt the card by default.
Some things to bear in mind when encrypting the external SD card:
Apple have provided a good-quality how-to for encrypting these devices which should be possible to follow for most end-users, it can be viewed here:
https://support.apple.com/en-gb/HT204837
A good encryption how-to for Windows phones can be found here. Please read the caveats carefully before proceeding.
https://www.windowscentral.com/how-enable-device-encryption-windows-10-mobile
AUTHOR: Mark Anthony @ COMM-TECH
COMM-TECH welcome the spirit of transparency and respect for personal privacy represented by the GDPR legislation and believe it to be a positive force that can help to clean up the unequal, distrustful and opaque relationship that big-data have developed with individuals the world over.
Download PDF version (better for printing)
The GDPR applies to any business or public body that stores or processes the data of EU residents. This includes every employer in the EU, businesses that offer products and services to EU citizens and residents, and companies that process personal data on behalf of other organizations. The new legislation replaces the Data Protection Act, 1998 prescribing how you as an organisation and your staff manage the personal data of your donors, service users, beneficiaries, stakeholders and anyone else working with your organisation.
A copy of the full legislation can be found here
GDPR legislation defines this as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Employee records, donor mailing lists, membership databases, even your visitors book.
One of your staff will need to take responsibility for GDPR compliance, to do this they need to be given the authority to do so effectively and they need to train in the knowledge required to maintain compliance. This guide will give them the tools required to guide other staff.
To comply with the GDPR’s accountability principles, you need to know your data well. Document what personal information you hold, where it resides, where it came from whom you share it with and your purpose in processing it. You need to know precisely what regulated information you hold and document the risks involved to the data subjects in the event of said data being compromised.
Document and explain the legal basis for processing the personal data. You must maintain documentation of the legal bases with regard to all types of information. If your legal basis is explicit agreement (consent) you must have documented evidence that consent was given and that the request for consent is clear and concise.
Under the GDPR individuals have certain rights that you must uphold, such as the right to access their personal data (called a Subject Access Request or SAR), the right to correct inaccuracies, and the right to have personal information erased. You need to make sure that you have procedures in place to address such requests from data subjects promptly.
You will need to let your subjects know what data you hold about them and update your Privacy Policies to suit the new legislation. Whenever you collect data you will need to explain clearly to subject why it is being collected and for what purpose it will be used.
Ensure that the sensitive data is stored in a way that only those of your staff who need to have access to it. Also ensure that you or your IT Support company have a compliant Data Protection Policy in place, covering security, retention, breach notification procedures and backups.
“Personal data shall be processed fairly and lawfully”
You must:
You need to choose at least one lawful basis (a-f) to process personal data. Identify one of the following bases and ensure it can reasonably be applied to your use. In every case you need to document which basis you have applied and keep a record of it.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
This may apply for example for solicitations for support from donors, or for invitations to events. To comply you will need to obtain specific consent from individuals to collect and use their personal data for this purpose. Be transparent about what the data consists of, how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
The GDPR standard for consent is very specifically “opt-in”. You can’t use pre-ticked boxes to obtain consent and you need to very clear about what they are consenting to. Emailing your mailing list with notification that if they do nothing they will continue to be on the mailing list is not sufficient – you will need to get them to pro-actively re-join the mailing list. You also need to be clear that they can opt-out at any time and give clear instructions on how to do so. Keep a record of how you obtained this consent and when.
(b) Contract: the processing is necessary for a contract you have with the individual, or
because they have asked you to take specific steps before entering into a contract.
Cases where this might apply could be for instance event bookings, where an individual can reasonably expect you to store and process data necessary for you to fulfill your role as event organiser.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
This seems to be the most flexible definition, but you need to be able to prove that you have legitimate grounds for collecting and using the personal data; Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance.
Be aware of working with “Special Category” data. The GDPR says these types of data need extra protection, so if you want to process any of the following data you will need to prove that you have special reasons for doing so, and take extra steps to ensure the data is protected.
• ethnic origin;
• race;
• politics;
• religion;
• trade union membership;
• genetics;
• biometrics;
• health;
• sex life; or
• sexual orientation.
“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”
Inviting a database of people who attended an event to another event of similar nature is likely to be compatible with the original purpose for which you gathered the data. Soliciting the very same database for donations however might be considered “incompatible” or “unfair” to the data subject.
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”
To comply here you should identify the minimum amount of personal data you need to properly fulfill your purpose. You should hold that much information, and no more.
“Personal data shall be accurate and, where necessary, kept up to date”
Don’t miss “where necessary”, obviously if you have a database that is currently in use, you are obliged to keep it updated and accurate in order for it to stay fit for purpose. If a database is out of use, you do not need to maintain it. Keeping unused databases however can mean extra work complying with #6 (responding to subject access requests), which you will have to whether or not the information is accurate.
