Our Data Protection & Privacy lawyers are here to help you navigate the complex landscape of compliance. We have incredible experience in helping you find pragmatic, business-focused solutions. From the moment a new law is suggested through compliance programmes to privacy disputes and litigation, and in case of enforcement actions by authorities, we can help.
Whether its GDPR or other privacy laws, data breaches, data transfer challenges or use of cookies and online tracking, our privacy experts will provide you with advice you can trust.
We are here to help you navigate the complex landscape of compliance. From the moment a new data protection law is suggested in Pakistan through compliance programmes to privacy disputes and litigation and in case of enforcement actions by authorities, we can help. Whether it’s GDPR, CCPA or Personal Data Protection Act, data breaches, data transfer challenges or use of cookies and online tracking, we will provide you with advice you can trust.
The Pakistan’s Cloud First Policy has listed five classes for data, including;
It is publicly available data, structured in a way that the data is fully discoverable and usable by end users is called ‘open data’. The implementation of open data principles in the public sector makes the government open and accountable and increases citizen participation in government.
Data related to the public sector that is non-confidential and is publicly available. Public data is the information that will not result in any damage if it becomes generally known. Information in the public domain that has been approved for public use by the information owner.
Restricted data is the (internal) information that can be freely shared among employees, but is not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management, and may lead to financial damage or loss of reputation for the organization, or have negative effects for certain customers.
Data related to public sector business, operations and services which even if publicly available but a compromise of which can undermine the reputation of Pakistan internationally.
Information not intended to be published, which shall be accessed only by certain people having proper authorization and which justifies moderate protective measures.
In other words, confidential data is the information which is considered critical to the organization’s on-going operations and which can be shared internally in the organization on a need-to-know basis. If unauthorized people gain access to CONFIDENTIAL information, this may lead to significant financial damage or significant loss of reputation for the organization, or have considerable negative effects for certain customers.
Secret information requires the highest level of protection from serious threats, whose breach will likely cause threats to life or public security, financial losses, serious damage to public interests, etc.
How important are the controls in the organization to prevent these types of data breaches or data theft?
Controls are basically the safeguards or the countermeasures deployed with a purpose to detect, avoid and minimize the impact of any security risk, mostly in this particular order.
All the different types of controls which organizations can have to prevent computer thefts.
Now broadly information security controls will come under the following ten categories;
Now hardware is an essential component of information asset control of hardware equipment mainly involves the following step: identifying the hardware information asset and recording the hardware right from the procurement stage.
Classifying the hardware on the basis of factors like critical monetary value, keeping an inventory control, monitoring the movement of Hardware, inter-department, intra department and constantly reviewing the controls initiated for their adequacy and effectiveness.
Now this is the basic hardware and physical control which the organization’s need to have. Every organization needs to know that
What is the hardware equipment?
What are the hardware computer peripherals which are there in their organization?
So you need to be able to trace that hardware which should be distinctly identifiable and this is one of the most important and critical factors for making sure that you have hardware and physical controls in your organization.
Now barcoding is one of the most effective ways to control this and it should be done on every equipment or the hardware device which you have in your organization which is the first point of entry into the organization.
Now such a system will ensure foolproof maintenance of not just physical entry of hardware equipment but also it will help for financial and accounting purposes.
Now barcode scanners should be made available in every department in the organization and should be used even for the smallest item recorded.
This will definitely have a better result in terms of overall management of the assets of the organization as well.
So nowadays, there are 2D barcodes which are capable of recording more information about the product name, price quality or description.
The earlier barcode readers were very simple and were very cheap as well which recorded very limited information but the new 2D barcodes are capable of securing more information.
Now there are mobile phones that can also read barcodes and scan code and the malls. If you go you will find these types of controls.
Now the form of control which is very popular these days is called RFID Circuit which is also called Radio Frequency Identification.
This can also be used for hardware tracing and monitoring for tracking employees movement inside a huge office complex.
RFID tags are affixed to the equipment or as a part of employee personnel. An employee’s supposed to carry it like a smart card or other cards. It works as an antenna circuit designed with RF signals getting radiated while barcoding is much less than one rupee per equipment.
It is a bit costly but it goes to a different level altogether. You can use an RFID reader to identify an object from 3 to 4 meters depending upon the capacity. So in a way you are securing more information if you are using an RFID circuit.
Now let us talk about software security controls. As we have already spoken about hardware security controls in the organization. We are going to talk about software security controls which may be broadly classified as;
Now as a technology user and as an application user, the user himself has some controls to take care of the information asset like having an updated antivirus, not clicking an untrusted link, not giving information on an HTTP site.
Now these are some of the basic software controls which not only the organization needs to have but also the individuals working in the organization need to be sensitized and trained at least on the basic idea where no skills are very important.
The output control also forms a part of application control in a bank, typically taking one or more copies of a Bank draft is a serious crime.
Now output control plays a crucial role in areas like taking printouts of FDR receipts, security papers like drafts and bankers cheques.
Keeping a proper track record of printouts and preservation of printed logs are all part of output controls on physical security controls.
Now let us talk about the third type of control which is called database control. So we have spoken about Hardware control, software control and now third is data controls.
