Advice for GDPR Planning and Preparation before the May 2018 Implementation Deadline

The new EU General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It builds on and supersedes the current data protection regulations and, in the UK, is administered by the Information Commissioner's Office (ICO).

We've had quite a few conversations with clients about preparing for the EU GDPR. As the subject overlaps business and pure IT considerations, we've made sure to read up on, and around, it so that we can help untangle the facts from the sales spin. We started by reading the actual text of the GDPR, which you can access directly online on the EUR-Lex website. If you have time, we'd suggest going straight to the source and reading it too: everything else you read is someone else's interpretation, including the rest of this article.

We must also mention that, whilst we're experienced in business and IT governance, we're not lawyers, so please do check things through with your legal advisors.

Our aim is to take a pragmatic view and put you in a position to evaluate measures in the context of what is needed rather than what the 'salesman proposes'. GDPR is a veritable salesman's dream; some of what is being sold is valid, but much of it is not necessary to achieve compliance.


GDPR in a Nutshell:

The main point of GDPR is to make sure that organisations respect personal data and act as good custodians of it: respecting it, keeping it safe and handling it appropriately.

There is a lot more detail in the regulation, but basically that is it. It applies especially to sensitive personal data such as medical, political, genetic, biometric, sexual, racial and financial information, and to information relating to children (minors).

GDPR has come about in order to give people more rights over their personal data. If you have had calls from vehicle accident claims management companies, PPI claims firms etc. then these are examples of where third parties have been given (or purchased) your personal information; often to your distinct annoyance.  GDPR comes partly in response to these activities and aims to reduce instances of preventable data leakages.

Compliance with GDPR is 'self-certified', in the same way that the current PCI (Payment Card Industry) standards for protecting cardholder data are. There is no officially recognised body that can declare you 'GDPR Compliant' (this was intended in the legislation but has not come to pass). Compliance is therefore a matter of ensuring that you act appropriately for your business and that you are satisfied you have managed your level of risk. If you were to suffer a data breach, or a complaint were upheld against you, then you would be deemed non-compliant with GDPR and might be issued with a fine or face further legal action. The onus is therefore on the business owner and its management to ensure that compliance is good.


Practical Measures to compliance and further explanation:

Recommendation 1: Keep a 'GDPR Diary'

This is important as it allows you to note down what you have done, and when, towards GDPR compliance: what you have read and what actions you have taken. If you were to have a GDPR issue down the line, being able to demonstrate that you made reasonable efforts towards compliance will be important. The ICO understands that some organisations are big and complex and may have a whole team dedicated to GDPR compliance, whereas others are much smaller, down to a single person, and it will expect appropriate and proportional effort from each (a one-person company will, for example, be able to note down what data it holds and where with far less effort than a 10,000-person company).

Recommendation 2: Make an internal communications plan and execute it, now and ongoing.

The importance of data protection compliance and respect for client data is something that people should be made explicitly aware of. If you have a board then this should be a recurring board meeting item (even if a brief one), but most importantly everyone in the organisation needs to be educated that respect for client data is in everyone's best interests. This might seem common sense, and it is, but unless you make and execute a regular training / communications plan there is a risk that people might give away confidential information without realising it is an issue. An explicit internal policy about what personal information can be shared, by whom and with whom, is a good idea and makes things clear. Your compliance and security are only as strong as the weakest link in the chain, and the policy must apply to interns, reception, temporary staff and cleaners through to senior board-level management.

Recommendation 3: Have a procedure to authenticate who you are sharing information with.

This will help protect against people trying to trick you into releasing confidential data, which unfortunately does happen and is still your responsibility. The mantra should be 'If in doubt, check it out', i.e. check if anything is at all unusual or if the request is not from someone you know. It is possible, for example, for someone to call a company's accounts department and ask for a copy of the Sage backup file to be uploaded or emailed to them, supposedly to assist the company's accountants with their tax work. If a call like that came in from someone who sounded legitimate and convincing, what is the risk that someone in your organisation would be tricked into releasing your core accounts files? Probably higher than we would all like: tricks like this prey on our innate desire to help, and people respond with the best of intentions but to unfortunate ends. Your accounts data in this example might not hold much 'personal' information about individuals, but it is still potentially damaging to the business. We've even seen examples (and taped one of them - click through to read and listen) where people phone a company claiming to be from the Police in order to get past the switchboard. Highly effective as a tactic and, of course, illegal.

Recommendation 4: Don't be the easy target.

This applies to many areas of IT, security included. You can very easily spend millions on IT security. The appropriate level, though, normally comes down to common sense. For security (which is part of GDPR, in that you need to keep your data safe) there will be sensible systems and processes (human and computer) that allow you to store and share your client information safely. If you are at least as secure as the majority of your industry or peer group then you are unlikely to be hacked or suffer a data breach. The nature of your organisation and the data you hold will determine the appropriate measures, so that you can satisfy yourself of compliance.

Recommendation 5: Put in place a Privacy Policy.

It is important that companies have a privacy policy, that it is on your website, and that it is made available to people so that it is clear how you process their information. Onega have developed a standard Privacy Policy that we adopt and are happy to share with our clients. It can be customised for your organisation if you agree that its content applies to you. We'll be happy to forward you a copy on request if you do not already have one, and can assist with customisation for your individual needs.

    Recommendation 6: Listen to and communicate with your clients.

    Make sure that when you collect personal information you make it clear what this will be used for and that people give their permission for this. Keep this documentation / record in case you need to refer back to it later.

If someone asks to be taken off a mailing list then respect that and act on it immediately. If the same person's data has been shared with other organisations or internal departments then make sure the message is passed along and actioned as appropriate. Something that is sure to get you ICO complaints is receiving requests to remove someone's details from a mailing list / contact list and then continuing to call / email / mail them again and again. If someone does not want to hear from you then it is best to respect that and expend your efforts on people who do. The ICO will forgive a legitimate mistake (none of us are perfect), but if they see a pattern of abuse and no good system or process in place then they will take a dim view of it and you may well attract a fine and the poor publicity that accompanies it.

    There is a tenet in GDPR that consent needs to be clear and explicit.  Where in the past you might have had to untick a box in very small print to opt out of something, now you need to have a clear opt in and not assume consent.

Recommendation 7: Don't hold data if you do not need it.

The best way to be compliant with safe and secure handling of personal data is not to hold it in the first place. If you don't have a legitimate (and common sense) reason to hold data, then don't, and it can't come back to bite you. In the world of e-commerce, many small companies have benefitted from the services of payment providers like PayPal or Braintree. These providers allow you to take credit card payments, but at no point are you given or allowed to hold card numbers and expiry dates (which come with big responsibility); you benefit from the payment processing and collection system, and not having the card details is a real positive benefit.

Recommendation 8: Complete a Data Audit - know what data you hold.

On the basis that 'what you know, you can manage', one of the steps towards compliance is conducting a data audit to identify what information you record (particularly personal information), why it is recorded, where it is held, how you process it, who you share it with, and so on. This then allows you to evaluate that data against GDPR: to make sure that you are keeping it safe, that you are only keeping what you need to keep, and that you have measures in place to keep the information accurate.

Information to collect and collate in a personal data audit includes:

• Data source (where the data comes from).
• How and where it is stored (in the cloud, on local servers, etc.).
• Whether the data is secured in transit and at rest.
• What information you are holding.
• What you are doing with the information (how it is processed).
• What the legitimate reason for this processing is.
• Whether personal consent is required for this processing.
• If so, whether you have this consent and whether it is documented.
• Who the information will be shared with, and who in your organisation is allowed to share it.
• Whether this is covered in your privacy notice.
• How the data is kept up to date, and how you will pass updates on to subscribers to this data (i.e. organisations you share it with).

Recommendation 9: Consider the importance of standards.

It is well worth considering business IT security standards like Cyber Essentials and the fuller ISO 27001. It's a fact that no organisation with ISO 27001 certification has ever suffered a large-scale data loss (true at the time of writing, anyway). That's because the standard provides for a methodical and comprehensive approach to security. It can also be a business benefit. The Cyber Essentials standard is promoted by the UK National Cyber Security Centre, which is part of GCHQ. It covers the basics (the 80:20 rule) of security, and Onega can help you prepare for certification to the standard. These standards overlap with GDPR on IT security, would help reduce risks and, if anything untoward were to happen, would also help demonstrate that you had taken reasonable and recommended actions to secure your organisation.



    How long should I keep data for?

    This is a question of logic and common sense. There might also be regulatory requirements in certain industries that override other criteria e.g. if you are regulated by the FCA then you still need to stick to their guidelines. Keep data for as long as reasonably needed and justified for business and audit purposes, then remove.


    Who is your Data Protection Officer?

The chances are that, if you have read this far, this could well be you! If it is not or will not be you, then it is important that this person be defined clearly and be given board-level backing so that they have the authority to carry out the role. Smaller organisations may not need a formal data protection officer, but it is good practice to make sure there is a clear role and responsibility in any case.


    What happens if there is a data breach?

    If you do have a data breach that involves personal data being leaked, exposed or lost, then this may well be reportable to the ICO. It is important that any such breach be reported quickly and openly. There may be an investigation by the ICO but it is 100% better to be open, honest, and learn from your mistakes to reduce risk of recurrence than to try to bury this. How people react when there is an incident is as important as what has happened in many cases. If a data breach is likely to lead to negative effects to individuals then it needs to be reported. If how many widgets were made on production line 4 in May is leaked then that generally would not be a reportable incident as it does not involve personal data. Of course it is far preferable to secure data and reduce the risk of a breach in the first place than to need to report a breach.


    Who has the right to access data?

Individuals have a right to ask to see (and have a copy of) the information you hold about them, and a right to withdraw consent where it has previously been given. There is also a right to erasure from your records, although this latter right is a request that you might not have to comply with; for example, if you have a statutory requirement to keep records for a period of time then that requirement will override the request. If, however, someone asks to be taken off a mailing list then you should comply and do your best to make sure they are not sent further automated emails unless any are mandatory (e.g. a product safety recall notice could and should still be sent legitimately to a customer who has asked to be removed from your marketing emails).

Individuals can make Subject Access Requests for the information you hold about them, and you have to comply within a month, at no charge. If you judge that a Subject Access Request is likely to be excessive or unfounded then you can refuse it, giving this reason. For example, some local authorities have had to find a number of obscure statistics under the Freedom of Information Act rules following multiple requests from the same person, where the only intention was to waste the council's time and resources. Where you do decline a request, you have to let the requestor know that, if they disagree with your decision, they can complain to the ICO, who will investigate if appropriate. The majority of smaller companies will never have had a Subject Access Request, so under GDPR this is something to be aware of, but it is likely to rarely be an issue.


    What about fines?

    You have likely seen the headlines about fines for GDPR non-compliance and data breaches. These can be up to EUR 20,000,000 or 4% of organisation turnover.  To attract a fine of EUR 20 Million you would have to have a turnover of half a billion Euros a year and have a serious data breach that you could have reasonably prevented.   

    To avoid (minimise the risk of) fines it is important to do your best to comply with the legislation. On the whole, this also overlaps with business interests i.e. what would your clients think of you if they learned that you had a data breach and exposed their personal information? Or if they received unwanted calls from third parties and learned that it was because you passed on their information without their consent? Generally we'd suggest asking yourself (knowing everything you know) whether you would be happy as a customer of your own organisation; are you satisfied that everyone in the organisation would respect your data and treat it professionally at all times? This latter point - applicability to everyone - is very important. It is important to make sure that everyone in your organisation knows that respect for, and confidentiality of, client personal data is their responsibility. 


    What is Privacy by Design?

Privacy by Design is a concept you might hear about in GDPR documents. The term is a little cryptic, but what it means is that you need to think about privacy first in matters relating to personal information. If you are planning a marketing exercise, for example, you need to make sure that the people you are going to communicate with are 'opted in' to your communications, and that the personal information you capture will be used and stored correctly and appropriately. We'd think of this as having best practice front of mind. If you are offered (or seek to licence or buy) mailing lists, then you need to make sure these include upstream consent from the members of the list, and be reasonably confident that the list vendor is not just paying lip service to consent. If you deal with a UK or EU mailing list provider of good reputation then you have the best chance of this all being legitimate. US and other international vendors are not bound by the same rules, but you are when you use the data, and you would be liable for any abuse. Whenever you are considering new systems, processes, etc., it is important to consider security as part of the process so that you remain compliant with the law.


    What is Personal Data Processing and what are justifications for processing?

It is important to remember that GDPR relates to the processing of personal data. You need to have a legitimate reason to store and process (use) personal information. One legitimate reason can be explicit consent from an individual (who is given details so that they understand clearly how their information will be used), but there are other reasons too.

    For example if you have a CCTV system then this may well be for reasons of security and business optimisation.  You'd normally put signs up to let people know that CCTV is in operation but you don't need to ask for consent from individuals. A shoplifter or someone that broke in could not reasonably argue that they did not consent to being filmed if you use this as evidence against them.  In this case of CCTV though, you do need to make sure that you keep the CCTV recording system secure and limit access to authorised staff.

    Where consent is the reason for holding information, it is important that this is clear and that an individual has the right to withdraw consent later.  In most cases clients will be happy to give consent where this is in mutual interest.


    Do I need a new printer, or whatever else people say I need because of GDPR?

GDPR is being used as an excuse to sell any and every product at the moment. If you are uncertain whether you need X for compliance then please do run it by us; we'd be happy to discuss it and help work out the correct response. Generally, consider whether a product significantly increases your level of security or compliance, and whether the problem it solves is a significant risk in the first place. For example, if you have a small office without public access then you are unlikely to need super-secure printing, especially if you make sure you collect printouts as soon as you print them. The risk of a member of the public (or someone of ill intent) picking up something with someone else's private information on it is quite low. Hopefully you'd notice someone who is not a member of staff in your office in the first place, but if you do print very sensitive documents then consider secure printing or a small, unshared printer next to your desk (a modern small laser or inkjet printer is very capable).

    You may well benefit from some enhancements to your systems and processes especially if some of your systems are already out of date, but we'll be happy to discuss these with you. Many measures towards increasing security have relatively low (and sometimes nil) costs, bar a bit of time to set up.


    If you'd like to discuss any of the contents of this article further please don't hesitate to get in touch (or leave a comment below).


    Many Thanks to Rock Cohen via Flickr for the header photo of the EU flag flying.



    The UK ICO has a very good website with an overview of GDPR, a '12 steps towards GDPR compliance' document which we recommend and advice for particular types of organisation such as small businesses and financial services organisations.

    ICO Main GDPR Site:

    ICO 12 Steps PDF:

    ICO Advice for smaller companies

ICO advice for specific business sectors, and the myth-busting posts on their 'GDPR Myth Busting' blog. All quite pragmatic. (This includes specifics for retail, micro organisations, small financial sector firms, charities and local government organisations.)

    All the above pages are well worth reading and digesting.

    Complacency is the Enemy of Security

    We're often asked the difference between different products and why we might recommend one solution over another.

    Rather than giving details on particular computer products, and pros and cons between two different virus scanners / firewalls / computers / laptops etc. we thought that it might be more helpful to give some insight as to our general thought processes and illustrate this.

    As an example please consider the two videos linked below. They're also quite short (less than 60 seconds each) and amusing in themselves so do have a watch.

    Video 1:

    The first here is a video of a tourist who 'crosses the line' and lays a hand on a member of the Royal Guard.

    What happens when a tourist touches a member of the Queen's Grenadier Guards

    Video 2:

    The second video below here also shows a security guard, here in the context of an office building lobby. In fact here are two guards that you can see in the video - one crouching in the foreground (hands up) and another approaching on the carpet behind.

    In contrast note what the approaching guard does when his colleague is 'shot'.

    So - what's the point here?

    Both of the videos show someone in the role of 'providing patrol and security' but the training and reaction are very different to a situation. To be clear we're not suggesting that either are right or wrong, but they are definitely very different.

    The first video could be seen as a potential overreaction but this is trained response to a threat and maintaining a clear line which should not be crossed. We suspect that the tourist got quite a shock. You don't see the tourist's reaction on film but you can make a pretty good guess.

    The second video shows the guard running away pretty quickly and comments on the YouTube video liken the reaction to playing 'Sonic the Hedgehog'. As you see in the video this was a staged prank and an effective one at that. The reaction is not necessarily wrong though. Hopefully the guard is going to call for help / police / armed backup / check CCTV and grab a gun etc. rather than just to uselessly become the next victim given what he's just seen and heard in front of him. Of course he might equally be heading straight out of the door and planning to go home; we'd like to think not though.

    Both of these are providing security around a building and assurance for the tenants and visitors to help maintain and assure a safe environment. In very different ways. Both are more effective than many reception / security guards in an office environment who often provide only token levels of security. You've probably noticed buildings where a 'guard' is absorbed in playing solitaire and around whom a seven year old would run rings in a chase.

    This is the difference between ticking boxes and providing value and much of the value of a guard, like the value of insurance or an army, is not in the work they do, but what they can do if needed, which means it is less likely you'll need them. Good security obviously has a more powerful deterrent effect.

    Companies recognise this in their implementation of security. It goes to the core of the company's values; do you only pay lip service, or are you thorough? Much of the time you may not notice the difference unless you are looking for it. We say time and time again that there is no such thing as total security, only different levels of risk management and mitigation.

    In some city firms the security office is manned by staff who may be entirely ex army and indeed sometimes ex special forces. You'll not notice on the door but you will if you try anything untoward and in the subtle, but very real, difference in the level of attention paid to things. This is a deep skill in itself. Guarding anything from an office to nuclear weapons requires dedication and focus to do well, evaluate the risks and pull against the natural human instinct towards complacency over time.

    Are we digressing again here? Yes, probably... to bring the comparison of security guards back more to the world of IT and subtle differences, the point is that when at Onega we consider solutions, we look for what is the best long run solution for a challenge, that will serve a business and provide for value and service. In considering IT systems, we look at many aspects of capital cost, performance, reliability, robustness, running costs and serviceability. Aesthetics are also considered and sometimes people choose preferences of good looks over functionality or serviceability as their conscious choice which is fine if trade-offs are accepted. From cars to aircraft, to computers to anything else, there are almost always trade-offs made in any decision; it is just a matter of getting the balance right.

    Currently in IT there is an increasingly mature trend towards swapping traditionally capital investments for regular periodic subscriptions. An example of this might be Microsoft's 'Surface as a Service' offering but in software, client computing and server side computing the trend is present and it allows for the traditional cost bump to be smoothed out over time; so that you can have a high quality solution and pay for it as you enjoy it with reduced barriers to entry.

    When Onega look at a product, we do of course consider cost. We are a business ourselves and we have to balance the books. However we invest where we need to and appreciate that some things can be very much a false economy. The difference that an extra £100 investment can make to your enjoyment of a computer over three years can be between smooth service delivery and frustration. We've learned many things the hard way and we try to share the benefit of our experience so that you can avoid repeating mistakes and errors we may have made. We do of course sometimes make mistakes, but we learn from them.

    As a case of false economy in point, consider backup systems. The purpose of these is to keep your vital company information safe and in some cases, also doubling as Business Continuity solutions. You really don't want to be choosing a backup solution based on price. Among the criteria here are: how well does it work; is it reliable; how quickly and easily can we get things back when we need them; how is it monitored; how is the data encrypted; how do we obtain support for the system; how many copies of data are maintained; how far back will it retain our backup data; does it cover everything we need backed up; are air gaps enforced; how stable is the company providing the service? Price of course is a factor, but it should probably be a secondary factor to the first questions. A good solution that might cost £30 a month is likely to be much, much better business value than a poor solution that just about does the job for £19 a month. In this hypothetical example the £11 extra a month in cost would arguably be worth way more than that in peace of mind alone.

    So for any system, when we are considering recommendations from Onega, we are looking to help provide solutions that will stand up to the task and deliver when needed rather than something that will disappear like Sonic just when you need it.

    No one likes being let down.

Back to the title of our post here (after a slight case of ADD): Complacency being the Enemy of Security. Complacency is very hard to prevent, but procedures, reality checks / external audits and baselines can help greatly. Arguably the role of a security professional is primarily countering complacency everywhere it creeps in, which it does.

    There are some tricks that can be learned from the people who protect some of the nation's most critical assets, again imperfectly but still relatively robustly and relatively successfully. We're talking about the high bar of protecting nuclear assets, domestic or military. Imagine the awesome responsibility of guarding a nuclear reactor or live missile defensive systems. If you were tasked with this role, you'd obviously understand the serious nature of the role and the possible implications of a breach of security. You'd be very much 'on your guard' on day 1, but on day 2 (allow some leeway on timing here), you'd likely think 'no one stole / launched our nuclear weapons yesterday, so I can relax a bit' - maybe read a good book, check out X-Factor, kitten videos on YouTube or read the paper, play solitaire, wave through the maintenance engineers or take a long break for coffee etc. and so it goes until one day something happens and you get that sinking feeling in your stomach when it's too late to do anything about it.  Thankfully it is relatively hard to do anything useful with quantities of nuclear material without being picked up by the eyes and ears of intelligence, but for every time the backstop comes good, comes the day closer when it misses one.

    So to prevent complacency we have a number of routes. Training and reinforcing on why we have security and the importance of the items we are looking to protect, learning from incidents that others have experienced and share with the community, implementing institutional anti-complacency measures with audits and penetration exercises, rotation of staff roles so that your attention-deficit burnout is minimised. Some of these measures can be equally applied to corporate environments and can uncover convenience hacks from staff that might undermine or bypass security measures for example.

At Onega, we've accumulated a good deal of knowledge on security, and we've spotted enough loopholes in our time to know that, if we dwelt on them too much, we'd just run for the caves. We do like the challenge of a security audit though, and helping companies to look for low-hanging fruit or unbalanced security practices. Checklists and standards can help greatly with this, though their application and evaluation can be done with the thoroughness of the Queen's Guard or of the runaway guard; in any security evaluation we aim for the former, of course. The cost of doing an evaluation is insignificant compared to the potential cost of not doing one.

    Sharks and Saints - Domain Rights on and .uk

    One of the many services that Onega offers clients is assistance with domain registrations and acquisitions. This can be a minefield but there is usually a common sense solution and balance in this; as to which are the appropriate domains for an organisation to own or register and to protect branding and reputation alongside trademarks etc.

    We recently helped a client to buy a domain that matched the initials of their company name from a broker, to go alongside their other domains. In this case it was a four letter domain that we helped to purchase.

    This all went smoothly, transacting via and the timeline on this was as below:

    Negotiation - 7th Jan 2016 - Several offers and counter offers back and forth, thankfully managing to secure the domain in a small but happy spot where the offer was just affordable to our client and just acceptable to the seller, so all could proceed.

    Purchase - 7th Jan 2016 - We paid for the domain directly so that things could move ahead and to seal the deal. Thus the domain was now secured for our client's company. The purchase was for a domain for which no .uk had been registered (so rights were still vested in the domain for this).

    Transfer - 27th Feb 2016 - This was the date that the domain came across to our client in the form of a transfer to their GoDaddy Domain Registration account, and from where we immediately updated the contact details to be correct for their company contacts, to ensure a valid Nominet registration.  The delay was partly down to us as the broker process was a little different from some others in this case (we normally do a Nominet tag change to the ONEGA tag as we are a member and registrar / tag holder with Nominet); whereas in this case a GoDaddy account transfer was the process used which was fine and smooth when done.

    So far so good.

    Fast forward a few weeks. We then came to register the .UK domain as part of good management and to realise the new and trendy higher level domain registration for our client.

    It is worth explaining here for anyone unaware, that as a holder of a .CO.UK domain, you have a 5 year 'sunrise' right to register an equivalent .UK domain. Thus if you have (in our case) then you also have rights to Here at Onega, we primarily use our domain but hold the .uk domains for secondary purposes and domain protection alongside our UK registered trademark of 'Onega'. After the 5 years which starts from the .uk domain launch date to the 'fully open' period, then anyone can potentially register an equivalent .uk address. This 5 years started on 10th June 2014 so protection ends and open season begins at 10am on 10th June 2019. Thus we recommend that clients with an active domain exercise their right and protect their .uk domain with a long registration now (the cost is trivial) . It's also good contemporary branding to do this and use the domain.

    Back to our narrative... when we came to register the domain for our client as per best practice, it transpired from the .UK Whois data that the .uk domain had been registered by the seller of the domain under their own details on the same day as the transfer finally occurred (17th Feb)... hmmmmm....

    It was our understanding and is common practice that when the domain of the was purchased, that this would include the rights to register the .UK address. We were a little disconcerted to say the least when we discovered this registration, as we'd consider the domain and related rights effectively owned from the point of agreement and payment - the transfer being a formal process in the completion as would occur in the land registry work related to conveyancing and sale of a house.

    Next course of action was to read up on the rules and check our position. Nominet has a good Q&A on the .UK domain rules, which we consulted; we also checked the Terms and Conditions of the domain broker. The Undeveloped Ts&Cs did not contain anything mentioning related domain rights. Nominet's Q&A is well written although it did not have anything specific on this case, but it did remind us that .UK registrations should normally be available for the owner (who was our client at the time of the seller's registration though not reflected in Whois yet), also that these registrations can be referred to the Nominet Dispute Resolution Service if there is a disagreement on a registration. 

    The majority of domain disputes are amicably settled but having a fair procedure for resolution as a formal path available is a good comfort should it ever be needed. Our next action at this point was to get in touch with the domain broker, through whom the purchase had been agreed, to raise the issue with them and also to contact Nominet DRS informally to ask about case history and precedent on this.

    Nominet DRS were very helpful on our call and we learned that this issue has come up a small number of times already and is likely to come up again in the future as the .uk domains become more established. No cases of this type have yet reached binding adjudication, but some have been through the DRS procedure, which commences with mediation on the issue, and thus far all have been settled at this stage. In all cases that we are aware of where the complaint has been followed up through the DRS, the outcome has been that the .uk domain ended up transferred to the complainant (who is normally the rightsholder). Resolution at this stage avoids costs escalating for all parties in the process.

    This was useful to be aware of and to better understand the position and case histories. At this time we heard back from the domain broker, who reasonably disclaimed involvement in a case not directly related to the actual domain purchased and recommended that we contact the seller directly.

    We did contact the seller with a professional, respectful but reasonably formal email on the subject at hand, setting out the brief case and asking for an amicable agreement on this.

    I'm delighted to be able to say that in this case, the seller called back within the hour and the domain has now been transferred to our client at no cost. The seller had apparently sought to register the domain to protect it from abuse by anyone else, though arguably that should not have been an issue as only the owner can make the .uk registration. In any case, the situation has been resolved without further escalation. The seller was delightful to deal with and I'm happy that this was just a simple miscommunication issue rather than anything more.

    What have we learned or been reminded of from this?

    1) Don't make assumptions - in this case there was no discussion either way on the question of .uk domain rights in the negotiation process. It would have been better in retrospect if we had explicitly said 'for the domain in question and any rights vested in that registration' so that we made sure we were specifically reserving these rights.

    2) Ideally domain brokers should be clear in their terms as to whether any rights vested in a domain are included in the sale or not. It would be fair and reasonable for a seller of a domain to sell the domain but reserve the rights and register in advance the .uk domain if they explicitly state that they reserve this right.

    3) Most disputes are amicably dealt with and it is always best to try this route before looking at invoking a formal process.

    4) The online reputations of Domain Sellers and Brokers are very important to them so as far as possible most will adhere to best practices.

    If you need any help on domain matters please don't hesitate to Get In Touch and we'd be happy to discuss how we can help. 

    Thanks to Ryan Espanto for the circling sharks photo.

    Onega March 2016 Planned Engineering and First Focus on DNS

    This is to let you know about some March Planned Engineering and Service Updates - and our first 'Bono Pastore' focus area. Please see the background and overview of the program at if you're not yet aware of this.

    Our first best practice focus is going to be on DNS (Internet Domain Name Services) and making sure that clients' systems (as well as our own) are in line with best practice in this area.

    In business terms:

    DNS is the system that allows us to register Internet domains for our organisations and to browse the web and send emails with friendly names like and etc. So much uses DNS that we often take it for granted – and, when it is well implemented, so we should.

    Being such an important system, we want to make sure that client implementations are optimal in three key areas relating to DNS:

    Domain Registrations – This is the administration of your domain and the registration of it. We want to help make sure that all the details related to your domains are up to date, correct & appropriate, not due to expire any time soon etc.

    Internal Resolution – This is how client and server computing devices carry out Internet resolution so that you can connect to the Cloud quickly, reliably and safely (see Secure DNS Services for more on this).

    External Resolution – This is how people find your organisation and services on the Internet – to know where to send you email, browse your website and communicate via electronic means etc. It is important that this service be provided robustly and reliably.

    Our objective is to conduct a review to ensure that these aspects of DNS are all well implemented across our client organisations.

    The next steps are:

    We will be in contact with clients over the coming weeks to ensure that we run through your DNS configuration with you. Don’t worry if you’re not technical – we are happy to take care of those parts. We have a checklist which we’ll complete with you so that we capture the key information about your domains and identify any areas that need attention, so that we (you or us, as per preference) can work to resolve these and get them checked off.

    For clients under Onega managed services contracts we'll liaise with you and do most of the running on this to help make sure your DNS is good and documented. For clients with whom we have PAYG agreements we can agree with you who will do what, with the aim that we make sure all your services are robust.

    Expect us to be in touch soon then about next steps and starting the process. If you are not under contract with Onega (or not sure) and would like to engage in the DNS best practice review process then please do get in touch and we’ll be happy to add you to the review roster.

    For reference:

    Internet DNS Best Practice Policy –

    Organisational DNS Checklist -

    For information on Secure DNS Services:

    If you don’t have a login for Onega’s Policy and Procedure wiki then please get in touch and we’ll set up access for you.

    Technical changes that will occur on Onega Infrastructure:

    Tuesday 22nd March 2016 12:00 (Midday) GMT - We will be changing the configuration of our two legacy DNS servers and to no longer act as recursive resolvers. Thus any computers or servers that are using these servers for DNS will need to be updated to use alternate (eg Secure DNS) servers before this cut off date.

    Tuesday 12th April 2016 12:00 (Midday) GMT - We plan to turn off these two DNS servers - thus any zones hosted on these servers will need to be moved before that time. We have new servers in place to take the zones and migrations will be done as part of, and in conjunction with, the best practice review process – the new DNS servers being more compliant with best practice than our legacy servers.

    Why are we making these changes?

    In short, so that we also comply with our own guidelines for Best Practice, but in more detail:

    1) Comply with best practice - recursive DNS servers (ones that do lookups for client PCs) should be separated in role from ones that host DNS zones.

    2) For best security and to maintain best performance of the service - recursive resolvers can be abused in DNS Amplification attacks (see if you're interested to learn more).

    3) So that we make sure all clients are resolving securely to the Internet and to retire an older Windows Server 2003 DNS Server which is coming towards end of life.
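    A quick way to confirm that the 22nd March change has taken effect on a server you administer, as an added example that is not Onega's own tooling: send a query with the RD bit set for a name outside any zone the server hosts and check whether the reply offers recursion. The sample replies in the block are constructed for illustration, not captured from any real server.

```python
"""Added example, not Onega's own tooling: check whether a DNS server you
administer still answers recursive queries (i.e. acts as an open resolver).

Query a name outside any zone the server hosts with RD (recursion desired)
set. A resolver answers with RA (recursion available) set; a server that only
hosts zones should leave RA clear and normally return RCODE REFUSED.
Only the 12-byte DNS header is parsed; standard library only."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id so the reply can be matched to the query


def build_query(name, qtype=1):
    """Minimal DNS query: header with RD=1, one question, type A, class IN."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", TXID, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data):
    """Return the header fields that answer the open-resolver question."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # must be 1 in a response
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": ancount,
    }


def classify(hdr):
    """'open-resolver' if the server offered recursion, else 'authoritative-only'."""
    if not hdr["qr"] or hdr["txid"] != TXID:
        raise ValueError("reply does not match the query")
    return "open-resolver" if hdr["ra"] else "authoritative-only"


def probe(server, name="example.com", timeout=2.0):
    """Send one UDP query to a server you administer and classify the reply.
    The name must lie outside every zone the server hosts."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return classify(parse_response(data))


# Constructed sample replies (not captured from any real server):
# a resolver reply: QR=1 RD=1 RA=1 RCODE=0, one answer record counted;
# a zone-only server refusing recursion: QR=1 RD=1 RA=0 RCODE=5 (REFUSED).
RESOLVER_REPLY = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    for srv in sys.argv[1:]:
        print(srv, probe(srv))
```

    Run it with the addresses of the legacy servers after the cut-off; each should report authoritative-only, and any client still pointed at them for lookups will fail in the same way.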

    What happens if I don’t have best practice DNS?

    We don’t want to scare anyone but if you don’t comply with best practice then you risk (in the worst case):

    1. Losing your domain or having it suspended.
    2. Not being able to access the Internet.
    3. Not being able to send or receive email.
    4. Clients getting redirected to phishing or competitors’ websites, and email going the same way.
    5. Being unprotected at DNS level against infected websites.

    The above are worst case scenarios but we aim to greatly reduce the risk of occurrence by complying with best practice with regards to your domains.

    Once we've been through the review process with you the outcome should be that we can all sleep easier knowing that the DNS aspect of your IT is in very good order.

    Bono Pastore

    Bono Pastore = Good Shepherd

    This is what we aim to be at Onega. We work with organisations to help deliver smooth IT and related services. We like working with people and machines, and fixing issues. Even better than this we like to prevent problems from happening in the first place.

    Before anyone asks, we're certainly not likening our clients to quadrupedal, ruminant mammals of genus Ovis, nor do we walk on water. What we are saying is that much of IT, like many other things, is about procedures, routine and best practice. Watching over a flock is about patience and care. Not glamorous but important.

    In the same vein, here at Onega, we are thus planning to address a number of IT focus areas with clients during the course of 2016. The pattern we plan to set and repeat here will be as follows:

    1. Identify key areas of IT that may cause risks for clients.
    2. Ensure we have best practice solutions and procedures available to address these.
    3. Communicate the focus area and engage with clients to address this.
    4. Create and fill out appropriate checklists so that we capture any relevant information and actions.
    5. Agree on a plan to resolve any issues; so that things are brought as close to optimal as practicable and document exceptions where there are good reasons why not.

    During the course of these processes we will be looking at the same aspects of IT operations across multiple clients, so we have the benefit of scale in the effort and the team will be well briefed on the task at hand to ensure you are getting good advice. The outcome should be more robust systems implementations, documented procedures and policies, and documented systems and responsibilities.

    The engagement that Onega has with clients varies widely. For some clients we manage entire IT estates and systems, and for others we provide ad hoc assistance as you need us. Thus, one of the first parts of an effort is establishing the relevance of an area of IT to a client, who is responsible for this aspect and who will carry out the work and under which contract.

    We fully expect that not every proposed Bono Pastore engagement will be relevant to every client so where you are happy to take care of something yourself this is documented, and where you'd like our assistance in a matter big or small we are happy to help with that. One big benefit for everyone is that the process should help make everyone aware of aspects and ensure that any ambiguity in responsibilities (or duplication of effort) is addressed and removed. 

    The first pass of this series of best practice benchmarking exercises is due to start soon with DNS - Domain Name Services. This is one of the underpinnings of the Internet and something we use every day for conduct of business. Thus it is one that affects just about all clients so expect a post and for us to be in touch about this. We may even make it a podcast topic soon to go into more detail. We're mindful that we should communicate more about what we do as much of good IT, if done right, will not be seen but contributes to things 'just working'. This is ideal but far from universal so we should resist the trap of complacency just as the good shepherd keeps vigilant watch. The wolf is ever hungry but will find tonight's meal elsewhere.

    Have you updated your TPS and FPS registrations recently?

    TPS - The UK Telephone Preference Service

    The Telephone Preference Service (TPS) and Fax Preference Service (FPS) exist to reduce the number of unwanted (junk) phone calls that you get on a phone line by allowing you to register your number on an opt-out basis to say that you'd rather the telesales people left you alone, thanks very much.

    This is a free service in the UK and has to be renewed / re-registered annually. It takes 28 days to take effect from when you confirm the registration. Once this is in place, it is illegal in the UK to call you with an unsolicited sales call. Companies who use direct marketing must check and respect the register and if they violate the UK's direct telemarketing rules, then you can complain and the company or individual responsible can be fined.

    There are a couple of caveats to the rules, but generally 28 days after you've registered your numbers, you should find that if you've been plagued by time wasting unwanted calls then these will drop off noticeably.

    To register visit the website - and fill in the form there. Remember to list all your company phone numbers - IP / VOIP phones, analogue phones, ISDN lines (base numbers and DDI ranges). You can (and should) also list your staff's mobile phone numbers (if they are personal phones rather than business phones, check no one has any objections to theirs being registered first - 99% should thank you for it though). For mobiles it stops you getting PPI and compensation claim calls and the like - through voice (human or robot) and also for text (SMS) messages. All of these calls can be annoying and distracting and divert our valuable time from more productive activities.

    If you get unwanted (spam) SMS text messages to your UK mobile phone you can (and should) forward these to 7726 on any network (Vodafone, O2, EE etc.) and they are then investigated and traced / blocked / prosecuted (and the good news is that companies are now being actively fined big money for abuse here so there is more disincentive to continue to abuse people). An easy way to remember the 7726 code is that it spells 'SPAM' on your phone's numeric keypad. Even if a spam SMS message comes anonymously the networks can trace them.

    FPS - Fax Preference Service:

    The Fax Preference Service is just like the TPS but, as you might guess, applies to fax lines and machines. You visit the website and register your fax line(s) and confirm as for the phone preference service. This stops junk faxes that waste your time, paper and ink / toner and tie up your line. Registration is at

    Many companies are at the point now of retiring their fax machines and terminating their fax lines. Here at Onega we maintain just one fax machine & line for the odd time it is needed, but this is increasingly rare. Do ask yourself when you last used your fax machine; if you have to scratch your head for long, do call us about getting it cut off. If you don't already have one, scanners are now very good and many copiers or multi function fax / print / scan / copiers scan better than they fax. Sending a scan as an email attachment is cheaper (especially internationally) than a fax, as well as clearer.

    How Onega can help:

    For Onega's IT & Telecoms support clients, we can help make sure that you are registered and, with your authority, can also do the admin of registering and renewing TPS and FPS registrations for you. We're not just about fixing computers, we're about making your working experience better, and getting rid of some of these junk calls is a good win for all :-)

    For more information you can visit:

    And, as always, please feel free to get in touch: