
As the countdown continues to the May 2018 deadline for GDPR compliance, businesses are urgently looking at how IT can support their GDPR goals. The big questions they are asking are: What is my path towards GDPR compliance? How much will GDPR compliance cost my business? Will it hold us back? Find out how Microsoft Office 365 can support GDPR compliance while setting you up for increased productivity and growth.

“Keep your face to the sunshine and you cannot see a shadow.” ~ Helen Keller

GDPR: what you need to think about

It’s understandable to feel a bit overwhelmed with the looming shadow of the General Data Protection Regulation (GDPR) kicking off for serious in May 2018, with all the potential financial and reputational repercussions for non-compliant organisations. But what if this cloud has a silver lining?

Once you’ve grasped (hopefully sooner rather than later) that Brexit is likely to have zero impact on GDPR, you’ll need to consider the implications of GDPR on your business in the following terms:

  • What is your path to GDPR compliance?
  • What investment is required?
  • What do you need to change – particularly in terms of IT and data?

The cloud paradox

While a handful of traditional IT users may remain sceptical about the compliance and security advantages of cloud IT, the ambitious financial and professional services have been investing in it for years. And cloud software and services continue to get better and better as more people are moving more areas of their business to the cloud. Initially, perhaps, to address regulatory requirements for better business continuity, then to improve productivity, and finally to have a more agile business with cloud infrastructure itself.

So, here’s the thing. With Office 365, you can address the first two of those stages: working towards GDPR compliance and increasing your people’s productivity.

How Office 365 helps increase productivity

Let’s briefly look at the productivity aspect. Microsoft Office 365 gives you access to your business email, shared calendars, instant messaging, conferencing and file collaboration – wherever you happen to be. And the security aspects that address GDPR issues – more below – mean that your business can embrace BYOD, allowing your people to work on their preferred devices. All of these elements lead to a happier and more productive workforce, who can communicate and collaborate wherever and however works for them. And this is the key part – all without putting your customer and business data at risk, or exposing you to non-compliance fines from the Information Commissioner’s Office (ICO) and the inevitable reputational damage that ensues when word gets out.

How Office 365 helps address GDPR compliance

Office 365 helps you with three key aspects of GDPR compliance. It helps you:

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details. The legislation itself is complex and, in places, hard to understand.

However, it is underpinned by a set of eight straightforward, common-sense principles. If you make sure you handle personal data in line with the spirit of those principles, then you will go a long way towards ensuring that you comply with the letter of the law.

Does the Data Protection Act apply to me?

This might seem an obvious question. However, the Act applies to a particular activity – processing personal data – rather than to particular people or organisations. So, if you “process personal data”, then you must comply with the Act and, in particular, you must handle the personal data in accordance with the data protection principles. Broadly, however, if you collect or hold information about an identifiable living individual, or if you use, disclose, retain or destroy that information, you are likely to be processing personal data. The scope of the Data Protection Act is therefore very wide as it applies to just about everything you might do with individuals’ personal details.

Do I need to notify the Information Commissioner?

If you are processing personal data you usually have to notify the Information Commissioner about this. Failure to notify is a criminal offence.

Notification is how an organisation informs us of certain details about its processing of personal data. The Information Commissioner is required to maintain a register and we use these details to make an entry in the register describing the processing.

The main purpose of notification and the public register is transparency and openness. It is a basic principle of data protection that the public should know (or be able to find out) who is processing personal data, plus other details about the processing (such as why it is being carried out).

So notification serves the interests of individuals by helping them understand how organisations process personal data.

However, it is not intended (nor practical) that the register should contain very detailed information about an organisation’s processing. The aim is to keep the content general, with enough detail to give an overall picture of the processing. You only need to give more detail to satisfy specific statutory requirements or if there is particular sensitivity.

The Act provides an exemption from notification for some organisations. The exemption is available for:

  • organisations that process personal data only for:
    • staff administration (including payroll);
    • advertising, marketing and public relations (in connection with their own business activity); and
    • accounts and records;
  • some not-for-profit organisations;
  • organisations that process personal data only for maintaining a public register;
  • organisations that do not process personal information on computer; and
  • individuals who process personal data only for domestic purposes.

Are there any other exemptions from the Act?

The Data Protection Act contains a number of other exemptions from the rights and duties in the Act. You must process personal data in accordance with the Act unless one of these exemptions applies.