Now it is normally part of the design stage taking into account different factors such as the security features provided by the database management software, version of the database management software, maintenance of that sort for security and controls that are to be provided by the application, network, bandwidth etc.
On the database level, designing the schema is quite important. A schema is the context of a database and refers to the structure described in formal manner in language as a part of a particular database management system in the organization of data in different tables and components.
Now understanding the schema supported by a particular DBMS is very important to design and decide the security features that may be built as a part of the schema of our DMS itself so that security capabilities of the database are fully exploited.
This is important so when we are talking about database control, it’s all about the designing of the database software which you are using in your organization.
What is Data Definition Language – DDL?
DDL is basically a statement to create or alter an object, that is creation of a table or alteration of a database scheme. This is called a DDL database.
What is Data Manipulation Language – DML?
DMLis used as a statement to retrieve data, insert data, modify data and delete data and do such manipulation in the data in pursuance of broader powers assigned in the database server.
Difference between DML and DDL:
DDL is basically a statement to create, alter and drop an object in the database and DML is used to retrieve, insert, modify or delete an entry in the database.
Now prevention controls may be preventive or detective; a preventive control is one which prevents an attack from occurring or just prevents the external attacker from meeting the vulnerability and affecting the information acid.
Accounts department of your company deals with the financial
resources and transactions. There are certain legal issues which may arise
instituting criminal as well as civil liabilities including tax matters
Now some of the most effective preventive controls are physical and hardware control such as posting a physical security guard at the entrance, intrusion prevention, barbed wire fencing and unified threat management. This is the physical prevention control which you can have in the organization.
Now software security controls information security policy whether it’s adequate and implementation is done properly running an anti-virus and anti-malware software and all the PCs’ effective password management internet email and other related policies.
Now if you follow these preventive controls they will never be a computer fraud in your organization.
So in most of the bank’s the frauds the one common point of major breach has always been the password policy so the password policy has to be well-defined and the users, the people, your employees have to be sensitized in thought and in fact trained on how to use their passwords.
Now incidents like tailgating and masquerading are some of these access methodologies for gaining illegal entries to information resources. This is important or masquerading is the kind of entry to a critical room where more than one person enters with the same idea or token or card which can be very dangerous for the organization because the other person may have criminal intent.
Now both these are possible in the case of software access when a person leaves the session open after a valid login and the same is utilized by an intruder. It will go to a tailgating session to check.
Such kinds of access and proper intrusion prevention controls are necessary: a sound password policy, internet access policy in UTM boxes with all features of intrusion prevention at every level.
Detection control is also a control that the organization puts in place to check the review of any incident or report that has happened in the organization and put in place the lessons learnt from the incident name and its impact.
Detection is always part of an audit or an inspection or a review mechanism. Hence, detection risk is the risk that an auditor confirms that there are no material errors in practice. Sometimes there could be some errors, some of them with serious impact too. So it is a risk the auditor lets exist.
These audits are very important and every organization should carry out these audits periodically.
Now the first step in detection control is identifying a fault that is detecting the fault followed by isolation of the system detected and then act of recovery immediately after the identification and fault detection there should be isolation of the information assets.
So that it does not spread much and not further percolate down to impact the other information assets down the line, so after the process of isolation of the assets. The next step is towards recovery from the incident or the risk encountered.
Mitigation mitigation controls is something which is referred to as compensating control since it is closely associated with alternate controls and segregation of duties it can be said of greater significance especially in auditing when sometimes an uncollected on an unrecorded statement may escape the attention at first stage and may result in a crucial failure of control and efficiency in the system.
So mitigating control will be very helpful in finding out that omission so many times even the auditors may fail to detect a problem in the system. So this can be done by taking proper mitigation measures such as cyber risk insurance.
Now it is another mitigating control which is in the form of transfer risk, getting relief by transferring the risk from the organization to a third party insurer. So this is another way of mitigating that risk, another way of making that impact less burden on you.
Encryption is the process of storing or conveying or communicating information in such a manner that only the authorized user or the receiver can understand and nobody else.
Now strong cryptography is another variant of cryptography and this can certainly help people to communicate over networks.
Knowing exactly what you need to do to be data protection regulation compliant can be daunting. Our specialist data protection lawyers will work closely with you to understand your business and provide advice tailored to your current commercial situation and future strategic goals.
Our team’s deep data protection knowledge has developed over years of work in this complex and intricate area of law. This means that we can support in-house counsel or data protection officers, either as a “sounding board” or as specialist advisors.
The GDPR is EU legislation and applies throughout the EEA but can also apply to non-EEA organizations too. We therefore advise Pak, UK, EU, US and international businesses about data protection compliance.
If you’re based in Pakistan, we can advise whether you are affected by GDPR or Personal Data Protection Act and, if so, explain the extent of your compliance obligations. We’ve worked with a number of overseas businesses – particularly in the UK – on GDPR issues and can bring that knowledge and experience to your organization.
Our lawyers can help you with all aspects of data protection and GDPR/CCPA compliance. We can take you through the initial steps of compliance by carrying out a GDPR Audit to assess where you currently stand. We can then advise on a compliance strategy and the policies and procedures that you will need to put in place to evidence your compliance.
We also advise businesses on day to day issues such as managing subject access requests (SAR/DSAR) and Data Breaches, and how to enter into data protection compliant contracts.