Wednesday, 21 November 2018

New GDPR guidance published by the ICO about passwords and encryption under the GDPR

Passwords in online services

At a glance

Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing.

You should consider whether there are any better alternatives to using passwords.

Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.

There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.


At a glance

The GDPR requires you to implement appropriate technical and organisational measures to ensure you process personal data securely.

Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.

Encryption is a widely-available measure with relatively low costs of implementation. There is a large variety of solutions available.

You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption.

When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards.

You should be aware of the residual risks of encryption, and have steps in place to address these.

Visit the ICO at

Contact Chapter Three Consulting by calling 0330 004 0020 or email us at

Monday, 9 April 2018

GDPR Awareness e-Learning Course

GDPR specialists, Chapter Three Consulting are delighted to announce the launch of the GDPR Awareness e-Learning Course on the Eliademy training platform.
Learning objectives
The EU General Data Protection Regulation (GDPR) aims to give control of personal data back to individuals by addressing modern concerns about data protection in the digital age.
The way we use data has changed significantly over the last 20 years, specifically in relation to how personal data is acquired and dealt with.
Whilst cyber-attacks resulting in data breaches dominate the headlines the truth is that most data breaches occur due to human error:
  •         A dropped memory stick
  •         Sending something to the wrong e-mail address
  •         Adding data to the wrong Dropbox folder
  •         Not following a policy on encrypting data
  •         Not taking care of paper files while out of the office

In the digital age in which we live, the associated reputational damage arising from a data breach can be fatal to any business.
Target audience
The course provides a practical application of the GDPR. On completion students will understand the purpose of the GDPR and the best practice processes and procedures that are required to be followed when handling personal data.
The GDPR requires companies to record and monitor employee training and this is a vital aspect of evidencing that a company is complying with the GDPR. The learning platform is ideal for employees and individuals alike.
Course structure
Everyone needs to understand the care they need to take when handling personal data whether it be in the workplace or in their personal lives.
The course contains 8 Units covering:
  •         An overview of the GDPR and the rights of the individual
  •         The do’s and don’ts for information and Cyber security
  •        Best practice procedures for data access, handling and records management
  •         The risks of mobile working
  •         Employee responsibilities under the GDPR
  •         Incident management and disaster recovery

There are 8 Assessments, one for each Unit and students are emailed a certificate upon successful completion.
All this for only €49! or use this coupon for a 10% discount GDPR10%
Contact Chapter Three on 0330 004 0020 or for group pricing.

Friday, 19 January 2018

Chapter Three Consulting Become ISO 27001 Accredited

Chapter Three Consulting are delighted to announce that they have achieved ISO 27001 accreditation awarded by the British Assessment Bureau.

ISO 27001 is the internationally recognised Information Security Management Standard (ISMS) that proves an organisation’s commitment to the security of their customers. With ISO 27001 in place, Chapter Three Consulting are able to minimise risks to potential data security breaches and reduce errors and costs, while demonstrating credibility and trust.

An ISMS is a set of policies, procedures, processes and systems that manage information risks, such as cyber-attacks, hacks, data leaks or theft. Businesses have been encouraged to identify risks of all shapes and sizes for many years now, and once identified they must be managed, and risk mitigation must be considered.

Cyber-attacks are increasing in volume and strength daily, and the financial and reputational damage caused by an ineffectual information security system can be fatal. Implementing an ISO 27001-certified ISMS helps to protect an organisation against such threats and demonstrates that the necessary steps have been taken to protect the business.

An IBM Survey, allocates 49% of breaches to malicious activity, 23% to system glitches and the remaining 28% to human error.

The Standard is designed to ensure the selection of adequate and proportionate security controls that help to protect information in line with increasingly rigid regulatory requirements such as the General Data Protection Regulation (GDPR), the NIS Directive and other cyber security laws.

The benefits of certification to ISO 27001 include:
  •         Proving to clients an organisation keeps their information secure
  •         Achieve operational excellence
  •         Minimise risk of potential data security breaches
  •         Protects reputation
  •         Reduces errors and costs
  •         Increases business profitability
  •         Engages employees

The Standard also helps businesses become more productive by setting out clear information risk responsibilities and ensuring continual improvement.

Chapter Three Consulting are a business support consultancy who focus on bringing specialist knowledge and expertise to companies who wish to fulfil their compliance obligations.

Providing specialist compliance knowledge and GDPR expertise to SMEs they are able to assist with auditing, managing and maintaining compliance.

Visit the website or call 0330 004 0020 for more information