The exemptions either allow for the disclosure of information where there would otherwise be a breach of the Act or allow information to be withheld that would otherwise need to be disclosed. They are designed to accommodate special circumstances, for example when processing personal data:

  • in connection with criminal justice, taxation or regulatory activities;
  • that is required to be made public;
  • where disclosure is required by law or is necessary for legal proceedings; or
  • to provide a confidential reference.

It is important to note that each exemption is intended to apply only in very specific circumstances. So just because, for example, you are using personal data in connection with the criminal justice system or for regulatory purposes, you cannot disregard the whole of the Data Protection Act.

Even if you are entitled to an exemption for your processing, this will not be a blanket exclusion of the rights and duties in the Act. You will need to look at the exemption carefully, in the light of your particular circumstances, to see what effect it has.

Do I have to reply to a subject access request?

Yes, unless an exemption applies. One of the main rights which the Act gives to individuals is the right of access to their personal data. An individual may send you a “subject access request” requiring you to tell them whether you are processing their personal data and, if so, to provide them with a copy and with certain other information.

In most cases you must respond to a valid subject access request within 40 calendar days of receiving it. However, you do not have to grant subject access in respect of personal data to which an exemption applies. An exemption might apply because of the special circumstances in which you are processing (see previous page) or because of the nature of the data. This is sometimes the case, for example, with data relating to an individual’s physical or mental health.

In addition, certain restrictions similar to exemptions are built into the Act’s subject access provisions. For example, there are restrictions on the disclosure of personal data about more than one individual.

Subject Access Request Summary

What should I do if an individual complains about what I am doing with their personal data?

You should carefully consider such a complaint. It is good practice to provide a reasoned response to all complaints and, depending what the complaint is about, the Data Protection Act may require you to do so. The Act may also require you to stop, or change, what you are doing with an individual’s personal data following a complaint. In particular, you might have to:

  • correct or delete information about an individual which is inaccurate;
  • stop processing their personal data for direct marketing; or
  • stop processing their data completely or in a particular way (depending upon the circumstances).

What does “fair processing” mean?

The first data protection principle requires you to process personal data fairly and lawfully. Ensuring fairness in everything you do with people’s personal details is central to complying with your duties under the Data Protection Act. In practice, it means that you must:

  • have legitimate reasons for collecting and using the personal data;
  • not use the data in ways that have unjustified adverse effects on the individuals concerned;
  • be open and honest about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
  • handle people’s personal data only in ways they would reasonably expect; and
  • make sure you do not do anything unlawful with the data.

Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with you. Assessing whether the information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.

What is a privacy notice?

One of the requirements of the Act’s fair processing provisions is that certain information is given to the individuals concerned. The oral or written statement that individuals are given when information about them is collected is often called a “privacy notice” or a “fair processing notice”.

In general terms, a privacy notice should state:

  • your identity and, if you are not based in the UK, the identity of your nominated UK representative;
  • the purpose or purposes for which you intend to process the information; and
  • any extra information you need to give individuals (in the circumstances) to enable you to process the information fairly.

When deciding how to draft and communicate a privacy notice, try to put yourself in the position of the people you are collecting information about. Ask yourself:

  • do they already know who is collecting the information and what it will be used for?
  • is there anything they would find deceptive, misleading, unexpected or objectionable?
  • are the consequences of providing the information, or not providing it, clear to them?

Can I use personal data for a new purpose or disclose it to a third party?

It depends. You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will be able to use their personal data for the new purpose if it is fair to do so.

As you develop the goods and services you offer, you should think about whether your customers are likely to reasonably expect you to use their personal data to offer them these products. If you are unsure about this, you should explain your intentions and, at the very least, give your existing customers an easy way to opt out. If you intend to make a significant change to what you do with personal data, you will usually need to get your customers’ consent.

Individuals should generally be able to choose whether or not their personal data is disclosed to another organisation, unless one of the Act’s specific exemptions applies. If you did not make your intention to disclose information to a third party absolutely clear at the outset, at a time when the individual could choose not to proceed, then you will usually need to get the individual’s consent before making such disclosures.

Can I send personal data overseas?

You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK. However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data.

Must I encrypt all the information I store on computer?

