
Case study: Helping a healthcare business build trust


Cyber Essentials certification is becoming ever-more important to the healthcare industry, particularly for those firms looking to work with the NHS. 

So we sat down with Kim-Lisa Gad, Governance, Risk and Compliance Manager at Vula Mobile to discuss how CyberSmart has helped the business complete Cyber Essentials Plus certification.

Vula is a medical referral app and online platform that makes it easy for primary healthcare workers to get advice from and refer patients to specialists.

CyberSmart: What security challenges have you faced as a business? 

Kim: Like many businesses – even those with good physical, technical and administrative security measures in place – it’s often a challenge to reassure customers and partners that their data is protected and our organisation is secure. 

The Cyber Essentials Plus certification has allowed us to demonstrate to customers and partners that we take security seriously. And, that we’re continually improving and verifying that our security processes are effective and well managed. 

CyberSmart: What prompted you to get Cyber Essentials Plus certification?

Kim: Initially, we were required to get Cyber Essentials Plus to apply for a business tender. However, since then, Cyber Essentials Plus has helped us obtain and move forward with other contracts. Being able to demonstrate our security measures to current and potential customers has proved invaluable. 


CyberSmart: How easy was the process from initial enquiry to certification?

Kim: The process was exceptionally quick and seamless, from our initial contact with James (Direct Sales Manager at CyberSmart) to our audit with Glen (CyberSmart’s Head of Cyber Audit) and obtaining our certification. 

The team at CyberSmart were always on hand with information and advice, making the whole process much less stressful. It was also wonderful that they were able to do everything remotely as we are based in South Africa. 

CyberSmart: How long did the process take? 

Kim: The initial questionnaire for Cyber Essentials took around a week to complete. We had our first response back requesting more information on three questions within a day of completing it. I provided the information the same day and we were granted certification later that afternoon. 

We then started Cyber Essentials Plus certification two weeks later, preparing ourselves for the online audit. The audit took around three hours; Glen was exceptional in helping us prepare and very thorough in his assessment. We received our Cyber Essentials certification the same day as the audit, which was a very efficient turnaround. 

CyberSmart: How has Cyber Essentials Plus helped your business?

Kim: It’s proved an invaluable way of proving to customers, partners and prospects that our security is effective and follows best practices. Certification has also made the process of submitting tenders and business documentation much easier. The certification itself answers many of the questions we’re asked in potential business agreements. 


CyberSmart: Have you noticed any change in your relationship with customers, suppliers, or prospects since getting certified?

Kim: Our customers, partners and prospects have really appreciated the additional assurance that certification provides. What’s more, their trust in how we manage our business and the services we provide has also increased. 

We find once we’ve submitted our Cyber Essentials Plus certificate to other businesses, they’re generally satisfied and don’t require any further proof of our commitment to security. The certificate provides all the proof they need. 

CyberSmart: Would you recommend Cyber Essentials Plus to other businesses like yours?

Kim: Most definitely. The Cyber Essentials Plus certification offered through CyberSmart is an absolute necessity for any business that wants to validate its security commitments. And, it’s a great way to assure customers and business partners that your organisation is secure.

Finally, it’s also a very methodical approach to ensuring your security measures are well-thought-out, executed properly, and mitigate cybersecurity risks. 

Considering Cyber Essentials Plus for your business? Click here to find out why CyberSmart is the UK’s leading provider of Cyber Essentials certification.


Press release: CyberSmart disrupts SME cybersecurity with $10 million Series A funding


CyberSmart, UK leader in simple and accessible automated cybersecurity technology for SMEs, has today announced the completion of a successful over-subscribed Series A funding round, bringing the total raised to over $10 million. Alongside deeptech fund IQ Capital and with the additional support of InsurTech specialist Eos Venture Partners and data science-focused Winton Ventures, CyberSmart is set to further disrupt the cybersecurity market. The funding will be used to enhance the product’s capabilities further, invest in channel partnerships and scale across the UK and beyond. In this way, it will play a fundamental part in the company’s long-term goal to protect and empower SMEs globally.

The company drives value for customers and partners through its ‘golden triangle’ approach: supporting SMEs in protecting their data, assuring their security posture and providing tailored and affordable insurance coverage. CyberSmart’s intuitive online platform automatically and continuously assesses personal and company devices in real time, alerting users when security and compliance standards have not been met. SMEs benefit from 24/7 monitoring and protection, government-grade assurance via Cyber Essentials certification and ongoing support with training, compliance, policies and procedures.

CyberSmart is collaborating with a number of insurance companies and strategic corporate partners across Europe, including Aviva and Starling, to ensure SMEs are protected and covered, whilst benefiting from reduced insurance premiums and policy excesses.


It is this comprehensive approach to cybersecurity and a focus on accessibility, both in terms of cost and functionality, that distinguishes CyberSmart from the crowd. This has driven an influx of capital and a wide variety of enthusiastic investors, with many current investors and angels doubling down on their commitment to the company.

“The amount of support we have received thus far is humbling, and just goes to show the gap there is in the market for our offering. Cybersecurity solutions are often tailored to large enterprises with extensive teams and resources, whilst SMEs are left behind. With the help of our investors, we are challenging this mentality,” said Jamie Akhtar, CEO and co-founder of CyberSmart. “Staying true to our mission of empowering SMEs to tackle cybersecurity is paramount. As such, despite the overwhelming interest we received from investors, we have been selective in determining who comes aboard as we define this new category for ourselves.”

“We are very excited to partner with Jamie and the brilliant team at CyberSmart. We’ve been impressed by the scalability of the technology, which is helping a fast-growing number of SMEs build their digital presence while staying secure”, said Antoine Pechin, Vice President of Winton Ventures. “We also think that CyberSmart can play a key role in developing the SME cyber insurance space.”


“Cyber risks, particularly ransomware and malware attacks, are an ever-increasing threat to small businesses globally, with many SMEs facing a protection gap and lacking the knowledge, expertise, insurance coverage, and access to tools and resources to help protect their organisations,” said Carl Bauer-Schlichtegroll of Eos Venture Partners. “The CyberSmart platform is a complete solution to easily support and protect businesses, demonstrated by strong early traction with thousands of customers and large corporate partners already leveraging the platform. We are excited to partner with this exceptional team and co-investors, and look forward to working with the Company to build on their achievements to date, further cementing their position as a leader in the cybersecurity sector.”

“IQ Capital has supported CyberSmart since their seed round and we are tremendously proud of CyberSmart’s rapid growth within the underserved SME cyber protection market,” said Kerry Baldwin, Managing Partner at IQ Capital. “We are pleased to continue working closely and to support the team on their growth and international expansion alongside the new investors.”


Cybersecurity in hospitality – a growing issue?


COVID-19 has brought with it a notable rise in attacks on all businesses. Research from Deloitte reveals that the last 12 months have seen a sharp increase in ransomware, phishing attacks and attempted hacks. 

But there’s one industry that’s right on the frontlines of the fight against cybercrime: hospitality. Why is the industry so at risk? And what can be done to improve cybersecurity in hospitality? 

What are the risks? 

While hospitality businesses face many of the same cyber risks as other industries, they’re also at risk from a few that are fairly unique to the sector. 

There are the risks associated with the contact tracing requirements for COVID-19 that every hotel, bar or restaurant has to abide by. But there are also a few other threats that particularly impact hospitality: 

DDoS (distributed denial of service) attacks

The CCTV and surveillance systems many hotels and restaurants are reliant upon for customer safety are particularly vulnerable to this type of attack. 

Human error

With staff often handling dozens of transactions in a day and constantly juggling tasks, the risk of human errors that lead to breaches is high. 

DarkHotel

DarkHotel is targeted spear-phishing spyware that attacks high-profile business customers through the hotel's in-house WiFi network.

Alongside these threats, phishing and ransomware attacks are also very common amongst hospitality businesses. 

What evidence is there of the risk to cybersecurity in hospitality? 

Unfortunately, we’re not short of evidence on the risks to the hospitality sector. 

In the last few years, hospitality has ranked only behind finance and retail as the industry most targeted by cybercriminals. In 2018 alone, almost 514 million hotel data records were stolen or lost worldwide. The trend continued throughout 2020, with both Marriott and Prestige Software’s Cloud Hospitality platform suffering massive breaches. 

Why is hospitality under attack? 

Like most industries regularly attacked by cybercriminals, hospitality is seen as an easy target. A recent study into hacker forums revealed that hospitality chains Hilton and Marriott were included in 31% and 28% of mentions respectively in discussions on easy targets.  

What’s more, it’s borne out by the figures. To date, 423 million U.S. travellers have been victims of a cyberattack through their business with hotels. And 70% of hotel guests believe that hotels don’t invest enough in cybersecurity protection. 


So what’s going wrong?

A breakdown of hotel data breach areas revealed that 64% of breaches occur via corporate internal networks and 18% in both e-commerce and at point of sale. This suggests that the problem in hospitality is largely one of employee education and poor cyber hygiene. 

So is contact tracing safe for customers and businesses? 

With the adoption of contact tracing throughout the hospitality industry during the coronavirus pandemic, hotels, restaurants and bars have become a target. This is partly down to their large databases of customer information, but it’s also due to the relatively weak cybersecurity employed by most. 

Using the COVID-19 Guardian tool, cybersecurity experts assessed 40 contact tracing apps around the world and found them to pose risks to users: 72.5% of the apps had at least one insecure cryptographic algorithm and 75% contained a tracker that sent data to third parties. 


However, it’s worth noting that, despite the risks, all of the apps save Kyrgyzstan’s ‘Stop COVID-19 KG’ were free of malware. We’ve written at length about why the benefits of contact tracing far outweigh the risks here. But, in short, the privacy concerns relating to contact tracing are relatively minor and should be easy to iron out. 

What can be done to improve cybersecurity in hospitality? 

The good news is that the current baseline for security levels in the industry is low. This means that achieving better protection is relatively simple. 

Simply put, hotels, bars, and restaurants need to be better at the basics. This might sound easier said than done. After all, hospitality businesses tend to be populated by staff with great people skills, not cybersecurity experts. 

However, the five technical controls laid out in the Cyber Essentials certification process don’t require expertise and would dramatically improve most businesses’ security. These are: 

  • A secure internet connection
  • Control over data and services
  • Regular updates
  • Anti-virus and malware tools
  • Using the most secure settings on every device

In fact, it’s estimated that implementing these five steps can protect an organisation from up to 98.5% of the most common cyber threats. 

Beyond technical precautions, there’s another thing hospitality businesses could be doing better. As we mentioned earlier, the majority of attacks on hospitality businesses stem from internal networks or the point of sale. This suggests that staff either aren’t cyber aware enough to recognise a threat when they see one, or they’re engaging in risky behaviour themselves. 

The key to fixing this is employee education. If your people aren’t aware of which behaviours are harmful and risk a breach, they can’t correct them. And it doesn’t have to be complex or require a computer science degree. Even the most basic education on proper cyber hygiene, using secure passwords, for example, could mitigate most of the risks hospitality firms face. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


What can the UK learn from the US cyber insurance market?


Why is the US streets ahead of the UK when it comes to businesses adopting cyber insurance? And what can we learn from our American cousins? 

Why is cyber insurance important? 

To illustrate why cyber insurance is important, let’s compare it to a business insurance policy. It’s widely accepted that any organisation operating without business insurance is at best foolhardy and at worst crazy. There are so many potential things that could go wrong. 

You could be the victim of fraud, a workplace accident could lead to legal action against you, or an electrical fire could turn your hardware into a husk of melted plastic. The possibilities are endless and any one of them could seriously damage or even end your business.

It’s vital for your business’s health (and a good night’s sleep) to know you’re covered should the worst happen. 

The same is true of cyber insurance. We’re unused to thinking of it in the same way as business cover, but cyber insurance is becoming increasingly necessary. Up to 88% of UK companies have suffered breaches in the last 12 months, according to Carbon Black. Meanwhile, Hiscox reports that a UK SME is successfully hacked every 19 seconds. 


All this means that UK SMEs are experiencing double the number of cyber risks that they did in 2018, with the average cost of a breach also quadrupling. There’s a clear case for widespread cyber insurance adoption, so how are UK businesses doing? 

What does the cyber insurance market look like in the UK?

Given the risks we’ve just outlined, you might think that British businesses are clamouring for cyber cover. But, unfortunately, cyber insurance adoption is relatively low in the UK. 

There are a couple of reasons for this. The first is a simple case of awareness. As we mentioned earlier, getting business insurance is considered common sense by most organisations. However, awareness of the need for cyber insurance lags some way behind. We simply aren’t used to considering it as an everyday business cost. After all, if you’re lucky enough to have never been successfully attacked, why would you?

The second reason is the cost. A Deloitte survey, looking at 504 middle-market commercial insurance buyers, found that 41% of businesses claimed insurance costs were too high. And 33% of organisations reported ‘dissatisfaction with the service’.


However, it’s not all bad news. 41% of businesses still purchased cyber insurance after conducting a risk assessment. What’s more, a further 41% were prompted to buy a standalone insurance product by attacks on other industries. 

Why is the US ahead?

There’s an old adage that ‘everything’s bigger in America’. It’s usually said sarcastically by embittered Europeans, but when it comes to cyber insurance it’s true. 

Despite net premiums being low for an insurance market ($1.94b in 2018), the US market is growing fast. 40% of US businesses purchased cyber coverage in 2018, with a further 40% buying for the first time in 2019. During the same period, the average US cyber claim size shot up to around $181k for an SME and over $5.5m for a large business. 

So why is the US market more advanced than what we’re currently seeing in the UK?

It’s partly because the US is at the forefront of the fight against cybercrime. The US currently leads the world in data breaches with an average breach cost of $8.64 million and is the second most attacked country on earth after Germany. So for companies based in the US, cyber threats are seen as part and parcel of business. 


However, it’s also down to public perceptions of cybercrime. Many of the most high-profile cyberattacks have been on large American companies such as Twitter, Microsoft and Marriott, meaning cybercrime is given loud and regular media coverage. This makes the threat appear much more immediate than elsewhere.

What can the UK learn from the US?

Before we delve into what the UK can learn, it’s important to note that the US market has its limitations. As recently as 2017, 75% of SMEs in the US didn’t have cyber insurance, meaning adoption hasn’t always been as widespread as figures suggest. And there’s still some mistrust of the industry. For evidence, look no further than US pharma giant Merck, which found itself at the centre of a media storm after being denied a payout following a breach. 

But for the time being, at least, the US remains ahead of the UK market. So what can we learn? 

Close the expectation gap

First, UK insurers need to close the expectation gap between service and consumer within the industry. Many small businesses view themselves as not ‘valuable enough’ to be attacked. And insurers need to do more to convince SMEs that they’re being threatened because they’re 'vulnerable rather than valuable'. 

Update the industry model 

One of the biggest barriers to greater adoption of cyber insurance is the perception among SMEs that it’s expensive. 

The current cyber insurance model was created in the early 2000s, aimed at multinationals and large tech firms on the west coast of America. The world has changed a lot since then. In an age where even the smallest businesses are online, a new approach is needed. Insurance professionals need a better understanding of the financial limitations of their market and a pricing structure to suit.

Make it easier to address cybersecurity concerns 

Perhaps the greatest difference between the US and the UK market is how proactive US insurers are. In the UK, we tend to focus on educating businesses on the importance of cybersecurity rather than helping them to get cyber secure.

Cybersecurity can be confusing and for a small business owner, the prospect of going it alone can be daunting. So more needs to be done to guide businesses along the path to better cyber hygiene. For example, recommending all clients get Cyber Essentials certified is a great start. 

What does the future hold? 

Although the UK is currently behind the US, things are unlikely to stay that way for long. The US market is slowing. Meanwhile, many insurance brokers in the City of London are targeting cyber insurance as a key area for growth post-COVID. 

So are we about to enter a future where cyber insurance becomes as commonplace as business or contents insurance? That depends on insurers adapting the current, dated model in favour of an approach that supports SMEs. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cyber hygiene.


The Cyber Essentials questionnaire: are you prepared?

In 2015, a research team at Lancaster University concluded that 99% of cyber risks could be avoided through following a set of surprisingly simple security measures. These measures, or controls, make up the basis of the government's standard for security certification, Cyber Essentials, which is what we help businesses achieve here at CyberSmart.

However, there's a lot you can do on your own to prepare yourself for the Cyber Essentials assessment or just to improve your general cyber hygiene around its guidelines. We're going to walk you through some of the processes you will need to have in place when you complete the self-assessment for Cyber Essentials before it is reviewed by an assessor.

Keep in mind that the Cyber Essentials questionnaire is asking you to evaluate every device in your company (laptops, personal computers used for work, phones, the works) and whether it complies with the rules. If it is being used for work, it should be included.

Choose the most secure settings for your devices and software

☐ Know what 'configuration' means

☐ Find the settings of your device and try to turn off a function that you don’t need

☐ Find the settings of a piece of software you regularly use and try to turn off a function that you don’t need

☐ Read the NCSC guidance on passwords

☐ Make sure you're still happy with your passwords

☐ Read up about two-factor authentication

Control who has access to your data and services

☐ Read up on accounts and permissions

☐ Understand the concept of 'least privilege'

☐ Know who has administrative privileges to your data and on which machines

☐ Know what counts as an administrative task

☐ Set up a minimal user account on one of your devices

Protect yourself from viruses and other malware

☐ Know what malware is and how it can get onto your devices

☐ Identify three ways to protect against malware

☐ Read up about anti-virus applications

☐ Install an antivirus application on one of your devices and test for viruses

☐ Research secure places to buy apps, such as Google Play and Apple App Store

☐ Understand what a 'sandbox' is

Keep your devices and software up to date

☐ Know what 'patching' is

☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’

☐ Try to set a piece of software that you regularly use to 'Automatic update'

☐ List all the software you have which is no longer supported

If you can follow this guidance now, you can pass certification quickly and with flying colours. If you struggle with any of these steps, CyberSmart has helped guide hundreds of SMEs of all sizes and levels of experience through the same process, so feel free to get in touch. We offer a quick and simple step-by-step process so you can get Cyber Essentials certified today.

What is Cyber Essentials Plus?


If you’re a UK SME and part of a big supply chain or going for government tenders, you’re likely to be aware of the requirements of Cyber Essentials. The original Cyber Essentials certification was designed to provide businesses with the basics of cyber safety and ethical business practices online, from managing firewalls and user accounts to appropriately protecting the business against malware and data theft. To remain compliant with modern UK business requirements, Cyber Essentials is – well, essential.

But for businesses wanting to go beyond the basics and improve the safety and security of their business online, Cyber Essentials Plus is the answer. As one of the services we offer our clients, we deliver the Cyber Essentials Plus certification through IASME, and we know just how important the higher compliance standard represented by the ‘Plus’ certificate can be to your business.

What's the difference between Cyber Essentials and Cyber Essentials Plus?

So what exactly is the difference between the two certifications? It all comes down to the use of an independent auditor. Cyber Essentials Plus still requires businesses to comply with the same five factors as the non-Plus model. Known as technical security controls, these include:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

In addition to these basic requirements, Cyber Essentials Plus goes a step further than the self-certification of Cyber Essentials and requires an independent assessment of the business’s internal security controls to achieve this higher-level certification.

Why an independent assessment?

Robust credibility is the driving reason why Cyber Essentials Plus uses independent assessment, as this ensures companies are indeed compliant with the requirements of the Cyber Essentials scheme. The additional step not only improves the safety of the business but also helps authenticate the certification. By verifying that you are compliant, the resulting certification is more trustworthy than an in-house, self-assessed Cyber Essentials certificate.

Which form of certification is best for your business? If at all possible, upgrading from Cyber Essentials to the higher-level certification is the ideal choice for any company. Each assessment includes a vulnerability scan to ensure your business data and information are well protected. If you are genuinely committed to safer online and network practices, for your business and your clients, then investing in Cyber Essentials Plus certification could be your best move.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


GDPR Subject access request (SAR) - 6 steps to deal with it

A Subject Access Request (SAR) exercises the Right of Access, which allows an individual to obtain the records of their personal information held by an organisation. GDPR, which became applicable in May 2018, provides individuals with this right of access to information.

It is essential that your organisation is aware of the basics of SARs and can handle them effectively to avoid large fines. In this blog post, we provide a six-step practical guide on how you can deal with subject access requests under the GDPR in 2023.

  1. Recognise the request

The first step to responding to a SAR is to identify it. The GDPR does not specify how an individual can make a valid request for information. A subject access request can be written or verbal, and it can be made to any part of your organisation including social media.

Therefore, it is best to assume that if an individual asks you for their personal data, regardless of the channel or mode of communication, it constitutes a valid subject access request under the GDPR. It is advised that basic training on the GDPR should be provided to all staff members and managers within an organisation.

Your employees should be able to recognise a SAR and pass it on to the relevant focal person who can handle the request.

  2. Understand the time limitations

The GDPR requires you to respond to a SAR within one month, i.e. 30 days, of its receipt. You must get back to the individual with the requested information without undue delay.

However, you can extend this time period to up to three months if the request is complex, or if the same individual has made a high number of requests. In this case, you must inform the individual that you need more time within one month of the request to avoid any legal issues.

  3. Dealing with fees and excessive requests

You cannot charge a fee for providing information to individuals in response to a subject access request. However, there is one exception to this rule. If you receive a SAR that is ‘manifestly unfounded or excessive’, you can charge a reasonable fee to deal with the request or refuse to provide information at all.

There is still some speculation over what requests can be considered manifestly unfounded or excessive and therefore, it is advised that you take caution when refusing a SAR. Similarly, there is no certain threshold for the reasonable fee that you can charge. The ICO guidance suggests that it must be charged on the basis of the administrative costs associated with the retrieval of the requested information.

To be on the safe side, it is best not to charge a fee or refuse a SAR at all. But if you choose to refuse to deal with a repetitive SAR, then you should inform the individual within one month of receipt of the request, giving the reasons for refusal.

  4. Identify, search, and gather the requested data

The most time-consuming and labour-intensive part of responding to a subject access request is gathering the requested data. If an individual makes a broad request for access to all their personal data, then it can take weeks to identify and search for the information.

Personal data is defined as any information relating to an identifiable natural person under the GDPR. This broad definition makes it difficult to identify the information that you need to provide.

The ICO states that if an organisation processes a large amount of personal information, then it should ask individuals to clarify their request for information. Therefore, a good approach is to ask for additional parameters or specific pieces of information that individuals need from the SAR. However, it is important to understand that you will need to comply with the SAR even if the individual refuses to provide additional parameters.

It is advised that organisations allocate someone to be in charge of coordinating the process of gathering the requested personal data. Document management providers can help you carry out effective searches for data using the right date range and keywords. Even though these services can increase costs, they ensure that your organisation can meet the information needs of a SAR correctly and in time.

  1. Decide what information to withhold

A challenging aspect of responding to a SAR is deciding what information to withhold from the requester. After you have gathered everything, the next step is to filter out what you can lawfully hold back.

One particular concern is that you should not disclose other people's personal data when responding. The Data Protection Act (DPA) 2018 (Schedule 2, Part 3) provides that you are not obliged to comply with a SAR to the extent that doing so would mean disclosing information about another identifiable individual.

The exceptions are where the other individual has consented to the disclosure, or where it is reasonable to comply without their consent. When deciding whether to disclose information about a third party, balance the requester's right of access against the third party's rights, taking into account the type of information, any duty of confidentiality owed to them, the steps you have taken to seek their consent, whether they are capable of giving it and whether they have expressly refused. Where you cannot disclose, redact the third-party information rather than withholding the whole document: the requester is still entitled to the rest of their own data.

Section 45(4) of the DPA 2018 also lists circumstances in which the right of access can be restricted, for example where disclosure would obstruct an official or legal inquiry, prejudice the prevention or investigation of crime, or harm public or national security. Note that section 45 sits in Part 3 of the Act, which covers processing by competent authorities for law-enforcement purposes; for ordinary commercial processing, the equivalent exemptions (including crime and taxation, legal professional privilege and management forecasts) are in Schedule 2.

Therefore, be careful about what you disclose when complying with a subject access request. Know what you can lawfully withhold so that you neither breach others' privacy nor harm a legitimate public or national interest, and keep a note of what you withheld and why, since the ICO may ask for it if the individual complains.

  1. Develop and send a response

Once you have everything you need, the last step is to prepare and send the response. Along with a copy of the personal data itself, you need to provide the requester with:

  • The purposes of the processing (and, where you state it, the lawful basis you rely on).
  • The recipients or categories of recipient to whom the personal data has been, or will be, disclosed, including any in third countries.
  • The existence of the requester's rights to rectification, erasure, restriction of processing and objection, and their right to lodge a complaint with the ICO.
  • The period for which the personal data will be stored, or the criteria used to decide that period.
  • The categories of personal data concerned.
  • Where the data was not collected from the requester, any available information about its source.
  • Whether automated decision-making, including profiling, is used and, if so, meaningful information about the logic involved.

Most organisations will already have provided much of this information in their privacy notice and can reuse it from there, but check that it is accurate for the data actually found in the search.

The GDPR requires that the response be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Where the request was made electronically, provide the information in a commonly used electronic format unless the individual asks otherwise. Deliver it through a secure online portal or by encrypted e-mail rather than as a plain attachment: the bundle is itself a concentration of personal data that must not leak, so also check that the recipient address is the one you verified at the start of the request.

Conclusion

Understanding how to deal with a subject access request is an important part of complying with the GDPR in 2023. We have outlined a step-by-step process that you can use to comply with a GDPR subject access request from individuals.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

The 5 control areas of Cyber Essentials (minus the technical jargon!)

Step 1 to CE: Boundary Firewalls and internet gateways

A boundary firewall or internet gateway protects internal networks and systems against unauthorised access from the internet, providing a basic layer of protection for every device behind it. Every business network should have a properly configured firewall in place. The firewall inspects traffic crossing the boundary and blocks anything its rules identify as harmful or not explicitly permitted.

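The default-deny posture the excerpt describes, as an added example (not code from the CyberSmart post): a minimal nftables ruleset for a Linux boundary firewall that drops unsolicited inbound traffic from the internet, permits only inside-initiated connections and their replies, and restricts administration of the firewall itself to an internal management network. The interface names (eth0 for the internet side, eth1 for the internal side) and the management subnet 192.0.2.0/24 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the CyberSmart post: a minimal nftables ruleset that
# implements the boundary-firewall control described above. Interface names
# and the management subnet are assumptions for illustration.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # assumed internet-facing interface
LAN_IF="${LAN_IF:-eth1}"              # assumed internal interface
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"  # assumed admin network (documentation range)

# Print the ruleset rather than applying it directly, so the rules can be
# reviewed, version-controlled and syntax-checked before they are loaded.
render_ruleset() {
  cat <<EOF
flush ruleset

table inet boundary {
  chain input {
    # Default deny: traffic to the firewall itself is dropped unless allowed below.
    type filter hook input priority 0; policy drop;

    # Replies to connections the inside initiated; drop malformed state.
    ct state established,related accept
    ct state invalid drop

    # Loopback is always allowed.
    iif lo accept

    # Administer the firewall only from the management network on the internal
    # interface, never from the internet-facing side.
    iifname "$LAN_IF" ip saddr $MGMT_NET tcp dport 22 accept

    # Rate-limited ICMP so path-MTU discovery and basic diagnostics keep working.
    ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
    meta l4proto ipv6-icmp limit rate 10/second accept

    # Anything else arriving from the internet is dropped and counted, so blocked
    # attempts are visible in "nft list ruleset".
    iifname "$WAN_IF" counter drop
  }

  chain forward {
    # Default deny across the boundary: only inside-initiated flows and their
    # replies may pass.
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
}
EOF
}

# Number of chains carrying an explicit default-drop policy (2 when the ruleset
# above is intact). Lets the posture be checked without loading the rules.
count_default_drop_chains() {
  render_ruleset | grep -c 'policy drop;'
}

# Succeeds if some rule accepts the given TCP port inbound on the internet-facing
# interface; used to confirm no service has been exposed by accident.
wan_port_exposed() {
  render_ruleset | grep -E "iifname \"$WAN_IF\".*tcp dport $1 accept" >/dev/null
}

# Write the ruleset to a file and syntax-check it with "nft -c" when nft is
# installed (parses without loading). Loading for real needs root: nft -f FILE.
check_ruleset() {
  file="${1:-./boundary.nft}"
  render_ruleset > "$file"
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$file"
  fi
  printf '%s\n' "$file"
}
```

render_ruleset prints the rules so they can be reviewed and kept under change control, which is also what makes it possible to document and approve each inbound rule; check_ruleset parses them with nft -c when nft is present, and loading them for real (nft -f) requires root. The counter on the final WAN drop rule makes blocked connection attempts visible without any extra logging configuration.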
Why every company should get Cyber Essentials