Understanding how GDPR fits into the new normal.

Home Office GDPR

The new normal of living in a Covid19 world brings with it some important questions about how you’re going to manage your business’s data security.

If you’ve changed how and where your workers are based, such as home workers or shared work spaces, or have taken on extra measures such as track and trace or monitoring your staff’s health, there are data security measures that you must implement to comply with GDPR and protect the processing of personal data.

Data Protection Impact Assessment (DPIA)

Under the GDPR you need to show that any processing of personal information is being done in line with the GDPR. You’re responsible for being able to demonstrate your compliance and to show that you’ve considered the impact of the data you’re processing. It’s recommended that you have a Data Protection Impact Assessment (DPIA) to help demonstrate your assessment.

Making changes to your GDPR policy should only be done after a DPIA is carried out.

The DPIA is not just for large organisations: any business that is processing personally identifiable information is required to be registered with the ICO and to have a GDPR policy in place.

What counts as Personally Identifiable Data?

Any information that can identify an individual is Personally Identifiable Data, the most obvious being people’s names, but other types of data could also be used to identify someone:

  • Names
  • Client Reference IDs
  • Order Numbers
  • Browser Cookies from websites
  • PAYE information
  • CCTV images
  • Bank Details
  • Mobile Phone Numbers
  • Social Media Details

What counts as Processing Data?

Any time anything happens to the data, it’s processing. With digital data this would include when it’s first entered into your system, if it’s accessed, sorted or looked up and when it’s modified or printed.

It includes the collection of data even if it’s not stored, such as taking temperature readings.

I don’t use a computer for work?

The GDPR covers processing of data in any format; this includes data on your mobile phone (such as contact details, call logs, text messages, WhatsApp messages etc).

I don’t even have a mobile phone

It’s not just digital data that is covered; any form of filing system is taken into account, so an address book, Filofax or even the top drawer of your desk would all fall under the GDPR.

Track & Trace

If you’re recording information for Track & Trace, you are required to follow the GDPR when doing so. You should update your GDPR policy to include the processing of this data and carry out a DPIA to make sure you are following the requirements of GDPR.

You should make sure that individuals know why you are collecting this information, who will have access to it and how long you will retain it for. The data collected must not be used for any other purpose.

You will need to identify the lawful basis for collecting this information. If you have a legal requirement to collect the information, or are doing so because your industry is encouraged to do so, it’s likely that you will be able to use ‘Legitimate Interest’ as the basis. Otherwise you may be required to use individual consent.

You should collect the minimum amount of information needed for the purpose. This would probably be a contact name, phone number and the date, time and duration of their stay at your premises.

The ICO list an ‘ABCDE’ approach to contact tracing:

Ask for only what’s needed

You should only ask people for the specific information that has been set out in government guidance. This may include things like their name, contact details and time of arrival for example. You should not ask people to prove their details with identity verification, unless this is a standard practice for your business, eg ID checks for age verification in pubs.

Be transparent with customers

You should be clear, open and honest with people about what you are doing with their personal information. Tell them why you need it and what you’ll do with it. You could do this by displaying a notice in your premises, including it on your website or even just telling people. If you already collect customer data for bookings, you should make it clear that their personal data may also be used for contact tracing purposes.

Carefully store the data

You must look after the personal data you collect. That means keeping it secure on a device if you’re collecting the records digitally or, for paper records, keeping the information locked away. See our guidance on simple security measures you can take here.

Don’t use it for other purposes

You cannot use the personal information that you collect for contact tracing for other purposes, such as direct marketing, profiling or data analytics.

Erase it in line with government guidance

You should not keep the personal data for longer than the government guidelines specify. It’s important that you dispose of the data securely to reduce the risk of someone else accessing the data. Shred paper documents and permanently delete digital files from your recycle bin or back-up cloud storage, for example.

Track & Trace QR Code

If you’ve printed out a government Track and Trace QR code, you do not need to include that information in your GDPR policy, as you will not be processing the information in any way.

Get a UK Government NHS Track and Trace QR Code here

Monitoring individuals for signs of Covid-19

(Temperature monitoring, symptom monitoring or asking about their health or the health of household members)

If you’re monitoring individuals (or their household) for signs of COVID-19 you will need to take extra care with the way the data is collected and processed. This type of data is classed as Special Category Data and has extra safeguards offered by the GDPR.

You should carry out a DPIA to ensure you have covered all the legal requirements for processing this kind of information.

The ICO GDPR coronavirus hub ‘Testing’

Individuals who are asked about their health or the health of those they live with, or who are asked to take a test or have their temperature taken, have rights under the GDPR. They are entitled to know at the point of collection:

  • What information is being collected.
  • Why it’s being collected.
  • Who will have access to the data.
  • How long the data will be held for.
  • What the legal basis is for collecting the data.
  • Who they should contact if they have any problems or issues.

They will also be entitled to request a copy of the data (called a Subject Access Request, or SAR).

Furthermore, they will be required to give specific, clear consent for the collection of this information.

Home workers access to company data

With many organisations now looking at moving to full or part time home workers, you need to make sure your GDPR policy covers the movement of data to and from your remote workers, and the data’s security while off site.

The transfer of data to and from your workforce and your office network should be a closed, secure transfer, either digitally over secured communications channels or physically.

If your workers are in the office or in other company-owned premises, the security can be centred around the closed network design, but when your workers are remote or working from a home office, that transfer of data needs to be done via public systems. This could be manual, such as moving paper records and files between the company and the workers, or digital, over the public internet.

If the data falls under the scope of the GDPR, then it is a lawful requirement that you protect the transfer of the data.

For files and paper this could be by using a locked briefcase or storage box, a pre-vetted courier or an employed courier. For digital information, this should include encrypted data over secure connections, such as a VPN (Virtual Private Network), remote desktops or secured cloud services.

Passwords

You shouldn’t be letting your staff use weak passwords anyway, but we know in a secure office environment it can happen.

With staff accessing your business network remotely, those passwords suddenly become critically important and must be strong, ideally with 2FA (Two Factor Authentication) in place so any logon attempt needs to be verified by a text message or mobile phone app.

You should have sufficient monitoring of access so you can identify malicious logon attempts and any issues of security.

Data transfer and storage for home workers

You should make sure data is secured during transport, whether digitally over the internet, on USB devices or as paper files.

Once the data has been delivered to the remote worker securely, you need to make sure it’s stored in a secure way.

Paper folders and files should be stored in a secure locked cupboard or filing cabinet in the house for example, it’s not a good idea to leave them in a car or in a garage or shed.

Digital data should ideally be encrypted when not being accessed, and only kept in the remote location for as long as is necessary.

Using a home pc or mobile

If your remote workers are going to use personal devices for processing your organisation’s data, you should ensure that they meet your data security policy standards.

This should include sufficient secure (encrypted) storage, segregation of data from personal data, robust antivirus measures and secure internet connections as a minimum.

If you already have a Bring Your Own Device (BYOD) policy in your GDPR and IT deployment pack, then you should make sure it’s up to date, appropriate for its new use and that your employees read it and understand it.

Video Conferencing

Using video conferencing is a great way to keep in touch with staff and clients, but you should cover its appropriate use in your DPIA.

You should choose a platform or two that offer corporate level security, two factor authentication, logging and recording facilities and end-to-end encryption and deploy them for use.

You should make sure users are kept updated on proper use, and how to spot improper use or potential scams on the platforms, and you should make sure the end users are keeping their platform client apps up to date.

In your policy file you should include items such as screen sharing, file sharing, remote control and instant messenger chat use.

Office Chit Chat

One of the things people might miss while working from home is the office chit-chat. Not the gossiping at the coffee pot for 20 minutes, but the background day-to-day chatter that helps the office function.

To help with this, there are a few digital radio stations and channels that will play constant background chatter. It sounds odd, but having that quiet noise in the background can actually make it easier to concentrate on what you’re doing.

For the time when you would just pop your head up and ask a colleague something, you might find it useful to have an ongoing meeting room open between all your office staff. That way they don’t have to start a specific call with someone if they just want to ask a quick question.

tinsleyNET IT Services Consultants #WeCanHelp

#WeCanHelp

We can help you conduct and write your Data Protection Impact Assessment (DPIA) to make sure you’re protecting personally identifiable data in line with GDPR requirements.

We can help you move your business to an agile, modern IT setup, with remote workers, hot desking and secure digital storage.

We can also help you with IT Support for your remote workers, making sure your agile workforce are getting the support they need in this new way of working.

If you need help with setting up remote workers, GDPR Policy files, DPIA’s or any other IT support issues #WeCanHelp

https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/

Small Business IT Support


IT Support for SME’s

We understand that for many Small Businesses, IT is something that you just need to work. But having a full-time in-house IT support department is too expensive.

We can help you with local, friendly and reliable IT support managing your IT.

We can be on-site, remote or a mix of the two, whichever works best for you and your business.

And if you decide to take on in-house IT support, we can ensure a seamless and smooth transition and handover so you don’t need to worry about starting from scratch.

IT Support for Very Small Businesses

It may be that you only need occasional IT support, when something goes wrong for example. We can accommodate IT support for very small businesses and work from home users with our flexible support plans.

Support can be offered remotely or on site to suit your needs. We can offer IT advice for when you purchase new IT equipment, end user support and training to help you make your business flourish.

Just because you’re small…

It doesn’t mean your IT needs are any less important or require less technical support than a big business.

You may be a sole trader or a small team of workers, but you still need your IT to work.

We can support you whatever your size.

tinsleyNET IT Services Consultants #WeCanHelp

#WeCanHelp

We can provide all the technical knowhow you need to keep your business running, without the cost of a full-time in-house IT person.

IT Support for small businesses. #WeCanHelp

Windows Support Call Hoax

tinsleyNET Security Services

Keeping the hoax callers busy…

It’s Monday morning, about 10am and I get a call on my home land line. The lady explains that her name is Shirley and she’s calling from Microsoft about a security issue on my computer.

Well, already I know it’s a hoax and I know what ‘Shirley’ is going to ask me to do. It’s the same old script, but I do notice a few improvements this time that could mislead an unsuspecting user, even if you don’t give over control of your computer.

First up, she’s introduced herself adding a bit of a personal touch, not sure if the criminals have been studying psychology or if by accident, but introducing yourself as a person with a name is known to help foster a sense of trust. Secondly, she said she was from Microsoft. This is the first time I have heard Microsoft used, previously they have said they are from ‘Windows’ which is of course a product line, not a company.

So I’m intrigued by how many other changes they might have made, and I feel it’s my little way of helping the community by keeping their phone operative busy for as long as I can.

Shirley asks me to start up my computer. Well, I’m actually working on my computer at the time but I don’t tell her that; instead I start up VirtualBox and load a virtual computer running Windows 7. I also start up a Linux virtual computer that can act as a gateway, configured so I don’t disclose my real IP details.

Once up and running I tell Shirley that I am logged on and she instantly falls back to the old script; “Click the Windows Key + R” (this opens the RUN dialogue box)
“Type in EVENTVWR and press enter” (Windows Event Viewer, this is where the OS and installed apps log events that help diagnose issues on your computer. NOTE: It’s completely common for there to be tens of thousands of log messages, with lots of red crosses and yellow triangles. If you are worried about anything you see in the Event Viewer, contact us and we can tell you if it’s something that needs urgent attention.)

Windows Event Log, especially when filtered, can look very scary, but don’t let that fool you. While these are errors that probably need attention, they are not an indication of a virus.
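As an added illustration (not part of the original post), the PowerShell query below counts the Warning and Error events from the last seven days in the System and Application logs and lists the top sources, so you can see what a normal baseline looks like on a healthy machine. It assumes a Windows host with the built-in Get-WinEvent cmdlet and makes no assumption about what the logs contain.

```powershell
# Added example: baseline the "scary" Warning/Error events a hoax caller points at.
# In the Windows event log schema, Level 2 = Error and Level 3 = Warning.
$since = (Get-Date).AddDays(-7)
$filter = @{
    LogName   = 'System', 'Application'
    Level     = 2, 3
    StartTime = $since
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error if a log has no matching events.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

"{0} Warning/Error events since {1:u}" -f @($events).Count, $since

# Top sources: on a normal PC these are usually routine items (service timeouts,
# DCOM permission noise, driver or application hiccups), not evidence of infection.
$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

Run it on a machine you know is clean and keep the output; a large count with the same handful of sources is the normal picture, so a caller treating those entries as “infected files” is reading noise, not a diagnosis.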

I’ve duly opened up the event viewer and Shirley asks me to click on the FILTER CURRENT LOG and to tick the WARNING and ERROR boxes, this is another new part to the script, as previously I’ve just been asked to read out the NUMBER OF EVENTS listed at the top of the screen. With the log filtered, it’s now a sea of scary looking error messages.

Shirley informs me that those are all infected files, this is a revert to the old script again. She tells me that unless I fix the files in 1 hour, Microsoft will cut off my computer from the internet and I will have viruses that allow people to access my computer.

Well, obviously I don’t want a virus riddled computer that been disconnected from the internet, right?

But not to worry, just a few questions and install a file to connect me to the Microsoft central computer and I’ll be fine to go about my business.

Shirley asks me if I use online banking, I say ‘yes’ and she asks me who I bank with. I don’t know why but the first bank I can come up with is Deutsche Bank. I get asked a series of questions that will help ‘them’ find out where the viruses came from. In reality what these questions are doing is helping to build a list of information they need to get from me or my computer, and a list of files they will be looking for when they eventually get onto my PC.

How many people use the computer for online banking, online shopping or online gaming?
Do I use any other computers?
How often do I change my passwords?
Do i use the same password on many sites?
Do I have any antivirus software?
… and so on…

Log Me In & TeamViewer

Once I have given satisfactory answers to the questions, I am directed to the Team Viewer website and asked to download the app so they can connect me to the ‘Microsoft Central Computer’, which sounds very exciting. But I have to be quick as I might get my computer cut off soon.

I have been trying to waste their time without arousing suspicion, so I gave VERY long detailed answers to the questions, including why I bank with a German bank (and my fictitious 2 years in Germany helping the Kremlin to move funds and gold into off-shore banks based in Panama) and asking for everything to be spelled out in the phonetic alphabet, but then mixing up my phonetic names (‘H’ for Hoax, ‘S’ for Scam).

Eventually I start to download TeamView…. and then the internet breaks!! My ISP has an outage and I am left unable to finish the download. I could switch to my 4G account, but I have used TeamViewer lots of times in the past, I can bluff this!

I pretend the download has finished and I have installed the application. Shirley asks me to read out the 9-digit user ID (good job she told me how many digits as I couldn’t remember!). “It’s 456 123 789” I say, and the pass-code “that’s 654321” I tell her…. a pause, then “can you read that out again, it says it’s not recognised”.

At this point, Shirley was hoping to log into my computer and take control over it. Probably she would have tried to make copies of the files in the folder I keep on the desktop called “Bank Account Details” (the contents of which are two Word documents, one infected with a macro script that renders the boot disk of the infected computer un-bootable, the other full of apparently random data that spells out “Who watches the Watchers” in long hex), maybe install a cryptoware or keylogger app and set up a backdoor so others could log on in the future, and download anything else that might be of use to them.

But instead she spends about 20 minutes trying to figure out why the number I have given her is not working, which is not helped by me changing the numbers around each time.

Eventually she gives up and moves on to www.support.me (LogMeIn). Again, without any actual internet access I know I can’t start this, but I bluff and ask her for the session code. She gives me a code and I write it down, making a note of the exact time so I can email it to the LogMeIn abuse email account once I have access.

I manage to make this last another 10 minutes before saying that my computer is restarting after doing Microsoft updates. Shirley is getting quite impatient with me now but doesn’t give up. She almost shouts at me that I am going to get my computer cut off and all these viruses are going to infect my other computers.

After nearly 2 hours (I think this must be some record) I am the one who admits defeat, well actually I am getting peckish and feel I have done my bit for the day, so I ask Shirley if she can call me back after I have been to the pub, thinking she will realise I am winding her up, but Shirley is not going to give in so easily. She tells me she will call me back after I have been to the pub!! and she does. But it’s her home time now and she can’t fix my computer today so she is going to call back tomorrow to try again.

Microsoft won’t call you

If you get an unsolicited call from Microsoft, McAfee, Apple or anyone else telling you that you have a virus on your computer, it’s most likely a scam. Take a note of the caller’s name and company name, and ask them for a phone number. Check out the details online to put yourself at ease, or contact us and we will check up on them for you.

#WeCanHelp

tinsleyNET Fraud Prevention

Don’t let the hoaxers catch you out. No matter how convincing or how insistent an unsolicited caller is, never take their word for anything. This applies to banking calls as well as these hoax support calls. If a caller asks you to provide some information to confirm you are who you say you are, don’t until they have proven they are who they say they are.

Never download or go to websites that allow remote access unless you know 100% who it is you’re talking to. Tricksters will always try to sound convincing and will use any means they can to get you to lower your guard.

If you suspect your computer may have been infected or compromised, or you think you may have fallen victim to a scam, you should alert the police cyber crime department, and if you have online banking you might need to alert your bank too.

tinsleyNET IT Services Consultants | 07825650122 | it@tinsleyNET.co.uk | @tinsleyNET | +tinsleyNETcouk | www.tinsleynet.co.uk | Facebook | #Stuff4Steph
tinsleyNET LTD | IT Services Consultants
Offering IT Services to businesses and home users across the UK
#WeCanHelp