Not necessarily. The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction. Encryption might be a part of your information security arrangements – for example, in respect of confidential personal data stored on laptops or portable storage devices. On the other hand, you might not need to encrypt data which always remains on your premises, provided you have sufficient other controls on who can access it and for what purpose. Even where you do encrypt personal data, you will probably need to take additional steps to comply with the Act’s information security requirements.

What should I do if I lose personal data?

If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on your systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. You will need a strategy for dealing with the breach, including:

  • a recovery plan, including damage limitation;
  • assessing the risks associated with the breach;
  • informing the appropriate people and organisations that the breach has occurred; and
  • reviewing your response and updating your information security.

Published with thanks to the Information Commissioner’s Office.

Greetings from Washington DC, where I’ve just seen Microsoft CEO Satya Nadella announce a fantastic new product that we’ve been developing with them from the UK. It’s called Microsoft 365 Business, and small-medium organisations concerned about cyber-attacks such as ransomware can now sleep soundly at night. But it’s not just that. With Microsoft 365 Business, they can also boost productivity, team collaboration and really nail successful remote working and BYOD.

We’re at Microsoft’s global partner conference, Inspire, where I’ll be picking up from Satya’s Microsoft 365 announcement today during two breakout sessions on Tuesday and Wednesday. I’ll be sharing the story of our work with customer The Association for Consultancy & Engineering (ACE), one of the first UK companies to adopt Microsoft 365 Business.

ACE were particularly concerned about security and data protection following Petya and WannaCry, the two recent ransomware cyber-attacks that knee-capped the NHS and threatened a UK advertising business, so they were doubly keen to join us in the trials. I think the growing number of cyber-attacks has left small-medium sized businesses in particular feeling deeply vulnerable. Unfortunately, that’s mainly because they are. Here’s an alarming stat for you:

“72 per cent of all cyber-attacks occur in businesses with fewer than 100 employees. Two thirds of those businesses (60 per cent) are likely to be out of business within six months.” – SmallBiz Trends

What is Microsoft 365 Business?

Let me explain what Microsoft 365 Business is and what it can do as succinctly as possible. Designed specifically for small-medium businesses (SMBs), Microsoft 365 Business is a cloud technology geared towards delivering a complete, intelligent and secure solution to empower employees. Always-on security backed by Windows Defender guards against cyber-attacks such as the ones I mentioned earlier. It also helps SMBs manage the changing compliance requirements surrounding the new General Data Protection Regulation (GDPR). So Microsoft 365 Business gives them back control over their devices and data.

Why did ACE like Microsoft 365 Business?

We worked with Sebastian Ailioaie, group digital manager at ACE, who highlighted three key areas where the business has benefited enormously from Microsoft 365 Business: 1) remote working/BYOD, 2) data security, and 3) being ahead of the competition. Let me pull out a quote from our press release:

“We now all enjoy working from our preferred machines and devices – whether we’re in the office or not – without worrying about leaving company data vulnerable. It’s good to feel confident that we’re always working with the latest, up-to-date technology. I feel like we’re leading the way in our industry now.” – Sebastian Ailioaie, group digital manager, The Association for Consultancy and Engineering (ACE).

What’s next with Microsoft 365 Business?

Today, Satya also announced that Microsoft 365 Business would extend from private to public preview from 2nd August 2017. So, here’s where this news is even better for our customers. Because we’re one of only three UK partners involved so deeply with Microsoft on Microsoft 365 Business, we can now offer preferred pricing to customers prior to full public launch, which I should think will be some time around end 2017/beginning 2018.

When we’re back in the UK next week, Charlotte Margree, our product manager, and I will be hosting a webinar where we’ll share in more detail how you can ‘Be better with Microsoft 365 Business’. And we’ll talk a bit more about where it’s helped ACE with their business challenges, too. Please get in touch if you’re interested.


Concerned with the increasing threat of cyber-attack, The Association for Consultancy & Engineering (ACE) is one of the first UK companies to adopt Microsoft’s newly announced Microsoft 365. ACE is piloting Microsoft 365 Business with Microsoft gold partner Cloud Direct, a UK cloud services provider (CSP).

During the past two months, ACE has worked with Cloud Direct providing feedback to Microsoft’s product development team. Designed specifically for small-medium businesses (SMBs) with up to 300 users, Microsoft 365 Business is a cloud technology geared towards empowering employees, safeguarding the business and simplifying IT management. Always-on security guards against cyber-attacks such as Petya and WannaCry. It also helps SMBs manage the changing compliance requirements surrounding the new General Data Protection Regulation (GDPR).