You should:
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”
Where personal data is held for more than one purpose, there is no need to delete the data while it is still needed for any of those purposes. However, personal data should not be kept indefinitely “just in case”, or if there is only a small possibility that it will be used in future.
• review the length of time you keep personal data;
• consider the purpose or purposes you hold the information for in deciding whether (and
• for how long) to retain it;
• securely delete information that is no longer needed for this purpose or these purposes;
• update, archive or securely delete information if it goes out of date.
You may have invested heavily in some information, such as in a detailed survey the data from which could be used for as yet unknown purposes and for this reason you might like to keep the raw data. You can maintain compliance by removing any PII (personally identifiable information), even without which you will still be able to extract useful statistical information from the database.
A policy of regular data-audits appear to be the focus of compliance in this principal, such audits should assess:
• the current and future value of the information;
• the costs, risks and liabilities associated with retaining the information;
• the ease or difficulty of making sure it remains accurate and up to date.
Where personal data is shared between organisations, those organisations should agree about what to do once they no longer need to share the information. In some cases, it may be best to return the shared information to the organisation that supplied it, without keeping a copy. In other cases, all the organisations involved should delete their copies of the information.
“Personal data shall be processed in accordance with the rights of data subjects under this Act”
The rights of individuals that it refers to are:
The first and third elements will be the most common encountered, so these should be explained further.
A subject access request requires that within 1 month of their request:
The Act allows you to confirm two things before you are obliged to respond to a request.
First, you can ask for enough information to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.
The second thing you are entitled to do before responding to a subject access request is to ask for information that you reasonably need to find the personal data covered by the request.
Again, you need not comply with the subject access request until you have received this information. In some cases, personal data may be difficult to retrieve and collate. However, it is not acceptable for you to delay responding to a subject access request unless you reasonably require more information to help you find the data in question.
The SAR service needs to be provided free, and if a request is considered “manifestly unfounded or excessive”, you can charge a maximum fee of £10.
Although you need not comply with a request until you have received a fee, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay. Provided you have done so, the 1 month period for responding to the request does not begin to run until you have received the appropriate fee and any additional information that is necessary.
Clearly any organisation holding data is exposed to the risk that administration work servicing SAR’s can be massive. This risk can be reduced by implementing stricter policies under principle #5 such as deleting or anonymising data rather than archiving it.
“Individuals have the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for direct marketing. Any individual can exercise this right, and if you receive a notice you must comply within a reasonable period.”
Direct Marketing includes communications by ANY means, for example: letter mailshots, emails, faxes or SMS. It includes the promotion of particular viewpoints or campaigns.
You do not need to respond directly to the individual (although it may be good public relations to do so), but you you need to take action within 28 days. The industry standard is simply to prevent their systems from including that individual in marketing, but you need to delete their personal information if they request that you do so.
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Ensure that:
Some of the data protection aspect of this Principle concerns your IT systems and the IT support you receive from your IT support company. COMM-TECH have always designed our client systems and support packages to:
To this end we also:
IT systems that are too proscriptive about the way staff can operate may end up restricting staff in their ability to function efficiently, which may result in subversion. However IT systems that are too flexible can also be subverted, particularly from within. A middle ground is necessary, where some aspects of data protection responsibilities are assumed by staff.
To facilitate this an organisation should show due diligence with regard to their IT security by assigning clear responsibilities and adopting a written IT security policy. The minimum required is as follows:
Ensure that staff understand the importance of protecting personal data, are familiar with your organisation’s security policies, and that they are trained to implement said security policy. In addition to familiarising staff with the Security Policy wording, training should cover:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Other than EEU countries the only ones who are certified to protect data adequately are: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland Uruguay. At this time Canada is also considered partially adequate. Depending on the nature of the data you hold, “adequate” is subjective, so you should probably exercise additional discretion.
Ensure that you do not store personal data in countries outside the EEU apart from those considered “Adequate” above. When assessing compliance take into account the following:
Most of our clients host their data either in their own offices or in our cloud systems which are hosted strictly in the UK. Those using Microsoft Office365 or Google For Business will have chosen in which countries the provider is allowed to store that data.
When using 3 rd party Apps such as image-to-pdf, photograph processing etc, think about the implications first. Where (in terms of compliance) is the data going for processing and why?
COMM-TECH are providing an ongoing GDPR support service to assist our client DPO’s. Please contact privacy@comm-tech.org to arrange time with us. The service is supplied on an hourly basis at Project rates.
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
The information in this document is issued to our clients as part of our support services only and is not intended to be, nor does it constitute, legal advice
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
If you have any questions, please email privacy @comm-tech.org and we’ll do our best to advise.
AUTHOR: Alan Buchel @ COMM-TECH, May 2018
Download PDF version
