Home Resources News

Data Privacy Week 2023

24 January 2023
This week NQA's Information Security Assurance Manager, James Keenan, discusses his two favourite calendar items in January - Burn’s night and International Data Privacy Week.
This week, from 24th to 28th January, is Data Privacy Week and the second since last year’s extension to Data Protection Day which has been held annually since 2007 celebrating the 1981 signing of Convention 108 - the first international treaty addressing privacy and data protection of individuals regarding the automatic processing of personal data.

The main aim of this week is to raise awareness and educate individuals and businesses across the globe on the importance of good online privacy. It also looks at how poor practices can lead to unauthorised exposure of personal data and cyber-attacks such as the recent high profile Ransomware campaign against the Royal Mail.

Education will always be the foundation to protect data. Technology can only do so much against a highly skilled persistent attacker and instilling strong controls with strong individual personal behaviours by people that understand why they are doing things such as Multi-Factor Authentication (MFA) is the starting point.

Individuals at home and at work combined with the technology that works behind the scenes to keep data secure is the best way to stop breaches. Everyone can help make technology work to its maximum by spotting and reporting things that don’t look right, don’t ignore that phishing email, report it to make sure that it doesn’t land in the next persons inbox where it may not be so easily spotted.

Businesses need to ensure they are processing personal data in line with all the applicable data laws which can seem daunting at first but like individuals the best way is to get the basics right and this is why the Information Commissioners Office has published a 7-step guide to getting started with Data Protection that will also serve as a reminder of the principles of data protection that all businesses should be following:

Getting started in data protection – the ICO’s top tips for beginners in business:
  1. Make a list – Start off by making a list of what personal information you hold or plan to collect. You need to be able to account for all of it.

  2. Ask why – There’s a balance to be made between what you want to do with people’s personal information, the benefits that brings to them and any harm that might be caused as a result. If you’re holding or using people’s personal information, it must always be fair as well as lawful.

  3. Think security - Check your security measures line up with the sensitivity of the information you hold. Put stronger security measures in place if the data poses a higher risk or is sensitive

  4. Be transparent - It’s essential to explain to people: why you hold information about them; what you'll do with it; and how long you'll keep it before safely disposing of it. This should also be recorded in a privacy notice.

  5. Know about subject access requests - People have the legal right to know what personal information you hold about them. Use our step-by-step guide on how to deal with a subject access request.

  6. Have a data breach action plan in place - If you lose personal information and it is likely to result in a risk to the people affected, you’ll need to report to us. Check out our guide on how to respond to a personal information breach so you know what steps to take in an emergency.

  7. Check in with us regularly - The ICO website is updated regularly to help you take simple steps towards improving your data compliance.

Whilst tucking into an early Burn’s supper of haggis, neeps and tatties at the weekend it struck me that haggis can in fact serve as a reminder of good data protection by doing the exact opposite of how most people tell me they consume it... most people don’t want to know what’s in it and never look too closely before enjoying its rich goodness.

If you are processing personal data you must look closely at everything around it, you have to look deeply and properly understand the who’s, what’s, where’s, why’s and how’s. The new ISO 31700 standard which will be released soon, will help businesses develop a Privacy by Design (PbD) framework to protect personal data through its entire life-cycle within a product and I will discuss more about its benefits in an upcoming blog.

If you are trusting people to process your data then it is to your benefit to understand what that person is doing with it, are you comfortable that they are processing it the right way with only the amount of your data they need in order to complete that task? Try requesting access to your data with a Data Subject Access Request (DSAR) to whoever is processing your data to find out it, it is an easy thing to do and will help you decide if your data is safe there.

How can ISO 27701 help your organisation protect data?

ISO 27701:2019 is a data privacy extension to ISO 27001 and provides guidance for organizations looking to put in place systems to support compliance with GDPR and other data privacy requirements. ISO 27701, also abbreviated as PIMS (Privacy Information Management System) outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy.

This standard reduces risk to the privacy rights of individuals and to the organisation by enhancing an existing Information Security Management System.

Implementing this standard is a great way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance to GDPR and other related privacy legislation.

Millions of people are unaware of how their digital activity and personal data are being collected and shared. Data Privacy Week gives the power back to the users.