Sebastian Ailioaie, group digital manager at ACE, said: “We now all enjoy working from our preferred machines and devices – whether we’re in the office or not – without worrying about leaving company data vulnerable. It’s good to feel confident that we’re always working with the latest, up-to-date technology – especially with the alarming increase in ransomware. I feel like we’re leading the way in our industry now.”

Speaking this week at Inspire, Microsoft’s world partner conference in Washington, Will Rowley, Microsoft engagement specialist at Cloud Direct, said: “An alarming 72 per cent of all cyber-attacks occur in businesses with fewer than 100 employees. Two thirds of those businesses (60 per cent) are likely to be out of business within six months. We don’t want that for our customers. Microsoft 365 Business gives them back control over their devices and data.”

Microsoft CEO Satya Nadella today announced at Inspire that Microsoft 365 would extend from private to public preview from 2nd August 2017. Cloud Direct is one of only three UK partners who can provision a free or subsidised licence to customers prior to full public launch, expected to be announced end 2017/beginning 2018.

Find out more at next week’s webinar: ‘Be better, faster and safer with Microsoft 365 Business’ on Thursday 20th July, 1.30 – 2.00pm GMT.

Microsoft 365 brings together Office 365, Windows 10 and Enterprise Mobility + Security.

About Cloud Direct

Cloud Direct helps ambitious organisations adopt Microsoft cloud. Our clients know that the right technology can free them to grow – offering increased security, productivity and agility. But they also know caution. So our job is to make their cloud journey safe and affordable.

Since 2003, Cloud Direct has helped numerous organisations move their IT to the cloud. We are a direct gold Microsoft cloud services provider (CSP) partner. We hold ISO 27001:2013 (for security) and ISO 20000 (for service). At 75%, our Net Promoter Score is world-class, and we provide 24/7 support to ensure continual service delivery.

About ACE

ACE is a strong and influential business association. It currently supports approximately 450 member companies, giving them access to a wide range and depth of services including regular industry intelligence; debate and networking opportunities; legal, financial and insurance advice; and, most importantly, a representative voice. ACE’s powerful representation and lobbying of government, major clients, the media and other key stakeholders enables it to promote the critical contribution that engineers and consultants make to the UK’s social and economic infrastructure.

 




The weekend’s ‘global IT system failure’ will cost British Airways dearly – both financially and in terms of reputation. With aircraft and crew in the wrong places, connections lost, luggage missing and so on, the chaotic ripple effect of BA’s failed IT backup and disaster recovery solution will probably take weeks to resolve. But could it all have been avoided if BA regularly tested their backup and disaster recovery solution?

The disruption affected 75,000 people, with hundreds of flights cancelled from Heathrow and Gatwick, and delays continuing for days. And it’s not the first time that BA customers have suffered as a result of an IT outage. Last September, thousands faced lengthy check-ins, delayed flights and cancellations at London City airport after an overnight IT glitch.

The cost of BA’s IT system failure

On the first day of the crisis, Alex Cruz, British Airways chairman and CEO said: “Today we have experienced a major IT system failure that is causing very severe disruption to our flight operations worldwide. All of our check-in and operation systems have been affected.”

While acknowledging that it’s too early to quantify the cost to BA of this IT outage, the Financial Times (FT) puts the potential financial impact in context by comparing it to a similar problem Delta, the US airline, experienced last September, which triggered them to cut their profitability guidance for the third quarter. Delta then reckoned knock-on effects of the IT outage would cut pre-tax income by $150 million (£117 million).

So where did BA go wrong?

Backup and disaster recovery – how it works

At the time of publishing, BA is still investigating what caused the power supply problem, which triggered the outage – and what happened with its backup-system, which should’ve kicked in immediately, ensuring failover for near 100% business continuity. Unfortunately for 75,000 Bank Holiday weekend travellers, this was not the case.

Normally, this is how it would work. A business will write a business continuity plan, which will include an IT disaster recovery plan. The very process of doing this will highlight flaws in your IT and processes that need addressing.

For example, consider these 10 questions on disaster recovery planning every manager must ask. You may discover that your existing backup and disaster recovery solutions don’t fully comply with your industry regulations. The Financial Conduct Authority (FCA), for example, has stringent rules surrounding business continuity of banks.

