A Subject Access Request (SAR) is the Right of Access allowing an individual to obtain records to their personal information, held by an organisation. GDPR, which became applicable in May 2018, provides individuals with the right of access to information.

It is essential that your organisation is aware of the basics of SARs and can handle them effectively to avoid large fines. In this blog post, we provide a six-step practical guide on how you can deal with subject access requests under the GDPR in 2023.

1. Recognise the request

The first step to responding to a SAR is to identify it. The GDPR does not specify how an individual can make a valid request for information. A subject access request can be written or verbal, and it can be made to any part of your organisation including social media.

Therefore, it is best to assume that if an individual asks you for their personal data, regardless of the channel or mode of communication, it constitutes a valid subject access request under the GDPR. It is advised that basic training on the GDPR should be provided to all staff members and managers within an organisation.

Your employees should be able to recognise a SAR and pass it on to the relevant focal person who can handle the request.

2. Understand the time limitations

The GDPR requires you to respond to a SAR within one month i.e. 30 days of its receipt. You must get back to the individual with the requested information without undue delay.

However, you can extend this time period to up to three months if the request is complex, or if the same individual has made a high number of requests. In this case, you must inform the individual that you need more time within one month of the request to avoid any legal issues.

3. Dealing with fees and excessive requests

You cannot charge a fee for providing information to individuals in response to a subject access request. However, there is one exception to this rule. If you receive a SAR that is ‘manifestly unfounded or excessive’, you can charge a reasonable fee to deal with the request or refuse to provide information at all.

There is still some speculation over what requests can be considered manifestly unfounded or excessive and therefore, it is advised that you take caution when refusing a SAR. Similarly, there is no certain threshold for the reasonable fee that you can charge. The ICO guidance suggests that it must be charged on the basis of the administrative costs associated with the retrieval of the requested information.

To be on a safer side, it is best not to charge a fee or refuse a SAR at all. But, if you choose to refuse to deal with a repetitive SAR then you should inform the individual within one month of the receipt of the request with the reasons for refusal.

4. Identify, search, and gather the requested data

The most time-consuming and labour-intensive part of responding to a subject access request is gathering the requested data. If an individual makes a broad request for access to all their personal data, then it can take weeks to identify and search for the information.

Personal data is defined as any information relating to an identifiable natural person under the GDPR. This broad definition makes it difficult to identify the information that you need to provide.

The ICO states that if an organisation processes a large amount of personal information, then it should ask individuals to clarify their request for information. Therefore, a good approach is to ask for additional parameters or specific pieces of information that individuals need from the SAR. However, it is important to understand that you will need to comply with the SAR even if the individual refuses to provide additional parameters.

It is advised that organisations should allocate someone to be in charge of coordinating the process of gathering requested personal data. Document management providers can help you carry out effective searches for data using the right date range and keywords. Even though these services can increase costs, it ensures that your organisation can comply with the information needs of a SAR in time and correctly.

5. Learn about what information to withhold

A challenging aspect of responding to a SAR is to decide what information to withhold from the requester. After you have gathered all the requested information, the next step is to filter out the information that you can legally hold back.

One particular concern is to ensure that when responding to a SAR, you should not disclose the personal data of other individuals. The Data Protection Act (DPA) 2018 states that you should not comply with a SAR if it would require you to disclose information about another identifiable individual.

The exceptions are when the other individual has given their consent to the disclosure, or the organisation finds it reasonable to comply with the request without the consent of the individual. When deciding whether you disclose the information about the third party, you should balance the GDPR’s right of access against the third party’s rights.

Other than this, Section 45(4) of the DPA 2018 specifies special cases when you can withhold personal data of an individual. These include cases when non-disclosure leads to obstruction in an official or legal enquiry, or protection of public or national security.

Therefore, you should be careful about the information that you provide when complying with a subject access request. It is important to understand what information you can withhold to prevent a breach of other’s privacy or to support the public or national interest.

6. Developing and sending a response

Once you have all everything you need for the subject access request, the last step is to develop and send a response to the individual. Organisations need to provide the following information to the requester:

• Legal basis for and purpose of processing the personal data of the individual.
• Third-parties to whom the personal data has been disclosed.
• Existence of the requester’s rights to the information including the erasure of the personal data and restriction of the processing of the personal data.
• Expected period for which the personal data will be stored.
• Categories of personal data.
• Information about the origin of the personal data.

Most organisations will have provided much of the information above in their privacy policy already and so can reuse it from there.

For sending out the response in 2023, the GDPR requires that you provide the information in a concise, intelligible, transparent, and easily accessible form that is understandable by the individual. Secure online portals or encrypted email are recommended ways to deliver the response securely and efficiently.

