One morning you arrive at work early and see an email from your manager, who is overseas on a business trip. She wants you to have a quick look at slides for a presentation that she’s delivering the following week. All you have to do is tidy up the presentation a little bit; an easy task, you think to yourself.
The presentation file has been shared via the cloud rather than attached to an email, so you need to log in to get access. You enter your login details, but an error page displays. No one from IT is in yet, so it looks like that presentation is going to have to wait. You long for the days of simple email attachments, or better still, paper filing cabinets.
The thing is, there is no error. There is no presentation. No email has been sent by your manager. That login page wasn’t a real login page. You’ve just become the latest victim of a phishing attack. You’ve just handed the attackers your work login details, and you’re blissfully unaware as you decide to wait until after lunch before tackling the presentation again.
Your email and password let attackers gain access to your company systems. As you work in the finance department, they have access to financial information on all the company’s employees as well as lots of other sensitive business information. Worse still, you use that same password for many of your personal accounts.
In summary, an innocuous-looking email from your manager has ended up costing tens of thousands of pounds, not to mention the stress and anxiety caused by having your identity stolen. The upcoming General Data Protection Regulation (GDPR) could make these consequences far greater.
Do you think this scenario sounds far-fetched? Think again. You and your manager are connected on LinkedIn. She is an active user and frequently posts details of her whereabouts and doings. Your company email system uses the fairly standard [email protected] format.
It’s easy for attackers to use this freely accessible information to set up a spoof email account in your manager’s name, guess your email address at the company, and send you a realistic-sounding email. Worse still, your manager frequently emails from her personal email accounts when abroad or using her mobile, so you weren’t even suspicious.
A 2016 study carried out by Verizon, the global communications company, revealed that 30 per cent of recipients opened phishing emails, while 12 per cent clicked the links or attachments that launched the attack.
So, what’s all this got to do with the GDPR? The new General Data Protection Regulation comes into effect on 25 May. It’s not coming as a surprise. Pretty much every business is aware of it, and emails asking about readiness appear in inboxes daily. Why all the fuss?
The GDPR will bring about the biggest change to data protection law since the Data Protection Act 1998. Individuals, organisations and companies that control or process personal data will be covered by the GDPR. Both personal and sensitive personal data are covered. Personal data is any data that will identify an individual. This could be a name or address, but it could also be an IP address, a computer name or an employee reference number. Sensitive personal data encompasses genetic data, information about religious and political views and sexual orientation, for example.
One of the biggest and most talked about elements of the GDPR is the power for regulators to impose fines: fines for not processing data correctly, fines for not having a data protection officer, and as in the case above, fines for a data breach. These fines are much greater than before, with a current maximum of up to 20m euros or four per cent of annual global turnover, whichever is greater. A breach may not be as sophisticated as a phishing attack; it could simply be sending an email to the wrong person by mistake.
Other changes the GDPR brings include access to your data. Previously, a company could charge an individual £10 to show what information they held on them. Under the GDPR, that information must be given free of charge and within one month.
There’s also a requirement to obtain consent to process data in some situations. When relying on consent as a legal basis for processing, the consent must now be a positive opt-in. No more pre-checked boxes and no more assumed consent. If the consent can’t be proven, it doesn’t exist. Additionally, organisations can’t contact individuals to ask for consent if consent doesn’t exist.
There is a lot of hype and misinformation about the GDPR, but there are also some incredibly useful resources. The full regulation can be found on the European Commission’s website. It is almost 100 pages long and contains the full 99 articles of the regulation. The Information Commissioner’s Office (ICO) has also produced a useful guide, which can be found on its website.
The British Safety Council has created a new digital learning course to enable organisations to make all employees who come into contact with personal data aware of their new responsibilities. This is a general awareness course and takes employees on a data journey looking at internet and password security, previous data protection law and its evolution into the GDPR.
It also looks at the six lawful bases for processing data and details the consequences of non-compliance. The course contains knowledge checks throughout and an assessment at the end. We have made a commitment to continually revise and update the course as companies prepare for and adapt to life under the GDPR. We will also be adding sections on the new Data Protection Bill, due to come into force in the next year or so. Yes, that’s right, the GDPR is only the beginning.
GDPR information available at: eugdpr.org
Courses and course demos available at: britsafe.org/products/data-protection-gdpr/
James Mansbridge is head of digital learning at the British Safety Council