Or perhaps, like Crondall Energy, you realise that hard copy tape backups just aren’t practical or secure enough for your business, and you should think about cloud backup. Or, like BA, the financial and reputational costs of business downtime might just be too much to risk not having a reliable disaster recovery solution in place.

Test, test, test: the importance of testing your disaster recovery plans

But it doesn’t stop there. It’s one thing having a top-notch disaster recovery plan in place. It’s entirely another thing to make sure that it works – and continues to work as your business and IT systems and processes grow or morph. And that’s where testing is business critical. After all, what’s the point in paying for disaster recovery if it’s not going to ensure business continuity?

Four key repercussions of failing to test your business continuity and disaster recovery are:

Cyber apocalypse averted, it’s now time to take stock of last weekend’s global Wanna Decryptor ransomware cyber-attack, and work out how you can make sure your business doesn’t end up in the same state of crisis as the NHS did.

How the NHS fell victim to ransomware

It was no secret that the NHS was vulnerable to attack. UK defence secretary Michael Fallon has said the NHS was warned on “multiple occasions”. The NHS’s own head of security, Dan Taylor, last year highlighted the risks of unsupported operating systems and reduced funding. And ransomware attacks are nothing new for the NHS. Even before this weekend’s attack, around 30 NHS trusts in England had already been held ransom to cyber blackmail.

Dan Taylor highlighted seven known data security challenges in the NHS:

  • Unsupported OS browsers
  • Inappropriate staff training
  • Poor leavers, movers and changes processes for staff
  • Too many privileged system accesses
  • Significantly reduced investment funding
  • Limited situational awareness of cyber preparedness locally
  • Social engineering – sophisticated spear phishing

In this instance, it was the NHS’s failure to apply the March Windows OS update that left them exposed to Wanna Decryptor. Unfortunately, this is unlikely to be the last of such attacks on the NHS.

What is ransomware?

Ransomware is used by blackmailers to demand payment from their victims in return for the release of their hijacked computers or systems. It can spread in many ways such as a link in an email or PDF, or a password-encrypted ZIP file which contains a PDF. These emails are sent under various guises, such as fake invoices, job offers, security warnings and undelivered email. Basically, the blackmailers encrypt your files so you can’t access them, then demand payment for the encryption key.

Our top 10 Ransomware tips to keep your business secure

On 25th May 2018, today’s Data Protection Act (DPA) will be replaced with the new General Data Protection Regulation (GDPR). This checklist highlights the 11 most important steps you can take now to make sure your data and processes remain compliant.

According to the Information Commissioner’s Office (ICO), if you’re already DPA compliant, then most of your approach to compliance will remain valid come May 2018. However, there are some differences in GDPR, which means you’ll have to do certain things for the first time and some other things differently. Before we get into the specifics, here’s an overview of the GDPR and what it means for businesses and individuals.

What is GDPR?

The point of the GDPR is to provide clarity and consistency for the protection of personal data. It imposes new rules on organisations that offer goods and services to people in the European Union (EU), or that collect and analyse data tied to EU residents, no matter where they’re located. The GDPR establishes:

  • Enhanced personal privacy rights
  • Increased duty for protecting data
  • Mandatory breach reporting
  • Significant penalties for non-compliance

What are the key changes with the GDPR?

There are four key focus areas of difference between GDPR and DPA compliance.

Personal privacy

With GDPR, individuals have the right to:

  • Access their personal data
  • Correct errors in their personal data
  • Wipe their personal data
  • Object to processing of their personal data
  • Export personal data

Controls and notifications

The new regulations are amended in terms of:

  • Strict security requirements
  • Breach notification obligation
  • Appropriate consents for data processing
  • Confidentiality
  • Recordkeeping

Transparent policies

GDPR requires that organisations provide transparent and easily accessible policies regarding:

  • Notice of data collection
  • Notice of processing
  • Processing details
  • Data retention/deletion

IT and training

Businesses will need to invest in:

  • Privacy personnel and employee training
  • Data policies
  • Data Protection Officer (if your business has 250+ employees)
  • Processor/vendor contract

So what do you need to do to make all this happen? We have helped businesses of all sizes become GDPR compliant. Find out how we can help your business.

Here are 11 areas the ICO flags as being key areas to review. We also help businesses similar to yours stay compliant.

11 things you must do now for GDPR compliance

1. Raise awareness across your business

The ICO urges businesses to start planning for GDPR as soon as possible, so you have time to address budgetary, IT, personnel, governance and communications implications.