Conclusion

Understanding how to deal with a subject access request is an important part of complying with the GDPR in 2023. We have outlined a step-by-step process that you can use to comply with a GDPR subject access request from individuals.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

One of the five major controls for the Cyber Essentials Scheme is to configure and deploy a network firewall. A firewall is a network security system that creates a buffer zone between your company’s network and external networks. In simple terms, a secure zone is created between devices in an organisation and the internet.

Cyber Essentials requires that all devices that are connected to the internet should be protected with a firewall. We will explain this requirement and how to comply with it from a non-technical perspective.

Types of firewall 

Before we proceed forward, it is first important to understand the two types of firewalls that can be used. A personal firewall can be installed on internet-connected desktops or laptops. Typically, most operating systems come with a built-in personal firewall.

A boundary firewall or network firewall can be used if you have a mix of different devices in your organisation. This provides a protective buffer around your entire network. In most cases, you need to set up a hardware firewall i.e. dedicated firewall machine to deploy a boundary firewall.

Understanding how firewalls work

A point-of-entry for attackers is when devices communicate with other devices and services across networks. If you can restrict access to this communication, the risks of attacks are reduced. Firewalls can help you achieve this by ensuring that only safe and necessary network services can be accessed via external networks such as the internet.

A network firewall is a dedicated network device that restricts the inbound and outbound network traffic to external devices and services. It prevents desktops, laptops, and mobile devices within a network from accessing malicious or harmful traffic.

Firewalls achieve this accomplish this by implementing restrictions that are known as firewall rules. These rules allow or block incoming traffic into a network depending on its source, destination, and communication protocol.

Firewall requirements of Cyber Essentials

The Cyber Essentials certification requires businesses to use and configure a firewall to protect all devices, particularly the ones that are connected to public or untrusted Wi-Fi networks. Every device in this scope must be protected by a properly configured firewall.

To comply with Cyber Essentials, organisations must:

• Disable permissive firewall rules once they become obsolete.
• Make use of personal firewalls on devices that are on untrusted networks such as a public Wi-Fi hotspot.
• Block unauthenticated and untrusted inbound connections by default.
• Ensure that manufacturer passwords and default settings are reviewed and updated according to the organisation’s security requirements.
• Make use of strong administrative passwords for firewalls. This means that the passwords should contain a mix of upper and lower-case characters, numbers, and symbols. Alternatively, remote administrative access should be disabled altogether.
• Use firewall rules that are approved and documented by an authorised individual such as the security administrator.
• Restrict access to the administrative interface. The interface is used to manage and configure firewalls from the internet. If there is a business need to provide the access then the interface should be protected with:
  • Two-factor authentication.
  • An IP whitelist that limits access to the interface from a small number of devices only.

Conclusion

A firewall is used for securing devices within a network and mitigating the risks of outsider attacks.  Setting up a properly configured firewall is one of the first steps towards a Cyber Essentials certification.

If you would like to learn more about network firewalls and how to configure them for Cyber Essentials, contact us right away. CyberSmart partners with you to make your journey towards becoming a secure and compliant organisation simpler and easier.

A major challenge for startups is figuring out how to invest in cybersecurity.

Despite the financial constraints, it is essential for startups to keep their online security in check, because the consequences are frightening. Statistics show that about 50% of all cyber attacks target small businesses and startups. Often, this is because of a lack of written internal policies.

Without a security policy, there is no reference for what needs to be done when a security threat arises within your startup. An information security policy can be complicated and often expensive to develop, but it is a fundamental component of cybersecurity.

In this article, we present a free information security policy guide for startups.

What should the information security policy cover?

There is no single approach to developing an information security policy that fits all organisations. Despite this, there are certain aspects that every security policy for startups should cover:

• The security requirements that are going to be met, compulsory ones like GDPR and then either Cyber Essentials, ISO 27001, or the IASME Governance framework.
• Who is responsible for information security tasks? It can be an internal security expert or a third-party supplier..
• The startup’s long-term commitment to cybersecurity including what they aim to achieve through the introduction of the policy.

What should be included in the information security policy?

Even though there is no fixed format for an information security policy, given below are some key questions that you should consider when framing your security policy.

• Who is responsible for your startup’s security?
• What are your security objectives?
• How are security incidents reported and managed? How can you learn from them?
• What type of information do you handle? Does it involve customer information?
• What ways can you use to protect different types of information?
• How do you measure risks?
• How should internet, email, and other communication channels be managed to minimise risks?
• What training and awareness do the employees need?
• What responsibilities should be given to employees for securing information?

