Setting up iSCSI with tgtadm (server) and using open-iscsi (client)

service tgt restart

Create a new target

tgtadm --lld iscsi --op new --mode target --tid {tid} -T {target_name}
tgtadm --lld iscsi --op new --mode target --tid 2 -T 2018.scsi

Add a logical unit backed by a file or a block device

tgtadm --lld iscsi --op new --mode logicalunit --tid 2 --lun 2 -b /root/2018.iscsi
tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 2 -b /dev/sdc

Allow any initiator address to log in to the target (-I ALL)

tgtadm --lld iscsi --op bind --mode target --tid 2 -I ALL

Show targets

tgtadm --lld iscsi --op show --mode target

Delete a target

tgtadm --lld iscsi --op delete --mode target --tid {tid}
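Added example (my own, not from the page or the tgt project): a POSIX sh helper that emits the server-side tgtadm sequence for one target, pairing a CHAP account (the isky/pesky pair the client section puts in iscsid.conf) with an initiator allow-list rather than -I ALL. It assumes tgtadm's --mode account operations and CIDR notation for -I, and defaults to a dry run so the commands can be reviewed before they touch tgtd.

```shell
#!/bin/sh
# Added example, not from the original page: generate the tgtadm sequence for one
# target that pairs a CHAP account with an initiator allow-list instead of "-I ALL".
# The CHAP user/password are the ones the client section puts in iscsid.conf.
set -eu

# Print the tgtadm commands for one target, one per line.
# $1 tid  $2 target name  $3 backing store (file or block device)  $4 LUN number
# $5 CHAP user  $6 CHAP password  $7 initiators allowed to log in: an address,
# a CIDR such as 192.168.2.0/24, or ALL (tgt's own keyword for "any address")
tgt_setup_cmds() {
    tid=$1 name=$2 store=$3 lun=$4 user=$5 pass=$6 allow=$7
    case $tid in ''|*[!0-9]*) echo "tid must be numeric, got '$tid'" >&2; return 1 ;; esac
    case $lun in ''|*[!0-9]*) echo "lun must be numeric, got '$lun'" >&2; return 1 ;; esac
    if [ "$allow" = ALL ]; then
        echo "warning: -I ALL lets any host that reaches TCP 3260 attempt a login to tid $tid" >&2
    fi
    printf '%s\n' \
        "tgtadm --lld iscsi --op new --mode target --tid $tid -T $name" \
        "tgtadm --lld iscsi --op new --mode logicalunit --tid $tid --lun $lun -b $store" \
        "tgtadm --lld iscsi --op new --mode account --user $user --password $pass" \
        "tgtadm --lld iscsi --op bind --mode account --tid $tid --user $user" \
        "tgtadm --lld iscsi --op bind --mode target --tid $tid -I $allow"
}

# Consume the generated lines: print them when TGT_DRY_RUN=1 (the default), otherwise
# execute each one. The lines are split on whitespace on purpose; none is quoted.
tgt_apply() {
    while IFS= read -r cmd; do
        if [ "${TGT_DRY_RUN:-1}" = 1 ]; then
            printf 'dry-run: %s\n' "$cmd"
        else
            $cmd
        fi
    done
}

# Dry run of the page's file-backed target; set TGT_DRY_RUN=0 on the tgt host to apply.
tgt_setup_cmds 2 2018.scsi /root/2018.iscsi 2 isky pesky 192.168.2.0/24 | tgt_apply
```

The account lines put the CHAP password in the process argument list for a moment; for a permanent, root-only record put the same target in /etc/tgt/targets.conf instead.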

Setting up the client

apt-get install open-iscsi
vi /etc/iscsi/iscsid.conf

At the end of the file insert as follows:

node.startup = automatic
node.session.auth.username = isky
node.session.auth.password = pesky
discovery.sendtargets.auth.username = isky
discovery.sendtargets.auth.password = pesky
node.session.timeo.replacement_timeout = 120
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.noop_out_interval = 10
node.conn[0].timeo.noop_out_timeout = 15
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.conn[0].iscsi.MaxRecvDataSegmentLength = 65536

/etc/init.d/iscsid restart

Discover

iscsiadm -m discovery -t sendtargets -p ipaddress
iscsiadm -m discovery -t st -p localhost

Show available

iscsiadm --mode discovery --type sendtargets --portal localhost

Show credentials

iscsiadm --mode discovery --type login --portal localhost

Log in and log out

iscsiadm --mode node --targetname 2018.scsi --portal localhost --login
iscsiadm --mode node --targetname 2018.scsi --portal localhost --logout

Sources

https://www.hiroom2.com/2017/07/11/ubuntu-1604-tgt-en/
https://www.cyberciti.biz/faq/howto-setup-debian-ubuntu-linux-iscsi-initiator/
https://www.cyberciti.biz/tips/howto-setup-linux-iscsi-target-sanwith-tgt.html
http://inqbus-hosting.de/support/dokumentation/docs/target-daemon-tgtd-tgtadm


Set up OpenWRT as routed wifi client

Sometimes you need to attach a wired-only device to a wifi network, or, as happened to me recently, a client’s wifi printer was not working well with the AP and kept losing its wireless connection. I found that every other device was solid on this wifi AP, so I just needed to relay the DHCP issued by the main wifi AP to the wired LAN.

These instructions are for setting this up via LuCi (the OpenWRT web interface), and I am using a Linux distro; if you are going to use Windows you will need to search for the equivalent commands for the Windows terminal (cmd).

Start by identifying the SSID and WPA key for the wifi network you want to connect to, and test the connection to ensure you have the correct details.

An example configuration:

  • IP address obtained from attaching to the target wireless AP, which I called uplink_ssid: 192.168.1.134 (use dhclient -v eth0)
  • IP address of the internet uplink: 192.168.1.1 (find this with bash: route -n, or cmd: route print)
  • LAN IP address to be assigned to manage the OpenWRT: 192.168.2.1 (up to you, but it must be on a different subnet from the IP address issued by the wifi AP). In future, if you want to manage the OpenWRT you will need to manually set your IP to the same subnet with: ifconfig eth0 192.168.2.23 up netmask 255.255.255.0

Install OpenWRT on your device (see Openwrt hardware database for compatible devices)

Connect your LAN cable to the OpenWRT LAN port and connect to LuCi via your browser at: http://192.168.1.134/cgi-bin/luci/

There you should set an initial password and configure ssh access: install your ssh key, or simply allow ssh password access; this device is in the same zone as your LAN printer, so you probably need not be so security-conscious. If you are managing this device remotely, set up a reverse tunnel (which will make management tasks a lot easier); in that case enforce the use of ssh keys for root login.

Set up relayd

Log in to OpenWRT with:  ssh root@192.168.1.134

Update the package lists: opkg update

Install relayd: opkg install luci-proto-relay

The rest can be done via LuCi, browse to: http://192.168.1.134/cgi-bin/luci

Configure Interfaces and Firewalls

In Network | Wifi the default wifi AP is listed; press Scan and join uplink_ssid (enter the password when prompted).

Accept the default for this interface but set Firewall Zone to be lan

In Network | Interfaces, edit lan and set the IPv4 gateway and DNS server address to 192.168.1.1. Disable DHCP for the interface (ignore interface).

In Network | Firewall, edit lan zone to Accept Forwards, choose lan and wwan to be the covered networks.

Ensure you have saved and applied all the changes, then reboot the openWRT.

Your client on the wired LAN should now obtain an IP address from the wireless network (check with dhclient -v eth0).
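The LuCi steps above, as an added example of my own (not from the post or the OpenWRT wiki), expressed as a uci batch generated by a POSIX sh function so the relay client can be set up over the ssh session instead. It assumes the radio is named radio0, that firewall zone 0 is lan (the default ordering), /24 subnets throughout, and that luci-proto-relay is already installed as described.

```shell
#!/bin/sh
# Added example, not from the original post: the uci batch equivalent of the LuCi
# steps, so the relay client can be configured from the ssh session.
# Assumptions: the radio is radio0, firewall zone 0 is "lan" (OpenWRT default
# ordering), all addresses are /24, and luci-proto-relay/relayd is installed.
set -eu

# True when two IPv4 addresses share the same /24 (first three octets).
same_slash24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Print the uci batch for the relay setup.
# $1 LAN address for the OpenWRT box  $2 uplink AP address (used as gateway and DNS)
# $3 uplink SSID  $4 WPA2 passphrase
relay_uci_batch() {
    lan=$1 gw=$2 ssid=$3 key=$4
    # The post's rule: the management LAN must not overlap the subnet the AP hands out.
    if same_slash24 "$lan" "$gw"; then
        echo "LAN address $lan is in the uplink subnet of $gw; pick another /24" >&2
        return 1
    fi
    # Values are single-quoted in the batch, so a single quote in either would break it.
    case $key$ssid in *\'*) echo "SSID and key must not contain a single quote" >&2; return 1 ;; esac
    cat <<EOF
add wireless wifi-iface
set wireless.@wifi-iface[-1].device='radio0'
set wireless.@wifi-iface[-1].mode='sta'
set wireless.@wifi-iface[-1].network='wwan'
set wireless.@wifi-iface[-1].ssid='$ssid'
set wireless.@wifi-iface[-1].encryption='psk2'
set wireless.@wifi-iface[-1].key='$key'
set wireless.radio0.disabled='0'
set network.wwan='interface'
set network.wwan.proto='dhcp'
set network.lan.ipaddr='$lan'
set network.lan.gateway='$gw'
set network.lan.dns='$gw'
set dhcp.lan.ignore='1'
set network.stabridge='interface'
set network.stabridge.proto='relay'
set network.stabridge.network='lan wwan'
set firewall.@zone[0].network='lan wwan'
set firewall.@zone[0].forward='ACCEPT'
commit
EOF
}

# On the router this feeds uci directly (reboot afterwards); elsewhere it just prints.
if command -v uci >/dev/null 2>&1; then
    relay_uci_batch 192.168.2.1 192.168.1.1 uplink_ssid 'example-wpa-key' | uci batch
else
    relay_uci_batch 192.168.2.1 192.168.1.1 uplink_ssid 'example-wpa-key'
fi
```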

Sources:

https://wiki.openwrt.org/doc/recipes/dumbap

https://wiki.openwrt.org/oldwiki/dmz.example.transparent

https://wiki.openwrt.org/doc/recipes/relayclient

https://wiki.openwrt.org/doc/howto/dmz

Laptop and portable device encryption guide (GDPR)

Encrypting portable devices for data security and GDPR compliance

1 Introduction

The purpose of this article is to examine the risk of sensitive data being compromised in the event of the loss or theft of a portable device, and to show how encryption mitigates those risks. It assists with the technical aspects of implementing encryption on portable devices so that company policies can better comply with the GDPR.

1.1 What is encryption?

Encryption is a means of scrambling data on a device in such a way that makes it unreadable to anyone without a decryption password.

For example, the contents of a document may be:

“An individual’s extensive online identity, including bank details, dating profiles, shopping accounts and passport information, can be bought for only £820 on the dark web.” – The Times 28/02/18

An encrypted version of these contents may look like:

èèW`ëç^X²:§1q<87>ÜõÒ<80>ôu!^U²4^Ý^O<8d>^K<9e><8c>^AA.<94>ùXÈç<95>Nj^LtN<9b>G¡Üf$<9d>Æóì<9b>ù’XI=ÛvSÛ%ÊI1!±Ý<8c>öùç*0<8f><84>^G<8b>$f^Tað÷ï^\¸/<81>@<9d>ÕòWuP<8f><8c>üçAN^E<9d>^[ßAyÛâI^Tz\+qùONCá^_-ªÎÙ*<8c>½bÏ£ÙREhäç^Y¿Î”%^XS¬<99><86>å¨<8f>jÖ]¦y<92><91>/ÁCÏ´®èÑÇä\³<8d>V$²e51<9e>Ù<9e>߬î¸<8c>W/~¨1<9a>@ÛpK^\

The content is thus unreadable without the decryption password and decryption key. Modern encryption systems can ensure that recovering the content of encrypted data without the key would take billions of computer hours, so it remains safe for some period going forward.

1.2 Why is encryption required?

When a device such as a laptop or mobile phone is frequently moved between sites (eg. office to office, home to office) we recommend that it is encrypted, so that if a malicious third party intercepts the device as a result of loss or theft, the data on the device remains inaccessible.

Whilst most of your crucial data will be stored on your server, which is physically secured, laptops and mobile phones can still contain downloaded emails, saved passwords, VPN connection details, and other types of sensitive data that could allow third parties access to your client information, or even to your server directly. Because these devices are moved frequently, the risk of having them stolen from a car, or accidentally left on a train, is much higher than it would be for a server or a static desktop.

In some cases, encryption may also be desirable for home devices that are shared with friends and relatives, or office devices shared between colleagues. In this case third-party access to the data may not be malicious, but due care and attention is still required.

1.3 My laptop has a password, or my phone has a lock screen. Isn’t it already protected?

Setting a password, PIN or lock screen pattern does not automatically mean a device is encrypted. With only minimal technical expertise, Windows passwords can be cracked. Hard drives can also be physically removed and the data can be accessed from another computer. Likewise, accessing data on an unencrypted, locked phone is a fairly simple process; all that’s really needed is a USB cable.

When a laptop or phone is encrypted, all of its data is unreadable without that master password.

1.4 What does the GDPR say about encryption?

Principle #7 of the GDPR states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

“Unlawful processing” of personal data often occurs after the theft or loss of portable devices such as company laptops and USB sticks. There is a thriving criminal industry around data recovery off lost or stolen devices, providing opportunities for data and identity theft. A lost laptop or phone is likely to be harvested for data before it is wiped and resold on the black market.

In the event of personal data loss, a data processor can be required under the GDPR to notify the ICO, the Charities Commission and the subject whose data may have been lost. This is an embarrassing and fraught process, particularly so if you are not 100 percent sure precisely which data may have been on that lost device.

The GDPR does not state that encryption of any type of data is essential for GDPR compliance. However, it does include it as a recommendation in certain circumstances. Two sections of the GDPR are quoted here for reference, with the key passages regarding encryption noted in the commentary:

Recital 83 specifically suggests encryption as a means of GDPR compliance. Its reference to “security risk” would be considered higher for portable devices like phones and laptops.

In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

Article 34 deals with your responsibilities should your clients’ data be breached and your obligations in disclosing that breach to the client. If an encryption policy is in place, you should not be required to disclose the data breach, as you would have “implemented appropriate technical and organisational protection measures” to ensure protection of the data.

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.

1.5 How do I encrypt my devices?

Mobile phones, laptops and portable USB media can all be encrypted to ensure data security. There are varying types of encryption, and the recommended means of encryption varies between device and platform. The rest of this document deals with types of encryption available for varying devices, and our recommendations.

2 Laptops

2.1 Overview

It is strongly recommended that you adopt a policy of encrypting laptops within your organisation, as the risk of loss or theft is relatively high. The recommended methods of encryption for laptops are:

  • Windows laptops: encryption with Bitlocker recommended
  • Apple laptops: encryption with Filevault recommended
  • Linux laptops: encryption methods vary according to distribution

2.2 Windows laptops

Windows Professional and Enterprise editions contain a built-in encryption tool called Bitlocker; it is not included in Windows Home. It is strongly recommended that this is set up for all laptops in use by your organisation.

Bitlocker, once configured, is very straightforward to use, and simply requires the end-user to enter a decryption password or PIN to use the device.

It is generally recommended when first setting up Bitlocker to backup any existing data and completely reinstall Windows on the laptop, as this removes any bloated programs that are shipped by the manufacturer, and leaves a much cleaner, faster Windows install. This procedure is essential if the laptop ships with Windows Home Edition, as the Home Edition does not include Bitlocker.

We offer an encryption service for Windows laptops which includes a complete reinstall of the Windows operating system, and removal of all junkware and bloatware. Please see Our Services for details.

2.3 Apple laptops

Apple operating systems since OS X 10.7 (Lion) have contained a built-in encryption tool called FileVault 2. If you are running this version of OS X or later, Apple have created a good quality how-to explaining how to encrypt your device which is included in section 5.

Whilst encryption tools are available for users running earlier versions of OS X, there are significant limitations to these and they are not recommended. If you are running an earlier version of OS X and you are concerned about the data security on this device we recommend upgrading to a later model.

2.4 Linux laptops

Most common Linux distros (eg. Ubuntu, Linux Mint) contain a method of encryption at installation time. It is less straightforward to encrypt a Linux installation after the fact and is generally not recommended. However, distros and encryption methods vary widely, so please contact us to discuss your specific requirements if you are using Linux.

3 Mobile phones and tablets

3.1 Overview

Mobile phones and tablets should generally be encrypted, especially where they are used for work emails. However, for peace of mind it is strongly recommended to encrypt all phones and tablets, unless they are always kept on the same locked premises.

In the descriptions below I refer to encrypting “phones” only, as these will be the devices that most commonly contain sensitive data, and are generally carried on and off site with regularity. However the information applies the same to tablets or phablets that run Android or any iOS operating system.

If you have a phone, tablet, phablet or other portable device that does not meet any of our descriptions here, please let us know so we can give you a risk assessment.

For hybrid devices, such as the Microsoft Surface range, please see the advice given under laptops. These are devices which can be used as both laptops and tablets, and often have detachable keyboards.

3.2 Apple devices

If you are using an iPhone 4S or later, then your device is encrypted by default. However you still need to take some steps to ensure your data is secure.

  • Make sure you have a strong PIN in place to unlock the phone. Without it your phone will technically be encrypted, but you will have no real protection.
  • Make sure you are running iOS 8 or later, as this is the operating system for which encryption was introduced.
  • Note that iPhones prior to the 4S did not support any meaningful form of encryption; you should upgrade these handsets if security is a concern.
  • Similarly, the first generation iPad does not support iOS 8, and therefore also does not support encryption. The iPad 2 and onwards is fine as long as it runs iOS 8 or later and is protected with a PIN.

3.3 Android devices

Whilst all Apple devices that support iOS 8 and above are automatically encrypted out of the box, the situation for Android devices is slightly more complicated due to the large number of manufacturers who use the Android operating system, and the variations in the underlying hardware.

Google has required encryption to be enabled out of the box for all new devices that shipped with Android version 6 or higher, regardless of manufacturer. However, this does not mean your phone or tablet is necessarily encrypted if it is running Android version 6. Devices that originally shipped with Android version 5 or lower, and were later upgraded to version 6 do not have encryption enabled by default. In some cases, the same phone model may have encryption enabled or disabled out of the box, depending on when it was manufactured.

Most Android devices are straightforward to encrypt manually if required, and a how-to is provided in section 5.

3.4 Windows Phone

Encryption is available for Windows 10 mobiles. This uses the same technology as Bitlocker on Windows laptops and is a strong form of encryption. However, information on the performance and reliability of Windows phone encryption is not as extensive as that for Android and Apple devices. For example, older Windows 8 phones appear to report encryption support, but Microsoft’s own documentation does not support this claim. There have also been reports of email syncing issues when using an encrypted Windows phone. If this is of particular concern we recommend switching to an Android or Apple device.

However, the process of encrypting a Windows phone is straightforward for a non-technical end-user, and a link to a how-to is provided in section 5.

4. Portable media

4.1 Overview

Portable media in the form of USB flash drives present a distinctive security challenge. Our experience shows that they are frequently used to transfer data between computers, and very often the files that are copied are never deleted from the device. Furthermore, being so small, USB sticks are very easily mislaid. Unlike with a phone or a laptop, the loss of a USB stick containing sensitive data may not be noticed by the person using it for weeks or months.

4.2 USB removable disks

USB removable disks refer to USB flash drives, USB hard disks, USB SSDs, or any kind of writeable USB device.

4.2.1 USB hardware encryption

The most user-friendly way to ensure the security of these devices is to purchase a USB disk or USB key with a hardware decryption feature. This usually comes in the form of physical buttons you have to press to enter a PIN which will decrypt a USB device before it can be used in a computer. These cost more than standard USB devices but are very user-friendly, and can be used with any platform (Windows, Apple or Linux). Searching for “encrypted USB” or similar on Amazon will return a huge number of types of these devices. We do not recommend any specific model but do recommend you go with a reputable brand.

4.2.2 USB Bitlocker encryption

A second user-friendly option is to encrypt your USB disk using Bitlocker. This may be a more practical option if you need to use a 1TB or 2TB encrypted hard disk. The cost of a larger USB disk that supports hardware (PIN) encryption is very high, over £200 for a 1TB disk. If you want to use Bitlocker we recommend you send the disks to us for encryption, as the initial setup should be done by an engineer. Afterwards the disk can easily be decrypted by an end-user with the correct password. However, the disks will only be usable in PCs running Windows Professional Edition or higher; this includes:

  • Windows 7 Professional, Windows 7 Enterprise and Windows 7 Ultimate
  • Windows 8.1 Professional and Windows 8.1 Enterprise
  • Windows 10 Professional and Windows 10 Enterprise

You can check which edition of Windows you are running by going to the Windows menu and typing “winver” (no quote marks) and then pressing enter.

4.3 SD cards, optical media, and others

In the vast majority of cases, when not moving data across a network, data will be moved between computers on a USB device of some kind, as has become the norm. In a few exceptional cases, other forms of portable media may still be in use for moving data between PCs which could pose a GDPR compliance risk if not encrypted. Some examples are given below:

  • SD cards: small, portable flash media. They are generally used in digital cameras or as expansion storage for mobile devices (see section on mobiles).
  • Optical media such as CDs, DVDs and Blu-rays
  • Floppy disks
  • Tape drives

In all of the above cases we would recommend cessation of the use of these types of media for sensitive data transfer, as encryption is either impossible or highly impractical for these types of media.

If your organisation has a need to transfer sensitive data using one of the above, or some other type of media not mentioned in this article, please contact us. We will be able to suggest an alternative solution in many cases.

5. Encryption how-tos

Some devices (eg. Android phones, iPhones, Macbooks) can be straightforwardly encrypted by end-users. We have included how-to instructions for these devices in this section.

Please note: encrypting the devices listed here is generally a very straightforward process, and will not require technical expertise. However, it is not completely risk-free and precautions should be taken. Please read these instructions carefully; Comm-Tech cannot accept any responsibility for loss of data. We do provide a safe and efficient encryption service for devices; please contact us for more information.

5.1 Android phones and tablets

To check whether your Android phone is encrypted:

  • Go to Settings / Security / Encryption
  • If your device is not encrypted, you will see an option here that says “Encrypt phone” or similar. If so then skip to the how-to below.
  • If you do not see an option in this menu to encrypt the device, it either means your phone is already encrypted, or does not support encryption. If this applies, follow these steps:
  • Go to Settings / About Device (this option might also be called About Phone, or similar).
  • Check for the Android version, which will give some more information.
    • If your phone runs Version 6 or higher then it may be encrypted out of the box. Double check there is no “Encrypt phone” option in Settings / Security / Encryption. If there is no option listed then the phone is probably encrypted already. However you should use Google to check whether your model is encrypted out of the box or not. Be especially cautious with Android Version 6, as most phones running this version will not have encryption setup by default. If you are sure the phone is encrypted, then make sure you set a strong PIN, and you are good to go.
    • If your device runs Version 5 then the device should support encryption, but will not be encrypted unless it has been done manually by you or someone in your organisation.
    • If your device runs Version 4 it might support encryption. Double check there is no “Encrypt phone” option in Settings / Security / Encryption. You will need to Google your device model to see if it supports encryption or not.
    • If it is Version 3 or lower it will not support encryption.
    • If you are running a device with Android Version 3 or lower (or Version 4 with no encryption option) and you use the phone for sensitive data, such as work emails, we recommend upgrading to a new device.

5.1.1 How to manually encrypt an Android phone

If your phone is not encrypted, but gives an “Encrypt Phone” option or similar in settings, read on before you go ahead, or you may lose your data or even worse “brick” the phone.

Risks to be aware of:

  • Encryption means your phone’s CPU will have some extra work to do, and some users have reported significant degradation when encrypting older models. If your phone is already sluggish or you are otherwise concerned about this you might want to consider upgrading your phone instead.
  • If the phone loses power halfway through the encryption process it may completely break the phone and render all data on it unreadable. Most commonly this will happen when the phone is not plugged in and runs out of battery power, but in very rare cases an underlying hardware problem (eg. overheating) may cause the phone to reboot in the middle of the process. If your phone regularly powers off or reboots of its own accord, or has other significant issues you should not attempt this process.
  • After encryption, booting up will take a lot longer, at least twice as long as what it takes your phone to start up without encryption. Even on higher end devices, starting up an encrypted phone can take around 5 minutes.
  • If you have rooted your phone, you must unroot it before continuing.
  • If your phone supports an external SD card for expanded storage and it is plugged in, you may need to take an additional step (see below).

To encrypt the phone:

  • Make sure all data on the phone is fully backed up before proceeding. Emails are nearly always backed up to a server unless using POP (very rare nowadays), but things like photos, text messages, phone logs, etc. may need to be backed up manually.
  • Connect your phone to a reliable charger and keep connected for the entire encryption process, which usually takes about 1 hour.
  • Go to Settings / Security, and find the lock-screen options. You should set up a strong lock screen password, PIN, or pattern, and also require this to be entered when the phone first boots up. Note that even with a fingerprint reader, you can’t use a fingerprint to unlock a device on first boot, you’ll have to put in the password, PIN, or pattern. After the device has been decrypted with the correct security unlocking method, the fingerprint reader can be used to unlock the screen moving forward.
  • Go to Settings / Security / Encryption
  • Choose the option that says “Encrypt phone” or “Encrypt device” or similar.
  • You will usually be presented with two warnings which let you know about the encryption process and what to expect afterwards. Read these carefully and proceed when ready.
  • After clicking through all the screens the phone will begin the encryption process, do not interrupt this or attempt to use the phone in any way until it prompts you further.
  • All being well, the phone should reboot and prompt for your PIN (or other unlock option) when complete.

5.1.2 How to manually encrypt an external SD card on an Android

Many Android devices support the use of an external SD card to expand their storage capacity. By “external” here we do not literally mean outside of the phone, but simply separate from the phone’s main storage.

External SD cards can be encrypted along with the main file system for extra security. Depending on how your device is configured, this is something you may want to consider. For example, if you store your work emails on the external SD card to save space on your main device, the external SD card should be encrypted.

There is usually an option in Android Security settings to encrypt an external SD card in much the same way you encrypt the main file system as above. Please take the same precautions with backing up data and plugging in the phone etc, then choose the option called “Encrypt external SD card”, or similar.

Alternatively, if you choose to format your external SD card as Internal Storage when first putting it into the phone, Android will encrypt the card by default.

Some things to bear in mind when encrypting the external SD card:

  • Once encrypted, the SD card can only be read from within your phone. You cannot remove it and connect it to a laptop, PC or other device, as only the phone contains the decryption key.
  • External SD card encryption is not always reliable when the SD card is already in use; you may need to back up any data on the card, format it using the Storage part of the Settings menu, and then set up SD encryption before any data is transferred on to it.

5.2 Apple Macs and Macbooks

Apple have provided a good-quality how-to for encrypting these devices which most end-users should be able to follow. It can be viewed here:

https://support.apple.com/en-gb/HT204837

5.3 Windows phones

A good encryption how-to for Windows phones can be found here. Please read the caveats carefully before proceeding.

https://www.windowscentral.com/how-enable-device-encryption-windows-10-mobile

AUTHOR: Mark Anthony @ COMM-TECH

GDPR Handbook – A guide to compliance for non-profits

A not-for-profit Guide to The General Data Protection Regulation or GDPR (EU) and The Data Protection Act 2018 (UK)

COMM-TECH welcome the spirit of transparency and respect for personal privacy represented by the GDPR legislation and believe it to be a positive force that can help to clean up the unequal, distrustful and opaque relationship that big-data have developed with individuals the world over.


1. The new Data Protection Act

The GDPR applies to any business or public body that stores or processes the data of EU residents. This includes every employer in the EU, businesses that offer products and services to EU citizens and residents, and companies that process personal data on behalf of other organisations. The new legislation replaces the Data Protection Act 1998, prescribing how you as an organisation and your staff manage the personal data of your donors, service users, beneficiaries, stakeholders and anyone else working with your organisation.

A copy of the full legislation can be found here

1.1 The definition of “Personal Data”

GDPR legislation defines this as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

1.2 Examples of “Personal Data” you may be processing

Employee records, donor mailing lists, membership databases, even your visitors book.

2 How to comply with the GDPR

2.1 Appoint a Data Protection Officer

One of your staff will need to take responsibility for GDPR compliance, to do this they need to be given the authority to do so effectively and they need to train in the knowledge required to maintain compliance. This guide will give them the tools required to guide other staff.

2.2 Organize an information audit

To comply with the GDPR’s accountability principles, you need to know your data well. Document what personal information you hold, where it resides, where it came from, whom you share it with and your purpose in processing it. You need to know precisely what regulated information you hold and document the risks to the data subjects in the event of that data being compromised.

2.3 Identify the legal basis for processing any personal data

Document and explain the legal basis for processing the personal data. You must maintain documentation of the legal bases with regard to all types of information. If your legal basis is explicit agreement (consent) you must have documented evidence that consent was given and that the request for consent is clear and concise.

2.4 Be prepared to uphold your subject’s rights

Under the GDPR individuals have certain rights that you must uphold, such as the right to access their personal data (called a Subject Access Request or SAR), the right to correct inaccuracies, and the right to have personal information erased. You need to make sure that you have procedures in place to address such requests from data subjects promptly.

2.5 Notify your subjects

You will need to let your subjects know what data you hold about them and update your Privacy Policies to suit the new legislation. Whenever you collect data you will need to explain clearly to the subject why it is being collected and for what purpose it will be used.

2.6 Protect their data

Ensure that sensitive data is stored in a way that only those of your staff who need access to it can reach it. Also ensure that you or your IT Support company have a compliant Data Protection Policy in place, covering security, retention, breach notification procedures and backups.

2.7 Apply the eight principles of Data Protection

3 The eight principles of data protection

3.1 Ensure you act lawfully

“Personal data shall be processed fairly and lawfully”

3.1.1 In practice

You must:

  1. have legitimate grounds for collecting and using the personal data;
  2. not use the data in ways that have unjustified adverse effects on the individuals concerned;
  3. be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
  4. handle people’s personal data only in ways they would reasonably expect;
  5. make sure you do not do anything unlawful with the data.

3.1.2 Choosing a lawful basis

You need to choose at least one lawful basis (a-f) to process personal data. Identify one of the following bases and ensure it can reasonably be applied to your use. In every case you need to document which basis you have applied and keep a record of it.

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
This may apply, for example, to solicitations for support from donors, or to invitations to events. To comply you will need to obtain specific consent from individuals to collect and use their personal data for this purpose. Be transparent about what the data consists of and how you intend to use it, and give individuals appropriate privacy notices when collecting their personal data.

The GDPR standard for consent is very specifically “opt-in”. You can’t use pre-ticked boxes to obtain consent, and you need to be very clear about what they are consenting to. Emailing your mailing list with a notification that if they do nothing they will continue to be on the mailing list is not sufficient – you will need to get them to pro-actively re-join the mailing list. You also need to be clear that they can opt out at any time and give clear instructions on how to do so. Keep a record of how you obtained this consent and when.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Cases where this might apply could be for instance event bookings, where an individual can reasonably expect you to store and process data necessary for you to fulfill your role as event organiser.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

This seems to be the most flexible definition, but you need to be able to prove that you have legitimate grounds for collecting and using the personal data. Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance.

3.1.3 Special Case Categories

Be aware of working with “Special Category” data. The GDPR says these types of data need extra protection, so if you want to process any of the following data you will need to prove that you have special reasons for doing so, and take extra steps to ensure the data is protected.

• ethnic origin;
• race;
• politics;
• religion;
• trade union membership;
• genetics;
• biometrics;
• health;
• sex life; or
• sexual orientation.

3.2 Have a specific purpose

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”

3.2.1 In practice

  1. Be clear to subjects about why you are collecting personal data and what you intend to do with it;
  2. comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
  3. ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

3.2.2 What does “fair” or “incompatible” mean?

Inviting a database of people who attended an event to another event of similar nature is likely to be compatible with the original purpose for which you gathered the data. Soliciting the very same database for donations however might be considered “incompatible” or “unfair” to the data subject.

3.3 Adequate and relevant

“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”

3.3.1 In practice

  • you may hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual;
  • you do not hold more information than you need for that purpose.

3.3.2 Practise data minimisation

To comply here you should identify the minimum amount of personal data you need to properly fulfill your purpose. You should hold that much information, and no more.

3.4 Accuracy and maintenance

“Personal data shall be accurate and, where necessary, kept up to date”

Don’t miss “where necessary”. Obviously, if you have a database that is currently in use, you are obliged to keep it updated and accurate in order for it to stay fit for purpose. If a database is out of use, you do not need to maintain it. Keeping unused databases can, however, mean extra work complying with #6 (responding to subject access requests), which you will have to do whether or not the information is accurate.

3.4.1 In practice

You should:

  1. take reasonable steps to ensure the accuracy of any personal data you obtain;
  2. ensure that the source of any personal data is clear;
  3. carefully consider any challenges to the accuracy of information;
  4. consider whether it is necessary to update the information.

3.5 Retention

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”

Where personal data is held for more than one purpose, there is no need to delete the data while it is still needed for any of those purposes. However, personal data should not be kept indefinitely “just in case”, or if there is only a small possibility that it will be used in future.

3.5.1 In practice

• review the length of time you keep personal data;
• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
• securely delete information that is no longer needed for this purpose or these purposes;
• update, archive or securely delete information if it goes out of date.

3.5.2 Anonymising data

You may have invested heavily in some information, such as a detailed survey whose data could be used for as yet unknown purposes, and for this reason you might like to keep the raw data. You can maintain compliance by removing any PII (personally identifiable information); without it you will still be able to extract useful statistical information from the database.

3.5.3 Audits

A policy of regular data audits appears to be the focus of compliance with this principle. Such audits should assess:

• the current and future value of the information;
• the costs, risks and liabilities associated with retaining the information;
• the ease or difficulty of making sure it remains accurate and up to date.

3.5.4 Special case – shared information

Where personal data is shared between organisations, those organisations should agree about what to do once they no longer need to share the information. In some cases, it may be best to return the shared information to the organisation that supplied it, without keeping a copy. In other cases, all the organisations involved should delete their copies of the information.

3.6 The subject’s rights

“Personal data shall be processed in accordance with the rights of data subjects under this Act”

The rights of individuals that it refers to are:

  1. a right of access to a copy of the information comprised in their personal data (SAR);
  2. a right to object to processing that is likely to cause or is causing damage or distress;
  3. a right to prevent processing for direct marketing;
  4. a right to object to decisions being taken by automated means;
  5. a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
  6. a right to claim compensation for damages caused by a breach of the Act.

The first and third elements will be the most commonly encountered, so these should be explained further.

3.6.1 Subject access request (SAR)

A subject access request requires that within 1 month of their request you:

  1. inform the individual whether any personal data is being processed;
  2. give them a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
  3. give them a copy of the information comprising the data, and details of the source of the data (where this is available).

3.6.2 Verification

The Act allows you to confirm two things before you are obliged to respond to a request.

First, you can ask for enough information to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.

The second thing you are entitled to do before responding to a subject access request is to ask for information that you reasonably need to find the personal data covered by the request.

Again, you need not comply with the subject access request until you have received this information. In some cases, personal data may be difficult to retrieve and collate. However, it is not acceptable for you to delay responding to a subject access request unless you reasonably require more information to help you find the data in question.

3.6.3 Fees

The SAR service needs to be provided free, and if a request is considered “manifestly unfounded or excessive”, you can charge a maximum fee of £10.

Although you need not comply with a request until you have received a fee, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay. Provided you have done so, the 1 month period for responding to the request does not begin to run until you have received the appropriate fee and any additional information that is necessary.

3.6.4 Reducing risk

Clearly any organisation holding data is exposed to the risk that the administration work involved in servicing SARs can be massive. This risk can be reduced by implementing stricter policies under principle #5, such as deleting or anonymising data rather than archiving it.

3.6.5 Preventing direct marketing

“Individuals have the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for direct marketing. Any individual can exercise this right, and if you receive a notice you must comply within a reasonable period.”

Direct Marketing includes communications by ANY means, for example: letter mailshots, emails, faxes or SMS. It includes the promotion of particular viewpoints or campaigns.

3.6.6 How to respond to Prevent Requests

You do not need to respond directly to the individual (although it may be good public relations to do so), but you need to take action within 28 days. The industry standard is simply to prevent their systems from including that individual in marketing, but you need to delete their personal information if they request that you do so.

3.7 Data must be protected

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

3.7.1 In practice

Ensure that:

  1. only authorised people can access, alter, disclose or destroy personal data;
  2. those people only act within the scope of their authority;
  3. if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.

3.7.2 Compliant IT systems

Some of the data protection aspects of this Principle concern your IT systems and the IT support you receive from your IT support company. COMM-TECH have always designed our client systems and support packages to:

  1. Protect data against theft via the internet using security patching, server monitoring, firewalls and other security tools such as antivirus to help prevent security breaches arising from malware infections. We apply additional protection proportionate to the sensitivity of the data our client holds.
  2. Support granular file sharing, so that management can ensure staff only have access to data that falls within their employment remit.
  3. Provide robust backup systems to ensure damaged or deleted data can be recovered, along with SLAs to ensure business continuity is least affected by systems failures.

To this end we also:

  1. Provide installation services to ensure that new IT equipment is set up in a secure way that protects against security breaches arising from manufacturer-default, consumer-focused (usually inappropriate) setups.
  2. Provide advice and compliant disposal services to ensure data is not harvested from discarded redundant IT equipment.
  3. Ensure that our staff are vetted to the maximum feasible extent and remain under strict NDA.

3.7.3 Security policies

IT systems that are too proscriptive about the way staff can operate may end up restricting staff in their ability to function efficiently, which may result in subversion. However, IT systems that are too flexible can also be subverted, particularly from within. A middle ground is necessary, where some aspects of data protection responsibilities are assumed by staff.

To facilitate this an organisation should show due diligence with regard to their IT security by assigning clear responsibilities and adopting a written IT security policy. The minimum required is as follows:

  1. be clear about who in your organisation is responsible for ensuring information security;
  2. do periodic checks to ensure that the organisation’s security measures remain appropriate and up to date;
  3. include in the security policy a clause that limits access to personal information to those whose roles make it necessary to have such access;
  4. include in the security policy a clause that limits access to premises or equipment given to anyone outside the organisation.

3.7.4 Staff training

Ensure that staff understand the importance of protecting personal data, are familiar with your organisation’s security policies, and that they are trained to implement said security policy. In addition to familiarising staff with the Security Policy wording, training should cover:

  1. inadvertent mishandling of data, such as the practice of emailing personal data, or failure to encrypt portable media such as USB sticks or laptops (an encryption policy should be in place for all portable media);
  2. your organisation’s duties under the Data Protection Act and restrictions on the use of personal data;
  3. the responsibilities of individual staff members for protecting personal data, including the possibility that they may commit criminal offences if they deliberately try to access, or to disclose, information without authority;
  4. the proper procedures to use to identify callers; the dangers of people trying to obtain personal data by deception (for example, by pretending to be the person whom the information is about or by making “phishing” attacks) or by persuading you to alter information when you should not do so;
  5. any restrictions your organisation places on the personal use of its computers by staff (to avoid, for example, virus infection or spam).

3.8 Where the data can be stored

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Other than EEA countries, the only ones certified to protect data adequately are: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. At this time Canada is also considered partially adequate. Depending on the nature of the data you hold, “adequate” is subjective, so you should probably exercise additional discretion.

3.8.1 In practice

Ensure that you do not store personal data in countries outside the EEA apart from those considered “Adequate” above. When assessing compliance take into account the following:

  1. the nature of the personal data being transferred;
  2. the country or territory of origin of the information in question;
  3. the country or territory of final destination of that information;
  4. how the data will be used and for how long;
  5. the security measures to be taken in respect of the personal data in the country or territory where the data will be received.

Most of our clients host their data either in their own offices or in our cloud systems, which are hosted strictly in the UK. Those using Microsoft Office 365 or Google For Business will have chosen in which countries the provider is allowed to store that data.

When using 3rd-party Apps such as image-to-pdf, photograph processing etc., think about the implications first. Where (in terms of compliance) is the data going for processing, and why?

4 Further help

COMM-TECH are providing an ongoing GDPR support service to assist our clients’ DPOs. Please contact privacy@comm-tech.org to arrange time with us. The service is supplied on an hourly basis at Project rates.

5 Disclaimer

The information in this document is issued to our clients as part of our support services only and is not intended to be, nor does it constitute, legal advice.

If you have any questions, please email privacy@comm-tech.org and we’ll do our best to advise.

AUTHOR: Alan Buchel @ COMM-TECH, May 2018