Key people and decision-makers need to be aware of the new legislation, so they can understand the potential impact and identify areas that require attention for compliance. Start by looking at your risk register, if you have one.

2. Audit all personal data

Document what personal data you hold, where it came from and who you share it with.

The GDPR updates rights for a networked world. It makes organisations responsible for proving they comply with the data protection principles, for example by having effective policies and procedures in place.

For example, if you become aware that you’ve shared inaccurate personal data with other organisations, it is your responsibility to inform the other organisation about this inaccuracy so it, too, can correct its own records.

3. Update your privacy notice

When you collect personal data, you probably use a privacy notice containing DPA-compliant information such as your identity and how you intend to use people’s information. Under the new regulations, you’ll have to tell people some additional things compared to the DPA. For example, you’ll need to explain:

  • your legal basis for processing the data
  • your data retention periods
  • their right to complain to the ICO if they think there’s a problem with how you’re handling their data

So you’ll need to review your current privacy notices and put a plan in place to make any necessary changes by May 2015.

4. Review your procedures supporting individuals’ rights

The new legislation covers the same principles as the DPA, but with significant enhancements. The key thing here is to make sure you have the procedures in place so you can comply with, for example, an individual’s request to provide them with the data you have on them electronically and in a commonly used format.

The main rights for individuals under the GDPR are to:

  • allow subject access
  • have inaccuracies corrected
  • have information erased
  • prevent direct marketing
  • prevent automated decision-making and profiling
  • allow data portability (as per the paragraph above)

5. Review your procedures supporting subject access requests

Depending on the type and size of organisation, subject access requests could generate a logistical/administrative headache for many businesses.

Under the new rules, you are unlikely to be able to charge for complying with requests, and will have just a month to comply, rather than the current 40 days. There are also different grounds for refusing to comply with a subject access request, and if you refuse a request you need to have policies and procedures in place to demonstrate why the request meets these criteria.

You may want to consider conducting a cost/benefit analysis for providing online access to individuals.

6. Identify and document your legal basis for processing personal data

Under the GDPR, some individuals’ rights will be modified, depending on your legal basis for processing their personal data. For example, they could have their data deleted where you use consent as your legal basis for processing. So you need to understand the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

7. Review how you seek, obtain and record consent

If you rely on individuals’ consent to process their data, make sure it meets the standards required by the GDPR. If not, alter your consent mechanisms or find an alternative to consent. The GDPR is clear that data controllers must be able to demonstrate that consent was given. So you may need to review the systems you have for recording consent and ensure you have an effective audit trail.

8. Review the data you hold on children

For the first time, the GDPR will bring in special protection for children’s personal data. So if your organisation collects information about children under the age of 13, you will need parental/guardian consent to process their data lawfully.

9. Establish procedures to detect, report and investigate a personal data breach

The GDPR requires that all organisations notify the ICO of all data breaches where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. So you need to set up processes to detect, report and investigate breaches.

Note that failure to report a breach could result in a fine, as well as a fine for the breach itself.

10. Review your processes around Data Privacy Impact Assessments (DPIAs)

You may be required to carry out a privacy impact assessment (PIA) in a high-risk situation such as a new technology deployment, or where operations are likely to significantly affect individuals.

To prepare for such an eventuality, the ICO recommends you familiarise yourself with their PIA Code of Practice so you can work out how best to implement DPIAs in your organisation. Think about where it might be necessary to conduct a DPIA in your organisation. Who will do it? Who else needs to be involved? Should the process be run centrally or locally?

11. Appoint a Data Protection Officer (DPO)

If your organisation employs 250 or more people, is a public authority or is involved in the regular and systematic monitoring of data subjects on a large scale, you should appoint a data protection officer. The DPO should take proper responsibility for data protection compliance and have the knowledge, support and authority to do so effectively.

To find out how cloud IT can help you streamline your processes for GDPR, check out this blog: How cloud IT can help you prepare for GDPR

 


Protecting vital information is critical to your survival—no matter what the size or type of your business. Recent studies show that 93 percent of organisations that lose data because of a disaster go out of business within two years. Increasingly, businesses are adopting cloud backup solutions to address data protection challenges. Why?

The reason is simple: protecting data is difficult, expensive, unreliable, and unmanageable with traditional tape backup methods.

