Wizuda Open Second Office in Castletroy, Limerick


Wizuda are delighted to announce the opening of our second Irish office, located in Castletroy, Limerick.  The company has taken the decision to open the Limerick office to service its growing client base outside of the capital.  Speaking about the expansion, Wizuda MD, Danielle Cussen explained, “With new client organisations throughout Ireland coming on stream every month, it makes sense for us to have a second base and the central Castletroy location meets our needs perfectly.”

If you are based in the Limerick/mid-west region and would like to arrange a meeting with a Wizuda team member, please get in touch.

Email Encryption becomes the law in Denmark from Jan’19

The Danish DPA announced that, from the 1st January 2019, companies will have to encrypt all emails that transfer sensitive personal data, or face sanctions.  This new rule is an interpretation of Article 9 (sensitive personal data) of the GDPR legislation.  This will give companies in Denmark, and companies doing business with Danish companies, five months to implement encryption technologies for their email systems.

The GDPR requires data controllers and processors to carry out assessments to examine the safety of personal information held on data subjects. Email encryption must be the default process if an email is holding personal or sensitive data. The Danish DPA states that, because of the increase in occurrences of emails being sent to the wrong recipients, encryption is the “most appropriate precautionary measure”. It is believed the legislation will apply to a large volume of emails sent by private sector companies. [Read full article here.]

The Ireland DPC and the UK ICO’s annual reports both show similar trends with regard to the most common data breaches: emails containing sensitive data being sent to the incorrect recipients.  Surely, therefore, it’s just a matter of time before these countries follow Denmark in enforcing email encryption?

Wizuda’s CFS has been built with privacy by design, includes safeguards to protect against such data breaches, and comes with full end-to-end automated email encryption as standard. Find out more here.

What if your business was ordered to “Cease All Processing”?

This is the question businesses need to be asking themselves when it comes to GDPR compliance.  Under the GDPR it is mandatory to report a data breach to the Data Protection Authorities within 72 hours of becoming aware of it.  The DPAs then have a responsibility to investigate each breach.  If they find the business has failed to put reasonable measures in place to be able to demonstrate compliant processes and avoid some of the most common breaches, then they will have to issue an enforcement.

Whilst everyone has been talking about the significant fines that can be enforced under the GDPR, the Irish Data Protection Commissioner Helen Dixon has warned that “DPAs have the ability under the EU General Data Protection Regulation to order companies to cease all processing when necessary. This remedy, she stated, may be used more frequently than the infamous administrative fines of up to 4 percent of global turnover. And it may be just as devastating to organizations, if not more so.”  [See full article here.]

For many organisations, being ordered to “cease all processing” would mean shutting down their entire operations and could potentially put them out of business e.g. outsourced services, payroll, financial companies, marketing to name a few.

If you haven’t already, now is the time to make sure you are protected from the most common data breaches such as emailing data to the incorrect recipients and not having adequate security measures such as encryption applied to sensitive data.  For information on how Wizuda can help, click here www.wizuda.com/gdpr-encrypted-email/

Think the GDPR is like Y2K? Think again!


The 25th of May 2018 has come and gone and most people are asking, “what about all the massive fines we were expecting to hear about?” or, “the GDPR was just another Y2K, there was a lot of hype but we’ve yet to hear of any enforcements, planes didn’t fall out of the sky” etc.

Be warned, just because we haven’t heard of enforcements and fines yet, doesn’t mean they aren’t coming.  An interesting article reported by the IAPP, based on feedback from Data Protection Authorities (DPAs) and rights groups, states that complaints and breaches reported to the DPAs/Supervisory Authorities have to go through a process which can take months before an enforcement is issued, with some DPAs stating they could take a minimum of six months from when the event is reported to when the fine or enforcement is issued. [see full article here].

In July, the Irish Data Protection Commission reported a significant increase in the number of data breach notifications they received since the GDPR came into effect [see here].   This isn’t surprising, given that the Accountability framework in the GDPR requires data controllers to report data breaches to the DPC within 72 hours of becoming aware of them.  Once received, the DPAs have to investigate and respond to each one.

So, applying the minimum six month wait time to these, the earliest we should expect news of fines and other enforcements, such as an order to cease all processing, would be the Dec 2018 timeframe.

Ensuring we can demonstrate compliant processes and put appropriate safeguards and technical measures in place to protect us from the most common data breaches reported by the DPAs, such as sending data to the wrong recipients, is the action we need to take if we haven’t already, because the GDPR is the law and unlike Y2K it isn’t going away.

To find out how Wizuda can help you avoid some of the most common data breaches – see here.

