The below Data Processing Addendum as of 16th of May 2018 has been added to our contractual Terms and Conditions
This is our first version and may be updated as and when we feel it is appropriate.
Data Processing Addendum
Nectar Cloud Ltd is providing certain backup and/or disaster recovery services to the Customer that has received and accepted these Data Processing Terms.
This Addendum is entered into by Nectar Cloud Ltd and Customer and sets out the Data Processing Terms applicable to the Services; it forms part of and is subject to the agreement between Nectar Cloud Ltd and Customer relating to the Services (the “Agreement”).
Terms not defined in these Data Processing Terms shall have the meaning set out in the Agreement.
In these Data Processing Terms:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party;
“Customer Personal Data” means personal data contained in the customers’ files, folders and databases to be backed up through the Services;
“Customer Representative” means the person designated by Customer from time to time who will act as its primary contact regarding the performance of the Agreement;
“Data Processing Terms” means the terms set out in this Addendum;
“Data Protection Legislation” means the GDPR;
“Nectar Cloud Ltd” means Nectar Cloud Ltd Limited;
“GDPR” means the General Data Protection Regulation 2016/679 and/or any national implementing law or successor legislation to the GDPR in the UK;
“Services” means the services provided under the Agreement and includes (i) online backup of an encrypted copy of the Customer Personal Data to an off-site location (data centre) via software provided by Nectar Cloud Ltd and installed on the Customer’s personal computers and/or servers that are subject to the Services, and/or (ii) any disaster recovery services; and includes the technical support services related thereto.
“Sub-Processors” means third parties authorised under these Data Processing Terms to process Customer Personal Data in order to provide parts of the Services and any related technical support.
The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the GDPR.
- EFFECTIVE DATE AND DURATION
These Data Processing Terms shall become effective on 25 May 2018 (the “Effective Date”) and, until such time, all existing provisions in the Agreement in relation to data protection and privacy shall continue to apply between the parties. Upon the Effective Date the provisions of these Data Processing Terms shall supersede and replace (without any further action by the parties) the pre-existing provisions of the Agreement in relation to data protection and privacy.
- NATURE AND PURPOSE OF PROCESSING
The Customer expressly acknowledges and agrees that Nectar Cloud Ltd has no control or influence over the content of the Customer Personal Data, which may include, among other things, personal data and sensitive personal data (as defined under the GDPR) relating to the Customer’s or its customer’s own clients, customers, suppliers, employees, other personnel or other data subjects within the meaning of the GDPR. Should Customer wish to further categorise the data subjects or types of personal data to incorporate into these terms, it may provide such information to Nectar Cloud Ltd at any time.
The provision of the Services will include the collecting, recording, organising, structuring, storing in encrypted form, retrieving, erasing and destroying of Customer Personal Data for the purpose of providing the Services and any related technical support to Customer.
In relation to the provision of the Services by Nectar Cloud Ltd, the Customer or its customer is and shall be a Data Controller and Nectar Cloud Ltd is and shall be a Data Processor. In the event that the Customer qualifies as a Data Processor, Nectar Cloud Ltd will act as its sub-Data Processor and Customer warrants to Nectar Cloud Ltd that Customer’s instructions and actions with respect to Customer Personal Data, including the appointment of Nectar Cloud Ltd as another processor, have been authorised by the relevant Controller.
Customer instructs Nectar Cloud Ltd to process the Customer Personal Data in accordance with the Agreement and otherwise on the instructions of the contact persons designated by the Customer or such third party as the Customer has confirmed in writing (including email) is authorised to provide such instructions (an “Authorised Agent”), taking into account the nature of the Services, including any related technical support, and for the duration of the Agreement. Nectar Cloud Ltd shall immediately inform the Customer if, in its opinion, an instruction infringes the Data Protection Legislation. The Customer remains at all times fully liable for any instructions given by its contact person(s) or an Authorised Agent.
The parties acknowledge and agree that any instructions may be given by email or orally where the Customer or Authorised Agent is using Nectar Cloud Ltd’s technical support team, provided that Nectar Cloud Ltd shall keep a record of such oral instructions.
The Customer further acknowledges and agrees that it (and/or its customer if its customer (also) qualifies as the Controller) is responsible for determining the purposes for and manner in which the Customer Personal Data is processed and hereby undertakes that it and, where applicable, its customer has taken, and shall, throughout the duration of the Agreement, take all measures concerning the Customer Personal Data to ensure compliance with its obligations under the Data Protection Legislation, including the processing activities carried out by the Services and any authorisations required in respect of the provision of such Services by Nectar Cloud Ltd under these Data Processing Terms.
- NECTAR CLOUD LTD PERSONNEL
Nectar Cloud Ltd will impose and maintain appropriate contractual obligations regarding confidentiality on any personnel authorised by Nectar Cloud Ltd to access the Customer Personal Data.
Nectar Cloud Ltd will implement and maintain access controls and policies in order to restrict Nectar Cloud Ltd personnel processing Customer Personal Data to those Nectar Cloud Ltd personnel who need to process Customer Personal Data to provide the Services to the Customer.
- SECURITY MEASURES
Nectar Cloud Ltd has implemented and will maintain appropriate technical and organisational security measures based on ISO 27001 to prevent unauthorised access to the Customer Personal Data, unauthorised or unlawful alteration, disclosure, destruction or unlawful processing of the Customer Personal Data or accidental loss or destruction of, or damage to, the Customer Personal Data, in each case taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing pursuant to the Services.
Customer is solely responsible for its use of the Services, including securing the account authentication credentials, systems and devices (including the Protected Equipment) Customer uses to access the Services.
- STORAGE AND TRANSFERS OF PERSONAL DATA
Nectar Cloud Ltd shall store Customer Personal Data in datacentres located in the EEA (and/or the UK following its exit from the European Union).
Technical support services outside of normal business hours may be provided by a Nectar Cloud Ltd Affiliate located outside of the EEA. Where such services involve the processing of personal data in a jurisdiction which is not covered by Article 45 subsection 1 of the GDPR (being an “Adequate Jurisdiction”), such processing shall be done under another valid transfer mechanism under the GDPR including for example Nectar Cloud Ltd Affiliate entering into the EU Controller-to-Processor Standard Contractual Clauses with Customer at its request.
The Customer hereby specifically authorises the engagement of any Nectar Cloud Ltd Affiliate as a sub-Processor.
Customer also generally authorises the use of third party sub-Processors by Nectar Cloud Ltd, provided that:
- Nectar Cloud Ltd shall restrict the sub-Processor’s processing of the Customer Personal Data to processing that is necessary to provide or maintain the Services;
- Nectar Cloud Ltd shall enter into contractual arrangements with such sub-Processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein to the extent applicable to the processing activities being provided by such sub-Processor; and
Nectar Cloud Ltd shall maintain an up to date list of its sub-Processors relating to any Services it provides to the Customer. Nectar Cloud Ltd shall provide the list to the Customer upon written request.
Nectar Cloud Ltd will notify the Customer if any new sub-Processor is appointed after the Effective Date and Customer shall have the opportunity to object to the use of such sub-Processor. If the Customer:
- does not respond (in writing) within 30 days from the date of the notification, it will be deemed to have given its authorisation to the use of such sub-Processor;
- responds by refusing (in writing) its authorisation and a mutually acceptable resolution to such refusal cannot be agreed, it may terminate the Agreement for convenience or terminate the service or that part of the service which is provided by Nectar Cloud Ltd using the relevant sub-Processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new third party Sub-processor.
Notwithstanding sub-sections 7.1 to 7.4 above, and subject to applicable law, Nectar Cloud Ltd may freely use sub-contractors or suppliers that do not qualify as processors under the Data Protection Legislation (including but not limited to energy suppliers, equipment suppliers, transport suppliers, technical service providers, hardware vendors etc.) without having to inform or seek prior authorisation from the Customer.
Nectar Cloud Ltd will impose and maintain appropriate contractual obligations regarding confidentiality on any sub-Processors authorised by Nectar Cloud Ltd to access the Customer Personal Data.
- ASSISTANCE WITH DATA SUBJECT REQUESTS
The Customer acknowledges and agrees that it shall be responsible for compliance with any requests from data subjects under Data Protection Legislation.
Nectar Cloud Ltd agrees to provide reasonable assistance to the Customer without undue delay, taking into account the nature and functionality of the Services, in respect of the Customer’s or its customers’ obligations regarding:
- requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Customer Personal Data, provided that the Customer acknowledges that Nectar Cloud Ltd only holds the Customer Personal Data in encrypted form and cannot access the data without the Passwords, and any such actions shall therefore be performed by the Customer or an Authorised Agent on its behalf and not by Nectar Cloud Ltd;
- the investigation of any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of Customer Personal Data and the notification to the supervisory authority and data subjects in respect of such incidents;
- at the expense and cost of the Customer, the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority.
- DATA BREACH
If Nectar Cloud Ltd becomes aware of a security breach in relation to any Customer Personal Data which results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data, Nectar Cloud Ltd will notify the Customer without undue delay, providing sufficient information to enable the Customer to assess the breach and its obligations regarding notifying supervisory authorities or data subjects under the Data Protection Legislation. Such notification shall be provided to the Customer Representative. For the avoidance of doubt, Nectar Cloud Ltd shall not be required to notify Customer of any unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
Customer is solely responsible for complying with incident notification laws applicable to Customer under the Data Protection Legislation. Notwithstanding the foregoing, the parties will cooperate and provide all reasonable assistance with respect to complying with third party notification obligations under the Data Protection Legislation.
Nectar Cloud Ltd’s notification of or response to a data breach incident under this Clause 10 will not be construed as an acknowledgement by Nectar Cloud Ltd or any of its Affiliates of any fault or liability with respect to the data breach.
Any claims under this Addendum shall be subject to the same terms and conditions as the Agreement between Nectar Cloud Ltd and the Customer, including but not limited to the exclusions and limitations set forth therein.
- DELETION OF CUSTOMER DATA
Customer hereby instructs Nectar Cloud Ltd and any sub-processors to, within three months of the date of termination of the Agreement, delete all Customer Personal Data and upon request provide written confirmation (including by email) to the Customer that it has taken such measures.
By accepting these Data Processing Terms, Customer agrees that save as set out herein, all other terms of any Agreement remain in force. In the event of any discrepancy between these Data Processing Terms and the remainder of the Agreement, these Data Processing Terms shall prevail.
The Mission-Critical Data You’re Probably Not Backing Up
If you’re a backup admin, you’ve got network backup down pat. However, there are two critical data locations that you may not be backing up – either because you’re not sure how, or because you don’t know you should. These areas are SaaS/PaaS and mobile endpoints.
Here’s the problem in the proverbial nutshell:
- Not backing up for data protection. Your users are storing a lot of mission-critical information in your SaaS/PaaS infrastructure, and on their mobile devices. However, your SaaS/PaaS providers are likely not backing up your data past a few days. And you may not be backing up your mobile endpoints at all.
- Not backing up/archiving for eDiscovery and compliance. If you’re not backing up your mobile endpoints, you have no federated search capability. And although users may search their personal SaaS data, admins and attorneys have no federated search or legal hold capabilities.
Data protection and searchability are hard-wired into network backup. With 70% of organizations having either apps or infrastructure running in the cloud, per IDG, why is there a lack of backup for SaaS/PaaS and mobile endpoints?
The Challenge of SaaS and Mobile Endpoint Backup
Aren’t your SaaS and PaaS providers backing up your data? Not really. They’re doing a good job at keeping it available. Backing up? Not so much. Yet there is a lot of risk to your online data.
Millions of people use Office 365 for mission-critical work, and many organizations are only relying on Microsoft’s geo-distributed Database Availability Groups to protect against data loss from user error, ransomware, and other threats. This backup exists primarily so Microsoft can restore massive data volumes in case of a catastrophic event. This gap in its native capabilities can cause a multitude of operational, security and legal headaches down the road.
Microsoft does back up user data to a point. For example, SharePoint Online data is available for up to 29 days. And under certain conditions and within 90 days, Office 365 users can restore deleted messages and mailboxes. But after those time periods, you are out of luck unless you have set up complicated policies on your Office 365 account.
“As you move to cloud applications, unless you’re using one of the few SaaS data-protection solutions, your data has just gone from well protected to unprotected.” – Jason Buffington, Senior Analyst, Enterprise Strategy Group
To be fair, it’s not only Microsoft: most SaaS services, like Box, Salesforce, Google Apps, etc., suffer from the cloud backup gap. Although their cloud data is protected in case of corruption, this does not mean that your SaaS provider will be able to restore content in a way that meets your needs or internal service level agreements. Nor do they create individual customer archives for long-term data retention and searches. You will need to look to a cloud-to-cloud (C2C) backup offering to get the protection your data needs.
It’s the nature of the beast that employees will store data on laptops, tablets, desktops, and smartphones – yet mobile devices are at constant risk of damage, loss, and theft. Multiply that risk by the sheer number of devices out there: an average of 3 devices per employee. That’s a lot of mobile endpoints to protect. And BYOD (Bring Your Own Device) exacerbates the problem. How do you secure and protect an individual’s personal device without compromising personal information?
“… the dispersion of data — which can now be stored across millions of endpoints and cloud applications — is causing heightened concern within the enterprise. The decentralized nature of the modern enterprise is great for increased productivity among the workforce, but it has created a nightmare for business executives in terms of security and risk.” — IDC
Yet backing up endpoint devices is critically important to your business. You need a solution that will protect corporate data on employee mobile devices by capturing it, backing it up to the cloud, rendering searchable backup/archives, and enabling RTO/RPO in case of data loss or corruption.
Best Practices for SaaS/PaaS Backup and Endpoint Protection
Whether you are backing up from SaaS/PaaS or from mobile endpoints, look for the following capabilities in your solutions:
- Combine multiple views and backup administration in a centralized management console.
- Provide integrated data protection across hybrid clouds and multiple clouds.
- C2C should at least support Office 365, not only Exchange but also SharePoint Online and OneDrive.
- Extra points for additional SaaS support like Salesforce or Google Apps. And your mobile endpoint solution should cover laptops, tablets, smartphones, and desktops.
- Enable federated searchable archives. This capability supports eDiscovery projects and legal holds, as well as compliance investigations.
- Granular solution that backs up and restores files, folders, and volumes. Enable IT to assign different backup policies to differing RTO/RPO requirements.
- Highly secure cloud infrastructure with SAS-70, SSAE-16, or SOC1 certifications. Multi-zone redundancy is optional but attractive. Secure encryption in transit and at rest; robust user access security.
- Optimize WAN utilization with fast high-volume data transfers between the SaaS provider and backup cloud, and from mobile endpoints to the backup cloud.
- Remember AWS backup for long-term data protection and management. Public clouds are highly concerned with availability, but not with individual customer backup past 30-90 days.
There are several solutions out there that have these capabilities but differ in execution. Some offerings are SaaS offerings themselves and run exclusively from the cloud. Others are backup products that add C2C backup capabilities to their on-premise offerings. Some backup mobile endpoints only, others SaaS/PaaS only, and some do both.
Choose the solution or combination of solutions that works best for your data protection and business needs. To be sure, choosing and deploying the solutions you need can be time-consuming and complicated. Simplify it by partnering with a trusted provider for comprehensive C2C and endpoint backup.
by Trenton Baker
How to Keep Your Data Fit and Healthy in the Cloud
The importance of working with a cloud backup service that uses the best equipment, knows the right drills, and keeps your data active.
In the same way that simply signing up for a gym membership won’t get you into shape, the act of sending your data to a cloud backup service won’t, by itself, ensure that your data remains secure at all times, stays free from corruption, and survives any disaster.
When it Comes to Backing Up Your Data, the Details of Your Service Can Be as Mission-Critical as the Data Itself
So, you’ve backed up your company’s data to a cloud provider. Does that mean you can forget about it, cross off “Protect Corporate Data” from your to-do list, and promise your executives that you have the company’s mission-critical digital assets protected against all threats? Not even close.
Answers You Need Before Committing to a Cloud Backup Vendor
To be able to promise your executives that their data is secure in the cloud, you need to know:
- Does the cloud backup system you’re using keep all versions of your archived data? Or do they erase previous versions to save space?
- Can your backup vendor guarantee that the terabytes or petabytes of data you are backing up with their service will be in the same condition when you retrieve it as on its original backup date?
- What processes does this backup service have in place to ensure your data won’t be corrupted over time, as it sits passively on one of the company’s servers?
Nectar Cloud’s “Active” Approach to Data Backup
Your data is always on a rigorous fitness schedule, constantly kept “active” in our online backup vaults.
These vaults are like the strictest fitness trainers, keeping your data healthy 24/7 by continually checking for signs of corruption and, if they ever detect a problem with even a single file, jumping into action immediately to repair the file or sending an order to Production to re-seed it.
In other words, even though there is only a slim chance that your data could become corrupted, we are still monitoring it and keeping it active and healthy around the clock — just to be sure.
And, just as a good trainer won’t sign you up for any programs or recommend any expensive equipment you don’t need, Nectar Cloud also continually analyses your data to ensure your compressed versioning takes up the least amount of space needed in the Nectar Cloud vaults.
Finally, to complete this trifecta of healthy data, our systems can test-restore every single file — and every version of every file — in the Nectar Cloud vaults.
Yes, cold storage and backup can be cheap. But when the weight of your organization is on your shoulders, don’t entrust your mission-critical data to anyone but fitness-crazed, “active” backup providers like Nectar Cloud.
by Peter Ely Posted 10/10/2017
Agent Based or Agentless Backup, Which is Right for You (Part 1)
The Pros and Cons of Going Agentless and Working with Agents, Part 1 of 2
Contrary to what you might have heard, there is no one-size-fits-all answer to the question of whether to go agentless or to use agents in your backup installation. Under certain scenarios, it makes sense to deploy an agent-based backup configuration; in others, agentless is the way to go. Both sides of this argument can be correct, depending on the circumstances.
The good news is, Nectar Cloud can provide both agent-based and agentless backup installations — and, where it benefits our customers, we even deploy solutions using a combination of both configurations in tandem.
To help you decide which backup configuration makes the most sense for your business, I’m going to walk you through some of the pros and cons of working with agents versus deploying an agentless solution. Before we begin, here’s a brief explanation of what these terms actually mean.
What Do We Mean by Agentless and Agent-Based Backup?
In a backup solution, agents are the always-on background programs (running as a service or daemon), which automatically and at regular intervals package all of a system’s data files into a backup job — either as a single object or a set of objects. The server that the agent is running on is able to authenticate itself and does not require a username and password. If the backup solution is running across multiple production servers, these agents need to be installed on each piece of hardware.
Agentless backup, by contrast, involves the replication of data without the use of a service, daemon or similar process running in the background to enable the automatic backup jobs. Agentless backup also does not require the installation of these background programs (agents) on every server storing the data that needs to be backed up. But unlike agent-based backup, an agentless configuration typically does require the creation of a password-protected user account on each machine.
The Pros and Cons of Nectar Cloud Agent-Based Backup
Below are outlined the primary positives and negatives of working with an agent-based solution for backing up your business data. In the next post, I will do the same for agentless backup installations. Keep in mind, this discussion is specifically for Nectar Cloud’s industry-leading online backup solutions — other platforms will differ.
Positives of Agent-Based Backup:
- You can perform image-based backups. The big advantage here is that all of the information — all data, apps and even Operating System files — can be collected and backed up in a single backup set. Also, restoring a server in its entirety takes only a few clicks.
- The agent is scanning or detecting block-level change using resources on the target server and not the backup server or network.
- You can still do single-file restores with our image-based backup for the typical restore scenario of a single file.
- Your Recovery Time Objectives (RTOs) for entire servers or systems are easier to meet with image-based, warm-standby features.
Negatives of Agent-Based Backup:
- You will have to manage more software, because you will need agents installed on all production servers where you have data that needs backing up.
- Reboots are required for installs and agent upgrades, which can result in downtime.
- The agent will need to be constantly running and checking in with the backup server/repository. This can be a good thing, but it can also drain needed resources if the target server is under-specced or over-allocated with production processes.
- You cannot install an agent on a storage appliance. This means SAN and NAS devices cannot be protected with agent-based backup. Of course, if your SAN or NAS devices present direct-attached storage to your production servers, this will not affect your backup ability.
As you can see, there will be scenarios where an agent-based backup configuration will be all that your business needs to effectively and reliably back up (and be able to restore) your data.
But if any of the negatives listed here concern you, Part 2
by Peter Ely Posted 10/10/2017
Agent Based or Agentless Backup, Which is Right for You (Part 2)
The Pros and Cons of Going Agentless and Working with Agents, Part 2 of 2
In part 1 of this 2-part series, I introduced the concept that there is no single, always-correct answer to the question of whether to deploy an agent-based or agentless backup solution. Each type of configuration can make sense for different companies’ backup needs — and in some cases, what a company will need is a combination of both agent-based and agentless solutions.
I also discussed the primary positives and negatives of deploying an agent-based backup system. In this post, I’ll walk you through the pros and cons of agentless backups. Bear in mind, though, that these refer specifically to Nectar Cloud’s industry-leading online backup solutions — other backup platforms will differ.
Before we delve into the pro-con discussion of agentless backup, let me briefly recap the definitions of “agent” and “agentless” in the context of data backup.
An Overview of Agentless and Agent-Based Backup
In data backup, an agent is an always-running software application on a server, which packages data files into a single backup job. An agent can automatically authenticate the server, without the need for a username and password. But to perform companywide backup, agents must be installed on each production server.
Agentless backup is a solution that backs up data without an agent running in the background. This means you will not need to install a separate piece of software on every production server to perform regular, automatic, companywide backups of all of your data, applications and OS files. But unlike agent-based backup, an agentless configuration typically requires the creation of a password-protected user account on each machine.
The Pros and Cons of Nectar Cloud’s Agentless Backup
Here are the primary positives and negatives of working with an agentless solution for backing up your business data. (Please see the previous post for a pro-con discussion of deploying an agent-based backup.)
Positives of Agentless Backup:
- Agentless backup requires only admin/root credentials to perform application-aware backups. This means you will not need to install backup agents on each production server or other target system.
- Because you won’t need to install or manage agents on your servers, you won’t need to perform any reboots of your servers after installing backup software.
- Agentless backup does not require or drain as many resources on your target servers when the system is running its automatic backups.
- Unlike with an agent-based configuration, you can back up storage appliances such as your SAN or NAS devices.
Negatives of Agentless Backup:
- Agentless backup does not currently support image-based backups — only bare metal. This means the recovery time can be a bit longer. Of course, this might not be a problem for your less critical systems, or if your organization has a longer Recovery Time Objective (RTO).
- Network usage will be higher with an agentless backup solution than with an agent-based configuration, because the system’s regular scanning for changes in your data (which it will automatically back up) happens over the network.
As I hope I’ve made clear in this and my previous post, most small and large networks could benefit from using both agentless and agent-based technologies in different circumstances. When you find that perfect solution for your business, make sure you have the freedom to grow your backup environment with agentless and agent-based backup.
Nectar Cloud offers both — and we make sure that our clients are implementing the right technology in the correct places. The freedom to use one solution or both will make things a lot easier for your business, and your IT team, in the ever-evolving corporate backup game.
by Peter Ely Posted 10/10/2017
MiFID II regulations (Call Recording)
What does your organisation need to record?
Currently the FCA mandates that fixed-line and mobile calls must be recorded. However, under the new MiFID II regulations it will be required that all conversations ‘that are intended to lead to a transaction’ are recorded, broadening the previous mandate of ‘client orders and transactions’. MiFID II also covers other communications such as mail, fax, email or audio recordings of client orders placed during face-to-face meetings that are intended to result in a trade.
Storage of the recorded calls for your organisation
Under the MiFID II regulations, recordings must be stored for a minimum of five years from the date the record was made, and in some cases seven years. All records must be kept in a ‘durable medium’ so that they can be effectively monitored for compliance, and they must be easy to replay or copy if required. The original recording cannot be deleted or altered; it must be stored in a way that makes it accessible and readily available to the FCA on request.
Under the new rules, all your recordings will need to be monitored on a periodic basis. The monitoring is specified as ‘risk-based and proportionate’. Organisations will also need to prove that the appropriate policies, procedures and management of recording rules are in place and that management has clear oversight of these. Organisations must then periodically re-evaluate the effectiveness of their recording procedures and adopt alternative or additional measures if necessary.
The original MiFID II proposals would have made all retail financial adviser firms and corporate finance boutiques record telephone conversations with clients and prospects.
Advisers and industry bodies had lobbied against these plans, saying that they were disproportionate and would be difficult for smaller advisers to comply with.
Now, however, the Authority has asked for consultation feedback on the new rules, and the statement released this week says that ‘Having considered consultation feedback in the context of MiFID requirements, the FCA agrees that the business model of many of these firms means that a full taping obligation may not always be appropriate’.
Retail financial advisers will now be able to choose whether they tape all relevant phone conversations or, alternatively, take a written note of them.
Do the changes apply to all MiFID II firms?
The flexibility only applies to smaller firms, and not to ‘MiFID investment firms who can be characterised as retail financial advisers’.
The full detail around what is required in the notes is still being determined.
Record-keeping to be tightened up
However firms choose to comply, the FCA made it clear in its statement that the notes will need to meet the objective of ‘advancing our consumer protection objective. Firms will not be able to rely solely on their current record keeping requirements to meet this objective’.
So more rigour around phone call record-keeping will be needed, however you choose to approach the regulations.
The regulator will include its finalised rules on taping in a policy statement scheduled to be published in June.
On the above article
This article may no longer be up to date, so the information and advice above might be out of date. You should contact the appropriate governing body for further updates and advice, or contact Nectar Cloud if you have any questions about the storage of call recordings.
The WannaCry Ransomware Virus: What You Need to Know
Is Your Data Secure?
The recent ransomware attack labeled “WannaCry,” or “WannaCrypt,” is now being called one of the worst and most widespread pieces of malware ever seen by security experts, according to CNN.
The virus has already caused some UK hospitals to cancel outpatient appointments, while close to 30,000 institutions in China as well as global firms such as FedEx also report being infected.
Cybersecurity researchers indicate the virus is supported by some of the same code used in the 2014 hack of Sony Pictures, raising the possibility that the hackers have a connection to North Korea.
So far most attacks have occurred in Taiwan, Ukraine, and Russia, according to cybersecurity firm Avast.
The ransomware works by locking all the files on infected computers and servers, and demanding $300 in bitcoin in order for users to regain control.
U.S. Homeland Security reports that only about $60,000 (US) has been paid in ransom thus far – an indication that the hackers are relatively unsophisticated; however, no evidence yet exists that any payment has led to data recovery, suggesting they are simply absconding with the money.
Researchers from across the world now report more than 300,000 computer and server infections in approximately 150 countries.
According to the Los Angeles Times, the virus exploits a vulnerability in the Windows operating system first developed by the US National Security Agency and later revealed to the world by hackers who stole the information from the NSA.
Groups as disparate as Microsoft executives and Russian President Vladimir Putin, whose Interior Ministry has been reported to be a victim of the attack, have therefore blamed the U.S. government for creating the ransomware virus.
The virus spreads through a vulnerability in the Windows OS known as “Eternal Blue”. Microsoft released a patch for it last month, but computers not updated with the patch remain vulnerable as the virus travels the Internet searching for hosts.
As of this writing, the virus is still spreading, though it has slowed considerably as users hasten to install the Microsoft update patching the vulnerability.
Are You At Risk?
The WannaCry virus is particularly insidious because users don’t need to click on a phishing email to get infected. It’s not just a virus; it is also a worm. WannaCry can simply slip into your Windows PC or server through the unpatched gap in your Microsoft OS.
The National Cyber Security Centre has created this guide on how to deploy the latest security patch.
Particularly vulnerable are computer networks such as those found in schools, hospitals, and businesses. Security researchers say the ransomware spreads through the standard file-sharing protocol used by Windows PCs, Microsoft Windows Server Message Block (SMB).
How to Protect Your Business
Presently, the only known way to protect against the WannaCry virus is to download the latest Windows software update to install the patch. Additionally:
• Be sure you’re running anti-virus software.
• Implement an off-site backup and recovery solution for critical data.
• Filter for .exe attachments in emails.
• Encrypt sensitive data.
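Because WannaCry spreads by probing other machines over SMB, a host that suddenly opens connections to many distinct neighbours on TCP port 445 is a useful signal for your IT team to alert on. The following is an added example (not code from the original article or from Nectar Cloud) that runs that check over a constructed firewall log; the log format, addresses, threshold and time window are all assumptions.

```python
"""Flag worm-style SMB scanning in firewall logs.

Added example, not part of the original article.  One internal host
reaching many *distinct* hosts on TCP 445 inside a short window is the
pattern an SMB worm such as WannaCry produces; a workstation talking to a
single file server on 445 all day is not.  The log format below is
constructed for this example: "<ISO timestamp> <src> -> <dst>:<port> <action>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # sliding window length (assumption)
THRESHOLD = 20                   # distinct 445 targets per window (assumption)


def _constructed_log() -> str:
    """Build sample log lines; every address and timing here is made up."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    # Normal: a workstation repeatedly talks to one file server on 445.
    for i in range(40):
        lines.append(f"{stamp(i)} 10.0.0.7 -> 10.0.0.10:445 allow")
    # Normal: HTTPS to many hosts is not SMB and must be ignored.
    for i in range(40):
        lines.append(f"{stamp(i)} 10.0.0.8 -> 203.0.113.{i}:443 allow")
    # Normal: an admin box touches 25 hosts on 445, but only one every 2 min.
    for i in range(25):
        lines.append(f"{stamp(120 * i)} 10.0.0.9 -> 10.0.0.{50 + i}:445 allow")
    # Worm-like: one host probes 30 distinct neighbours on 445 within 30 s.
    for i in range(30):
        lines.append(f"{stamp(i)} 10.0.0.5 -> 10.0.0.{20 + i}:445 deny")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _constructed_log()


def parse_line(line: str):
    """Return (timestamp, src_ip, dst_ip, dst_port, action) for one log line."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_smb_scanners(log_text: str, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> dict:
    """Return {src_ip: peak distinct 445 targets} for sources whose peak
    number of distinct SMB targets inside any sliding window >= threshold."""
    events = defaultdict(list)            # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                        # time order for the sliding window
        in_window = Counter()             # dst -> hits inside current window
        start, peak = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events older than the window from its left edge.
            while ts - evs[start][0] > window:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT possible SMB worm: {src} hit {n} distinct hosts on 445 "
              f"within {WINDOW.seconds}s")
```

Tune the threshold and window to your own network before relying on it; the point is that distinct targets per window, not raw connection counts, separates a worm from a busy file server.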
EU General Data Protection Regulation (GDPR)
Everything you need to know about GDPR & compliant data backup for EU businesses
Guide to the new EU Data Protection Legislation (GDPR)
What you need to know and what you need to do to ensure compliance
Introduction and overview
Expected to come into effect in the very near future, the EU Data Protection Regulation will have far-reaching consequences for anyone working with personal data in the EU and beyond. The legislation has been developed with a specific goal in mind. It is intended primarily to harmonise legislation across the EU and remove unnecessary obstacles that are currently in place due to multiple pieces of legislation. It’s anticipated that this regulation could simplify the legalities surrounding cloud computing, reducing administrative issues. Cloud computing is becoming more attractive to more businesses and the arrival of a solid legal framework is a welcome addition for businesses of all sizes.
Reviewing your operations with this legislation on the horizon is very important. You must ensure that your organisation is extensible and agile enough to handle any changes like this. By setting up your system to be ‘designed by default’ in this fashion, you won’t be forced into making poorly thought-out changes too quickly. Overall, the law reaffirms the protection of the consumer’s personal data as well as reducing administrative red tape for companies of all sizes. There are serious implications for organisations who process European citizens’ data and do not react to the legislation. And with fines up to €1,000,000 or up to 2% of the annual worldwide turnover for those who don’t comply, you need to start planning your strategy now.
In this paper, we’ll assess the major elements of the legislation and what it will mean for your business. We’ll consider it in the context of the 3rd Platform and identify how strategic application of cloud services like storage and sharing can ensure a secure and successful transition to compliance. Considering the increasingly crucial role of the cloud provider, we also assess the criteria for choosing your cloud provider or data processor.
Defining the terminology
As with any legal document, the precise wording is very important. In the paragraphs below, we’ve outlined the three core issues at hand and we address their relevance in straightforward terms.
Art. 4.1 and 4.2 define ‘Personal Data’. In this context, all information that relates to a person who is identifiable, directly or indirectly, is classed as personal data. It is information that is likely to be used by a cloud services provider or a data controller. This personal data is likely to be identifiable through the use of a reference number like an account number, location data like an IP address, or any type of information that could confirm the identity of the person in question.
Art. 4.3 defines ‘processing’. Relevant to this legislation, ‘processing’ refers to any sort of operations or systems that are designed to collect, record, organise or store personal data for authorised or unauthorised people. This may happen by automated means or not. Any function that is performed on the data may also include if the data is adapted, altered, disclosed by tr
Art. 4.6 defines ‘personal data breach’. This phrase simply refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, as described above.
The major changes – What you must know about this new law
Now that the legislation is firmly on our horizons, it’s crucial that you understand what is going to happen next. Below, we’ll outline the major changes that the law will bring and why these are relevant to your business.
One continent and one law
In what was previously a patchwork of laws and practice right across Europe, this legislation has addressed this directly through the application of one single set of data protection rules. By dealing with one law and not 28, you’re eliminating lots of expense and administration. Here, the EU is simply trying to keep up with the shift of more data to the cloud. And with this shift, more data is now being managed by a third party. The cloud provider must now protect the information it handles and stores on behalf of the data controller.
The issue of consent will further strengthen the trust citizens will have in their data processor. As confirmed under Article 7, consent must now be explicitly obtained. ‘Assuming’ consent will be a thing of the past.
Protection of Personal data
According to Article 30 in the legislation, personal data must now be protected from destruction, loss, alteration, unauthorised disclosure, dissemination or access. The infamous ‘right to be forgotten’ facility will be made available to all EU citizens. This means that when they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. And the person or business will be allowed to move data from one cloud provider to another.
Data Protection by design and by default
The legislation also seeks to encourage the formation of internal frameworks to facilitate the right to have personal data protected. In this context, organisational and technical procedures for compliance must be implemented. Businesses now must document all personal data treatment procedures and implement technical and organisational processes that ensure compliance with the regulation (Articles 22 and 28). More specifically, Article 23 states that the personal data must be taken into account from the design stage of any process.
Outsourced data processing
If part of the data process is outsourced, all elements of the outsourcing chain must vouch for, or guarantee the security of the data, as referenced in Article 24. If the processing of data is to be carried out on behalf of your business, you need to choose a processor (or what might be a cloud services provider) that you are sure can meet the requirements of the legislation, as referred to under Article 26.
Monitoring of data and more
Under Articles 30 and 31, this new law now requires businesses to implement ways to verify the integrity of personal data. The onus is on you to not just monitor the data at every part of the process but also ensure its integrity is not compromised. Setting up data audit systems will enable you to identify data breaches if they occur. And if data integrity is compromised, you must notify the authorities within 24 hours. Any longer and you need to demonstrate appropriate justification.
Appoint a data protection officer
If your organisation is a public body, has more than 250 employees or its main activity is focussed on processing or monitoring personal data, a Data Protection Officer is required under Article 35. This officer is responsible for data security initiatives, will need to coordinate the design of data protection processes, and will have to carry out privacy impact assessment initiatives. They will also have a big input into training and must ensure that your organisation has adopted solid data governance policies and procedures. But be careful: even if you don’t fall into one of the categories outlined above and you are not obliged by law, it’s best to have one person responsible for data protection issues in your business.
Privacy Impact Assessments
Article 33 of the regulation would make Privacy Impact Assessments (PIAs) mandatory for those data controllers whose processing operations present specific risks to data subjects (individuals). These organisations will now be required to conduct Privacy Impact Assessments and they must include risk evaluations, measures to confront risks and security measures to safeguard the protection of personal data.
Freedom of circulation for personal data
The legislation also demands that data will now be able to move unrestricted within the EU. But, as referenced in Article 40, data transfers to third-party countries will be heavily regulated. Simply put, EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
The regulation also puts in the place the building blocks for a new certification system. Similar to the ISO framework, this approach will further document the shift towards data protection standards and is referred to under Article 39.
Consequences of non-compliance
If you don’t comply, you’ll be leaving your organisation open to regular periodic data protection audits. And most importantly of all, as stipulated in Article 79, you can be fined up to €1,000,000 or up to 2% of the annual worldwide turnover, whichever is greater.
The road to compliance – best practices to address the challenges
Now that you understand the major changes, the next step is to know how to react. Different stages of your data processing ‘process’ will require different levels of focus in line with what this new legislation requires. Below, you’ll find best practices outlined, equipping you with the knowledge and direction needed to ensure you are firmly on the road to compliance when it comes to EU data protection. So whether you are storing or collecting data, or transmitting or monitoring it, how you react to this legislation will have genuine consequences for your organisation in the future.
‘Consent’ is a major aspect of this legislation, so if you do collect data, you must get explicit consent for processing it. Make sure you have informed people appropriately and explained clearly how the data is going to be processed. And if you need to, you must also review whether your documents and forms of consent are adequate. Also, keep in mind that consent can no longer be relied on in any case where there is a significant imbalance between the position of the data subject and the controller (like a manager/employee context). For example, if you use personal data for direct marketing, you must offer a very clear right for the data subject to object to processing.
Everyone stores data in the digital age, and you must establish whether or not you have legitimate grounds for its retention. Data retention starts with data classification – in other words, how data is organised in your business. It’s very important that the right people have access to the right data at the right time. Thinking along these lines will eventually allow organisations to only store the right data in the right place, with the right level of security, and for the right duration.
To prepare in more practical ways, you must store your data in secure locations with appropriate security measures. At a basic level, this means locked filing cabinets, but it should also include technology-specific solutions like encrypted electronic files and indeed your organisation’s firewall.
Backup is also a crucial part of your data storage plan of action. An off-site backup solution is something that must be invested in. Data backup is vital and you need to ensure that in the case of natural disasters like fire and flooding, your data is not going to be destroyed. The advantages of adopting an online solution as an off-site backup are numerous. From saving time when it comes to monitoring, to saving money on upfront costs or ongoing software costs, online backup is the preferred option for so many. Keep in mind that you need to make sure that your solution provides built-in encryption. If you plan to use a cloud solution, you need to ensure that your data centre is located within the EU and that it is secure enough to avoid data breaches. As required under this legislation, your cloud solution should also enable you to verify the integrity of your data and alert you to any data breaches.
If you transfer data across countries or continents, you now must have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation. If you work with sensitive information, using a secure form of communications is your first priority. Electronic (or digital) documents are now the norm in today’s businesses, and some of them may contain information that falls into the definition of Personal Data. So those documents, whether they are faxes, email attachments, digitally shared, or processed in some other digital form, need to be transmitted through a secure medium, ensuring the information is encrypted and protected. Even more, if you regularly deal with digital documents with sensitive information, you should consider implementing a process that allows you to control the itinerary of the data and who has access to it at all times.
Preventing Data Loss and Monitoring Data
Data integrity will now be more important than ever, and you should use data processing solutions that guarantee data integrity and that also allow you to closely monitor their effectiveness. You also need to be more vigilant when it comes to your backups, and this data needs to be checked and tested regularly. Your staff will play a key role and it’s imperative that they have the right tools to do the job. This is about up-skilling and giving your team the tools they need to prevent data breaches.
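Verifying the integrity of stored and backed-up data (as required in the monitoring section above and again here) comes down to keeping a tamper-evident record of what each file should look like and checking the copy against it. The following is an added example, not Nectar Cloud’s code, of such a check: a manifest of SHA-256 digests protected by an HMAC under a key held apart from the backup, so that a modified file, a missing file, an unexpected extra file (such as a ransom note dropped by malware) and an edited manifest are each reported. File contents and the key are constructed for the example.

```python
"""Tamper-evident backup manifest: build, then verify a copy against it.

Added example, not part of the original guide.  The manifest records a
SHA-256 digest per file and is itself authenticated with an HMAC whose key
is kept away from the backup store, so an attacker who can rewrite the
backup cannot silently rewrite the manifest to match.  Files are modelled
as a {path: bytes} mapping so the example runs without touching disk.
"""
import hashlib
import hmac
import json

# Constructed demo key; in practice this lives in a secrets store, not beside the backup.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed snapshot of a backup set.
SNAPSHOT = {
    "customers/2017-q1.csv": b"id,name,email\n1,A. Example,a@example.org\n",
    "hr/payroll-2017-05.xlsx": b"PK\x03\x04 constructed spreadsheet bytes",
    "config/retention-policy.txt": b"retain=6y\n",
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(entries: dict, key: bytes) -> str:
    # Canonical JSON so the same entries always produce the same bytes.
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Digest every file and sign the list of digests."""
    entries = {path: _digest(data) for path, data in sorted(files.items())}
    return {"entries": entries, "hmac": _sign(entries, key)}


def verify_backup(files: dict, manifest: dict, key: bytes) -> dict:
    """Compare a backup copy with its manifest and report every discrepancy."""
    report = {"ok": False, "manifest_tampered": False,
              "modified": [], "missing": [], "unexpected": []}
    # Check the manifest itself first; if it was edited nothing below is trustworthy.
    if not hmac.compare_digest(_sign(manifest["entries"], key), manifest["hmac"]):
        report["manifest_tampered"] = True
        return report
    for path, expected in manifest["entries"].items():
        if path not in files:
            report["missing"].append(path)
        elif not hmac.compare_digest(_digest(files[path]), expected):
            report["modified"].append(path)
    report["unexpected"] = sorted(p for p in files if p not in manifest["entries"])
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def tampered_copy() -> dict:
    """Constructed copy of SNAPSHOT after the kind of damage ransomware causes."""
    copy = dict(SNAPSHOT)
    copy["customers/2017-q1.csv"] = b"\x00encrypted\x00"        # file rewritten
    del copy["config/retention-policy.txt"]                     # file gone
    copy["README_FOR_DECRYPT.txt"] = b"constructed ransom note" # file added
    return copy


if __name__ == "__main__":
    manifest = build_manifest(SNAPSHOT, MANIFEST_KEY)
    print("clean copy  :", verify_backup(SNAPSHOT, manifest, MANIFEST_KEY))
    print("damaged copy:", verify_backup(tampered_copy(), manifest, MANIFEST_KEY))
```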
Procedures in place to demonstrate compliance
Getting on the road to compliance is not just about fulfilling the legal requirements. It’s also about developing and enacting best practice in the context of data protection. With this in mind, you should appoint someone in your organisation who is responsible for data protection. Even though the law only requires you to do this if you are a public body, have more than 250 customers or the main purpose of your company is treating personal data, we recommend that it is still the best approach to take in all businesses. It’s not just what you do internally that matters; as highlighted in other areas, the compliance of your partners is also vital. You should request that your partners’ documentation shows how their activity is also compliant with the regulation. Overall, you should choose solutions that allow you to keep an audit trail on all data processing. Then, if you are required to show the integrity of the data at any step of the process, it can be demonstrated with ease.
Choose your data processor or cloud services provider wisely
Picking the right cloud services provider has been a priority for many organisations for a few years now as cloud computing has quickly become the platform of choice for businesses in every sector. The introduction of this new legislation has now made this selection more important than ever before. Not only does it make solid business sense to choose your cloud provider carefully but now there is a legal imperative to ensure you make the best choice possible. With this in mind, we’ve outlined some key questions you should consider when making that decision.
Do they give you what you need?
What specific services does your company require? From IT networking to storage and function-specific software platforms, it’s imperative that your provider can give you the services you need and demonstrate their track record in having done this before.
How secure is your provider?
Your cloud provider should have several layers of security built into the core aspects of their service and infrastructure. Your data simply must be encrypted and you need to ensure access is restricted. Authentication protocols should also be in place, and it’s very important that your cloud services provider can guarantee the integrity of your data in line with the requirements of the new legislation. As part of the shift toward data protection, establishing an audit trail is crucial and your provider’s audit capabilities must be considered.
Will your provider deliver full support, management and monitoring?
To manage the processing of what is now considered a valuable asset, your cloud provider should also provide an expert support team. We recommend that you choose a solution that has a built-in monitoring feature, as it will almost certainly save you time and money. If your solution is easy-to-use, your employees will not have to focus so much on training and administration. Solutions that are easier to use will also improve data management and decrease the likelihood of errors.
Do they have the knowledge and expertise you need?
As with any technology platform, knowledge and expertise are key ingredients when it comes to taking on a specialist provider. When you’re dealing with sensitive data and stringent compliance mandates, you need qualified experts who are readily available and can comprehensively understand your requirements. If your chosen provider already outsources some of the treatment of data, make sure you are aware of it and that the third-party solution being used is compliant. Each and every member of your outsourcing chain needs to show the same standard of knowledge and expertise and provide the same guarantees in the areas mentioned above. It comes down to one straightforward concept: their compliance will be your responsibility.
Where will your data be located?
One of the key aspects of the new legislation centres on ‘location’ and more specifically, where the data and data centres are located. Transferring data to territories outside the EU will now be strongly regulated. With this in mind, you must choose solutions that store your data within the EU whenever possible. You should also avoid using digital communication solutions that transmit your data via platforms located outside of the EU.
Summary and conclusions
The arrival of EU-wide data protection legislation represents a genuine change for businesses and organisations of all sizes right across the EU, and will have implications for others too. Now is the time to start looking at your processes and operations to make sure you comply. If you don’t, you may be fined up to €1,000,000 or up to 2% of the annual worldwide turnover.
What’s changed?
Individual country laws will be consolidated into one continent-wide set of rules, which will reduce administration and bureaucracy for all organisations working with personal data. Contentious issues like the protection of personal data and ‘consent’ have been settled and companies’ obligations are now clear in this regard and many others. At every stage of the data processing chain, this legislation will have an impact. It’s important you now know what is expected of you in terms of collecting, storing and transmitting data and more. The penalties for failure to comply are severe and costly. The responsibility to comply will be on your shoulders, but your cloud service provider will play a crucial role in light of this new law. Carefully selecting your cloud provider has now become more important than ever before and you simply must choose the provider that takes legal compliance as seriously as you do.
Nectar Cloud post published 06/06/2017
C2C – We are now able to offer backup for MS Office 365, Google Apps and Salesforce
Backup MS Office 365 and other cloud applications directly to a UK Data Centre
- Agentlessly back up the data in SaaS / PaaS clouds to our data centre in the UK
- You can choose the frequency and granularity of the backups on a data-source-by-data-source basis to ensure data is protected as long as required for compliance and business continuity
- Mass deploy backup rules to hundreds of MS Office 365 or Google Apps users at once, ensuring consistent protection across departments with minimal configuration effort
- Set and achieve Recovery Time Objectives and Recovery Point Objectives that meet your organisation’s needs
- Store all data in a secure, encrypted form so unauthorised users do not have access to the backup information
- Retain access to your data at all times, even if you’ve cancelled the SaaS / PaaS subscription
- Meet regulatory and compliance requirements
- Compliant with: FIPS 140-2 / Gartner Approved / ISO 27001 Certified
Big Data Can Help Businesses Make Smart Decisions
We all recognise that the amount of data being created is growing at a phenomenal rate, but the concept of ‘Big Data’ is throwing up as many opportunities as it is difficulties. Key amongst these is having the ability to harvest that data and use it to make smarter decisions.
Article from Comms.Business
One Way hackers hack your website
This affects WordPress: through the contact page, by sending a form, the hackers are able to add a hyperlink to your front page and every page. Keep a check on your website to make sure this does not affect you.
Big risks for small businesses who ignore data security
By Nicholas Tufnell, Business reporter: http://www.bbc.co.uk/news/business-27052250 – an interesting article from the BBC about data security and more.
A report from the BBC
The Heartbleed Virus
The Heartbleed virus has affected websites on the Internet for maybe 2 years. Heartbleed allows hackers to exploit a flaw in the OpenSSL encryption software to steal data like credit card numbers, passwords, and other personal information. It takes advantage of OpenSSL encryption software, which is standard for many websites and is indicated by the small padlock symbol. A heartbeat is a small packet of data which is sometimes sent to confirm that both computers are still available.
Act quickly if your mobile phone gets stolen or lost
With the festive season in full swing, people up and down the country will be out socialising or hitting the high street to do their Christmas shopping. At this time of year, however, consumers can be particularly vulnerable to mobile phone theft, with opportunist thieves preying on distracted shoppers or partygoers. Not only are many mobile handsets worth hundreds of pounds and costly to replace, but thieves can very quickly run up high bills on stolen phones. Ofcom has published advice for consumers on how to reduce the chances of ‘bill shock’ when a phone goes missing. A news release can be found here.
17 / 12 / 2013
Nasty Virus Beware
Last month, antivirus companies discovered a new ransomware known as Cryptolocker. This ransomware is nasty because infected users are in danger of losing their personal files forever. Spread through infected websites, this ransomware has been targeting companies through phishing attacks. The bad news is that decryption is impossible unless a user has the private key stored on the cybercriminals’ server. Currently, infected users are instructed to pay £180 to receive this private key. Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever. It is possible to recover previous versions of the encrypted files if the data was backed up into the cloud.
Backup: the existence of malware such as Cryptolocker reinforces the need to back up your personal files. However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC. Cloud-based backup solutions are therefore advisable for business professionals and consumers alike.
09 / 10 / 2013