And the explosive growth of business data only increases the problem.

Cloud data protection solutions that combine the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organisations fast and assured recovery of their critical enterprise data, while reducing costs and freeing the IT staff to focus on more mission-critical projects.

Cloud server backup solutions also reduce the burden of tape management and backup operations, by automatically storing the data safely offsite to protect for disaster-recovery purposes. Consider these ten reasons to move to the cloud for data backup and storage:

1. Achieve disaster recovery with secure, offsite cloud backup

You think you’re doing everything right. You back up your data on a regular basis. You check to see that your backup equipment and configurations are up-to-date and working properly. You test your restores. Yet, when a pipe bursts in your building and spills water over your servers and backup media, you still lose all your critical data in one night. Even if you’re extremely careful about backing up your data, that’s only half of the process.

To truly protect your backup data, you also must move it offsite. Too many organisations store their backup media onsite, needlessly exposing their data to risk from fire or flood. The time and money that you must spend to recreate lost data can be costly, not only in terms of lost productivity, but also in terms of lost revenue and customer good will.

On the other hand, disk-based cloud server backup uses the cloud to automatically transfer data offsite for disaster recovery. Your backup data is immediately off-premises only minutes after being updated. No matter what type of disaster strikes your organisation, you can restore data from moments before the disaster occurred.

2. Free yourself from manual and complex tape backup tasks

The unpleasant reality is that tape-based backup is time-consuming and tedious. While organisations know that they must protect their data, those with limited IT staff would prefer to focus their time on more strategic projects central to the business, rather than monitoring the progress of manual backups, reviewing logs, and troubleshooting problems. “Set-it-and-go” cloud backup solutions reliably and automatically offload these functions, freeing staff to work with a more direct impact on your business—competitive advantage, productivity, and profitability. These solutions also standardise and automate the backup process throughout your organisation, without requiring IT staff at each location. A single backup application can protect both virtual and physical servers.

Besides freeing IT staff from manual chores, these solutions also provide IT with Web-based tools to manage and monitor all aspects of their server data protection. In addition, these solutions remove the burden of managing both a backup infrastructure and data protection process.

You can implement cloud backup solutions on a subscription basis from reliable third parties who offer them as managed services. The best of these managed services offer cloud backup with 24×7 coverage, proactive monitoring of data, instant scalability, predictable pricing, and no capital investment in traditional backup and recovery technology.

3. Get predictable costs and simpler budgeting

Cloud backup services are uniquely suited to address server data protection, including predictable monthly budgeting and costs. The service is completely automated, providing immediate backup of server data to an offsite location, and leveraging the vendor’s infrastructure and expertise. This also frees IT personnel to become better aligned with business goals.

The charge for cloud backup is a known monthly service fee, rather than the capital cost of acquiring software licenses for specific servers. This allows for simpler budgeting and predictable monthly costs. There are no costs for software, backup hardware, maintenance, or media with cloud backup. The service provider bears the cost of the infrastructure and storage devices—now and in the future—as its customers grow.

4. Count on reliable, guaranteed data recovery

If lightning strikes your building tonight, you must ensure that you can restore that day’s data. Unfortunately, if you rely on a nightly backup process, restoring that data completely is impossible.

How often do you test your internal backups? Could you fully recover your data?

Cloud backup solutions solve this problem by automatically transmitting changes in files and databases to a secure, off-site facility for more continuous backup. Your staff can achieve this level of backup with minimal effort—just set it and go—greatly increasing reliable protection of your organisation’s data.

The best cloud server backup solutions not only protect recently changed files that are closed, but also capture changes in open files and databases, which can represent some of your most important enterprise data. Such solutions do so without disrupting your process flow. In addition, they provide guaranteed recovery in their Service Level Agreements (SLAs).

5. Minimise the risk and cost of downtime

Data protection is not a single activity or a one-time event. It’s a complex workflow of interconnected processes that extend far beyond simple onsite backup, including the following steps:

  • Backup replication of critical data to another device
  • Transfer of the replicated data to an offsite location to protect it from human-made or natural disasters
  • Storage that both protects and organizes the data so that you can recover it easily and quickly
  • Recovery of replicated data from storage whenever and wherever needed

If your current data protection solution doesn’t address all of these steps, your organisation risks unacceptable exposure from partial protection that easily could result in costly, crippling downtime and the loss of irreplaceable data. Cloud server backup solutions offer a single low-overhead solution that addresses each step in the data protection workflow—and actually reduces the risks and cost associated with each step. These solutions provide the following benefits:

Is Arnie our friend?