Failure to handle Subject Access Requests – #1 Complaint at the DPC’s Office

The Irish Data Protection Commissioner, Helen Dixon, has emphasised that the GDPR retains the requirement that DPAs handle every complaint lodged accordingly. This includes the failure to deliver on the rights of access, for example, which already comprise more than 50 percent of the complaints her office deals with now. [See full article here.]

Businesses have one month to respond to Subject Access Requests and need an efficient, transparent and compliant process for managing them.  It’s important that businesses put their customers first and can provide them with this information, but they also need to protect themselves.  For instance, businesses should ensure they have:

  • Full audit trails from when the request was received right through to completion
  • The ability to send the data digitally when the request was received digitally
  • The ability to send data securely and encrypt it
  • The ability to demonstrate how the ID was verified

If you haven’t already, now is the time to make sure you put the right processes in place for managing Subject Access Requests efficiently and compliantly. For information on how Wizuda can help, click here.

Data Breach Reports More Than Double Since GDPR

Sharp Rise in Data Breach Reports Since Start of GDPR.

Data breach reports have more than doubled since 25th May 2018. 

According to an article in the Irish Times on 30th July 2018, the Data Protection Commission (DPC) has received 1,184 reports of breaches since the GDPR came into effect on 25th May this year. In the 67 days since the new legislation went live, this averages 18 reports of data breaches per day, 126 per week.

Speaking about the report, Danielle Cussen, Managing Director of Wizuda, said, “The increase of data breach reports comes as no surprise with the rise in the public’s general awareness of data privacy rights and the fact that it is now mandatory under the GDPR to report breaches to the DPC within 72 hours of becoming aware of them.  It will be interesting to see if the types of breaches differ from the previous trends of breaches reported.”

Aside from the increase in breach reports, businesses throughout Ireland are eager to see the consequences under the GDPR, for those who are proven to be in breach.

Looking to the potential penalties for companies Danielle said, “It is expected that the DPC will have to make strict enforcements given the penalties outlined in the new legislation. It’s very useful for businesses to be able to read up on case law and get a practical understanding of the rationale that is applied with regards to enforcement.  For instance, the ICO in the UK have a very clear breakdown of the rationale behind the penalties they have applied since the GDPR came into effect (for further information click here).  This could give us some good insights in terms of what we can expect from the DPC in the coming months.”

The DPC are currently working their way through the increased breach reports. We have yet to be advised on the breakdown and nature of these breaches. However, of the 1,184 data breach notifications since May 25th, it has advised that the regulation applies in 953 cases.

Take a moment to review the most common data breaches reported in Ireland in 2017. Click here.
View Irish Times article here.

 

Abuse Victims Left Exposed by Significant Breach


Abuse Victim Exposure & £200k Data Breach Penalty Could Have Been Prevented.

Vulnerable abuse victims left exposed by significant breach caused by human error.

According to a report by BBC News in July 2018, the Independent Inquiry into Child Sexual Abuse in the UK has been fined £200,000 after sending a mass email that identified possible abuse victims.

In the reported incident, an inquiry staff member emailed 90 people using the ‘To’ field instead of the ‘Bcc’ field, which meant the email addresses of the victims were sent to the entire email group.

The Information Commissioner’s Office (ICO) said the incident that occurred in 2017 was a breach of the Data Protection Act.

Commenting on the breach, Danielle Cussen, Managing Director, Wizuda, said “This is a significant error on a number of levels. Most worryingly at a human level given the nature of the inquiry and the sensitivity of the individuals’ information. A group of vulnerable individuals had their email addresses shared with 90 people and over 50 of the email addresses contained first and second names. Anyone on that list could quite easily identify the individuals through a simple Google or social media search. This is most disturbing.”

She continued, “While this breach was caused by human error it is completely preventable. There are a number of safeguards available to government agencies and organisations that mitigate the risks of human error by implementing purpose-built data compliance measures into easy to use software solutions. Wizuda CFS is specifically designed to prevent this type of breach. When mails are sent with Wizuda, by default, recipients cannot see the email addresses of other recipients. There is also a simple retraction feature in the event of an email being sent to the wrong individual, so the recipient can no longer access the message.  In addition to this, you get full visibility over which of the recipients read or downloaded the message prior to the retraction providing instant visibility over the extent of the breach.”

If we consider the ICO investigation findings and the compliance failings that could have been prevented with the use of a dedicated IT solution such as Wizuda, we can clearly identify the benefit to state agencies and organisations of investing in such inexpensive compliance solutions.

