Security guaranteed?

To coincide with London Tech Week 2024, one of the key themes of which is ‘The Future of Security and Data’, and following the revelation in the DSIT Cyber Security Breaches Survey 2024 that few organisations are conducting supply chain risk assessments, Handley Gill’s specialist consultants have published their Helping Hand checklist on conducting data processor / supply chain information security risk assessments which is informed by NCSC guidance.

Nicola Cain12 June 2024Data Protection, Personal Data, UK GDPR, GDPR, General Data Protection Regulation, UK GENERAL DATA PROTECTION REGULATION, Information Security, Cyber Security, Information Security Risk Assessment, Cyber Security Risk Assessment, Cyber Attack, Cyber Incident, Data Breach, Data Controller, Data Processor, Article 28 UK GDPR, Article 28 GDPR, Article 28(1) UK GDPR, Article 28(1) GDPR, Cyber Security Breaches Survey 2024, Department for Science Innovation & Technology, National Cyber Security Centre, NCSC, Supply Chain Risk, Supply Chain Security, Vendor Management, Supplier Management, ICO, Information Commissioner, Information Commissioner's Office, Data Security Incident Trends Report, London Tech Week 2024, LTW, LTW 2024, The Future of Security and Data, Cyber Resilience, Online HarmsComment

Certify...certify me!

Handley Gill’s specialist data protection consultants consider the options and certification requirements for US entities importing personal data from the EEA following the adoption of the European Commission’s adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework, providing a lawful basis for transferring personal data to the US under the GDPR.

Nicola Cain16 July 2023Data Protection, Data Privacy, PERSONAL DATA, GDPR, General Data Protection Regulation, GENERAL DATA PROTECTION REGULATION, Regulation (EU) 2016/679, Data Transfer, Restricted International Data Transfers, Restricted Data Transfer, International Transfers, International data transfers, US Data Transfers, EU-US DPF, EU-US Data Privacy Framework, SCCs, Modernised SCCs, Supplementary Measures, Transatlantic Data Privacy Framework, Trans-Atlantic Data Privacy Framework, Transfer Risk Assessment, Transfer Impact Assessment, Transfer Risk Assessment Tool, Data transfer agreement, TADPF, Trans-Atlantic EU-US Data Privacy Framework, Trans-Atlantic EU-US Data Privacy Framework Principles, DPF Principles, Privacy Shield, Privacy Shield Principles, EU-US DPF Certification, Privacy Shield Certification, Privacy Shield Self-Certification, Schrems II, Personal Data Transfer, Personal Data Export, Data exporter, Data Importer, Safe Harbor, Chapter 5 GDPR, Article 44 GDPR, Article 45 GDPR, Adequacy Decision, US Adequacy Decision, EUROPEAN COMMISSION, C(2023) 4745, TADPF Certification, Data Controller, Data Processor, Data ExporterComment

Freedom from the tyranny of supplementary measures

Handley Gill Limited’s specialist data protection consultants consider the impact of the European Commission’s adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework and the steps controllers and processors should take in relation to transfers of personal data from the EEA and UK to the USA.

Nicola Cain11 July 2023Data Protection, Personal Data, GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Transfer, Personal Data Transfer, International Transfers, International data transfers, Safe Harbor, Privacy Shield, EU-US Data Privacy Framework, Transatlantic Data Privacy Framework, Trans-Atlantic Data Privacy Framework, Chapter 5 GDPR, Chapter 5 UK GDPR, Article 44 GDPR, Article 44 UK GDPR, Article 45 GDPR, Article 45 UK GDPR, Article 45(2) GDPR, Article 45(2) UK GDPR, Adequacy Decision, Schrems II, Adequacy Regulations, Section 17A Data Protection Act 2018, S.17A Data Protection Act 2018, S.17A DPA 2018, DPA 2018, Data Protection Act 2018, Standard contractual clauses, Standard data protection clauses, Supplementary Measures, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Transfer Risk Assessment, Transfer Impact Assessment, International Data Transfer Agreement, International Data Transfer Addendum, IDTA, SCCs, Modernised SCCs, Modernised Standard Contractual Clauses, Executive Order 14086, Qualifying State, TADPF, US Data Transfers, UK-US Data Bridge, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, FISA 702, Prism, Upstream, EU-US DPF, Data Controller, Data Processor, Data exporter, Data ImporterComment

A bridge to nowhere?