Whenever I speak to someone outside the tech industry about AI, they often tend to fear the idea. This is mainly due to blockbuster movies, typically portraying a self-conscious robot disobeying its creators and transcending its coded boundaries of morality and discipline.

“Listen, and understand that Terminator is out there. It can’t be bargained with, it can’t be reasoned with, it doesn’t feel pity or remorse or fear. And it absolutely will not stop…” – Kyle Reese

The Terminator, i-Robot, Ex Machina to name a few. Beings created by humanity, to serve humanity but ultimately aiming to destroy it.

Why is it that the created wants to destroy its creator? Can we assume that having a higher level of intellect or being higher in the evolutionary tree would cause this? Probably not. Perhaps this view stems from the fear that artificial intelligence would exhibit its creator’s own violent nature. Either way, AI is cropping up everywhere in the real world and will continue to weave its way into our everyday lives.

The weak versus the strong

First, let’s clarify the difference between AI in the real world and AI in the films. Cinematic AI is known as ‘Strong AI’. It’s self-aware and exhibits the same (or advanced) capabilities of the human mind. We’re not even remotely close to being able to create such a mind. Without being able to fathom our own consciousness yet, how can we contemplate the creation of another?

‘Weak AI’ is in your everyday life.

For example, maybe you’re asking Siri, Alexa or Cortana (no bias) to research something for you. You could be searching for your favourite video online, using the vaguest description on Google. Or you might be calling your bank to pay off your credit card over the phone, using an automated system.

It can process and complete a variety of tasks based on a set number of rules, inputs and outputs. Using copious amounts of data, it has a defined and finite intelligence, providing convenience to end users.

Great! But what does the future hold?

From automated chat bots driving marketing reach and autonomous network monitoring increasing levels of digital security, through to automatic cross-referencing and data analysis reducing workloads in any industry, AI is making headway in improving business lives.

AI has been around for a while but it’s starting to come into its own – currently par/sub-human capabilities are being implemented to improve business or lifestyle. But what’s interesting is the ‘high/super-human’ capabilities we’re seeing creep in.

In March 2016 AlphaGo (Google’s DeepMind) beat the top human ‘Go’ player in the world, Lee Sedol, 4-1 in a game of ‘Go’ under Chinese rules.

Although an amazing technological accomplishment, this isn’t much use in the real world, unless you’re in the industry of ‘Go’. But if similar methodology is applied to another strategy-based activity (war, for example), we could see significant impact.

War, in its rudimentary form, is a game of at least two sides, each opponent using strategy, wits and cunning (alongside some form of rules), to battle it out until one is declared the winner. Although a slightly disturbing thought, progression in drone capabilities, autonomous vehicles and hydraulically activated robots means the idea of robots fighting and implementing strategy in war is no longer a theory dreamt up by Hollywood directors.

On a less morbid note, we’re already seeing AI being used to develop medical treatments, processing and analysing data faster than a human’s mind. As development continues, AI will be able to diagnose and discover disease, conduct research and produce suggested treatments. All it will need is data.

Improved healthcare, improved security, improved efficiency and best of all, no human error. Yes, machines may malfunction from time to time, but artificial intelligence based purely on perfect code and perfect algorithms, can’t fault if produced without human error.

I admit Cortana, Siri or Alexa may not understand what you’re asking but this is due to end user miscommunication or the Weak AI not having been fully developed by its human creator. Through machine learning and further development, Weak AI will slowly but surely have more super-human capabilities. How we choose to apply those is ironically limited by our own intelligence.

Use your head

I guess the point of this article is to urge you to embrace and think about AI. The next time you’re sat on a train with a moment to spare, why not jot down how AI can replace or improve something you do at work or home? Or let your mind drift to something AI could do that humans can’t.

There are several services you can try out – Caffe, Microsoft Cognitive Toolkit, DMTK, Deeplearning4J, the list goes on. If you think of an idea and fancy something new, develop it!

We know that the development of today’s artificial intelligence and its industry is lessened by our own limitations. Until we discover how to make Strong AI, we’re on our own. So, we may as well go alone, together. Let’s share our ideas and help make the world more convenient.

For all of humanity.