The ICO found the Inquiry:

  • failed to use an email account that could send a separate email to each participant
    • Sending emails via Wizuda:
      • All recipients are automatically prevented from seeing the email address of other recipients
      • You are automatically prompted to reconfirm the list of recipients prior to sending
  • failed to provide staff with any, or any adequate, guidance or training on the importance of checking email addresses were in the “bcc” field
    • Sending emails via Wizuda:
      • All recipients are automatically prevented from seeing the email address of other recipients
      • Fully accessible training guides for all users available in the Wizuda portal
  • hired an IT company to manage the mailing list and relied on its advice that it would prevent individuals from replying to the entire list
    • Sending emails via Wizuda:
      • Wizuda includes a ‘no reply’ security feature to prevent this type of breach. This feature can be set as the default for certain cases, and the default cannot be overridden by the sender, thus removing the risk of human error.

 

The Wizuda ethos is “Because Data Deserves Privacy”. This case in point is live proof and testament to this.  State agencies and companies throughout the world have significant responsibility placed upon them given the data they hold. A simple email address shared incorrectly can have life changing effects on individuals and their families.

Take control of how your organisation shares files and have peace of mind you are operating compliantly and mitigating future data breach risks. Talk to Wizuda today and let us help you on your road to full compliance.

To read the original article, click here.

 

The 5 W’s To Assess If Your Data Transfers And Sharing Are GDPR Compliant


Just Eight Weeks Ago The Much Anticipated GDPR Legislation Came Into Effect. Companies Across Europe And Further Afield Scrambled To Seek Compliance In What Was Portrayed As More Disruptive Than Y2K.

While the deadline has come and gone, it was merely the start date from which companies need to be able to demonstrate GDPR compliance, and a lot of work is still required as compliance gets embedded further into everyday business processes and operations.

GDPR is not intended to act as a roadblock for business but rather to encourage businesses to drive transparency for data use and governance. It shifts how organisations have been approaching client data and aims to put the customer back at the forefront.

You May Have Updated Your Privacy Policy, But It’s Not Enough!

Wizuda’s 5 W’s aim to help you evaluate the where, what, who, why and when of your data transfers and file sharing operations.  For example, you can use them to assess whether your email processes are GDPR compliant.

1. WHAT?

First you need to understand – What personal data you process and store and if it includes special categories of data?

 

2. WHERE?

Next, you must know – Where your data is coming from? Where it is being stored? Where your data is transferred to? This should be considered both internally within your organisation as well as externally to third parties and so on. Is it being transferred outside of the EEA and if so are appropriate safeguards in place such as BCR, model contracts etc?

 

3. WHO?

Then you need to look at – Who has access to this data?  Who is it being shared with? Ensure to look at your entire supply chain e.g. Internal departments, 3rd party data processors etc.

 

4. WHY?

The next step is to understand – Why do those with access to this data have access? What is the legal basis for them having access e.g. is it for legitimate business purposes? Should this data be transferred or shared with them? Have the appropriate technical and organisational measures been applied e.g. data encryption, data minimisation?

 

5. WHEN?

And finally, you need to review – When were these transfers and data sharing arrangements authorised?  Are they still valid?  Have you got the right technical solutions in place that give you a full audit trail of your organisation’s file sharing and data transfer activities, including the authorisation workflow history for your compliance reporting?

 

Once you have assessed the 5 W’s of data transfers within your organisation, you will need to consider what your next steps should be. There will be many actions you will need to take to address compliance. Remember the GDPR is a regulation and if found to be non-compliant you risk significant fines.

To learn more about Wizuda’s GDPR Compliant solutions, visit https://wizuda.com/gdpr/

Wizuda Feature in the Sunday Business Post GDPR Special

Check out our latest article in the Sunday Business Post. Wizuda’s Managing Director, Danielle Cussen, discusses the importance of putting the right procedures in place to avoid data breaches.

By implementing a secure and compliant file share solution, businesses can demonstrate they are taking GDPR seriously, as well as mitigate against the most common data breach of emailing personal data to the incorrect recipient. Click here to sign-up for your free Compliant File Share trial today.

You can read the full article below.

Sporting Wizuda!

Congratulations to the Portlaoise RFC U-17s who claimed the 2018 Leinster Premier League Title.

In a close battle that saw the first try rule come into play, the Portlaoise U17s saw victory in Naas this week against their Navan rivals.

In an action-packed and highly skilled game, the match was bursting with intensity and kept us all on the edge of our seats, right up to and beyond the final whistle!

Speaking about the win, Wizuda Managing Director Danielle Cussen said, “It’s a fantastic achievement for the guys and we’re very proud to be the team’s sponsors. For the team to have claimed two out of three victories in the provincial competitions is a wonderful achievement.”

Commercial Director Mike Ross, who used to play a bit himself, said, “I’m delighted to see this group of young men win major silverware.  A lot of work goes into achieving something like this, and it’s a credit to them and their coaches.  Hopefully we’ll see some of them go on to wear the blue of Leinster and eventually the green of Ireland!”