A commitment to establishing a UK-US data bridge, which would take the form of adequacy regulations being issued by the Secretary of State pursuant to section 17A Data Protection Act 2018, has been announced. Since this bridge is likely to be contingent on the European Commission issuing its own adequacy decision, and the draft has recently been rejected by the European Parliament, data exporters will be reliant on the Commission ramming through the roadblock or will find themselves stuck in traffic on the UK-US data flyover.

Nicola Cain18 June 2023Data Protection, Personal Data, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Privacy Shield, Schrems II, Transatlantic Data Privacy Framework, Adequacy Decision, EUROPEAN COMMISSION, Safe Harbor, Adequacy Regulations, UK Adequacy, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, EU-US Data Privacy Framework, UK-US Data Bridge, Chapter 5 GDPR, Chapter 5 UK GDPR, Article 45 GDPR, Article 45 UK GDPR, Article 46 GDPR, Article 46 UK GDPR, Data Protection Act 2018, Section 17A Data Protection Act 2018, s17A Data Protection Act 2018, Qualifying State, Executive Order 14086, TADPF, European Parliament, Committee on Civil Liberties, Committee on Civil Liberties Justice & Home Affairs, LIBE Committee, European Data Protection Board, EDPB, Opinion 5/2023, German-American Data Protection Day, DoJ, Department of Justice, Standard contractual clauses, Standard data protection clauses, Supplementary Measures, Transfer Risk Assessment, Transfer Impact Assessment, Derogation, Data Transfer, Data transfer agreement, US Data Transfers, International Transfers, International data transfers, International Data Transfer Risk Assessment, Data Controller, Data Processor, Data exporter, Data ImporterComment

CrapITa

Handley Gill’s data protection consultants consider recent supply chain cyber attacks, including the unfolding of the recent Capita and Zellis / MOVEit data breaches, and identify the steps data controllers should take when engaging data processors as part of their supply chain or giving third parties access to personal data, and the lessons to be learned for vendor management throughout the data processing lifecycle.

Nicola Cain10 June 2023Data Protection, Personal Data, Information Security, Cyber Security, Cyber Resilience, Cyber Attack, Data Breach, Supply Chain Risk, Supply Chain Security, Vendor Management, Capita, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, Information Commissioner, Information Commissioner's Office, ICO, Pensions Regulator, Financial Conduct Authority, FCA, Data subjects, Compensation, Data litigation, Ransom, Ransom Payment, Department for Science Innovation & Technology, DSIT, Cyber Security Breaches Survey 2023, Article 25(1) UK GDPR, Article 25(1) GDPR, Data Controller, Data Processor, Data Processing Agreement, DPA, Data Processing, Article 28 GDPR, Article 28 UK GDPR, Article 32 GDPR, Article 32 UK GDPR, Cyber Insurance, Cyber Insurance Cover, Liability, Data protection impact assessment, DPIA, Administrative fine, Monetary penalty, Article 82(3) UK GDPR, Article 82(3) GDPR, Regulatory Action Policy, Article 33 UK GDPR, Article 33 GDPR, Article 34 UK GDPR, Data Breach Notification, Breach Response Plan, Incident Response Plan, Injunction, Injunctive Relief, Article 82 GDPR, Article 82 UK GDPR, CVE-2023-34362Comment

Data Downgrade Down Under?

Handley Gill Limited’s data protection consultants consider the implications of the 2021 Free Trade Agreement between the UK and Australia - taking effect on 31 May 2023 - for the protection of personal data and the ease of international transfers of personal data.

Nicola Cain31 May 2023BREXIT, UK, United Kingdom, Australia, Data Protection, Personal Data, Privacy, Data Privacy, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, Section 17A Data Protection Act 2018, Adequacy Decision, Adequacy Regulations, New Zealand, European Commission, Secretary of State for Science Innovation & Technology, Marketing, Direct Marketing, Consent, Marketing Consent, Privacy Act, Privacy Act Review, Foreign Commonwealth and Development Office, Foreign Office, Department for Business and Trade, Department for Science Innovation and Technology, Department for Culture Media & Sport, Data Transfer, Restricted Data Transfer, Restricted International Data Transfers, International data transfers, Standard contractual clauses, Derogations, Data Controller, Data ProcessorComment

New and improved?