Areas to cover in an information security policy

There are five general subject areas that should be addressed in an information security policy for startups:

1. Security measures: Guidelines for virus protection, passwords, confidentiality of data, and levels of access to information.
2. Disaster recovery: Instructions on how to recover from a disaster such as a data breach. Methods of data backup, including how often they should be made, should also be included.
3. Standards for technology: Details about the types of hardware, software, and other digital systems that can be purchased by the startup. This area will also cover a list of trusted partners or vendors from where systems are to be bought.
4. Acceptable use of technology: How should technology such as smartphones, desktop computers, email, and the Internet be used. What are the results of misuse and how can security be improved by limiting access to such technology.
5. IT services: Information about who will be responsible for providing technical support to employees. Often, this is a member of the IT team, but can be an external partner as well. Guidelines regarding planning, installation, and maintenance of computer systems should also be covered in this area.

Conclusion

Startups are at a constant risk of cyber threats, particularly because of a lack of an effective information security policy. It is important to not only have a security policy in place, but to make sure that it addresses the specific needs of your startup and employees. If you have not developed an information security policy yet, you should consider doing so right away to minimise loss.

CyberSmart recognises the budget and time constraints that most startups have when developing their information security policy. By subscribing to one of our plans you will get access to our free policy packs, sign up today for access. We look forward to assisting you in designing a cost-effective information security policy for fortifying your startup’s security.

An information security policy is a set of rules and guidelines that an organisation issues for securing its confidential data. Employees of the organisation should understand and follow the information security policy.

In this article, we list effective ways that you can use to develop a information security policy, or beef up your organisation’s existing information security policy.

1.     Address the problem of password management

Many organisations, despite knowing about the existence of their security issues, are often confused on how to address them. It might sound obvious, but this is where most of a company’s security failings can be resolved.

For instance security policies must pay much attention to password management. Employees choose their own passwords and are then responsible to manage and control them. However they should be provided with the tools to create, store and access the range of passwords they may need to use.

According to a report by Verizon published in 2017 on data breach investigations, is where things take a turn for the worst. It says that more than 4 out of 5 data breaches are happening due to compromised or weak passwords. In addition, a survey has reported that almost 80% of employees find password management a hassle. An issue that can be easily solved with a password manager.

The scale of the problem here demands that organisations address the clear problem of password management in their information security policy.

2.     Use a holistic approach

As a modern business you should understand the barrier between work life and personal life is becoming more and more indistinct. This idea extends to information security as well. Technology departments must tailor security guidelines around the modern employees work behavior.

Concepts such as BYOD (Bring Your Own Device) are gaining traction nowadays. Organisations need to take a more holistic approach to their information security policies, which involves looking beyond employee work logs and company related passwords.

A single employee, whether in-office or remote, can put the entire organisation’s information security at risk. This makes every employee a possible point of failure for the entire network. The information security policy should take this into consideration and adequately address the risks associated with BYOD. Doing so will allow them to protect the company’s information against attackers.

3.     Educate the employees

Educating employees about information security is an important process when it comes to protecting your organisation’s data.

Regular training sessions that stress the basic concepts of security such as the risks of public networks and password management should be conducted. These sessions can be delivered by internal security experts or third-party security services, depending on the resources available to your organisation.

The most common types of data breaches are caused by the lack of education of employees. Therefore, you should incorporate training and awareness in the organisation’s information security policy. For instance, a security training program can be introduced that requires employees to attend monthly security sessions held within your organisation.

4.     Automate and simplify

Simplify what you can, and automate what you cannot. This simple rule can help you improve your organisation’s information security policy significantly.

A simple information security policy will go a lot further than a binder filled with complex security procedures. This is because employees are more likely to circumvent a complex security measure than a simple one.

You should first attempt to simplify anything that you can within the security policy. For instance, make it clear what the minimum length for passwords should be, rather than just suggesting the use of strong passwords.

For things that cannot be simplified, such as the process of validating online websites, you can make use of tools such as firewalls to prevent employees from violating the policy.

Conclusion

For businesses, information security in today’s world is more of a necessity than a luxury. It is important for an organisation to make a holistic yet simple changes in their approach to information security policies, to address concerns related to cybersecurity.

CyberSmart understands that managing your information security policy can be an excruciating task. If you would like to learn more about how to improve your information security policy, get in touch with us right away. We would love to help you polish your security policy for mitigating risks of cyber attacks.

Here’s what everyone should be doing in 2018 in terms of cybersecurity and data protection:

(more…)