DATA PROTECTION MAGAZINE
AUTUMN 2018 issue 2
DATA PROTECTION WORLD FORUM 2018

“A really worthwhile event for any data protection professional at any level; something for everyone, especially in the post-GDPR world. If you only attend one event a year, make it this.” - Information Security & Compliance Officer

2 DAYS | 4,176 REGISTERED ATTENDEES | 155 SPEAKERS | 8 THEATRES | 126 HOURS OF CONTENT | 79 SERVICE & SOLUTION PROVIDERS
REGISTER YOUR INTEREST DATAPROTECTIONWORLDFORUM.COM
3RD & 4TH DECEMBER 2019 | EXCEL, LONDON
Why you should attend Data Protection World Forum

Featuring 150 expert speakers and more than 3,500 delegates, Data Protection World Forum takes place at ExCeL, London on 20th & 21st November this year. With over 70 vendors, it will showcase more data protection and privacy solutions providers than any other European event of its kind (www.dataprotectionworldforum.com). The event takes place six months after the 25th May enforcement date of GDPR and in the wake of countless news headlines about high-profile data breaches.

Adverse media

Adidas, BA, BUPA, Cambridge Analytica, Dixons Carphone, Facebook, FedEx, Google, Heathrow Airport, Morrisons, Ticketmaster, T-Mobile, Uber and even the Conservative Party have suffered reputational damage from adverse media coverage following some sort of data breach. According to the latest findings of the Breach Level Index, the United Kingdom remains the most breached country in Europe. In many cases data is a company’s most valuable asset, but like any other asset it needs to be protected and managed. Responsibility for this should be of paramount importance to the C-suite within multinationals and to the directors of small-to-medium-sized businesses.

EU expects first GDPR fines to be levied before year-end

European Data Protection Supervisor Giovanni Buttarelli, in a recent interview with Reuters, said: “I expect the first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum.” Coming over the hill there is also the ePrivacy Regulation, which will govern all communications across electronic networks, and of course the (uncertain) impact of Brexit. The old Chinese curse “May you live in interesting times” could easily refer to the new world of data protection, privacy and trust. Visit Data Protection World Forum to source the best solutions and keep your organisation up to speed with regulatory demands.
Contents

04. Blockchain and GDPR: Can You Have Both?
06. Lego and the Lesson of Constructing Privacy that Works
10. The Journey to GDPR Compliance
14. My Facebook Page is Given a Pseudonym
16. Is GDPR an Attempt to Stop the Emergence of an Orwellian Society?
19. Artificial Intelligence Meets Data Privacy
20. Cyber
24. A Human Firewall is Your Best Untapped Defence
26. The Dark Web
28. Catching Cyber Criminals
31. Encryption Shouldn’t Be a Cryptic Experience!
32. GDPR Around the World
39. As GDPR starts to bite, make sure that your risk management is in order
41. Nymity Empowers McGraw-Hill Education’s Privacy Office
42. Data Privacy in 6 Steps
46. How to Take an Accountability Approach to Compliance with Multiple Laws
50. Data Privacy Impact Assessments [at a glance]
55. The Recovery Imperative
57. Where Ignorance Leads
Published by Data Protection World Forum Editor: Michael Baxter, michael@dataprotectionworldforum.com Design: Hannah Richards, Amplified Business Content
WHAT OUR ATTENDEES SAY
The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 attendees seeking the very latest insight on data protection and privacy. Here are some of the things our delegates had to say about the event this year: This was a breath of fresh air. No aggressive sales pitches, really enjoyable atmosphere, and lots of opportunities to drop in and out of presentations. Varied content, short and informative presentations and most of all not a ridiculous early start. - Data Governance Manager (Retail Bank)
It’s very reassuring to go to this event and get the feeling that through the world we are all facing similar challenges. And a great opportunity to see the solutions that are being implemented. - Data Protection Officer (Healthcare Provider)
I think there is no doubt that privacy is crucial for people, and the event brought together representatives from a range of disciplines, companies big and small, academics, vendors and regulators to provide broad discussions across the data protection and privacy spectrum during a time when there is growth and tightening of global privacy laws. - Group Data Protection Officer (Insurance Provider)
DPWF - industry-leading speakers that talked the audience’s language, happy to engage and answer questions. Picked up some great contacts and inspiration for future data protection strategies. - Head of Business Services (Healthcare Solutions Provider)
REGISTER YOUR INTEREST FOR DPWF 2019 3RD & 4TH DECEMBER 2019 | EXCEL LONDON
Blockchain and GDPR: can you have both?
“I think there will be GDPR 2,” says Gary Brown, Programme Director at Santander UK. He hits the nail on the head. Not everyone is convinced by the merits of blockchain, but let’s assume it does finally justify the hype. Is it compatible with GDPR?

The right to be forgotten (the right to erasure, Article 17) is a rather important part of GDPR. So, for that matter, is the storage limitation principle: data must be removed once it is no longer required for the purpose for which it was collected in the first place. Blockchain is meant to be immutable; GDPR makes it essential that data can be removed under certain circumstances. Can the unmovable object that is blockchain be compatible with the flexibility required under GDPR? With blockchain, data can be added to a network, but not deleted. Under blockchain, data is stored on every computer (or node) that forms part of the blockchain’s network. This is the essence of blockchain: because every node holds a copy and each block is chained to the one before it, a hacker cannot quietly alter a record and no single participant can cheat. To delete data, every computer in the network would have to act together and remove it in tandem. That sounds like a tough challenge.

There is another barrier. Under GDPR, data controllers remain responsible for data processed on their behalf by third parties, which creates particular problems when data is stored on computers outside the EU/EEA, or in a jurisdiction whose privacy framework is not compatible with GDPR. But under conventional blockchain, it is almost impossible to have any control over the location of the computers that form the network.

There is a wider point: blockchain is closely linked to the concept of a distributed ledger, meaning a record of ownership of an asset is stored across every computer or node that makes up the blockchain network. Such a concept seems to be in direct contradiction with GDPR, with its onus on privacy and on an identifiable controller being accountable for the data. Gary Brown echoes those doubts. He says: “One of the concerns is that blockchains are being built in a way that GDPR cannot control, and when GDPR was conceived, blockchain was not around, so it does not cover it. I think there will be GDPR 2.0 at some point to cover blockchain and other distributed services.” He adds: “GDPR is all about someone taking control of data – it’s all about accountability, blockchain has no accountability, it is multi-distributive, by its very nature.”

Are there any potential solutions?

One possible solution would be a consensus algorithm, in which the computers in a blockchain vote to delete, and the data is then removed if a majority consent. But this still leaves a problem. Blockchain puts old data into blocks; removing some of it changes that block’s hash and breaks the link to every block that follows it. Russell Marsh, Managing Director, Accenture Digital, told us that Accenture has patents that allow you to edit a blockchain: “it leaves a scar to show where it has been edited.” But it is inherently difficult, he concedes. On this point, Russell Marsh said: “It can be overcome because it will change over time from being a distributed ledger that is out in the world to trusted networks, so it could work a lot faster.” He gave as a possible example Adobe, Salesforce and Oracle clubbing together to be a trust network for doing blockchain for media, “so rather than having the whole world doing those calculations you just have those three organisations do it.” He reckons banks could do the same, “so you set up the servers within the banks and they do the encryptions, so no single one of them can confirm a change to the data on their own... which means it is faster, you can have security and transparency, but you can do things in milliseconds.”

Another advantage of a private network is that the amount of energy required to run it would be significantly reduced; Bitcoin and Ethereum are notorious for the enormous amounts of electricity consumed in the mining process. The principle of a distributed ledger is especially popular with libertarians, but a blockchain that uses a private network would lose that appeal, alienating the group of people who up to now have been its greatest advocates.

There is another potential problem. Russell Marsh fears that blockchain, which in theory gives us a network that cannot easily be hacked into, might lull us into a false sense of security, so that when a future technology such as quantum computing is able to break into a blockchain, we would be unprepared. He said: “The idea of storing data on a block is an intellectually interesting idea because you could arguably control your data by having it on a blockchain. The problem is at what point does blockchain level encryption fall apart sometime in the future and reveal all the data sat on the blockchain.”

There is one other way GDPR and blockchain could work together. According to a report from the EU Blockchain Observatory and Forum, “blockchain could, in theory, make it easier for platforms and applications to have compliance ‘baked in’ to the code, supporting data protection by design.”
BY MICHAEL BAXTER
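The two points made above, that erasing data from a block breaks the chain, and that compliance can be “baked in” to the design, can be shown in a few lines. The following is an added example, not code from the article or from any company or project mentioned in it. It builds a minimal hash chain in Python, writes a customer’s e-mail address directly into a block, and shows that overwriting it afterwards breaks verification of the chain, which is the problem described above. It then applies one common way of doing data protection by design on a ledger: keep the personal data off-chain under the controller’s control and commit only a salted hash to the chain, so erasure is a deletion of the off-chain record and its salt, the chain still verifies, and the hash left behind can no longer be matched against the erased value. The off-chain store, the commitment scheme, the field layout and the sample e-mail address are my own assumptions for illustration, not anything the article specifies; whether a leftover salted hash still counts as personal data once the data behind it is gone is a question for counsel, not for code.

```python
import hashlib
import secrets
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: str  # whatever the ledger commits to
    hash: str = ""

    def compute_hash(self) -> str:
        # The hash covers the previous block's hash, so editing any block
        # breaks the link to every block that follows it.
        return sha256_hex(f"{self.index}|{self.prev_hash}|{self.payload}".encode())


class Chain:
    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, "genesis")
        genesis.hash = genesis.compute_hash()
        self.blocks = [genesis]

    def append(self, payload: str) -> Block:
        block = Block(len(self.blocks), self.blocks[-1].hash, payload)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False
            if i and block.prev_hash != self.blocks[i - 1].hash:
                return False
        return True


def erase_in_place(chain: Chain, index: int) -> bool:
    """Naive erasure: overwrite the personal data inside the block.
    Returns whether the chain still verifies afterwards (it does not)."""
    chain.blocks[index].payload = "[erased]"
    return chain.verify()


class OffChainStore:
    """Assumed design: personal data stays here under the controller's control;
    only a salted commitment goes on the ledger. Erasure deletes record and salt."""

    def __init__(self) -> None:
        self._records = {}  # record_id -> (salt, record)

    def commit(self, record_id: str, record: str) -> str:
        salt = secrets.token_bytes(16)
        self._records[record_id] = (salt, record)
        return sha256_hex(salt + record.encode())

    def erase(self, record_id: str) -> None:
        del self._records[record_id]

    def prove(self, record_id: str, commitment: str) -> bool:
        """While the record exists, the controller can show it matches the ledger."""
        if record_id not in self._records:
            return False
        salt, record = self._records[record_id]
        return sha256_hex(salt + record.encode()) == commitment


def guess_matches(commitment: str, guess: str) -> bool:
    """A party holding only the ledger tries a candidate value. Without the
    salt, even the correct value does not reproduce the commitment."""
    return sha256_hex(guess.encode()) == commitment


def demo() -> dict:
    email = "alice@example.com"  # constructed sample, not data from the article

    # 1. Personal data written straight onto the chain, then "erased" in place.
    naive = Chain()
    naive.append(f"customer:{email}")
    naive.append("order:1234")
    naive_valid = erase_in_place(naive, 1)

    # 2. Only a salted commitment on the chain; the data itself is deletable.
    store, designed = OffChainStore(), Chain()
    commitment = store.commit("alice", email)
    designed.append(f"customer:{commitment}")
    designed.append("order:1234")
    proof_before = store.prove("alice", commitment)
    store.erase("alice")

    return {
        "naive_chain_valid_after_erase": naive_valid,
        "designed_chain_valid_after_erase": designed.verify(),
        "proof_before_erase": proof_before,
        "proof_after_erase": store.prove("alice", commitment),
        "guess_links_after_erase": guess_matches(commitment, email),
    }
```

Running `demo()` shows the naive chain failing verification after the in-place erasure while the commitment-based chain still verifies, and that once the salt is gone a correct guess of the e-mail address no longer matches the on-chain value. Note that the consensus-to-delete and “scar” approaches described above are different answers to the same problem: they change the chain, whereas this design avoids putting the personal data on the chain at all.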
Visit Data Protection World Forum #DPWF
GDPR promotes trust You hear it often enough. Complying with GDPR enables organisations to build trust with customers. But it is good to hear the argument articulated by someone like Sir Rob Wainwright, a former Executive Director of Europol and now senior partner for Deloitte’s cyber practice in North-West Europe. “When I joined Europol,” he said, “I came to an organisation that already had the principle of data protection embedded into its psyche and framework. “I kind of baulked at that. I came from an intelligence framework in the UK, where I was familiar, of course, with data protection principles, but the data protection officer was always someone who was on the basement floor and you would call up for a short meeting. It was never uppermost in the minds of people running the law enforcement community.” He said that “certain daily practices were quite robust in terms of limitations imposed on the data the organisation had collected, and what they could store it for, and what they could do with it. “There seemed to be walls in the direction I wanted to go. I was very wedded to the idea that you had to follow the legal framework, so I did. “My point: it took me less than two years before I came to realise that data protection, if managed in the right way, is a very effective enabler of the business and can support the data operations in a way that many people don’t understand. “When I look at the impact of GDPR now, I think the smartest companies will have the opportunity to get GDPR right, not just by saying ‘Oh my god, how the hell am I going to deal with this’ – as something that has to be done to avoid a fine — but rather with a mindset that is saying, “Alright, how does this change the landscape, how does that change the data landscape, and change it to my advantage? “What I saw at Europol and then went to preach – as I became a convert – is that its importance lies in the fact that you have clean
data, operations, and clean data sets. So, the idea of running a data regime that is more secure should appeal to anyone. “At Europol, we didn’t have much junk in our system, as we weren’t allowed to collect data we didn’t need. We weren’t allowed to keep data for years past the usability date. But I am glad it was like that. I didn’t want junk data, so the dataset became cleaner, the mind and skillsets of analysts became sharper and more precise, as they knew they had to make the necessary judgments with all the data they were handling rather than do it lazily, getting everything and anything. “The data operations in Europol, which were absolutely fundamental to the success of the organisation, were greatly enhanced by the data protection regime that we had. “Also, it is hugely important for the credibility, reputation and public standing of an organisation, certainly a public organisation like ours, and one that was collecting a relatively large amount of data on EU citizens. “Europol is the only organisation with a right to do that, it was rightly very much scrutinised with regards to personal data, from the European data protection supervisions, through to the European Parliament. “It is certainly more scrutinised on this front than any other, and as it should be. As such we really had to be cleaner than clean, otherwise, any significant impairment to the public reputation of Europol would have been massively damaging to its ability to do its fundamental operations.
“So, the more robust the protection environment and framework we had, the better the reputation we had, and the more strength it gave me as a director, to stand before parliament, and to say ‘I am making these points about why this data needs to be collected, about why we need new legislation’, and did so from the point of view of being the most scrutinised agency in the world on data protection, so I spoke from a position of strength.” “You can translate all these learning lessons and principles into a commercial environment. “The flipside is also true: if the implementation of GDPR goes wrong, the public reputation also begins to suffer, and that is the most important asset boardrooms want to protect.” BY MICHAEL BAXTER
[Diagram: the “house” data protection framework referred to in the John Lewis Partnership article below (“pointing to the above diagram”). Labels recovered from the image: Governance; Assurance; Policy, notices & transparency; Deletion, retention & accuracy; Demonstrating compliance; Rights: right to restrict processing/profiling, right to be forgotten, right to data portability, SARs (within 30 days); Enquiries; Complaints; Legal & contracts; Third-party management; Data breach management; PIA/SIA; Compliance testing; Policy & exceptions; Regulator; Awareness & training; Risk management; Accountability (who, what, where, why & when); Security: detection, forensics, BCM/DR, intrusion, anti-virus, patching, encryption, DLP, access control, monitoring, network segmentation.]
Lego and the lesson of constructing privacy that works

Lego sets an example for all companies that target children, says Pernille Tranberg, a data ethics advisor and speaker at the forthcoming Data Protection World Forum. She also has a thing or two to say about Google Analytics: for privacy-aware companies, there is an alternative. Google Analytics is free, but it has to be paid for somehow. And so, we pay for it with our data and privacy, says Pernille Tranberg. Pernille is a former investigative journalist, but for the last ten years has been working on privacy. “I call myself an advisor in data ethics, and advise companies and government on how to treat data in ethical ways. I also advise individuals in what I call digital self-defense,” she says. “If you are selling sports shoes, and use Google Analytics, you are telling all your competitors who have been looking at your shoes.” There are alternatives, and Pernille talks about Piwik, an open source analytics tool that does not involve giving Google all your data. “Google is a data monopoly,” she says. And that brings us to Lego. There are three things that make Lego interesting. It sells things: actual physical products you can touch. Its products are used by children. And, says Pernille, its privacy practices are exemplary. “Lego is amongst the most visionary companies and first movers with data ethics,” she says. Of course, with GDPR, the rules concerning children are strict. As the ICO, the UK’s privacy watchdog, says: “Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.” Not all companies, even those directly targeting children, get it right.
Last year, for example, some parents sued Disney over claims that 43 Disney apps aimed at children contain tracking software that can “exfiltrate that information off the smart device for advertising and other commercial purposes.” Earlier this year, the US Federal Trade Commission fined VTech $650,000 as part of a settlement for violating US children’s privacy laws. That is in America. The rules in Europe, with GDPR, are much stricter. So how does the Danish company Lego do it? Pernille said: “It decided to have no third-party cookies aimed at children.” She continued: “The company contacted Facebook and asked what data they were collecting with a plug-in, they did not answer. As
a result, there is no Facebook plug-in with the Lego App. “Lego also moderates all content and they work against manipulative behavioural design. All this is an opportunity for European companies,” she suggests. “It will be the same as with organic products. It will be exclusive and expensive in the beginning, but the market will grow and they’ll become cheaper. Governments in Europe could help that process.” “It can be like that with products aimed at children. It is unethical to use any data to influence children, and Europe has the first mover advantage in this area.” “With data, it is like the 1960s for the environment. We pollute with our data. But this is changing. We are seeing a smaller segment of consumers emerge who will use companies that are living up to data ethics – of privacy plus.” And that is an opportunity for Europe – one brick at a time.

GDPR has helped create a fantastic value proposition, says John Lewis DPO

“We have learned a huge amount about our customers, through the process of GDPR,” says Steve Wright, from The John Lewis Partnership, “and that is a fantastic value proposition.” Steve Wright, Data Protection Officer and Information Security Officer at The John Lewis Partnership, and a speaker at Data Protection World Forum in November, sees himself as something of an architect.

The house

His plan for John Lewis and Waitrose resembles a house. “I implemented the framework, based on the image of a house, there are many layers.” Steve, the architect, says: “I don’t need to just design a home with four windows, doors, six rooms, two floors, etc. I have actually got to design a house that may be in an environment that is on a slope, or has no drains – you have all these variables. So, the key to being a successful DPO, in my opinion, relates to how you make that house/framework fit without causing too much disruption to what is already surrounding it.” “So, there is your house,” he says, pointing to the above diagram.
“There is plumbing, electrical, thermal insulation, underfloor heating. I talk to my peers; a lot have taken a more legalistic way.” Instead, Steve says, his approach takes into account “how this is going to operate when I leave the building.” “And that,” he says, “is the art. It seems impossible, but can be done.” The end result, it seems, was not only a pretty thorough and extensive data privacy and security framework, but it has helped the business.

Re-permission

To begin with, they chose to re-permission the consent. This is a process that can be quite stressful. Or, as Steve put it: “Before we did this, we had to take a long stare down the barrel of trade losses that would be associated, it cost a lot of money and time to collect this data, yet we were proposing to cut that data off. So, we had to ask serious questions.”

When getting re-permission works

First came an insight. After breaking customer data into seven categories, “we realised that the top three categories accounted for 80% of revenue. We did some really detailed analysis, such as looking at catchment area, frequency, online, shop floor, and use of credit card.” So, what was the result? After looking down this gun barrel, how did the re-permission go? “We had a 92% success rate on re-permission, on the top three categories of customers. It was the best in the industry – or so I am told – suggesting main customers are loyal.”

The structure

“I assigned three board directors to different categories of data: HR/partner data, customer data, and finance, supplier and pension data. We gave each one sheet of paper, showing what they are accountable for. We used a carrot and stick approach – if you can’t validate the following 12 things, you could face prosecution.” He says that by doing this, “we got this accountability driven in.” Now there are governance layers – a steering committee, for example. “We tried to implement this into existing committees, so we introduced new roles, called data stewards,” who are like data guardians. “The data stewards are situated within the two trading divisions, and we have built a framework, so that the three data owners know, within their realms of data, who has access to it, why they have the data, what they are doing with the data, how long they are going to use it for, and what the data is. In this way, they can answer those fundamental questions that allow them to be accountable.”

Landmark discoveries

“This whole exercise for GDPR created some landmark discoveries and changed our entire data management strategy. So, we are now looking at merging data sets, after getting appropriate permission. We have learned through the process of GDPR a huge amount about our customers, and that is a fantastic value proposition. The board are now contemplating how they structure IT and data management and the whole data architecture. It is like taking medicine. If we are really respectful, careful and knowledgeable with that data, then we can really leverage it to the nth degree, and be much better at targeting our customers, who are loyal to us, and we can be loyal back to them. GDPR took this question of permission to create this better communication.”

Customer acquisition

John Lewis and Waitrose have roughly five per cent market share. Steve says: “The priority is to guard that five per cent, which is about understanding the next generation coming up, and what we can do to make these people loyal customers, so they have to be tailored to their audience. We have literally helped facilitate the better use of data in a legal way that helps the business, but also helps protect the customer and staff/partners.”

The detail

“For example, we integrated into the existing breach procedures and crisis response plans, and we have enhanced it. So, we can notify the consumer or the internal staff member, and most importantly the ICO, if we have had a breach, 24/7/365.” In fact, he says that the company gets breaches, ten or more a month, as “people are people, and they send the wrong attachments and click on links they are not supposed to, but nothing major, just lots of incremental things, but lots of little things.” To deal with this, they have implemented change control “so that every time a new application or new use of the data is proposed, it goes through a risk assessment, so that the change management team fills out a questionnaire, this is weighted, given a risk score.”

Other measures

“We have managed to build an e-learning platform for handling data in a safe, secure and legal way. People do this for 12-15 minutes, off the shop floor. We also do a lot of publication guides, for example, what GDPR means. We also do mugs and the like to sit on table tops. But the key is to operationalise them as much as possible, bed them into existing processes, so you don’t become the stopper, or the bottleneck that slows up the business, we just challenge the business. At first, they don’t like it, but they get used to it.”

Testing live data

He said that these procedures are especially important “where we have data used outside of what we deem to be acceptable, for example using live data in a test environment. You need the data to be as real as possible, but you can pseudonymise the data, anonymise the data, hash email addresses, etc. So, you can make sure that although the data is real data it would be hard to glue it back together. We have also built in procedures where we escalate up to the data owners via the data stewards, and the data owners have to sign off to say they know the risk and are willing to accept them.”

Ongoing

It’s a comprehensive strategy. But houses need maintaining. Sometimes plumbing or electrics need fixing, or paint starts peeling off and needs a new coat. Sometimes, things from outside can cause damage; floods or lightning strikes. “We are at the beginning,” says Steve. And the work, it seems, just like maintaining a large house, is ongoing.

BY MICHAEL BAXTER
GDPR and data privacy compliance is a journey that requires a roadmap of strategic and pragmatic solutions to achieve sustainable compliance. EXL Consulting has assisted many global organisations on their path to GDPR and data privacy compliance.
Visit EXL at Stand 48 on 20-21st November at the Data Protection World Forum at ExCeL, London to discuss how you can advance on your compliance journey, or book a one-to-one assessment with one of our data privacy specialists.
ADVERTORIAL
The Journey to GDPR Compliance Current and Future Focus Areas By Prakhar Agrawal, Practice Director – Data Privacy & Mohit Manchanda, Head of Consulting and F&A, UK/Europe
With GDPR now in full effect, European residents are finally in a more privacy-friendly world. Organisations invested weeks and months getting to their interim privacy maturity states in the time leading up to the 25th May deadline. They largely prioritised efforts around areas such as data processing inventories, privacy notices, consents, DPO appointment, contract addenda, rights request workflows, and basic training and awareness. However, the work is far from over. Businesses must lay out a clear plan to progress from their current privacy level to the desired compliance level, a task requiring immediate attention. They must also plan to implement forward-looking solutions allowing for sustained compliance as new data and processing activities come into the regulated perimeter. These trends are pushing businesses towards solving problems across three key areas:
Privacy Assessment Framework: demonstrating ongoing compliance

Organisations have invested significant effort to show their commitment to comply with the principles of transparency, accuracy and data minimisation required by the regulation. With accountability as the new principle, regulators have made it clear that organisations (data controllers) need to demonstrate compliance on an ongoing basis. Myriad challenges complicate this task:

• Organisations do not have a robust privacy assessment framework that they can use to assess and monitor privacy risks and controls on an ongoing basis
• Current risk assessments do not provide adequate coverage of GDPR or data privacy
• Organisations do not have a GDPR-specific risk and controls matrix, and there are no proven libraries they can leverage out of the box
• Privacy risks vary with business functions
What organisations really must do is map a proven internal control framework to the GDPR’s privacy principles, then carry out an evaluation from the lens of key assessment areas.
Third-Party Risk Management: assessing the data privacy and security preparedness of third-party data processors

Data breaches are now common. The increasingly complex supply chain of today’s technologically advanced business landscape and evolving cyber threats only increase the chance of an organisation suffering a third-party-related breach. Some studies of recent breaches suggest that as many as 50% can be directly or indirectly attributed to supply chains. The GDPR, FCA rules and other regulatory norms make the repercussions of these breaches severe. However, many organisations have taken a myopic approach to data privacy and security, focusing largely on the perimeter and ignoring or deferring their supply chain. As organisations now look to enhance and optimise their third-party risk management processes, they face several challenges:

• There is no single authoritative repository of all third parties and their related details, including the services they provide and the data they process
• Various departments hold and maintain their own records of suppliers in largely unstructured forms such as spreadsheets
• Current processes for conducting third-party risk assessments are manual and time-consuming, resulting in a low proportion of risk-assessed third parties
• Assessment questionnaires are subjective, meaning the quality of data gathered in responses is poor
• Manual risk scoring methods mean that insights generated from assessments are basic, at best
• There is limited knowledge of the risks posed by the organisations in the third party’s own supply chain

Manual processes alone will not enable organisations to accurately assess their third-party risk. Technology will be critical in augmenting overall risk assessment and reporting processes.
Sustainable Compliance: forward-looking processes and solutions

Largely, organisations’ compliance efforts thus far have been tactical. They were aimed at getting over the line and minimising adverse privacy impact. Unsurprisingly, many of these measures were manual and hence less sustainable. Take, for example, areas such as data and processing inventories, DPIAs and the rights of data subjects. Organisations carried out structured data audits to understand how personal data is held and processed, resulting in spreadsheet-based data and processing inventories. Likewise, data protection impact assessment (DPIA) questionnaires were manually circulated to various internal business functions for one-time risk assessments of their processing activities. Customer requests around portability and erasure are tracked manually or via a ticketing system with no workflow capability. Other areas have seen similar tactical fixes, mainly aimed at achieving partial compliance in the short term. Such measures prompt many challenges in the long run:

• Spreadsheets only provide a point-in-time snapshot and must be maintained as new data and processing operations come into the regulated perimeter
• Unstructured data has largely been deferred until now; discovering and inventorying such data manually is unimaginable
• Manual processes for rights request management are not scalable for spikes and surges in request volumes, given tight fulfilment timelines
• Manually fulfilling complex requests such as data erasures may not work, especially as unstructured data comes into the mix
• Access provisioning and permissions will require sophistication to account for staff movements

Achieving sustainable compliance requires people, processes and technology working together. Digitising spreadsheets will minimise errors, automating critical activities creates efficiencies, and robust underlying processes support business logic while an effective governance structure provides strategic direction.

Conclusion

GDPR is profoundly reshaping the way data is managed by organisations, challenging their current system landscapes, internal processes, data management practices and governance structures. It is not surprising that current measures for complying with this regulation are not yet sustainable. Organisations still require sizeable and well-deliberated investments in augmenting people, processes and technology. GDPR compliance is a journey, and a solid compliance roadmap will ensure compliance and good data practices in the longer run. For further information on how EXL can assist you on your compliance journey, come and visit us at booth 48 or book your one-to-one appointment with a specialist at: http://info1.exlservice.com/data-protection-world-forum-registration
Meet +150 experts at #DPWF
ADVERTORIAL
Data Privacy in 6 Steps

With the GDPR in force, a new question emerges: what now? The urge to celebrate, close the books and seek a moment’s respite from data privacy matters is only natural, but even without considering the ePrivacy Regulation looming in the future, it comes as no surprise to learn that data privacy is not a one-and-done thing. There are operational tasks required to maintain the organisation’s level of compliance, and many GDPR requirements have also not yet been definitively interpreted. Andrew Clearwater and Linda Thielová at OneTrust look deeper.
1. Look out for domestic legislation & EDPB guidelines

The GDPR, while attempting to regulate most of the data privacy agenda uniformly across the EU, still leaves certain issues to be specified by each EU Member State in national legislation. However, quite a few Member States didn’t pass implementing legislation in time to meet the GDPR effective date. This means that very often there may be additional country-specific requirements or criteria applicable to data processing, which must still be complied with, despite being made public only after many organisations’ data protection programs have been reformed. The GDPR is still very young legislation; a lot of its clauses are still open to interpretation. We can therefore expect the newly established European Data Protection Board (“EDPB”) to gradually fill in the blanks and clarify certain issues regarding the interpretation of the GDPR, as well as provide guidance and harmonization of enforcement among EU Member States.

2. Keep your GDPR compliance framework up-to-date

GDPR compliance should be perceived as an ongoing exercise, rather than as a means to an end. As such, it requires regular effort to ensure that the data privacy framework functions properly, is comprehensive and adequately reflects the realities of your organization’s operations. Practically speaking, your organization’s GDPR compliance can be boosted by drawing from your past experience to make the processes more tailored: for example, new employee training will benefit from first-hand accounts of past data breach incidents, how the organisation handled the situation and practical tips on how to avoid similar issues in the future. Any GDPR compliance framework is only truly efficient if it is recognized and followed by everyone within the organization. By incorporating practical experience, you make it more relevant and in turn maximize the framework’s effect.

3. Privacy by Design and Default – a constant effort

Privacy by Design gained major traction through GDPR as a concept aiming for a more in-depth approach, beyond merely addressing privacy as an afterthought. Privacy by default is an important element of the ‘privacy by design’ approach; it seeks to deliver a maximum degree of privacy by ensuring that personal data is automatically protected by any system or business practice. The reason why it is so important for all organisations to adopt a ‘privacy by design’ approach lies with its key role in all stages of a project’s lifecycle, for GDPR compliance and privacy levels in general. If the privacy consideration becomes another element of our design-thinking perspective while building new systems or further developing applications or data collection methods, it can make an immense difference to the level of data protection afforded to the subjects and would make addressing your organisation’s privacy risks that much easier. As with the previously outlined GDPR compliance processes, it may be helpful to merge privacy by design with existing production processes already familiar to the organization’s members.

4. Codes of Conduct & Certification – keep up with their approval process

GDPR foresees the approval of codes of conduct and accreditation of certifications (GDPR Arts. 40–42) to help organizations demonstrate compliance with data privacy requirements and best practice. Codes of Conduct may even be binding for certain professional associations and as such may potentially apply to your organisation by virtue of its membership(s). As of today, there are however no codes of conduct or certifications, seals and marks approved under the GDPR. In their absence, there are still the accountability requirements of the GDPR – specifically, Article 5(2) of the GDPR makes accountability an express obligation, and Article 28(1) states that controllers shall use only processors providing sufficient guarantees.
This means organisations are now held accountable to work with third parties that have measures in place to comply with the GDPR. Validating that these measures are in place, however, is a challenge for both controllers and processors. In their absence, organisations can assert their GDPR program towards customers and business partners by utilising the OneTrust GDPR Validation program, which offers a way to share third-party-reviewed details of an organization’s GDPR program. The validation reviews key compliance areas including DPIA processes, personal data breach response and DPO functions, based upon the GDPR and the Article 29 Working Party guidelines. The assessment is conducted via the OneTrust Assessment Automation tool to streamline the validation process and allow you to easily attach and share the necessary GDPR program evidence with the OneTrust team for review.

5. Vendor Management

As we are all well aware, controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected (GDPR Art. 28). In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement. Managing vendor risk is not a new requirement; the key here is for organisations to keep the vendor review up-to-date. This means that all new vendors should undergo a risk-based security review, and regular vendor audits should be in place to ensure that ongoing vendors comply in practice with their regulatory and contractual obligations. It is also important to check (among other obligations) whether vendors use sub-processors in compliance with their obligations and whether they notify your organisation in case of employing new sub-processors.

6. ePrivacy Regulation – get ready for its practical impacts
While the ePrivacy Regulation may not be adopted yet, the main concern for most organisations will be online tracking and the use of cookies. A good practice would be to keep an eye on what cookies are being used on your company’s websites and be clear about whether these are 1st party or 3rd party, what sort of data is being collected and who the data controller is in each case. While it is still not clear when the ePrivacy Regulation will become effective (the estimates usually state 2019 or 2020) or what its definitive wording is, it is important to follow the requirements of the current ePrivacy Directive and its specific legislative implementation by each EU Member State where your organization operates – as these may differ, and so may the implications, e.g. for your marketing activities. The combination of the current GDPR with the ePrivacy Directive already lays down specific requirements for user consent to the use of cookies, which need to be complied with already.

By Andrew Clearwater, Director of Privacy & Linda Thielová, Data Privacy Counsel, OneTrust

About the authors: Clearwater and Thielová work on the OneTrust privacy team. They provide counsel, leadership, and guidance on data protection. The OneTrust privacy team is also responsible for providing public policy analysis in the areas of privacy, data security, information policy and technology transactions. Clearwater is a Certified Information Privacy Professional (CIPP/US), holds an LLM in Global Law and Technology and is a licensed attorney. Thielová is also a Certified Information Privacy Professional (CIPP/E, CIPM), holds a degree in Law and Legal Science and has four years’ professional experience in privacy.
OPERATIONALIZE YOUR PRIVACY PROGRAM
AUTOMATE GDPR RECORD KEEPING

READINESS & ACCOUNTABILITY TOOL (GDPR Articles 5 & 24): Benchmark organisational readiness and provide executive-level visibility with detailed reports.
PIA, DPIA & PbD AUTOMATION (GDPR Articles 25, 35 & 36): Choose from pre-defined screening questionnaires to generate appropriate record keeping requirements.
DATA MAPPING AUTOMATION (GDPR Articles 6, 30 & 32): Populate the data flow inventory through questionnaires, scanning technologies or through bulk import.
COOKIE CONSENT & WEBSITE SCANNING (GDPR Articles 7 & 21; ePrivacy Directive; Draft Regulation): Conduct ongoing scans of websites and generate cookie banners and notices.
SUBJECT ACCESS RIGHTS PORTAL (GDPR Articles 12–21): Capture and fulfill data subject requests based on regulation-specific requirements.
UNIVERSAL CONSENT & PREFERENCE MANAGEMENT (GDPR Article 7): Embed consent management directly on the website with a standardised transaction workflow.
VENDOR RISK MANAGEMENT (GDPR Articles 28(1), 24(1), 29, 46(1)): Conduct vendor risk assessments, audit and manage data transfers to third parties.
INCIDENT & BREACH MANAGEMENT (GDPR Articles 33 & 34): Build a systematic process to document incidents and determine the necessity for notifications.
FREE GDPR WORKSHOP 4.5 CPE Credit Hours
Details and Registration Available at PrivacyConnect.com
For privacy professionals focussed on tools and best practices to operationalise compliance.
Steve Wood, Deputy Commissioner at the Information Commissioner’s Office (ICO), is to speak at the Data Protection World Forum (DPWF). The landmark conference comes to London’s Excel arena on 20th and 21st November to offer insight and advice on data protection issues affecting global business today.

Keynote Conference

The ICO’s Steve Wood will be among the speakers at the Keynote Conference at Data Protection World Forum. Steve’s keynote will leverage his considerable industry experience to bring clarity to the main business challenges we face as organisations develop strategy and galvanise their approaches to data protection.

A Leading Voice

A former senior lecturer in information management at Liverpool John Moores University, Steve Wood became Deputy Commissioner for Policy at the ICO in June 2017. The role sees him take care of the work of the Policy Directorate to help ensure delivery of ICO strategic goals. Stakeholder liaison, guidance, research, international activity and technology policy are among the key issues that Steve deals with in a position of vital importance within the UK’s regulatory body for data protection. Prior to this appointment, Steve oversaw the ICO’s international strategy as Head of International Strategy and Intelligence, where he managed numerous high-profile cases.

Data Protection World Forum

Data Protection World Forum is designed to help organisations get traction on the very latest legislative developments in data security. Besides keynote talks and panel discussions, delegates will have the chance to put their own questions to the specialists and become part of a wider discussion on how to improve data handling practices and prepare for compliant business growth. Coming to London’s Excel on 20th and 21st November, this industry-leading event unites all data concerns under one roof. The voices that matter will be offering analysis, guidance and insight into cultures and practices that make or break business in the digital era.
My Facebook page is given a pseudonym, says data ethics expert... By Michael Baxter
Pernille Tranberg, data ethics advisor, tells us why she distrusts Facebook. If you ever found yourself in a lift with Pernille Tranberg, and you began an interesting but confidential conversation, she might stop you and ask: “Before we talk any more, can you turn off the microphone on your Messenger app?” “It is not that Facebook is listening to us,” she says, “but it could if it wanted to.”

Pernille uses a pseudonym on Facebook. “I have a fake name, age, and location,” she says. “My friends know it is me.” So why did she take this drastic step? “Because I understood what they do with my data.” Pernille is a former investigative journalist, but for the last ten years she has been working on privacy. “I call myself an advisor in data ethics, and advise companies and government on how to treat data in ethical ways. I also advise individuals in what I call digital self-defence.” (https://dataethics.eu) Pernille is also speaking at the Data Protection World Forum in November (https://gdpr.report/news/tag/data-protection-world-forum/). It turns out, she told me, that “Facebook doesn’t stop you if you are not impersonating someone else. I just made up a pseudonym.” Apparently, you can do that on fakenamegenerated.com, and providing you are not impersonating someone else, “that’s not a problem.”

But why would you want to? “In Europe, we are fighting for data democracy, whereas in the US we are seeing data monopolies and a government that is doing nothing to stop it. In China, we have a data dictatorship.” “If you want to be data ethical, I would always store my data in Europe. You may be able to store it legally (with respect to GDPR) in China or the US, but there are always government back doors. Maybe there are in Europe too, but if you want government back doors, have European government back doors.” She continued: “Most consumers had little understanding of tracking, they just accepted it blindly.” So is that the fatal flaw with Facebook? Indeed, only yesterday (https://gdpr.report/news/2018/07/16/man-behindmoores-law-of-privacy-backs-european-privacyfriendly-rival-to-facebook/) it emerged that a European company is setting up a privacy-friendly rival to Facebook, called OpenBook. “There are lots of alternatives to Facebook,” says Pernille, “but they will focus on individual applications.” So Pernille does not expect to see a full-blown rival to Facebook emerge, but a multitude of companies offering specific services, or groups. Then again, as Pernille says: “Young people don’t use Facebook anymore, they don’t want to share anything intimate anymore.”
War is peace, Freedom is slavery, Ignorance is strength.
Is GDPR an attempt to stop the emergence of an Orwellian society? John Lewis’s Steve Wright thinks it is.
Data protection officers are like Custer’s last stand, fighting to protect our human right to privacy, says Steve Wright, Data Protection Officer and Information Security Officer at The John Lewis Partnership.

Steve spoke to us recently. And when you prod him, he reveals an idealistic streak. It’s not overpowering, he does not preach GDPR from an altar, but ask and he reveals it. “We have become so blind to the erosion of our rights,” he says. “In 50 years, you could say ‘well of course you can see everything I do and track my movements, of course there is a drone watching me.’”

He warned, with a laugh: “There is a lack of understanding in the younger generation, they are almost sleepwalking into a kind of Orwellian society. Maybe devices will be embedded in our skin, and we may be segregated for that. And we may go back 100 or 200 years if we are not careful.”

And that, he says, is why GDPR is so important. “It is a landmark piece of regulation and now with the Data Protection Act of 2018, it is critical to re-jolt us and start again on a level playing field, about the rights of you and me as individuals. I think data protection officers, all (at least the ones I speak to), feel that they are ambassadors or champions of protecting those rights.

“We are like Custer’s last stand. So, (as a Data Protection Officer) it is a bit nerdy, and specialist, and businesses may see us as a hindrance, and ask ‘Why do I have to justify what I want to do with your data?’ But we are saying, ‘No, no you have to justify what you do with that data.’

“To me that is brilliant, as you are empowering our industry, it may not be like that in 10-to-20 years, we may become just managers, but our time is now.”

So, what about social media, we ask? If you speak to data protection officers, they don’t seem to like it. “I think it is not so much dislike as distrust. I haven’t got anything against any online social media per se. But I do worry that the default position is to have the sharing of potentially sensitive data between organisations and individuals.

“So anyone in the privacy profession would have a healthy distrust of any application or system that defaults to an open system of sharing information – gather, gather, gather.”

Attitudes began to change with Edward Snowden and when Max Schrems took on Facebook, forcing the US to end Safe Harbour as a way to protect data pertaining to EU citizens and move to the Privacy Shield. Steve says that until Snowden and Schrems, no one was brave enough, or understood the complexities of it. He quotes Mikhail Gorbachev, the last leader of the Soviet Union: “‘Trust but verify’. I think it is good to trust, we need trust, it’s what our entire system is built on, but there is a level of trust that you have with an application, you trust it not to share, unless you are aware of who you are sharing it with, and why.

“I think that any social media organisation that may have exploited that trust may have moved into a grey area, perhaps dangerous ground.”

By Michael Baxter
ADVERTORIAL
Artificial Intelligence Meets Data Privacy

Machine learning and automation are taking the digital world by storm. Radim Řehůřek, the CEO of RARE Technologies, which specialises in natural language processing, describes how the worlds of sensitive data protection and modern context-aware AI converge.

Who loves regulations? Social awareness is good, but many companies are tired of fuzzy directives being rammed down their throat, whether by governments or by compliance consultants who promise the moon and deliver a self-assessment spreadsheet. “We’d rather pay the fines than hear the word GDPR ever again!”, one of our clients told us. Meanwhile, the worlds of technology and machine learning have made tremendous leaps in recent years. New AI advances are making daily headlines; everyone’s ears are overflowing with talk of deep learning and neural networks. Why then has there been so little application of machine learning to data privacy?

A lot of buck, not much bang

Companies put faith in manual processes, self-assessment and human diligence for two main reasons. One, it’s cheaper: the people are already there, so why not pile a few more trainings, a few more responsibilities on them? And two, private data protection is damn hard to automate. It’s one thing to teach a machine to discern between pictures of cats and dogs, or to play a well-defined board game like Go. It’s another thing entirely to enter the messy world of regulations, noisy data and complex relationships between misspelled and ambiguous entities, often strewn across multiple files and locations. Still, detecting, organising and redacting personal data is clearly an important task that suits machines better than humans. And so, AI slowly enters the fray, with discovery and DLP platforms evolving to go beyond mere keyword detection and self-assessment spreadsheets.

Shifting zeitgeist

There’s a change of air where the demand for authenticity and transparency trickles down from the new generation of consumers and into the B2B space. It’s a little strange that the field of data privacy has survived on generic “process documentation” and opaque, bird’s-eye-view solutions for so long. The whole data protection industry is in flux and far from solved (don’t let any vendor tell you otherwise!), and by asking the right questions you may avoid some costly mistakes.

Five AI questions that matter

Solutions that attempt to bring AI to the market face multiple challenges.

1. Is information considered in context? Just because the words “sexual” or “medicine” appear in a document doesn’t mean it’s personal data. Try this lyrics.txt file: if the system returns false positives, or refuses to show the actual detections at all, you know where it stands on the AI spectrum.

2. Where does the training data come from? AI algorithms are finicky: give them data they haven’t seen yet, such as a new language or file type, and they can fail spectacularly. While the algorithms learn over time, transparency around the models they were trained on and what they can be expected to handle is paramount.

3. What are the performance implications? The one thing regexps and keywords have going for them is speed. In contrast, machine learning relies on costly linear algebra operations. Can the solution handle your company’s entire S3 bucket, Office 365 account, SQL database, employee workstations?

4. How about data security? Do you have to send your data “into the cloud”, or can the models operate on-premises? Is the submitted data retained, used to train and update future models? Given the nature of the domain, cloud SaaS solutions are a non-starter in many auditing scenarios.

5. What type of personal data is covered? How about PI embedded in images like passport scans or email attachments? These can be a ticking time bomb, but regular expressions won’t help you there. Are large file archives and backups, where real privacy gems often reside in secret, properly analysed?

If you’re looking to deploy an AI data privacy solution for your company, you’d be well advised to ask these questions. And demand concrete answers: flashy dashboards and pie charts often serve to hide the horror of the individual detections. Everyone and their dog is riding the AI hype wave, but applying these advanced techniques correctly takes skill and experience.

About the author: Radim is the founder of RARE Technologies and author of the popular Gensim machine learning library. RARE developed PII Tools, a solution for data auditors that applies machine learning to personal data discovery, attacking the questions raised in this article head-on. For more information, visit pii-tools.com.
James Felton Keith, President at The Data Union, is to speak at the Keynote Theatre at Data Protection World Forum (DPWF). The inaugural data protection conference comes to London’s Excel arena on 20th and 21st November to give guidance to industry professionals on the data security issues that matter in business today. It has been a watershed year for data protection, with legislation such as the GDPR, MiFID II and the forthcoming ePrivacy Regulation set to recalibrate the data privacy landscape to create a safer future for all stakeholders.

America’s Data Awakening

Irrespective of potential fines, the naming and shaming of high-profile US brands is proving a pretty ugly look as consumers around the world awaken to the crucial importance of ethical data handling. James Felton Keith will be expanding upon the key issues, and explaining how the EU data laws are driving new policies and practices Stateside. He will also sit on the panel discussion on global data protection and international transfers of personal data, where he will look at whether it is possible for institutions to retain total control of data in a world of individual priorities. Currently President of The Data Union, JFK is an award-winning engineer and serial entrepreneur who defined data as a natural resource in the book Personal Data: The People’s Asset Class.

Founder of the Data Trade Association and Personal Data Week conferences, James has written and influenced widely on global cyber policy over the past decade. He is passionate about economic inclusion, and how to get equity into the hands of people with less so that the world can do more. The first black representative of the LGBT community to run for Congress, James says it is necessary to have “the mind of a CEO and the heart of a social worker to solve real people problems”. He has been appointed to the cabinet of Elected Officials, taken over for and advised CEOs, academics and non-profiteers.

Data Protection World Forum

Coming to London’s Excel on 20th and 21st November, this industry-leading event unites all data concerns under one roof. The voices that matter will be offering analysis, guidance and insight into cultures and practices that make or break business in the digital era.
CYBER
It’s more about human error, says Flavius Plesu, Head of Information Security at the Bank of Ireland UK and Chief Evangelist at OutThink Ltd.

“Back in 2006, cyber wasn’t even a word,” says Charlie McMurdie, a former head of the Police National Cyber Crime Unit and former senior cybercrime advisor at PwC. “Back then, it was just high-tech crime; it was digital crime. Cyber was a word we imported from the US.”

Speaking as a former senior police officer, Charlie says: “At that point, a lot of crime involving computers — someone stole a load of data, or hacked systems from an organisation or knocked over a website — was not reported, or if it was reported, it was as fraud or theft. So, there was no data on the extent or volume of cybercrime, and big banks and other large organisations affected by such crime were worried about reputational damage; everything was pushed under the table.”

Flavius Plesu, Head of Information Security at the Bank of Ireland UK and Chief Evangelist at OutThink Ltd, says that “when [he] started (back in the early noughties) we weren’t even doing IT security, the job was to make sure the servers stayed online.

“The concept of hackers, of someone trying to poke at our servers and get through, this would just amuse us.

“No-one took it that seriously, sometimes we had what we now call a denial of service attack, when someone tries to log in a number of times and force the server down. We weren’t seeing any real business impact. But business reliance on information has increased significantly since then. In general, back then if the server went down, it rarely mattered.

“Nowadays, cyber criminals have become more sophisticated; now they are professionals.”

Indeed, he says that the media portrays these hackers as working in the basement, typing away furiously as green lines appear on the screen. Eventually they jump up, and triumphantly announce that they are in. But they are not like that, not any more. So where is the starting point? Flavius says we need to start with people.
He explains by referring to a report from the UK’s privacy regulator, the ICO. The report looked at 967 data breaches that occurred in Q4 2017. Around 90 per cent were down to human error, with only five per cent of that 90 per cent being phishing related. “The rest of it is what you call hacking - brute force attacks, exploiting vulnerabilities and DDoS.”

Flavius likes to draw an analogy with the human body. “It can detect injuries and recover. Organisations are like this. Things happen every day and they detect and recover, fighting the infection or attack. The key is to look at how to reduce the risk of a breach.”

Returning to the human body, he says it might help if we all wore bulletproof clothes, but actually, to protect the body, the things that matter are diet, exercise, and taking simple precautions like wearing a seat belt when we are driving. With cyber security, “if 90 per cent is down to human error, such as an employee sending the wrong info to the wrong person, or losing an unencrypted laptop, that is what we need to focus on.

“I would say we must remain mindful of hacking attacks, but concentrate on a true people, processes and technology model and employ defence in depth.

“This means a number of defence layers, and on these layers we have multiple controls, so you don’t have single points of failure, so if one control fails that does not mean your security has been compromised and you have suffered a data breach.”
Tech versus People

“The industry does a fairly good job with tech; most of us have technical backgrounds, and we apply malware protection, firewalls, intrusion detection systems, email and web filtering, DDoS mitigation solutions, and we feel comfortable around this. We like that. Let’s say we have a budget of £20 million, you probably spend £18-19m on technology, £1m on process controls such as policies, risk management, assurance, and then it is around £0.5m (or less!) on people controls.”

And that may be where the problem is. “About 2 per cent of our budget goes on people,” he explained. So that’s 2 per cent of a budget where 90 per cent of the problems lie.

“Techies like to talk: if they can employ enough technology to block and contain users, especially if this is enabled by the latest artificial intelligence and machine learning, then we won’t have to worry about the people element.

“But my experience is that we never see that in practice. It is a great theoretical idea. Even if it were possible on paper to deploy such a utopian security model, the budgets would be eye watering.

“So in the real world we need to accept that people play a major role in security and focus on people controls.

“It’s about risk reduction. We know budgets are limited, we need to be careful about where we invest our resources to maximise risk mitigation and return on investment.

“And the industry suffers from a lack of effective people solutions. Instead, what we see in the market are legacy computer/web-based security awareness training and phishing simulation vendors, and these don’t really work.”
How do you do it?

“The key to good security, and indeed GDPR compliance, is culture change. Yes, you start with tech and continue with process: you appoint a DPO; write a privacy policy; build up an inventory of your information; understand where your data resides and your relationships between internal and external data processors. When you have done this you will know where your critical information assets reside, those that have high volumes of sensitive personal data; you can call these the crown jewels of the organisation. Once you have identified these, you can deploy sufficient technology controls around them: access controls, encryption of data at rest, data in transit, integrity checks, etc.
“Then look at your people. I am not just talking about old-school awareness training, I am talking about helping people understand their part in this and what correct behaviour looks like.

“And key to achieving this is to enable a two-way conversation and to really engage with your employees. If you are just going to deliver one-way awareness messages, GDPR is here, it’s important and the fines are big, that won’t do it.

“You start at the lower levels, whereby you deliver some information, maybe some internal communications, maybe some security awareness training, and you sensitise them, people become aware of the GDPR. At that stage, you are not talking about new behaviours being embedded, they are just aware now.

“You then need a way to identify, understand and measure behaviours. You need to look at people’s perception — a good starting point is to really understand people’s perceptions, attitudes, in relation to data privacy, data protection and information security.

“This will help you understand where you need interventions, which will lead you onto implementation.”

“Some say people are the weakest link, but that is not really helping.

“Let’s say there are 20,000 people in the organisation. They are not all your ‘weakest link’. You need to look across the organisation, identify who’s handling sensitive information, look at people’s engagement levels, their perceptions and attitudes, and you need to recognise individuals who may represent high risk. From experience, I would say this is often around 5 per cent of the workforce.

“But at the other end of the spectrum, you’ll identify and recruit your cybersecurity or data privacy champions, which may be between 10 and 15 per cent – these are people who already display the correct behaviours, have a positive attitude towards security, exceptional levels of engagement and knowledge, and are keen and willing to help secure the organisation.
“It is important to appreciate that building culture and creating engagement does take time. “Recruit data privacy champions from the 15 per cent who already have a good understanding, who have the right attitudes and are really engaging. And measure these things, you need hard measurements, effecting change in large organisations requires solid metrics based on actual numbers. “Set up a champion programme, make sure it is endorsed by someone at the top of the organisation, and make sure it is not just an email, but that they really support it. Also, make sure people get real benefits, such as linking their performance to the objectives, so if one of their quarterly objectives is building performance from the champions programme, actually link pay rises and bonuses, then they will really care about the programme. “The key here is: you will often find high risk employees and champions within the same business areas – so not only do you need champions who are keen and passionate about security and data protection, but also a good understanding of challenges and opportunities and understanding that can impede transformation in the various parts of the business.
“We often say we are outnumbered, there are so many attackers out there, there is a skill shortage. But, if we take this approach, and you drive engagement and build this network of champions, working as an extension of the security team, it can make your limited resources stretch across the organisation. I have seen many programmes of over 300 cyber security champions across 40 countries across the organisation, while the security team may have only been 50 people. “When you do that you turn the tables around and we are no longer outnumbered by the attackers. We have this massive resource, which has hitherto been under-utilised. Due to our stigma bias and perception of people being the biggest weakness, when we say these things we should be looking in the mirror and blaming the person we see.” BY MICHAEL BAXTER
PROFILES Charlie McMurdie is former head of the Police National Cyber Crime Unit and a former senior cybercrime advisor at PwC. Charlie worked in law enforcement for 32 years. She says she joined in 1981 – “Life on Mars days. Back then, you could spot a police officer a mile off – a big burly bloke.” Charlie wanted to get into CID from the off, and says that for surveillance work, where not standing out was vital, she had the advantage. She worked in serious and organised crime units, ran murder investigations, ran the Met’s covert ops centre, the Central Authorities Bureaux and Vehicle Fraud Units, and ran undercover teams and counter-terrorism. From there, she focused on cybercrime, retiring at Detective Superintendent level, before moving on to PwC. Flavius Plesu: “I started as a techie, as do many others in my line of work, but often they refuse to move on from that, they still refuse to believe people have anything to do with this.” He has 17 years’ experience in information and cyber security, data protection and data privacy. He entered the business in the early years of the century, when it was just called IT. At 18, he worked for an ISP in Romania, where he had to set up small networks and maintain firewalls. It was highly technical work, and he practised older programming languages such as assembly, Pascal and C++, and “could take a computer apart and put it back together.” In addition to his work at the Bank of Ireland, he is heavily involved in OutThink, a project consisting of experienced security practitioners and people from Royal Holloway, University of London and UCL. “Together we recognise the key importance of the people aspect and the critical need to appropriately address this. Companies have to think long and hard about people if they are serious about cyber security and data protection.”
In between the two sits everyone else – your moderate risk people, whom you address by a mix of tech, process and traditional security awareness activities. “But, going back to the five per cent potential weak links, that is where you are going to have your interventions, and that’s where you need to engage with the business in person. “You need to talk to heads of business areas, you need to look at processes and understand the relationship that people have with security and data protection. “That may lead to things we need to change with our security policies, because they are getting in the way of business process; we need to recognise these and handle them as policy exceptions. “You may need to put compensating controls in place, or just accept the risk. “Remember, we are here to support the business and security cannot get in the way of this. If security is a blocker, you need to do something about that. “You will also find that there are people who are uninterested or frustrated for reasons that have nothing to do with security, for example due to recent M&A or redundancies, or simply management style, or there is a culture issue. It is important to identify these areas. We could be talking about malicious insiders, for example, disgruntled employees, so you may have to employ additional monitoring, and you need to keep doing this.
ADVERTORIAL
A Human Firewall is Your Best Untapped Defence Data breaches as a result of cyberattacks may get all the press, but the biggest data privacy risk of all for organisations is people. Rob Van Straten discusses how, by fostering stronger employee engagement in training and communications, organisations can help mitigate the impact of human error. Human error is still the biggest security weakness for a business. In July alone it was reported that 139,731,894 records of sensitive data were leaked as a result of human error. Despite so many high-profile headlines in the past year about data privacy breaches and leaks, employees remain a high-risk area for organisations. However egregious the fault, human error in the disclosure of data can seriously damage a company’s reputation, expose it to claims for damages, and have a serious adverse impact on its financial performance. Equifax is a case in point. Last year’s cyberattack at the credit reporting agency resulted in the theft of highly sensitive personal data of approximately 143 million consumers, heavily tarnishing the company’s brand image, reputation and credibility. Reportedly human error was a major precipitator of the incident: the attackers exploited a publicly known vulnerability in the Apache Struts web framework for which a patch had been available for around two months, and employees failed to act on the security warnings and code reviews that should have seen that fix applied before the breach.
Mitigating the risk of human error The theft of sensitive data isn’t something that can be completely eradicated overnight, with cyber criminals’ methods becoming just as sophisticated as the technology being implemented to thwart them. The risk of human error, on the other hand, is a factor that can be reduced far more readily. It comes down to giving employees the appropriate level of training for dealing with data safely and securely. However, in today’s working environment, organisations face an employee engagement crisis. According to a recent survey by Gallup, “Worldwide, the percentage of adults who work full time for an employer and are engaged at work – they are highly involved in and enthusiastic about their work and workplace – is just 15%.” In short, significant numbers of employees simply don’t care about what happens at their company. In the context of data protection, Gallup’s findings suggest that we need to rethink the engagement tactics we use in our training and communications in order to foster a more compliance-driven culture.
If we are really going to address the human factor, we need to understand why people don’t follow policies, why they don’t change their behaviour and why they are so careless with such valuable data. Simon Sinek’s TED Talk about inspiring leadership is helpful here. He explains that much human decision making is controlled not by rational and objective analysis but by the more primitive limbic system that deals with emotion and feeling. As advertising guru Robin Wight says, “The causal role of conscious thought has been vastly overrated, and what we are in fact is not rational creatures, but rationalising creatures.” Perhaps this is one of the reasons that we are seeing a dialogue emerging around the relationship between compliance in the workplace and shared human values. After all, there is a very human cost to non-compliance in most risk areas, and data privacy is no exception. Central to data privacy compliance is a very powerful theme of protection which, if personalised, can engage and motivate employees. Taking a personal, human view of the risk means we can help employees protect their own personal data and keep their families safe, and this, in turn, may drive more compliant behaviours at work. For an organisation to safeguard itself from human-error-based data privacy threats, it must have policies and practices embedded in the company culture as robust, repeatable processes focused on secure behaviour around cybersecurity, while also ensuring awareness of the specific processes for controlling and processing personal data. If we look at where the risks of loss or theft of personal data come from, you could simply say from employees, from weaknesses in the IT systems, or from the vendors to whom we outsource IT processes in today’s connected digital world.
In order to ensure organisations sufficiently protect the personal data they are responsible for, an effective cybersecurity control framework needs to be implemented, preferably based on recognised standards (GDPR Article 32, for instance, requires “appropriate technical and organisational measures” proportionate to the risk) and supported by technology. In addition, an effective third-party risk framework and assessment process needs to be in place. But to ensure a robust risk and compliance programme, companies need to start by fostering a top-down, security-focused and personal-data-risk-aware culture throughout the organisation. And in order for a company to effectively create a human firewall, it needs to focus on developing the right ethics, values and risk-aware culture.
About the author : Rob Van Straten is Executive Vice President, EMEA and APAC for SAI Global, a provider of integrated risk management solutions. He joined the company in May 2017 from Nasdaq Inc, where he served as Global Head of Sales and Professional Services responsible for the BWise business unit, from 2011 to 2017. Previously, Van Straten served in a number of executive roles at both private and public technology and services companies.
The Dark Web The dark web has become one of the great pillars of crime infrastructure. It has given a home to a criminal ecosystem online, which is enormous in scale.
Sir Rob Wainwright knows a thing or two about the dark web. He is the former executive director of Europol, which is now the primary intelligence sharing and operational gathering centre in Europe, interconnecting 1,200 law enforcement agencies. Now he is senior partner for Deloitte’s cyber practice in north west Europe. He says that “The dark web has become one of the great pillars of crime infrastructure. It has given a home to a criminal ecosystem online, which is enormous in scale. Around 300,000 different types of commodities are traded on the dark web, including drugs and firearms. “The sheer scale, its tremendous ability to interconnect the criminal community, is on a level that has transformed the business of crime, and not just cybercrime, but the business of selling drugs has been revolutionised by the ability of the dark web to provide this platform for more or less safe and guaranteed anonymity, in creating a criminal business.” Given this, how do you catch criminals on the dark web? He says we have got lucky by getting leads from elsewhere, but speaking further, you soon realise it’s the kind of luck that comes with hard work. But Sir Rob says that does not mean we should disband the dark web, “assuming we could.” “According to our estimates, 50 per cent of the dark web is devoted to criminal efforts, but that means 50 per cent is not; there are civil liberty groups, protest movements in darker parts of the world where they also use it for very good purposes. “It is a complex picture, which takes us to a very difficult debate, that many of us have been involved in over the last few years, of where you draw the line in terms of dealing with encryption, and the ability to access and monitor criminal activity in ways you would have in the offline world. It is a difficult one to get right.”
About The Author: Rob Wainwright, became ‘Sir Rob’ this year. He calls himself a law enforcement professional. He began his career in the intelligence world in the UK, and ran Europol until May of this year. At the age of 50, he decided to experience a different community, when he joined Deloitte to take his experience to try to help government and commercial organisations do their security better, especially around cyber. He says: “Throughout my career I have had a number of touch points on data protection and privacy issues and they have gradually become much more than touch points, and have become a part of the fabric of the community. “I have come to understand and see the growing importance of data protection as a principle, one of the most important principles by which law enforcement should plan and do its work.”
Catching Cyber Criminals
“Who is going to rob a bank?”, asks Charlie McMurdie. In the old days, robbing a bank was a risky thing to do; the chances of being caught were high. But it is not like that now. Charlie says: “To do cyber, you don’t need to be a techie.” She cites as an example one case when cyber criminals uplifted a load of accounts, changed the amount in all the accounts, and then changed the maximum amount you could cash out, and they hit 210 cities in ten hours, emptying cash points. “That’s the scale. “We found that a lot of the baddies (that’s the technical term for cybercriminal) might be Russian or Chinese and that might seem as if they are hard to catch. But they might spend their money in Knightsbridge, so you can catch them that way. “If you have stolen multi-millions, you don’t want to be in the back of beyond.” She says, with robbing banks, you are at a physical location and the chances of getting caught are high, but with a cyberattack it is different. She cites one example: a disgruntled employee gets the sack, goes off on holiday to Thailand, goes online, hires a botnet attack – Avalanche – and launches it against their former employer, a high street supermarket, knocking the website down for a number of hours and losing it hundreds of thousands of pounds. Just to get revenge. “Or take schoolgirls, in the past they may have gone shoplifting, and tried to avoid security tags, but there is a limit to what they could steal, going up and down the high street. But if they go online, buy a load of credentials, and use them to go shopping on Amazon and eBay, in their case, they don’t need to go out of the bedroom, they can stay warm and dry, and could order hundreds of coats at any one time with stolen credentials.
And the chances of being arrested, even of the crime being reported, are slim, so cyber is big business.” Sir Rob Wainwright says: “You almost certainly cannot identify cyber criminals by any actions on the dark web itself, rather you need to go through more traditional means, police informants perhaps, monitoring other areas of criminal activity. “You need a lucky break.” Although, he clarified this, “the lucky break is deliberately sought. But most of the time you don’t get that break, and most of the activity goes unidentified, you see it all, you see how many drugs are being dispatched, but you don’t know from whom or to whom.”
By Michael Baxter
ADVERTORIAL
Encryption Shouldn’t Be a Cryptic Experience! Encryption, encryption and more encryption – the security buzzword is on the tip of everyone’s tongue. In an increasingly treacherous digital landscape, protecting your data with airtight algorithms seems like a logical strategy, yes? Sarah Happé, from Echoworx, gives her answer. The simple answer is: absolutely.
But making the decision to encrypt confidential emails that are leaving your secure network is about more than just encryption. The algorithms are not the differentiator when comparing secure email solutions: you will find 2048-bit RSA, 256-bit AES and SHA-2 signatures in almost all modern security products. The component of the solution that does the encryption and decryption is (most of the time at least) solid and predictable. What sits on top of that core security is the more interesting topic. Controlling which emails need encryption, the different types of delivery, the simplicity of registration, and the look and feel (known as “branding”) of the emails and web site are the real differentiators of a first-class secure email solution. It is my job to help enterprise-level organisations understand how email encryption fits into their business model, and for me this starts with helping them create a seamless end-to-end experience for their clients. When I work with a new enterprise, a little time is always necessary to cover the basic security aspects of the platform. However, you may be surprised to learn that much more time is spent fine-tuning the customer experience to align with the enterprise’s goals and expectations. Secure email becomes an integral part of the communications strategy for the entire business. It needs to look authentic and use phrases and terminology that match the company’s web site and advertising. It is also important to consider how varied the recipients of secure email will be: a grandmother at home with minimal computer experience who needs everything explained in detail, versus a tech-savvy Millennial who expects efficiency and automation. The same secure email experience is used for both, so it had better not alienate anyone! Your clients are unique, but they all need to trust you with their most personal data, and they will leave you if you lose it.
A recent Echoworx survey, for example, found that a full 80 per cent of customers would consider leaving a brand after a data breach. That’s no small figure. So how do we achieve this blend of secure email that is still easy to read and send? Your own employees don’t want any extra steps or separate systems; if it’s inconvenient, they won’t use it. Your corporate network is already protected by firewalls, access controls and the native security in your mail server, so let the encryption happen as the email is about to leave your network (at what is commonly called the “gateway” or “boundary”). It is the recipient who has to work with the encrypted version of that email, and the best way to keep them happy is to send it in the format they understand. A business partner whose mail servers you trust can receive transparent encryption over TLS; note that TLS protects the message only in transit between mail servers, not once it is stored on the recipient’s side, so it is suitable only where that server is itself trusted and the TLS connection is enforced rather than opportunistic. A customer receiving a monthly statement should get a secure PDF attachment. A European bank may demand PGP, because its employees have PGP software running on their desktops. The secure email platform should work this out from policies you define during initial customisation of the service. If you’re doing business internationally, you also want to be aware of local jurisdictional laws and regulations. In our post-GDPR world, you know that where and how you store your clients’ data matters. But don’t forget to consider how your communications will reach people in non-English-speaking countries. Here’s another example of that usability layer that lives above the actual encryption: you want your clients to feel at home with you and comfortable sending sensitive information through encrypted channels. A confused customer is likely to second-guess the validity of a secure message and may be more susceptible to scams. Investing in data privacy is not only good for your brand; it’s good customer service. And, when done right, it’s “plain and simple!”
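As an added illustration of the policy layer described above (example code written for this page, not Echoworx’s product): a small Python gateway policy that classifies outbound mail with constructed content rules, picks PGP, enforced TLS or a secure PDF per recipient, and refuses to let a TLS requirement degrade to cleartext when the remote server does not negotiate it. The recipient attributes, detection patterns, policy order and sample messages are all assumptions made for the example.

```python
"""
Policy-driven choice of outbound email protection at the gateway.

Added illustration for the model described above; it is not Echoworx code.
The recipient attributes, policy order, detection patterns and messages
are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass
class Recipient:
    address: str
    has_pgp_key: bool = False    # assumption: a key for this address sits in the gateway's key store
    tls_enforced: bool = False   # assumption: partner domain whose MTA must present a verified TLS cert


@dataclass
class Message:
    sender: str
    recipient: Recipient
    subject: str
    body: str
    tagged_confidential: bool = False  # assumption: the sending client set a "confidential" tag


# Constructed content rules standing in for a DLP policy: a 16-digit
# payment-card-like number (optionally separated by spaces or dashes) and an
# IBAN-like token. Real gateways carry far larger rule sets.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def needs_encryption(msg: Message) -> bool:
    """A message must be protected if the sender tagged it or a content rule fires."""
    text = f"{msg.subject}\n{msg.body}"
    return msg.tagged_confidential or bool(CARD_RE.search(text) or IBAN_RE.search(text))


def choose_delivery(msg: Message) -> str:
    """Policy order: PGP (end-to-end) > enforced TLS (transport only) > secure PDF."""
    if not needs_encryption(msg):
        return "plain"
    r = msg.recipient
    if r.has_pgp_key:
        return "pgp"   # only the holder of the private key can read it, wherever it is stored
    if r.tls_enforced:
        return "tls"   # protected hop-to-hop; lands in the clear on the partner's server
    return "pdf"       # encrypted PDF the recipient opens with a registered password


def route(msg: Message, remote_offers_tls: bool = True) -> str:
    """Apply the policy and handle the failure mode that matters most: a
    "require TLS" decision whose STARTTLS negotiation does not succeed must
    never degrade to cleartext, so the gateway falls back to a secure PDF."""
    method = choose_delivery(msg)
    if method == "tls" and not remote_offers_tls:
        return "pdf"
    return method


# Constructed sample traffic (example domains; the IBAN is the published UK
# example IBAN and the card number is made up).
SAMPLE_MESSAGES = [
    Message("ops@bank.example", Recipient("partner@corp.example", tls_enforced=True),
            "Q3 settlement", "Please settle against IBAN GB29NWBK60161331926819 by Friday."),
    Message("statements@bank.example", Recipient("grandma@mail.example"),
            "Your monthly statement", "Card 4242 1234 5678 9012 was used for three purchases."),
    Message("news@bank.example", Recipient("reader@mail.example"),
            "Branch opening hours", "Our branches open late on Thursdays in December."),
    Message("treasury@bank.example",
            Recipient("treasury@eurobank.example", has_pgp_key=True, tls_enforced=True),
            "Counterparty limits", "See attached.", tagged_confidential=True),
]


def route_all(remote_offers_tls: bool = True) -> dict:
    """Route every sample message; keyed by recipient address for inspection."""
    return {m.recipient.address: route(m, remote_offers_tls) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for addr, method in route_all().items():
        print(f"{addr:28} -> {method}")
    print("partner when remote TLS fails ->",
          route_all(remote_offers_tls=False)["partner@corp.example"])
```

The point to take from the fallback in route() is that "send over TLS" is a policy the gateway can only honour if the remote server actually negotiates it; an opportunistic STARTTLS that silently fails would otherwise send the partner's IBAN in the clear.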
About the author: Sarah Happé serves as Director of Client Engagement at Echoworx, a recognised leader in secure digital communication.
WHAT OUR ATTENDEES SAY
The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 attendees seeking the very latest insight on data protection and privacy. Here are some of the things our delegates had to say about the event this year:
A really worthwhile event for any data protection professional at any level; something for everyone, especially in the post-GDPR world. If you only attend one event a year; make it this. I will be returning next year hopefully. - Information Security & Compliance Officer (IT Service Management Company)
I really enjoyed the experience of meeting so many colleagues in the data protection industry. The speakers were brilliant and represented a wide range of aspects of data protection. The Forum overall was interesting and informative, and I felt that I took away some very helpful information and tools to use in my organisation. - Data Protection Officer (Local Government Organisation)
I found the Data Protection World Forum very informative with a broad range of speakers; they definitely covered all bases. It was a great event and full of great likeminded people. I would recommend attending next year. - Data Protection Officer (Software & Accounting Company)
The DPWF provided a brilliant platform for everybody involved and affected by privacy to engage in a debate and share their knowledge. - Privacy Manager (Consultancy)
GDPR around the world Is GDPR having a domino effect?
As one country adopts a GDPR-type framework, will others follow: countries falling for a European-style privacy framework, one at a time? A country that trades a great deal with the EU may simply find it easier to adopt its own GDPR-style regulation; in this way it may spread, like a benevolent contagion. To an extent this might be true. China, though, seems to be heading in the opposite direction with its social credit system, and many Europeans are becoming frustrated with what they see as an intransigent attitude in the US. EU MEPs have voted 303 to 223 in favour of a motion calling for the US to comply with GDPR by September 1st, or for the Privacy Shield to be suspended altogether. Well, September 1st has been and gone and nothing has yet been suspended. The resolution called “on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 25 May 2018, and with the EU Charter, so that adequacy should not lead to loopholes or competitive advantage for US companies.” Meanwhile, Vera Jourova, EU Justice Commissioner, said: “We need to check that ‘America First’ does not mean ‘America Only’.” And that takes us to the thorny question of Brexit.
Brexit provides no let-off for UK firms on GDPR, but it will mean some changes In or out of the EU, the UK won’t extricate itself from the reach of EU data protection regulation. There is more than one reason for this. First, there is what used to be called the Great Repeal Bill. Once, and indeed if, the UK leaves the EU, it will still be subject to laws that are identical to EU laws. When she first discussed the bill, Theresa May referred to it as the Great Repeal Bill, although by the time Parliament passed it, it had become the European Union (Withdrawal) Act 2018. There are three key aspects to it. When the UK leaves the EU, which it is scheduled to do in March next year, the legal authority of EU law will be removed. In its place, EU law, including GDPR, will be carried over into UK law. UK ministers will then have the power to amend it by secondary legislation.
Second, the UK government has stated its intention to keep GDPR as part of UK law. On 21st June 2017, when the UK government unveiled its legislative programme, the notes to the Queen’s Speech stated that legislation will have the effect of “helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU”. And third, the Data Protection Act 2018 makes the UK’s adherence to GDPR clear. There are, however, issues associated with Brexit that may create complications. Under the GDPR, there are restrictions on the flow of personal data out of the European Economic Area. These restrictions are largely lifted for jurisdictions that hold an adequacy decision from the EU. Unlike Japan, which recently concluded a bilateral data sharing agreement with the EU alongside a comprehensive trade agreement, the UK has no such agreement. The UK will need to be found “adequate” by the EU to allow uninhibited data flows between the UK and the EEA.
Failing that, companies will have to rely on other safeguards, such as Binding Corporate Rules, Standard Contractual Clauses, certifications or seals, all of which must first be blessed by the European Commission. The barrier here relates to logistics: the European Commission has a crowded agenda. And this takes us to a worrying point. When considering Canada’s adequacy status many years ago under the previous EU Data Protection Directive, the EU limited its adequacy finding to Canada’s federal privacy regime under the Personal Information Protection and Electronic Documents Act (PIPEDA). None of the provinces – not even Quebec – were granted adequacy status. Recently, privacy lawyer and Canadian, Abigail Dubiniecki said: “The European Commission has to be abundantly transparent about how it makes its adequacy decisions [if it wants to avoid US accusations of non-tariff barriers to trade], and I say this as a Canadian who was recently disappointed that jurisdictions like Quebec, which of all Canadian jurisdictions is the closest to the EU, were not granted adequacy status under the EU Data Protection Directive.” She said, in Quebec, “the legal foundations, just like in the EU, are baked right into its Civil Code and its Charter: that you have an inalienable right to ‘the respect of [your] name, reputation and privacy’ (art. 3, CcQ), to the safeguard of [your] dignity, honour and reputation, and ‘to respect for [your] private life’ (arts. 4-5 Quebec Charter). These rights are inalienable. And they have been – for a while now – actionable in court. I thought that (the decision) was quite shocking. I am mystified by how this happened.”
It is worth bearing in mind, however, that Canada does have an adequacy decision for commercial organisations, allowing them to transfer data. There is also the question of supervisory authorities. Post Brexit, what role will the UK’s privacy regulator, the ICO, have in enforcement concerning issues that span the UK border into a region where GDPR applies? Finally, there is one controversial point, which relates to data pertaining to EU immigrants in the UK. The Data Protection Act 2018 introduces exemptions from certain provisions of GDPR, including subject access requests and the right to erasure. Schedule 2, Part 1, paragraph 4 of the Act states: “The GDPR provisions (listed in an earlier paragraph) ...do not apply to personal data processed for any of the following purposes: (a) the maintenance of effective immigration control, or (b) the investigation or detection of activities that would undermine the maintenance of effective immigration control.”
California When real estate entrepreneur Alastair Mactaggart and finance industry executive Rick Arney got talking, they soon realised that privacy rights were not being given priority by the companies that collect data or the authorities that legislate. And so, after many phone calls and meetings, and after hiring privacy expert Mary Stone Ross, they set up the Californians for Consumer Privacy pressure group. Some 637,000 signatures later, they had qualified the California Consumer Privacy Act as a ballot initiative. Securing more than double the required number of signatures meant the measure would go to voters in November unless Californian legislators acted on it themselves.
Facebook, along with Google, Comcast, AT&T, Verizon, Microsoft and Uber, pumped $2 million into a group designed to stop the legislation. “We have heard that there is a $100m campaign lined up against this measure,” said Alastair Mactaggart earlier this year. Despite all this, it was going ahead anyway, until legislators, worried that they were losing control, took the cause on. Earlier this summer, as a result, Californian legislators passed the privacy law AB 375, a kind of GDPR for California, to take full effect in January 2020. It isn’t quite GDPR, though. For one thing, it does not arm regulators with the teeth that their European counterparts can gnash, dishing out massive fines; but the new law will furnish consumers with new rights, including the Californian equivalent of subject access rights, more exacting rules concerning consent and the right to have data deleted. The rules concerning consent are not as prescriptive as those within GDPR, with an emphasis on opt-out rather than opt-in.
Some say that the Californian privacy regulation is like GDPR-lite. But Abigail Dubiniecki, Associate at Henley Business School’s GDPR Programme and Specialist in data privacy at My Inhouse Lawyer, doesn’t think that’s a fair assessment. “I am not a believer in copy-pasting one legal system onto another; the GDPR is part of a much broader legislative framework that is built on the Treaty on the Functioning of the European Union (TFEU) and, so GDPR builds upon the EU Charter of Human Rights, it has a very specific context and flows from European notions of autonomy and personality rights that do not necessarily translate on a one-to-one basis to other contexts.” She says: “The law in California is trying to capture the spirit of the GDPR – to build more trust and give people more control, which means more accountability and transparency among tech companies and more choice for individuals.” By contrast, in the US, she says the notions of autonomy will probably resonate more effectively with people there. Trying to copy and paste these fundamental human rights that are valued in the EU into the US would be a bit of a mismatch, because culturally they are different.
Tech resistance But while the big techs say they support GDPR, in California various trade associations which represent them are trying to water down the Californian legislation. A letter sent by an assortment of Californian trade bodies, including the Californian Chamber of Commerce, has called for changes to the Act. Among their proposed changes are calls for:
• Deleting the term ‘specific pieces’ where the regulation requires organisations to provide details on browsing history when data subjects request information on the data held about them. In this way, organisations would not have to provide details on the websites their records show data subjects have visited.
• Deletion of the requirement to provide data requested by individuals in a readily usable format.
• Deletion of a section that relates to profiling data subjects. The section they want deleted refers to data that “reflect(s) the consumer’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.”
• Changing the definition of personal information to exclude “aggregate consumer information nor information that is deidentified, pseudonymized, or publicly available information...”
• Extending the period organisations have to respond to information requests to 45 days.
The letter described the legislation as “hastily passed” and says it wants to “address drafting errors, and fix aspects of this bill that would be unworkable and that would result in negative consequences unintended by the authors.” The letter said: “Online advertising allows companies to reach audiences that are likely to be interested in the companies’ products or services in a privacy protective way, which does not require the online platform to identify the consumer to the business in order to deliver the business’s advertisement.” In response, privacy advocates wrote a letter stating: “On behalf of 39.5 million Californians, the undersigned state and national organisations strongly urge you to reject recent proposals to weaken the California Consumer Privacy Act... “The majority of the Chamber letter’s proposed changes are substantive in nature and would fundamentally water down the privacy protections. “Even when the letter does identify a provision where a technical fix is needed, the proposed solution is often excessive in nature and would run counter to the clear intention of the legislation...” As for the claim made by the trade associations that the legislation is unworkable it said: “What is allegedly ‘unworkable’ today will be workable once companies comply with the law.”
Returning to Abigail Dubiniecki, she said: “That the tech companies are trying to speak in terms of the free market, freedom of expression, things that resonate with US, whilst side-lining the issue of trust.”
The rest of the US
But it is not just California where things are changing. In Alabama, a new data breach law has been passed. The law relates to unauthorized acquisition of sensitive personally identifying information in electronic form and carries a maximum fine of half a million dollars for companies that are subject to a breach and did not comply with the law. Clearly, it’s a step in the GDPR direction, but many steps short of the European regulation. In Arizona, the breach notification law has been updated – it too carries fines of up to $500,000, but as in the case of Alabama, only has similarities with one part of GDPR. In Colorado, a new regulation applies to entities that maintain, own or license personal identifying information in the course of the person’s business, vocation, or occupation; such entities are accountable for protecting personal information. In Iowa, a new regulation that came into effect on July 1st is designed to protect the privacy of children. In Louisiana, new regulation, among other things, deals with breaches and requires the destruction of data once it is finished with. In Nebraska, regulation requires reasonable security practices, while in Oregon, breach notification rules have been amended. Other states with privacy/data protection regulation in place include South Carolina (heightened breach notification regulation), South Dakota (a new data breach law), Vermont (regulation of data brokers) and Virginia (amended breach notification laws to now include data on income tax).
The rest of the world
South of the border, down Brazil way
A new law in Brazil which is similar to Europe’s GDPR has been sanctioned by Brazil’s President. However, he vetoed several sections. The new legislation, the General Data Protection Law, was sanctioned by Brazilian President, Michel Temer, last week. The legislation will become enforceable in 18 months.
The law is similar to GDPR, but not identical; GDPR spreads over 80 pages, GDPL, 30 pages. Similarities with GDPR include:
• cross-border jurisdiction, meaning data related to Brazilian citizens is subject to the law wherever the data processor is based;
• related to the above, regulations on transfer of data internationally;
• a risk approach;
• like GDPR, the Brazilian legislation talks about lawfulness, fairness, accountability, non-discrimination, purpose limitation, data minimisation and transparency on the use of personal data;
• the Brazilian legislation includes a right to be forgotten and the right to access data;
• requirement to notify data breaches;
• requirement to appoint data protection officers, under certain conditions.
It is slightly different in other respects:
• the Brazilian legislation provides for 10 legal bases to process data, unlike GDPR’s six legal bases;
• slightly lower maximum fines;
• imposes even shorter deadlines to notify about breaches.
However, Mr Temer vetoed a requirement for a National Data Protection Authority (ANPD) and the establishment of a National Council for the Protection of Personal Data and Privacy. The President said that the vetoes were required because under Brazilian law congress cannot create agencies. He said that the executive will create agencies similar to those proposed. On the other hand, the new law does give citizens the right to sue companies who misuse their data.
Across the world, GDPR is seen by many as the benchmark: it has set a high bar in data protection and privacy regulation. But there are adequacy agreements in place with various countries across the world, suggesting that the EU believes privacy regulation in these countries is sufficiently robust. Countries which have adequacy agreements with the EU are: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States. Except in the case of the US, the agreement is partial. In Canada, the Personal Information Protection and Electronic Documents Act, known as PIPEDA, falls way short of GDPR. In fact, considering that Privacy by Design was invented in Canada, and that many of the world’s leading privacy experts are Canadian, it is quite surprising how far short it falls. There are voluntary standards in Canada, and indeed some Canadian companies set the highest of examples in their approach to privacy, but there is a question mark over Canadian privacy regulation being sufficient. But PIPEDA is being amended later this year.
In Japan, the Act on the Protection of Personal Information was amended in May 2017, and in a recent meeting between Commissioner Haruhi Kumazawa of Japan and Commissioner Věra Jourová of the EU, a joint communique was released saying that the two countries were moving to a position such that an adequacy agreement with Japan will be in place. In China, regulation has some similarity with GDPR; in other respects it is like the polar opposite. The Cyber Security Law does require the Chinese government to produce a written assessment before transferring data, and has certain ambiguity that has similarities with GDPR regulations concerning legitimate interests. But the Chinese Social Credit System is as different from GDPR as you can imagine. The system is designed to give citizens and companies points for their everyday behaviour and activities, based on what people buy, who they associate with and what they post. There is even talk of marking people down who play too many video games. And for people who get low scores, it might be impossible to buy a train ticket, for example. Many critics argue that the Chinese system has a distinct Orwellian feel to it. Privacy regulation advances in other regions too - in Australia, amendments concerning breach regulations were added to the Privacy Act of 1988. In South East Asia, Singapore, Malaysia and the Philippines are advancing privacy regulation. In Africa, the Protection of Personal Information Act (PoPI) is expected to come into force later this year. Finally, in India, a draft Personal Data Protection bill is advancing, while a group of lawyers is calling for something much closer to GDPR – The Privacy Code.
BY MICHAEL BAXTER
Data Protection World Forum (DPWF) is delighted to welcome Wojciech Wiewiórowski, Assistant European Data Protection Supervisor, to its speaker roster. Coming to London’s Excel arena on 20th and 21st November, DPWF is an industry-leading data conference set to unite all business leaders’ data security concerns under one roof.
A Timely Event in a New Era in Data Protection
Barely six months on from the introduction of the General Data Protection Regulation (GDPR), data breach reports have reached record levels, with news websites lighting up with the latest cyber security let-downs. Current focus falls on social media sites, which have been found to be the guiltiest of all outlets for data breach offences, according to Gemalto research. It has been a torrid few months for the big platforms, with Facebook admitting that up to 50 million of the social network’s users’ details were compromised due to a bug in its ‘view as’ feature. Facebook could now face a regulatory fine of up to $1.6bn. Google+ remains red-faced after the tech giant disclosed that external developers were able to access 500,000 Google+ user details, a breach that looks set to shut down the popular site. These are testing times for all organisations that deal with the private data of EU citizens. Business owners need to get on top of the data security obligations of the GDPR and other landmark data legislation at a time when consumers are being given more and more reasons to doubt companies’ ability to manage data ethically. The Keynote conference theatre at DPWF is designed to give C-suite members and senior IT professionals insight and advice on the latest regulatory and security issues. Among speakers at the theatre will be Wojciech Wiewiórowski, who has been working with the European Data Protection Supervisor and in public administration since 2016. He was elected to the post of Inspector General for Protection of Personal Data (Polish Data Protection Commissioner) by the Polish parliament in 2010. He held the post until his re-election to the role in November four years later and was Vice Chairman of the Article 29 Working Party between February and November 2014. Wojciech has published numerous studies and lectures in the field of personal data protection, IT law, e-government, and legal informatics. His areas of scientific activity include Polish and European IT law, processing and security of information, legal information retrieval systems, information of public administration, electronic signatures and application of semantic web and legal ontologies in legal information processing.
BOOK YOUR PLACE TODAY
Data Breaches Will Continue & Intensify
Safeguarding your data requires a solution you can trust
MONITOR, TRACK & REPORT ON IT Risk and Compliance:
• Cybersecurity
• GDPR
• IT Vendor Risk
• Digital Incident Management
• Business Continuity
• Security Threat and Vulnerability
Bring IT security to the forefront of protecting your business – Speak to one of our team at the upcoming Data Protection World Forum, stand 96.
WE OFFER
• The most comprehensive content library
• Business intelligence reporting
• E-Learning courses
• Risk advisory services
For more information please contact info.emea@saiglobal.com | www.saiglobal.com
Data Protection World Forum will see Marloes Pomp speak in the GDPR Advanced Theatre. Head of Blockchain Projects for the Dutch Government, Marloes will join a roster of specialists on data security when she explains key issues surrounding tech and GDPR legislation at Data Protection World Forum.
Governance vs Innovation
Running parallel to a landmark year in data regulation is an irrepressible tide of technology pushing a global Internet of Things (IoT) market predicted to be worth $8.9 trillion by 2020. Reconciling the worlds of good governance and innovation will be difficult when one considers the many security and privacy issues that IoT introduces. Can compliant business methodology really look forward to embracing the power of blockchain, whose much heralded immutability contradicts EU law’s demands that personal details can be edited and removed under certain circumstances? The GDPR Advanced Theatre at DPWF brings timely insight into the key issues facing technology and business as we move forward into the GDPR era. Speakers will delve into the intricacies of the regulation, throw a spotlight on current and emerging tech trends, and consider the many implications for the data security upon which our futures rely. Attendees of the GDPR Advanced Theatre will be able to hear Marloes Pomp discuss the future role of blockchain. Marloes is currently Initiator and Programme Officer for the blockchain projects within the Dutch Government and is responsible for the international strategy of the Dutch Government Blockchain Coalition. Marloes began 35 pilot projects within the Dutch Government to establish the exact opportunities and threats of distributed ledger technology, some of which are in prototype phase, while others are fully implemented. The tech specialist has also built an international network with governments collaborating on topics concerning prototypes and tech innovation. In 2017, Marloes was Mission Leader of the first official blockchain trade mission to Singapore and is now working on a three-year collaboration between Singapore and the Netherlands on blockchain projects and research. Marloes’ roles have covered a series of project leader and researcher areas at government organisations, including the Ministry of Internal Affairs, City of Amsterdam, the Dutch Court and the Ministry for Foreign Affairs.
Data Protection World Forum
Data Protection World Forum is designed to help organisations get traction on the very latest legislative developments in data security. Besides keynote talks and panel discussions, delegates will have the chance to put their own questions to the specialists to become part of a wider discussion on how to improve data handling practices and prepare for compliant business growth.
BOOK YOUR PLACE TODAY
ADVERTORIAL
By Simon Marvell, Partner at Acuity Risk Management
As GDPR starts to bite, make sure that your risk management is in order.
In September 2018 the UK Information Commissioner’s Office (ICO) issued the UK branch of credit rating agency Equifax with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017. The ICO investigation revealed multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and being vulnerable to unauthorised access. Simon Marvell, from Acuity Risk Management, explores further.
Because the failings occurred before GDPR came into force in May 2018, the investigation was carried out under the Data Protection Act 1998 and the fine issued was the highest possible under that legislation. If the failure had occurred after GDPR became law the fine could have been much higher. Fines under GDPR will be imposed in accordance with the risk profile of the operation and the extent to which the risks were appropriately addressed. Over the next few years, GDPR will start to bite, and organisations that suffer a serious privacy breach and who can’t demonstrate a diligent risk-based approach to their handling of personal data will find themselves subject to very serious penalties. On the other hand, organisations may face reduced fines or avoid fines altogether by addressing the risks to their operations, even if such measures fail to prevent a breach. (See: The Risk-Based Approach in the GDPR, Interpretation and Implications. Gabriel Maldoff, CIPP/US, IAPP Westin Fellow.)
GDPR: A Risk-based regulation
GDPR requires a risk-based approach to compliance, with organisations required to consider the risks of varying likelihood and severity to the rights and freedoms of natural persons. This is a different emphasis from the management of risks to the business, which typically focuses on financial, reputational and other impacts to the organisation rather than to individuals. Appropriate risk-based technical and organisational measures must be implemented to:
• Demonstrate processing in accordance with the regulation (Article 24).
• Design processing to implement the data protection principles and integrate the necessary safeguards (Article 25).
• Ensure a level of security appropriate to the risk (Article 32).
These are ongoing requirements, meaning that organisations must monitor, review and update their processing to continue to comply with the regulation.
Risks to privacy
Risks to privacy align with the data protection principles: Lawfulness and fairness; Transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; Availability; Personal participation and access; and Accountability. For the security-related risks, organisations should consider the need for pseudonymisation and encryption of personal data. Other risk-based measures must be taken to ensure the ongoing:
• Confidentiality, integrity, availability and resilience of processing systems and services.
• Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• Compliance with data protection principles.
These should be backed up by processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
Various guidance is available to assist with privacy risk management:
• BS ISO/IEC 27002:2013 — Code of practice for information security controls
• BS ISO/IEC 29151:2017 — Code of practice for personally identifiable information protection
• Measures for the Privacy Risk Treatment — Commission Nationale de l’Informatique et des Libertés (CNIL, the French data protection authority)
It is important that processes are ongoing and are reviewed, tested and updated regularly; these are not one-time activities that can be completed once and forgotten about.
Processing of high-risk data
For the processing of high-risk data, such as data of a highly personal nature, data concerning vulnerable data subjects and large-scale processing, additional obligations apply:
• Data protection impact assessments (DPIAs) may be required, providing a systematic description of processing and (amongst other requirements) describing how risks to the rights and freedoms of data subjects are managed.
• Prior consultation with the relevant Data Protection Authority may be required unless the controller implements appropriate measures to mitigate the risk.
• Notification of a data breach to the individuals affected may be required unless, again, appropriate measures (such as encryption) have been implemented.
While high-risk data attracts additional scrutiny, organisations should remember that the requirement for a risk-based approach applies to the processing of all personal data, not just high-risk processing.
Practicalities of a risk-based approach
A risk-based approach requires risks to be identified and assessed, and then appropriate technical and organisational measures to be implemented effectively and maintained. The problem is that things change: processing of personal data changes to exploit new opportunities, which changes the risk profile and the required mitigations. If a breach occurs then organisations may need to show that, at the time of the breach, reasonable risk-based measures were in place and operating effectively – this requires evidence and history to be retained. The following are recommended minimum requirements for a risk-based approach to compliance with GDPR:
• An Asset Register of personal data with mappings to supporting assets
• A Risk Register with assessments of privacy and security risks to the rights and freedoms of individuals
• Mappings of technical and organisational measures to risks, with test results to show that they are operating effectively
• Ongoing visibility and monitoring of risk status and the effectiveness of mitigations
• Evidence, history and accountability to show a continuing risk-based approach.
Except in very simple, low-risk situations it is unlikely to be practical or efficient to manage these processes with a manual, spreadsheet-based approach. Instead, Governance, Risk Management and Compliance (GRC) software platforms, such as Acuity’s STREAM Integrated Risk Manager, should be considered to operationalise risk-based compliance with GDPR.
Conclusion
The requirements for a continuing risk-based approach run through GDPR and organisations should put appropriate risk management processes in place to protect the rights and freedoms of individuals. It is impossible to guarantee 100% privacy or security, but among organisations that suffer a serious data breach, those that can demonstrate a diligent risk-based approach are likely to receive lower fines than would otherwise have been the case, or even avoid them altogether.
STREAM Integrated Risk Manager
Fast, flexible, scalable and easy-to-use GRC software for cyber and privacy risk management
• Rated 5* by SC Magazine for four consecutive years – GRC, Risk and Policy Management Review 2018
• Cyber Security Product of the Year 2018! – Continuity, Insurance & Risk (CIR) Risk Management awards
Contact us for a FREE 30-day STREAM Trial
https://acuityrm.com/ | Acuity Risk Management | @AcuityRM
ADVERTORIAL
Nymity Empowers McGraw-Hill Education’s Privacy Office to Build a Successful Privacy Program
This case study will highlight how Nymity Resources and Software helped McGraw-Hill Education to develop and build an accountable and agile privacy program. The program was designed to support efficient and effective communication with the business and to be able to quickly respond to changes in laws and regulations, emerging threats, and evolving consumer expectations. Nymity’s privacy management methodologies and best in class software solutions helped achieve multi-jurisdictional compliance, avoid risk and involve the entire business in maintaining ongoing compliance.
The author of this case study is Teresa Troester-Falk, Chief Global Privacy Strategist, Nymity.
Client overview
McGraw-Hill Education is a learning science company, and one of the largest providers of customized education content, software & services for pre-K through post-graduate education. They have offices across North America, India, China, Europe, the Middle East & South America. Their learning solutions are available in more than 60 languages.
Situation
With offices in 54 countries across the world, McGraw-Hill Education (MHE) is challenged with managing multi-jurisdictional compliance. This includes complying with the new General Data Protection Regulation (GDPR) in the EU. MHE’s privacy office is based at corporate headquarters in New York City and is responsible for privacy across the organization, whether privacy applies to customer data or to the company’s personalised and adaptive learning platform that utilises personal student data to improve the individual learning experience. Protecting this sensitive personal data falls within the privacy office’s broad scope. As a small but growing one-person privacy office, MHE needed the right approach to building a privacy programme and the right software tools to help them develop a privacy management programme. They needed a programme that allowed for an ongoing capacity to comply with multiple jurisdictions and to report internally on the status of privacy, develop privacy policies & procedures, and communicate them to the entire business. Since MHE operates in 54 countries, they needed the best software solutions available to help them achieve multi-jurisdictional compliance. While MHE had a data privacy management programme in place, they were constrained by the size of their small US-based privacy office. As a result, they had to rely on in-house resources and outside counsel to keep up to date on privacy developments and remain compliant. They realised that what they needed was a reliable “go to” source to be able to access a broad range of privacy research materials and packaged software tools to save them time and effort, as their current processes were slow, expensive and inefficient.
Action
MHE’s CPO, Andy Bloom, had recently joined the company and was single-handedly running the privacy office. He was aware that he had to make a business case at MHE for a privacy software solution and looked at several options in the market. Since he was alone at the privacy office, he knew he needed another headcount. He realised that the right approach to privacy programme management and the best software would help him save the costs of hiring another body in the privacy office and also help him to operationalise compliance activities in his new role as CPO. Bloom did not come from a legal background, but he had significant operational expertise. He made a decision to adopt Nymity’s accountability approach to compliance with multiple laws (the foundation of which is the publicly available Nymity Privacy Management Accountability Framework) and chose Nymity Software to help him operationalise privacy compliance. The greatest value he derived from Nymity was the ability to get more done with fewer resources.
Results
Nymity Framework™ provided the foundation for implementing and maintaining an agile privacy management programme that can respond to changes in laws and regulations as well as allow reporting internally on multiple levels, including the status of compliance, privacy requests and even budgeting decisions.
• Nymity Research™ helped the CPO save time and money, and quickly understand regulations and their possible impact on his operation.
• Nymity Templates™ helped the CPO build project plans and create documents for privacy management.
• Nymity Benchmarks™ helped the CPO demonstrate internally how his privacy programme compares to other organisations.
• Nymity Attestor™ helped McGraw-Hill Education identify gaps in their written privacy procedures across the organisation, and gain commitment from the various business offices to operationalise privacy.
About the Author: Teresa Troester-Falk, Chief Global Privacy Strategist at Nymity
Leading Nymity’s global privacy strategy, Teresa is a thought leader in the privacy industry and helps identify the future needs of privacy professionals by engaging with customers, privacy & data protection regulators, key policy groups/think tanks and other privacy thought leaders. She leads many of Nymity’s key accountability and compliance solutions to help customers ensure organizational success. Teresa is responsible for Nymity’s external thought leadership and authors Nymity white papers and other publications. She speaks regularly at conferences, advanced privacy forums and on webinars. She has over 20 years’ experience in law, including over 14 years as a global privacy professional. Prior to joining Nymity, Teresa served as Associate General Counsel (Privacy) for Nielsen, where she expanded the global privacy programme as well as initiated and led key global and regional privacy and data protection programs and strategies, driving relationships across internal and external stakeholders to advance the company’s privacy agenda.
TrustArc Privacy Solutions
Privacy Compliance and Risk Management
20+ Years Experience | 1,000+ Clients | Deep Privacy Expertise | Global Coverage
Privacy Platform
• Data Flow Manager – Build a data inventory, data flow maps, and GDPR Article 30 reports to identify and manage risk
• Assessment Manager – Conduct and manage DPIAs/PIAs and privacy risk assessments in compliance with GDPR Article 35
• Cookie Consent Manager – Manage user consent to address GDPR cookie usage requirements
• Direct Marketing Consent Manager – Ensure proper consent is obtained and managed for direct marketing programs
• Website Monitoring Manager – Identify and manage the use of trackers on your digital properties
• Individual Rights Manager – Analyze and respond to data subject access rights requests, in compliance with GDPR Articles 15-23
• Ads Compliance Manager – Obtain and manage user ads preferences across all devices, in compliance with DAA, EDAA and DAAC guidelines
Consulting & Training
• GDPR Maturity Assessment – Assess GDPR maturity and develop an action plan
• CCPA Priorities Assessment – Assess your California Consumer Privacy Act readiness and develop an action plan
• DPIA / PIA Program Development – Develop the processes, templates and tools to conduct privacy risk assessments
• Breach Response Plans – Develop a working response program with the help of our privacy experts, along with optional training
• Policies and Procedures – Assess privacy policies and procedures against industry standards and best practices
• HIPAA Assessments – Assess compliance with HIPAA requirements and develop a remediation plan
• Employee Training – Train employees on privacy and data management best practices
Compliance Validation
• GDPR Validation – Validate privacy program practices meet GDPR standards
• Privacy Shield Verification – Verify customer and HR privacy practices meet Privacy Shield standards
• APEC CBPR / PRP Certification – Certify privacy practices meet the APEC CBPR or PRP standards
• Kids Privacy / COPPA Certification – Certify privacy practices meet the Kids Privacy / COPPA standards
• TRUSTe Enterprise Certification – Certify privacy practices meet industry standards, including FIPPs and OECD
• Dispute Resolution Service – Manage privacy inquiries from consumers in compliance with Privacy Shield requirements
US +1 888 878 7830 | UK +44 203 078 6495 | FR +33 420 102 065 | DE +49 221 569 4412 | www.trustarc.com | © 2018 TrustArc Inc
ADVERTORIAL
How to Take an Accountability Approach to Compliance with Multiple Laws
With the advent of the GDPR and the overwhelming attention it received, it may have seemed to many new privacy professionals that it was the first privacy law ever to be passed. But there are over 700 data privacy laws and regulations worldwide, some dating back to the 1980s. The EU GDPR was the first law with global repercussions that required extensive organisational changes, and the fact that non-compliance could result in severe penalties made everyone take notice. Now that we are facing the ramp-up to the CCPA (California Consumer Privacy Act), coming into effect January 1, 2020 (as well as other laws, like Brazil’s new data protection law), organisations are wondering how they can leverage all of the work they put into the GDPR to also comply with the CCPA and all of the other relevant privacy laws. In this article, we will discuss, on a theoretical level, how an accountability approach to compliance can help you efficiently manage and scale your programme. We will also cover the practical side of how to implement programme changes. We will examine case studies in which the Nymity Privacy Management Accountability Framework™ helped organisations take an accountability approach to the GDPR and prepare to leverage those activities for the CCPA and other new laws to come. An accountability approach will work both for organisations that have made themselves GDPR ready and for those that are just getting started with privacy compliance. In all cases, it will help prepare you to comply with multiple laws as well as ensure that you are ready for future laws.
What is Accountability?
Over the past decade, the concept of accountability has emerged as a dominant theme in global privacy and data protection law, policy and organisational practice, and it is considered fundamental to privacy management. It requires organisations to take a proactive and structured approach to privacy management through the implementation of appropriate and demonstrable privacy and data protection measures. It now has broad international support and has been adopted in the GDPR as a compliance obligation: the GDPR calls for organisations to put in place appropriate technical and organisational measures. Privacy offices dealing with multiple laws at the same time will benefit from having a core data protection programme in place that allows them to map to the requirements of each relevant piece of legislation. This also ensures they can demonstrate an ongoing capacity to comply with privacy laws and remain accountable.
Comparing Compliance Approaches
Traditional Compliance Assessment Approach: this approach assesses compliance with each requirement individually.
Many organisations take the traditional compliance assessment approach. They identify all the laws that apply to them and determine the activities to put in place to comply with those laws. This works fine if you are in a single or a few jurisdictions and have many resources at your disposal, but it is difficult to sustain over time. With every new law, you need to start from the beginning and map requirements to activities, which causes a great deal of duplicate effort.
Rationalised Rules/Requirements Approach: this approach identifies the common legal requirement elements and addresses the outliers.
In the “rationalised rules/requirements” approach (historically popular in the financial industry), all relevant new laws are mapped against existing ones and a compliance rule set is created to address all of the common legal compliance elements in those laws. There are many disadvantages to this approach. It takes a great deal of effort to devise a rule set that only addresses the common elements, and then you still need to address the outliers. Plus, the more laws there are, the more unwieldy this approach becomes.
Accountability-Based Approach: one privacy programme to comply with multiple laws.
This approach begins with using a privacy framework to embed privacy management activities/technical and organisational measures throughout your organisation (i.e. a privacy programme). The privacy programme serves as a strategic framework that helps organisations put in place a robust privacy infrastructure which will facilitate compliance with multiple laws, and the framework is used to guide the specific privacy management activities/organisational measures that you embed throughout your organisation. As new laws come into effect, you can leverage the work that you have already done to comply with those laws.
Comparing GDPR & CCPA
You may be surprised (and relieved) to learn that many of the policies and procedures that you have put in place for the GDPR can be used for the CCPA as well. Nymity has mapped the CCPA to the Nymity Privacy Management Accountability Framework™. We have identified nine Articles that require evidence of a privacy management activity/technical and organisational measure in order to demonstrate compliance. Of those nine activities/measures, seven are also relevant under the GDPR and are thus likely to already be part of your privacy programme.
Overlapping Privacy Management Activities Shared Between the GDPR and CCPA
• Maintain a data privacy notice
• Maintain procedures to respond to requests for access to personal data
• Maintain policies/procedures for the collection and use of personal data of children and minors
• Maintain policies/procedures for obtaining valid consent
• Maintain procedures to respond to requests to opt-out of, restrict, or object to processing
• Maintain procedures to respond to requests for data portability
• Maintain procedures to respond to requests to be forgotten or for erasure of data
Privacy Management Activities that Do Not Overlap between the GDPR and CCPA
• Conduct privacy training reflecting job-specific content
• Maintain procedures to respond to requests for information
As you can see above, most of the privacy management activities that you may have in place for the GDPR can be extended or reused for the CCPA if you are taking an accountability approach to compliance. An accountability approach will work both for organisations that have made themselves GDPR ready and for those that are just getting started with privacy compliance. In all cases, it will prepare you to comply with multiple laws and be ready for new laws coming down the road.
The Accountability Approach to Complying with Multiple Laws
All of the activities required to manage privacy and appropriately process personal data have been identified and grouped into 13 categories in the Nymity Privacy Management Accountability Framework™, a single framework for building and maintaining a privacy programme. The following are two business cases where the Nymity Framework™ has helped companies leverage their GDPR compliance initiatives to be ready to comply with multiple laws.
Blue Ocean Enterprises
Blue Ocean provides services to a privately held portfolio of companies. They used Nymity’s Framework™ to implement an agile privacy programme that can respond to changes in laws and regulations, emerging threats, and consumer expectations. With a portfolio of both mature companies and start-ups, they have implemented a 4-step privacy programme lifecycle:
1. Identify requirements
2. Assess their programme against the Nymity Framework™
3. Remediate the gaps
4. Operate the programme
Using Nymity’s Framework™, Blue Ocean has found that implementing a single technical and organisational measure can help them comply with several laws. And if they find a gap against the Framework, filling that gap for one law can also fill it for other laws at the same time.
McGraw-Hill Education
With offices in over 50 countries around the world, MHE has a broad scope of privacy laws with which to comply. When they set out to centralise the privacy programmes from their individual offices, they used the Nymity Framework™ to build all of their documentation for a privacy programme that would work for every jurisdiction.
Google to speak at Data Protection World Forum
Data Protection World Forum is delighted to welcome Google representative William Malcolm to the two-day data protection conference at London’s Excel arena. Director for Privacy and Legal for EMEA at Google, William Malcolm will be among a stellar line-up at DPWF’s Keynote Theatre, to discuss tools that build user accountability and user trust.
Expert’s view: William Malcolm will be bringing a wealth of industry experience and knowledge to the Keynote Theatre’s delegates when he speaks on using tools to build accountability and user trust. He will also sit on the panel discussion Global data protection and international transfers of personal data, alongside James Felton Keith, President of The Data Union, and Marie-Louise Gächter, Data Protection Officer of the Principality of Liechtenstein. William is currently global legal lead for Google’s GDPR compliance programme, and speaks frequently on data protection and privacy in keynotes and panel discussions at leading industry events around the world. Besides global privacy, data protection compliance and policy, William also specialises in ePrivacy and the GDPR, AI/ML privacy issues, cloud privacy and the right to be forgotten.
Data Protection World Forum
This exclusive two-day conference is designed to give its global audience of business leaders the guidance needed to understand their data protection obligations within our complex legislative landscape, so that compliant business growth can take place.
Delegates will also have the chance to put their own questions to the specialists and become part of a wider discussion on how to improve data handling practices and prepare for compliant business growth. Tickets are now available to this exclusive conference, which will see engaging presentations delivered across multiple forums including:
• Keynote Conference Theatre
• Governance Risk & Compliance Seminar
• The Public Sector Seminar
• GDPR Advanced
Coming to London’s Excel on 20th and 21st November, DPWF unites all data concerns under one roof. The voices that matter will be offering analysis, guidance and insight into cultures and practices that make or break business in the digital era. BOOK YOUR PLACE TODAY BY CLICKING HERE
Universal Consent Platform The first unified solution to help brands achieve compliance with the consent requirement of the GDPR and other privacy laws. Designed by data protection experts, leading privacy officers, brands, and marketers.
For more info or a demo come to our booth #87
www.evidon.com
Marie-Louise Gächter to speak at Data Protection World Forum
Marie-Louise Gächter, Data Protection Officer for the Principality of Liechtenstein, is to speak at Data Protection World Forum. The landmark conference comes to London’s Excel arena on 20th and 21st November to offer insight and advice on data protection issues affecting global business today. As organisations align to the new standards set by the EU’s General Data Protection Regulation (GDPR), attention must also be paid to legislation such as MiFID II, which is designed to enhance security and transparency in the financial sector.
A Global Authority
Dr. Marie-Louise Gächter has been Liechtenstein’s privacy advocate since the beginning of 2018. Since 2009, she has been lecturing at the Department of International and European Law of the Faculty of Law of the University of Freiburg. Dr. Gächter will be among the speakers at the Governance, Risk and Compliance (GRC) seminar at Data Protection World Forum. The seminar is dedicated to examining the key topics that compliance professionals and organisations need to understand within the financial landscape as we move through what has been one of the most significant years in regulatory history in modern times. The compliance journey plays out against a backdrop of political uncertainty, as Britain seeks to finalise Brexit negotiations with the EU.
Dr. Gächter’s keynote will leverage her wealth of knowledge and experience to bring clarity on cross-border compliance in financial services. In addition, she will join the panel discussion on Global data protection and international transfers of personal data in the Keynote Conference, looking at the challenges of cross-border data transfers.
Data Protection World Forum
Data Protection World Forum is designed to help organisations get traction on the very latest legislative developments in data security. Delegates will also have the chance to put their own questions to the specialists and become part of a wider discussion on how to improve data handling practices and prepare for compliant business growth. Coming to London’s Excel on 20th and 21st November, this industry-leading event unites all data concerns under one roof. The voices that matter will be offering analysis, guidance and insight into cultures and practices that make or break business in the digital era. BOOK YOUR PLACE TODAY BY CLICKING HERE
Address GDPR compliance with Ardoq: AI application risk and compliance architecture
• Rich graph analytics and auto-generated visualizations
• Customizable templates for GDPR data mapping
• Supports and integrates with existing security and quality solutions
Read our special GDPR magazine to learn more about how Ardoq helps enterprises understand GDPR as an integrated part of wider risk and compliance architecture.
ARDOQ.COM
Ardoq cited in Market Insight: Address GDPR Compliance With AI Application (March 2018).
IS YOUR DATA AN ASSET OR A LIABILITY? In today’s organization, data is a double-edged sword. It can represent value or risk, depending on how you manage it. When it comes to data privacy, risk is increased when your privacy strategy fails to identify and continuously manage sensitive customer data. Recent developments in data privacy, such as the EU’s General Data Protection Regulation (GDPR) and the upcoming California state law AB375, are driving urgency for solutions that help organizations build and maintain a defensible data privacy strategy. Integris offers an industry-leading data privacy automation platform to meet the accelerating demand for comprehensive data privacy. Visit us at Booth 52 to learn more. www.integris.io | info@integris.io
Data Privacy Impact Assessments [at a glance]: What are they and what do you need to do?
By Nicola McKilligan and Naomi Powell. Extract from the 3rd edition of the Data Protection Pocket Guide: Data Protection Act 2018 edition. A Guide for Small Business and Start-ups.
If you collect personal information in the correct manner, providing appropriate notices and selecting the correct legal basis for processing, you will have made good progress in ensuring your compliance with the data protection law. However, there is much more to data privacy compliance than providing a privacy notice. There are still other requirements that must be taken into consideration when using personal information, particularly if that processing could be deemed to present a ‘high risk’ to the privacy of individuals.
Data Privacy Impact Assessments and High-Risk Processing
You will always need to balance the interests of your business or organisation in using personal information against the individual’s right to have their information kept private. Some activities or processing that involve personal information may be seen as more intrusive than others. For instance, processing sensitive information about individuals or operating systems that place individuals under surveillance, for example via GPS or CCTV, could be seen as very invasive. Collecting large amounts of information about individuals or sharing or selling information may also be difficult to justify. If you are planning an activity or processing that may pose privacy risks to individuals, the Data Protection Act now requires that you carry out and document a ‘data privacy impact assessment’ (DPIA) first, to make sure the processing you are planning is lawful and fair and does not breach the Data Protection Principles.
What is a DPIA?
A DPIA is essentially a health check to ensure that a new system or process involving personal information complies with the requirements of the Data Protection Act 2018 and appropriately mitigates any risk that the new uses of the data may pose to the individuals whose data is being processed. The assessment, the risk mitigation and the safeguards must be documented. For example, you might record in your DPIA:
• that an appropriate privacy notice was given
• that there was a legal basis for the processing
• safeguards put in place to ensure data quality and to allow individuals to exercise their rights
• the security and access control measures you have in place to protect the data from misuse
• the retention period for the data
• the grounds for any transfer of the personal data outside Europe
• any anonymisation or pseudonymisation used to minimise the amount of personal information used
• the fact that the processing has been reviewed by legal counsel or your DPO
Quick reference – what is a DPIA?
• A mandatory assessment of the privacy risk involved in a new process or system
• Typically conducted at the concept stage
• A preliminary DPIA may be needed before a project is signed off, to make sure it is viable before considerable spending on development takes place
• A formal DPIA is only carried out for high-risk processing (see later); however, an assessment (‘PIA lite’) may be carried out for any system processing personal data to check whether a full DPIA is needed
• A record must be retained of all DPIAs (see ICO template)
• Focus groups or data subject consultations may be needed where appropriate
• The DPO must review DPIA decisions
• DPIAs where risks are not mitigated need to be escalated to the ICO
The Information Commissioner has published guidance on carrying out these assessments, which is available on its website, as well as a useful template for recording your DPIAs. The Information Commissioner also recommends that you carry out your privacy impact assessment as early as possible, before you install the new system or start collecting and using the data. This will help you to ensure that you do not implement a system or process that proves unlawful and that may prove impossible or expensive to change at a later date.
You must carry out a DPIA if the processing is ‘high risk’. The Information Commissioner has identified the following types of data processing as high-risk processing which require a DPIA:
• use of systematic and extensive profiling with significant effects;
• processing of special category or criminal offence data on a large scale;
• systematic monitoring of publicly accessible places on a large scale;
• use of new technologies;
• use of profiling or sensitive data to decide on access to services;
• profiling individuals on a large scale;
• processing biometric data;
• processing genetic data;
• matching data or combining datasets from different sources;
• collecting personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
• tracking individuals’ location or behaviour;
• profiling children or targeting services at them; or
• processing data that might endanger the individual’s physical health or safety in the event of a security breach.
The ICO has also encouraged DPIAs to be conducted wherever processing is ‘large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.’
Data Protection Officer (DPO) and Information Commissioner review of DPIAs
If you have a DPO, they must review the safeguards and controls put in place to protect data privacy following a DPIA. A DPO is unlikely to approve going ahead with the processing without changes to improve the safeguards for individuals. If you cannot mitigate all the risks, you, or your DPO, must ask the Information Commissioner to review the intended processing. The ICO can prevent processing which does not provide for sufficient safeguards or which would breach the Data Protection Act.
Consulting Individuals
It is also a requirement to consult individuals where ‘appropriate’ on the proposed processing. This need not be done in every case, but could be a good idea where the processing will have a significant impact on the individuals and you can easily communicate with them. The consultation can be done via surveys, focus groups, or, if the data relates to employees, via trade union or workers’ representative groups.
In Summary
Data privacy impact assessments must be carried out for new systems and must be recorded. In some cases, formal data privacy impact assessments need to be referred to the ICO for approval if all the risk cannot be mitigated.
Data Protection World Forum (DPWF) is delighted to welcome Ventsislav Karadjov to the speakers’ roster. Chairman of the Commission for Personal Data Protection of the Republic of Bulgaria and a Vice-Chair of the Working Party on the protection of individuals, Ventsislav will join a line-up of globally authoritative voices when he delivers his keynote to delegates of the GDPR Advanced seminar at the inaugural Data Protection World Forum. The landmark conference comes to London’s Excel arena on 20th and 21st November to offer insight and advice on data protection issues affecting global business today.
Expert review: Taking a look at the GDPR’s influence half a year on from its introduction date, Ventsislav Karadjov is the right man to weigh up the consequences of the EU’s new data laws and will ask what more could and should be done to continue its implementation. Ventsislav has been Chair of the Bulgarian Commission for Personal Data Protection since April 2014. After two terms as Vice-Chair of the Article 29 Working Party, he was elected unanimously as Vice-Chair of the European Data Protection Board (EDPB) in May 2018. A graduate of Sofia University’s Faculty of Law, Mr Karadjov holds an MA in Law, with specialisation in Public Jurisdiction. Beginning as a legal adviser and programme director at the Bulgarian chapter of Transparency International, he has held various senior legal and management positions on projects on anti-corruption and the creation of functioning democratic institutions for bodies such as the European Commission, the US Agency for International Development, the Organisation for Security and Co-operation in Europe, and the UN Development Programme. Mr Karadjov has worked as an advisor to the Minister for Internal Affairs on international public security and anti-corruption affairs throughout his career.
Mr Karadjov will be among an authoritative line-up at DPWF’s GDPR Advanced Theatre. Delving deeper into the intricacies of the regulation, GDPR Advanced will be attended by DPOs and compliance specialists seeking the very latest insight.
Data Protection World Forum
Data Protection World Forum is designed to help organisations get traction on the very latest legislative developments in data security. Besides keynote talks and panel discussions, delegates will have the chance to put their own questions to the specialists and become part of a wider discussion on how to improve data handling practices and prepare for compliant business growth. Coming to London’s Excel on 20th and 21st November, this industry-leading event unites all data concerns under one roof. The voices that matter will be offering analysis, guidance and insight into cultures and practices that make or break business in the digital era. BOOK YOUR PLACE TODAY BY CLICKING HERE
World Class GRC platform helping customers to become and stay compliant. www.DPOware.com
PARTNER WITH
2018 PARTNERS
BECOME A PARTNER 2019
3RD & 4TH DECEMBER 2019 | EXCEL, LONDON REGISTER YOUR INTEREST WWW.DATAPROTECTIONWORLDFORUM.COM
Governance Platform: 01 Risk Status | 02 Documentation | 03 Manage Tasks | 04 Data Subject Requests | 05 Incident Management
You’ll find us at Data Protection World Forum. Meet us at stand #75
www.easygdpr.uk +44 845 1541445 gdpr@easygdpr.uk Agile Data Warehouse Solutions Ltd St. Albans, AL3 6HN
The Recovery Imperative: restarting your business in the aftermath of a destructive malware attack
BY Nick Turner, Senior Director Data Protection Solutions, Dell Technologies United Kingdom & Ireland
Here at Dell Technologies we are in a privileged position of being a trusted partner to our clients, helping them to secure their data assets across the extended data protection continuum. This means in reality that we are providing solutions spanning from active-active replication, through traditional backup & recovery techniques, right through to long-term retention, and everything in between!
Security has always been a vital component of a data protection strategy, and for good reasons. Keeping the bad guys out has never been more important! However, I would argue that in the last 10 years or so the relationships and inter-working between the Security and IT teams that support other data protection functions within many of our customers have not been working in an optimal way. Security teams struggle with a wide brief: perimeter threat detection, network security, authentication and of course preventing aggressive destructive malware attacks. Data protection teams focus on data replication, security, backup, recovery and archiving. These teams do not always collaborate perfectly! This world we have been living in for the last 10 years is changing and we need to help our customers create a more integrated approach to protecting their businesses and their data against today’s threats.
The reason that the security and data protection worlds are converging at a faster rate than ever is down to the changing nature of the cyber threats we all face. We have seen the rise of destructive malware and insider-led cyber-crime; cyber-attacks such as ‘WannaCry’, ‘Petya’ and ‘NotPetya’ have caused havoc in many companies and industries due to the destructive nature of their objectives. We can observe some stark learnings as a result of reviewing how companies were affected.
There have been many insightful articles written about how the affected companies and organisations dealt with incident response and business recovery in the direct aftermath of these attacks. These observations include:
1) Breaches will happen. It is inevitable. In fact the greatest threat many organisations face today is from insider-led cyber-crime. As many security experts warn, ‘It’s not a question of if you will be breached, but when you will be breached.’
2) Once a destructive cyber-attack is underway, the attack can proliferate across global networks in minutes. IT systems and services collapse quickly and all network-connected systems are exposed.
3) Once such an attack has occurred (assuming your organisation’s defences have been breached), the focus quickly comes onto your recovery strategy. This is not like traditional IT system recovery; this is recovery 2.0. You may be working in the dark, with no access to networks, applications, recovery systems or communication tools.
4) Recovery becomes your only imperative. If you cannot recover, the future of your organisation or business is in doubt.
5) At this point, your ability to execute a successful IT services recovery is no longer an issue for the IT department or the Security Operations Centre. It has become a board-level issue, and your customers and shareholders expect to see board-level ownership and communication.
So with this in mind, does your organisation have a clear, unambiguous recovery strategy that is understood from board level down, that integrates all the business functions under one integrated strategy, and that can be executed seamlessly should the worst-case scenario happen?
www.dataprotectionworldforum.com
WHAT OUR ATTENDEES SAY
The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 attendees seeking the very latest insight on data protection and privacy. Here are some of the things our delegates had to say about the event this year:
I think there is no doubt that privacy is crucial for people, and the event brought together representatives from a range of disciplines, companies big and small, academics, vendors and regulators to provide broad discussions across the data protection and privacy spectrum during a time when there is growth and tightening of global privacy laws. - Data Protection Officer (Financial Services Organisation)
The event was a great experience, full of key players in the industry. I was able to enhance my understanding through the expertise of speakers and the vital solutions available. - Data Privacy Consultant (Financial Services Organisation)
Glad I was able to attend the Data Protection World Forum held in ExCel London over two days. Great range of passionate speakers touching on topics such as the Dutch Government’s blockchain projects, tension between GDPR and AML/KYC regulations, and who the real ‘villain’ of privacy is. - Cyber Risk Consultant (Consultancy)
Attending events like these can sometimes be a bit “hit or miss” but there were some big returns coming down for this. - Data Privacy & Governance Director (Management Consulting Firm)
REGISTER YOUR INTEREST FOR DPWF 2019 3RD & 4TH DECEMBER 2019 | EXCEL LONDON
Data Protection World Forum #DPWF is a must-attend event
Where ignorance leads: the dangers of ‘do-it-yourself’ privacy compliance
Back in 1989, my mother in law got a bit of a shock when she went to open the dishwasher one morning. In fact, it was quite a big shock because her transit across the kitchen was accompanied by a large bang and the distinct smell of burning. This was in the days before you needed someone qualified to do electrical work in the home and get a certificate to prove it, and the builder’s ‘mate’ had managed to mix electricity and water in a potentially fatal combination. While for those who are handy around the house the advent of this paperwork has been a cause for complaint, it has discouraged many a keen amateur from having a go.
While errors in data protection are unlikely to have such dire consequences, diving into new technologies without a full understanding of their complexities really should be avoided. Creating anything with the purpose of disclosing information is not something to be approached with reckless abandon, as the UK Conservative Party found out to their cost last week. While much scorn has been poured on the head of Party Chairman Brandon Lewis about the security breach which led to the personal details of Ministers, MPs and party members being made public, it is highly unlikely that he played any part in specifying the app concerned other than saying yes to the ‘we need a conference app’ question. It isn’t the first time that the security of an event app, or the lack of it, has led to the unintentional disclosure of attendees’ data, but it is the first time anyone has, to my knowledge, ‘fessed up. The education of data subjects with respect to their rights meant that there were far too many potential whistle blowers involved to be able to keep the whole thing under wraps, and it wasn’t long before the BBC had a hold of the story and the Tories were off to make friends with the Information Commissioner’s Office.
The Australian company which developed the app, CrowdComms, has issued a statement where they claim that they will be “reviewing and amending our Data Policies”. Not a moment too soon, because they really do need to change the information on their CrowdComms & the GDPR page where they talk happily about Alice and how her data is affected by the legislation, and the bit about security where they say: “CrowdComms is conforming to all of the GDPR security requirements. We take security seriously. We have a regular review process to ensure that our data security processes and policies are up to date and conform with the latest security protocols.” There’s nothing worse than where your actions speak far louder than your words.
Companies like CrowdComms do need to be brought to account when bad things happen, but the bigger issue at play here is the responsibility of the event organiser. They specified and purchased a product that was not fit for purpose. Perhaps they were beguiled by the fact that the app in question was awarded Best Event App 2016, and price undoubtedly played a key role in the decision. It is unlikely that there was an individual on the team with the knowledge and expertise to do any real due diligence on the security features or data protection risks. Frankly, any system which enables anyone to access someone’s personal data simply by being in possession of an email address should never have got past the pitch stage. Organisations that use and proliferate products with poor data security and integrity are enablers that are stifling the best efforts of DPOs, compliance and governance officers working hard to give data proper respect. They can expect to find little sympathy, either for the reputational difficulties they find themselves in or for any subsequent penalties dished out by the regulator.
BY HELLEN BEVERIDGE, PRIVACY LEAD, DATA OVERSIGHT
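The article's point that possession of an email address must never be enough to pull up someone's record is, in code, the difference between looking a record up by an address and first making the caller prove they control that address. The Python below is an added example written for this page; it is not code from CrowdComms or from the app the article discusses, and it makes no claim about how that app was built. The attendee directory, the fictional attendees and the `deliver` callback are constructed for illustration, and the real delivery channel (SMTP) is assumed. It contrasts the lookup the article condemns with one that releases the record only to someone who can present a one-time code sent to the address, with the code expiring, being single use, and being capped on guesses.

```python
"""Hypothetical attendee directory: knowing an e-mail address versus controlling it.

Added example, not code from the event app discussed in the article. The
directory, the attendees and the delivery callback are all constructed here.
"""
import hmac
import secrets
import time

# Constructed sample directory (fictional attendees).
ATTENDEES = {
    "alice@example.org": {"name": "Alice Example", "mobile": "+44 7700 900001"},
    "bob@example.org": {"name": "Bob Example", "mobile": "+44 7700 900002"},
}


def lookup_insecure(email):
    """The pattern the article condemns: the address alone unlocks the record."""
    return ATTENDEES.get(email)


class VerifiedLookup:
    """Release a record only to a caller who can read mail sent to the address.

    request_code() generates a one-time code and hands it to `deliver`, a
    callback standing in for the real e-mail channel (an assumption; a
    production service would send it over SMTP). redeem() returns the record
    only if the caller presents that code before it expires. Codes are single
    use, guesses are capped, and unknown addresses get the same response as
    known ones so the endpoint cannot be used to enumerate attendees.
    """

    CODE_TTL = 600        # seconds a code stays valid
    MAX_ATTEMPTS = 5      # wrong guesses before the code is discarded

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver   # callable(email, code) -> None
        self._clock = clock       # injectable so expiry can be tested
        self._pending = {}        # email -> [code, expires_at, attempts_left]

    def request_code(self, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = [code, self._clock() + self.CODE_TTL, self.MAX_ATTEMPTS]
        # Deliver even for addresses that are not registered: identical behaviour
        # whether or not the address is known is what prevents enumeration.
        self._deliver(email, code)
        return "If that address is registered, a code has been sent to it."

    def redeem(self, email, code):
        entry = self._pending.get(email)
        if entry is None:
            return None
        expected, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[email]
            return None
        # Constant-time comparison; encode so a non-ASCII guess cannot raise.
        if not hmac.compare_digest(expected.encode(), str(code).encode()):
            entry[2] -= 1
            return None
        del self._pending[email]  # single use: the code cannot be replayed
        return ATTENDEES.get(email)
```

The enumeration point matters for an attendee list: a request for an unregistered address gets the same reply as a registered one, so the endpoint cannot be used to confirm who is attending. In a real service the next two additions would be a session bound to the verified address, so the code is not resent on every page, and a rate limit on `request_code` so the mailbox cannot be flooded.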
Data Protection World Forum is delighted to welcome European data expert, Bruno Gencarelli, to the two-day data protection conference at London’s Excel arena. Bruno is Head of the International Data Flows and Protection Unit at the European Commission and will be opening the Keynote conference theatre at Data Protection World Forum looking at the story of data protection so far.
A World of Increased Data Security
Far from being a bureaucratic annoyance, the GDPR’s manifestations have the welfare of us all at heart, but are we really starting to give these new laws the respect they merit?
Checking the GDPR Pulse
In his keynote, Mr Gencarelli will be discussing whether the GDPR is having the desired effect, six months in. He will be using his industry-proven expertise to inform delegates of their obligations in the new legislative climate so that businesses can achieve the transparency that the modern consumer deserves and actively seeks. Mr Gencarelli currently heads up the International Data Flows and Protection Unit at the European Commission (DG Justice and Consumers). He led the Commission’s work in the area of data protection in the decisive phases of the legislative reform and the EU-US negotiations. In this capacity, he led the Commission’s delegation in the inter-institutional negotiations with the European Parliament and the Council that resulted in the adoption of the EU data protection reform (General Data Protection Regulation and Law Enforcement Directive). One of the lead negotiators of the EU-US Privacy Shield and “Umbrella Agreement”, Mr Gencarelli recently finalised the mutual adequacy arrangement with Japan. He previously served in the European Commission’s Legal Service and as assistant judge at the European Court of Justice. He holds degrees in law and political science, teaches EU Competition Law at Sciences Po, Paris, and has published widely on EU law.
Keynote Theatre at Data Protection World Forum
Mr Gencarelli will be opening talks at the Keynote conference theatre at Data Protection World Forum. The forum is designed to give C-suite members and senior IT professionals insight and advice on the latest regulatory and security issues. Coming to London’s Excel on 20th and 21st November, this industry-leading event unites all data concerns under one roof. The voices that matter will be offering analysis, guidance and insight into cultures and practices that make or break business in the digital era. BOOK YOUR PLACE TODAY
Data on the loose: why it's time to regain control
by Matt Lock, director of sales engineers, UK, Varonis
Security strategies tend to focus on keeping external threats out of the enterprise network, but many organisations are leaving themselves vulnerable to data breaches through poor internal practices. In particular, some of the most significant data breaches in recent years have been the result of bad practice around managing and securing data on the network. Varonis recently investigated the extent of this problem by analysing more than six billion files held by 130 organisations as part of its 2018 Global Data Risk Report. With the GDPR introducing strict new requirements on data security, it has never been more important to take control of data.
Open access
The most extensive issue we encountered was a lack of proper control over who could access sensitive data. 58 percent of the organisations we analysed had more than 100,000 folders open to all employees and, in total, 21 percent of all the folders in our investigation had no access controls at all. Worse yet, 41 percent of companies had at least 1,000 sensitive files open to all employees. Unsecured folders that are open to global access groups (those set to Everyone, Domain Users, or Authenticated Users) are also a major windfall for attackers that have breached the network, granting easy access to key data such as intellectual property and customer data. Poor access control also increases the threat of a malicious insider abusing their position.
www.varonis.com
Ghosts in the system
Not only are organisations struggling to keep track of what users can access, many also fail to track which accounts exist at all. Many enterprise networks are full of ghost users: accounts which are supposedly inactive but still retain their full capability to log in to the network and access files. On average, we found that 34 percent of all user accounts in an organisation were actually ghosts. These old accounts are another gift to external attackers, who can use them to move around the network with impunity, largely unmonitored. Former employees could also log back in after leaving the organisation to access sensitive files, a favoured tactic used by some for gaining goodwill after joining a competing company. Compounding this issue, 46 percent of organisations also had more than 1,000 users with passwords that never expire. This means that many ghost accounts can be utilised by threat actors months or even years later.
The risk of stale data
Alongside old user accounts, most organisations also have a major problem with old data that is no longer used in daily operations. We found that, on average, 54 percent of all data on the network was stale, and this commonly included sensitive data such as critical information about employees, customers, projects and clients. Stale data creates an unnecessary storage expense and complicates data management, but it also poses a major security risk: the more data on the system, the more damage an intruder or malicious insider can do once they have access to the network. Additionally, much of this data is subject to regulations such as PCI DSS and the GDPR, exposing the organisation to added liability.
The least privilege approach
One of the best places to start for any organisation seeking to regain control of its data is to sort out file access. Firms need to run a full audit of all servers to identify any data containers, such as folders, mailboxes and SharePoint sites, that have global access groups applied to their ACLs (access control lists). These global access groups need to be replaced with tightly managed security groups that ensure only appropriate users have access to sensitive and regulated data. Moving forwards, a least privilege approach should be used for all access permissions, with users only able to access as much as they need to perform their roles. Companies should also work to exorcise their ghost users by ensuring stale accounts are disabled or outright deleted.
Behavioural analysis can be used to understand what constitutes normal user behaviour and to better spot inactive users and other behavioural anomalies. Finally, the way data is collected and stored should follow the principles of privacy by design. This includes minimising the amount of sensitive data that is collected and how long it is stored for, and reducing the number of users that can see it by using a least privilege approach. Networks also need to be analysed for stale data, and the findings should be either deleted or archived, particularly data that is sensitive or covered by a regulation. By going back to analyse their current data practices and laying new groundwork to ensure data is collected, stored and accessed securely moving forwards, organisations can gain control of their data and drastically reduce the risk of both internal and external threats.
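The audit the article calls for (global access groups on folder ACLs, ghost accounts and never-expiring passwords in the directory, and stale files on the share) can be run from PowerShell on a Windows file server. The script below is an added example written for this page; it is not Varonis code and not part of the article. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the share and query the domain, and that the share path and day thresholds are placeholders to be adjusted. It only reads; the output CSVs are the starting point for replacing global groups with managed security groups and for disabling stale accounts.

```powershell
<#
  Added example, not Varonis code. Read-only audit of a Windows file share and Active
  Directory for the three problems the article describes:
    1. folders whose ACL grants access to a global group (Everyone, Domain Users,
       Authenticated Users),
    2. enabled "ghost" accounts with no logon inside a threshold, plus accounts whose
       password never expires,
    3. files not modified inside a threshold (stale data).
  Assumptions: RSAT ActiveDirectory module present; read access to the share and the
  domain; $ShareRoot and the thresholds are placeholders to adjust for your estate.
#>
#Requires -Modules ActiveDirectory
param(
    [string]$ShareRoot     = '\\fileserver\shared',  # placeholder UNC path
    [int]   $InactiveDays  = 90,                     # ghost-account threshold
    [int]   $StaleDataDays = 365,                    # stale-file threshold
    [string]$OutDir        = '.'
)

# The global access groups named in the article, compared on the bare name so that
# both 'Everyone' and 'CONTOSO\Domain Users' forms match. Add localised names if the
# file servers do not run an English-language Windows.
$GlobalGroups = @('Everyone', 'Domain Users', 'Authenticated Users')

function Test-GlobalIdentity {
    param([string]$Identity)
    $bareName = ($Identity -split '\\')[-1]
    return $GlobalGroups -contains $bareName
}

# 1. Folders open to a global group. Inherited ACEs are reported as well, because one
#    permissive ACE at the share root is exactly how 100,000 open folders arise.
function Find-OpenFolders {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
            if ($null -eq $acl) { return }   # access denied: skip, do not crash the run
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    (Test-GlobalIdentity $ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Folder    = $folder.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights.ToString()
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# 2a. Ghost users: enabled accounts with no logon inside the threshold. LastLogonDate
#     is derived from lastLogonTimestamp, which replicates with up to 14 days of lag,
#     so keep the threshold well above that. Accounts created after the cutoff are
#     excluded so that new joiners who have not logged on yet are not flagged.
function Find-GhostUsers {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object {
            ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) -and
            $_.whenCreated -lt $cutoff
        } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated
}

# 2b. Passwords that never expire: combined with a ghost account, this is what lets a
#     stale credential be used months or years later.
function Find-NeverExpiringPasswords {
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

# 3. Stale files. LastWriteTime is used rather than LastAccessTime because NTFS
#    access-time updates are frequently disabled, which makes LastAccessTime unreliable.
function Find-StaleFiles {
    param([string]$Root, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Select-Object FullName, LastWriteTime, Length
}

# Run the checks and write one CSV per finding type for review and remediation.
$stamp = Get-Date -Format 'yyyyMMdd'
Find-OpenFolders -Root $ShareRoot |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "open-folders-$stamp.csv")
Find-GhostUsers -Days $InactiveDays |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "ghost-users-$stamp.csv")
Find-NeverExpiringPasswords |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "never-expiring-passwords-$stamp.csv")
Find-StaleFiles -Root $ShareRoot -Days $StaleDataDays |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "stale-files-$stamp.csv")
```

Save it as, for example, Audit-DataExposure.ps1 and run `.\Audit-DataExposure.ps1 -ShareRoot '\\fs01\finance' -InactiveDays 120` from a domain-joined machine. The open-folders CSV is the list to work through when replacing global groups with managed security groups; the ghost-users CSV is the candidate list for disabling, and should be checked against HR leaver records before anything is deleted, since service accounts and long-term leave can both look like ghosts.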
psKINETIC in association with APPIAN
Ingolv Urnes is a Co-Founder and Director of psKINETIC.
Operationalising GDPR Compliance
Data and privacy legislation compliance has become a top strategic issue for organisations across the world. After the initial scramble up to the May 2018 introduction of the EU’s General Data Protection Regulation (GDPR), implemented in the UK by the Data Protection Act 2018, the challenge is now “How do we effectively operationalise ongoing GDPR compliance?”
The Challenges
Data capture and use is growing exponentially. Large organisations have a significant and growing data inventory (we use the term ‘dataset’). While new and exciting ways of leveraging this data are emerging, GDPR now puts significant demands on organisations to demonstrate appropriate and lawful use of such data. The consequences of a failure to comply are well known. GDPR breaches do not only carry substantial reputational risks but also potentially very significant penalties of up to 4% of global turnover. News headlines regarding data protection and large-scale data breaches or theft of data (British Airways being a good example) have made the general public much more aware of the risks. The Information Commissioner in the UK (as reflected elsewhere in Europe) is reporting a rapid growth in complaints. In fact, complaints filed with the Information Commissioner’s Office between May 25, when the new GDPR rules went into effect, and July 3 were more than double the number received during the same period a year earlier. As the value of data is better understood and reports of record-breaking fines hit the media, individuals are likely to increasingly use their newfound rights. At the same time, expect to continue to see the phenomenon of the GDPR activists. There is even an app that simplifies, for the consumer, the exercise of subject access rights.
The challenge of the explosive growth in data and its uses is compounded for organisations by their data sitting in different systems (from large ERP systems to Excel); by different organisational units and regions holding, and using, data differently; and by much of this data sitting with various data processors, such as vendors of cloud software or other outsourcing arrangements.
360° Holistic Approach
GDPR compliance is a complex multi-dimensional challenge. At the heart is your Dataset of Personal Data which (i) drives various activities including Impact Assessment, Subject Access Requests, Incident Reporting and Vendor Management and (ii) requires planning, execution and monitoring across complex organisational structures of various Divisions, Regions and Functional areas. So how do you ensure compliance? How do you try to guarantee that the expensive work on policies is actually put into practice? We think a 360° holistic approach is required to ensure all areas are covered and no effort is duplicated.
C-360° Compliance Platform
C-360° is a unique software solution designed to help you solve your privacy and GDPR compliance needs more effectively. It is delivered on Appian, a world-class case management and automation platform:
• Flexibility: C-360° is not an off-the-shelf product. Our job is to adapt it to work with your existing processes and organisational structure. C-360° can be tailored according to your key priorities.
• Start small: When we implement C-360° with you and your team, we begin with the most immediate priority; maybe it’s Impact Assessment or Subject Access Requests. Our approach and the underlying architecture allow C-360° to grow organically; for example, you may build out the Dataset as you respond to incoming SARs, or you may choose to first build the Dataset, including DPIA and policies, which can then drive more automated responses to SARs.
• Future proof: Since you are fully in control of C-360°’s configuration, you can expand it to cover new compliance-related requirements as these emerge. Our job is to help you operationalise compliance for today and the future.
C-360° is designed to automate as many activities as possible and ensure coordination across large organisations. Key functionality includes:
• Auto capture of requests from email, web form or print (using OCR); AI is helping us structure incoming requests to reduce manual work and errors.
• Policy Engine: A sophisticated rules engine that links your dataset and the associated policies to increase automation when responding to Subject Access Requests (SARs). This reduces cost, but more importantly ensures that you are executing SARs consistently.
• Case Management & Workflow: Enable coordination and collaboration across complex organisations, including delegation of tasks, measurement of SLAs, etc.
psKINETIC has nearly 10 years of experience helping customers leverage the Appian platform, working to ensure a successful outcome for clients’ digital transformation and process automation projects. For more information, www.pskinetic.com or telephone 0845 5050120.