The Second Reading of, and first chance for Parliament to debate, the government’s second attempt to reform the UK’s data protection legislation, in what it has described as the “improved” and “common-sense-led” Data Protection and Digital Information (No.2) Bill (Bill 265 2022-23) takes place on 17 April 2023. Handley Gill’s specialist data protection consultants consider its impact on the UK’s existing data protection legislation and identify amendments that would improve the Bill.

Nicola Cain17 April 2023Data Protection, Personal Data, GDPR, UK GDPR, Data Protection Act 2018, Data Protection Reform, PECR, DPA 2018, Privacy and Electronic Communications Regulations, Data Reform Bill, Data Protection and Digital Information Bill, Data Protection and Digital Information (No. 2) Bill, Bill 265 2022-23, DPDI Bill, Data: A New Direction, DPDI2 Bill, Bill 143 2022-23, General Data Protection Regulation, UK GENERAL DATA PROTECTION REGULATION, DPDI(2) Bill, DPDI (No.2) Bill, Information Commissioner, Information Commission, Supervisory Authority, Department for Culture Media & Sport, Department for Science Technology & Innovation, Department for Science Innnovation & Technology, Department for Science Innovation & Technology, Brexit, Innovation, Code of Practice, Statutory Code of Practice, DATA SUBJECT ACCESS REQUEST, Data Subject Rights, Vexatious or excessive, Approved person, Data subject complaint, Data controller complaint, Statement of Strategic Priorities, Enforcement, Regulatory Enforcement, Interview notices, First Tier Tribunal (Information Rights), Notice of Intent, Monetary Penalty Notice, Definition of personal data, Data Controller, Data ProcessorComment

Your money... and your life?

New cyber sanctions imposed by the UK and US governments against Russian nationals expose victims of ransomware, and their individual directors and officers, to criminal liability in the event that ransom payments are made.

Nicola Cain21 February 2023Ransom, Ransomware, Sanctions, Cyber Sanctions, Ransom Payment, Russia, Ukraine, Sophos State of Ransomware 2022 white paper, Information Commissioner, ICO, Home Secretary, Priti Patel, CyberUK Conference 2021, NCSC, National Cyber Security Centre, NCA, National Crime Agency, OFSI, Office of Financial Sanctions Implementation, Cyber Attack, Cyber Crime, Data Breach, Data Loss, Conti, Conti ransomware, Personal Data, Data Protection, UK Sanctions List, Guidance on Ransomware & Financial Sanctions, HM Treasury, Directors Duties, Directors' Duties, Criminal Offence, Criminal Liability, Cyber (Sanctions) (EU Exit) Regulations 2020, SI 2020/597, Sanctions & Anti-Money Laundering Act 2018, Designated Person, Cryptocurrency, Virtual assets, Due Diligence, Trickbot, Ransomware Victim, CPS, Crown Prosecution Service, Malware, Data Controller, Data ProcessorComment

Risky business

New guidance issued by the Information Commissioner’s Office on the approach to assessing the risk of restricted ex-UK international data transfers may ease restrictions on transfers of personal data to the US and presents an opportunity to revisit ex-UK international data transfers that had previously been rejected as non-compliant.

Nicola Cain20 November 2022Data Protection, Personal Data, GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Article 46 GDPR, Article 46 UK GDPR, Article 46(2)(c) UK GDPR, Article 46(2)(c) GDPR, DATA PROTECTION ACT 2018, DPA 2018, Data Transfer, US Data Transfers, Restricted Data Transfer, International data transfers, Restricted International Data Transfers, DPC22, Emma Bate, Information Commissioner's Office, Information Commissioner, ICO, EDPB, European Data Protection Board, International Data Transfer Risk Assessment, IDTRA, Transfer Risk Assessment, TRA, Data export, Personal Data Export, Data Exporter, Supplementary Measures, Data Controller, Data Processor, Data Importer, Schrems II, C-311/18, Transatlantic Data Privacy Framework, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, Appropriate Safeguards, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, EDPB Recommendation 01/2020, International Data Transfer Agreement, International Data Transfer Addendum, IDTA, Standard Contractual Clauses, Modernised Standard Contractual Clauses, International Transfers, Privacy, Data Privacy, Human Rights, Transfer Risk Assessment Tool, Data Protection & Digital Information Bill, Adequacy Decision, UK Adequacy, Bill of Rights, Transfer Impact Assessment, TIAComment

See ya SCCs, enter the IDTA

New data processing or other sharing agreements governed by the UK GDPR, which are entered into on or after Thursday 22 September 2022 and which involve the export of personal data from the UK to third countries and will rely on appropriate safeguards under Article 46 UK GDPR in the form of standard data protection clauses, can no longer rely on the standard contractual clauses (SCCs) or ‘model clauses’ issued by the European Commission and valid as at 31 December 2020 and must instead incorporate the International Data Transfer Agreement or modernised SCCs and International Data Transfer Addendum.

Nicola Cain20 September 2022Data Protection, Data Protection Act 2018, GDPR, UK GDPR, General Data Protection Regulation, UK General Data Protection Regulation, EUROPEAN COMMISSION, Information Commissioner, SchremsII, Schrems II, Standard contractual clauses, SCCs, Modernised Standard Contractual Clauses, Modernised SCCs, International data transfers, International Data Transfer Agreement, IDTA, International Data Transfer Addendum, International Data Transfer Risk Assessment, Article 46 UK GDPR, Article 46 GDPR, Model clauses, European Commission Decision 2001/497/EC, European Commission Decision 2010/87/EU, Brexit, UK-EU Withdrawal Agreement, Article 46(2)(c) UK GDPR, Article 46(2)(d) UK GDPR, Article 46(2)(d) GDPR, Standard data protection clauses, The Data Protection Privacy & Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), Schedule 21 Part 3 para.7 Data Protection Act 2018, Data transfer agreement, Data exporter, Commission Implementing Decision (EU) 2021/914, Data Controller, Data Processor, Data Exporter, Data ImporterComment

Too Many Phish in the Sea!

DCMS has recently published its Cyber Security Breaches Survey 2022, based on data gathered by IPSOS MORI over winter 2021/22, which reveals that businesses and charities continue to be under prepared to respond to inevitable cyber security incidents and data breaches.

In this post, we highlight some of the key findings of the survey and identify advice, guidance and free solutions to common cyber resilience shortcomings.

Protective MeasuresNicola Cain17 April 2022Handley Gill Limited#CyberSecurity, #DataBreach, #CyberAttack, #Phishing, #Ransomware, #GDPR, #UKGDPR, #DPA2018, #DCMS, #CyberSecurityBreachesSurvey, #CyberSecurityBreachesSurvey2022, #DataBreachStatistics, #Malware, #CyberResilience, #CyberInsurance, #IncidentResponse, #CyberSecurityIncident, #DataBreachResponse, #SMEs, #Charities, #Business, #Charity, #Retail, #Education, #NCSC, #PoliceCyberAlarm, #NPCC, #LawEnforcement, #ActionFraud, #Police, #Sanctions, #SupplyChainRisk, #ThirdPartyRisk, #Training, #Logging, #TechnicalAndOrganisationalMeasures, #Penalties, #Article28, #Article32, #DataProtection, #Compliance, #SupplyChainSecurity, #CyberSecurityStrategy, #IncidentResponsePlan, #Trustees, #BusinessContinuity, #DisasterRecovery, #DataBreachReporting, #CyberCover, #IncidentReporting, #CSuite, Cyber Security, DCMS, Ransomware, Data Breach, Supply Chain Risk, Directors, Law Enforcement, Police, NCSC, National Cyber Security Centre, Cyber Attack, GDPR, UK GDPR, General Data Protection Regulation, DPA 2018, Data Protection Act 2018, Department for Culture, Cyber Security Breaches Survey, Cyber Security Breaches Survey 2022, Data Breach Statistics, Malware, Cyber Resilience, Cyber Insurance, Incident Response, Cyber Security Incident, Data Breach Response, SMEs, Micro Businesses, Charities, Start Ups, Retail, Education, Police CyberAlarm, NPCC, National Police Chiefs' Council, Action Fraud, Information Security, Cyber Crime, Sanctions, Third Party Risk, Training, Logging, Technical & Organisational Measures, Protective Measures, Costs, Fines, Administrative fine, Penalties, Monetary penalty, Data Protection, Article 28 GDPR, Article 32 GDPR, Article 28 UK GDPR, Article 32 UK GDPR, Compliance, Cyber Griffin, Cyber Essentials, Supply Chain Security, Cyber Security Strategy, Incident Response Plan, Breach Response Plan, Data breach costs, Trustees, Business Continuity, Disaster Recovery, Data Breach Reporting, Cyber Insurance Cover, Incident Reporting, C Suite, Data Controller, Data ProcessorComment