Final Thoughts – PrivSec London 2020

Final Thoughts – PrivSec London 2020

At the PrivSec London conference on the 4th and 5th February, we enjoyed hearing how leading professionals in our field are tackling the many shared challenges of doing business under the changing needs of the 2020s.

Here are some final thoughts from the event’s keynote speaker, Baroness Neville-Rolfe, and from ourselves…


Baroness Neville-Rolfe (Member, European Union Committee, and a former minister under David Cameron, who was heavily involved in negotiating GDPR) said that data is the “oil equivalent” of an extraordinary digital revolution.

This revolution is now affecting almost everything on the planet. The effects are impossible to predict, but like other revolutions, this one started slowly and is now picking up speed.

There were some interesting official statements made by government, EU, or other regulators which indicate:

  • There’s an ever-growing concern about the harms of online activity (such as for young people, from fraud, and so on), which is being reflected in legislation and official guidances across the world.
  • China’s big tech companies are catching up with the major US firms.
  • The UK may be particularly exposed to cybersecurity threats.
  • The management of risk has gone up the corporate agenda.
  • EU rules provide a framework to recognise the reciprocity between the data standards of different countries, and the UK will fall inside that alignment thanks to our adherence to GDPR in the new Data Protection Act 2018.

Overall, PrivSec London 2020 was an extremely informative conference. The key things that we learned are:

  • A culture shift is needed in most companies in order to keep up with changing legislation and guidelines. This includes planning for privacy and cybersecurity, getting buy-in across an entire organisation by explaining it in the business terms of each department, and only using data for transparent, legitimate reasons.
  • Security and privacy are not the same thing, and pointing enquiries about privacy to security protocols is insufficient. It’s impossible to buy ‘compliance in a box’ as a solution to GDPR, which raised people’s awareness of the legal bases for processing data.
  • Cybersecurity is a serious issue; the majority of passwords may already be leaked, and Multi-Factor Authentication is a necessity. Most problems are caused upstream by system and configuration issues or poor procedures, but most money is being directed downstream at the consequences, and there are huge skill gaps in the field.

What we can do for you about all this – check out our offers to find out how we can help you with your data protection programme:

  • GDPR Consultancy and Project Management – From start to finish, we will help manage your data protection programme and provide all the advice you need to become compliant.
  • GDPR Gap Analysis – Identify potential risks quickly and affordably, and set out clear recommendations of what will need to be done in order to comply with the law.
  • Data Protection Officers as a Service – As well as helping implement the necessary changes in your business for GDPR, we may be able to help you save money managing your data protection and securing your reputation with your customers.
  • Data Protection Staff Training – We can provide in-person or online support to teach your staff and contractors anything from the very basics of GDPR to the more advanced areas of the regulation.

Our thanks to the following guest speakers at PrivSec London 2020:

  • Steve Wright, Partner, Privacy Culture Ltd, previously DPO for Bank of England, also John Lewis and Unilever previously
  • Baroness Neville-Rolfe, EU Committee member
  • Sheila Firtzpatrick, Fitzpatrick & Associates
  • Dave Horton, Solutions Engineer at OneTrust
  • Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft, Bill Karazsia, Fortive; Joao Torres Barreiro, Wills Towers Watson;
  • Charlie Wijsman, Accenture Global Data Privacy Lead
  • Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
  • Alberto Quesada, Global Head of Group Data Management, BNP Paribas
  • John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
    Ben Hawes, Benchmark initiative
  • Joan Keevil, Professional e-Learning Expert, SAI Global
  • David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
  • Stuart Aston, National Security Officer, Microsoft
  • Greg Van Der Gaast, Head of Information Security, University of Salford
  • Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester;  Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa
Cybersecurity Challenges – PrivSec London 2020

Cybersecurity Challenges – PrivSec London 2020

There were a lot of insightful talks from the PrivSec London conference last week – here’s our pick of some of the most important points on the topic of cybersecurity.


Representatives from Microsoft provided some real eye-openers, such as: everyone’s passwords may almost certainly be compromised. This is why it’s so necessary to enable Multi-Factor Authentication on everything you can – otherwise you’re at real risk!

Meanwhile, 60% of data breaches are due to human error. E-learning as staff training for compliance is often quickly forgotten and doesn’t change behaviour – only 23% positively impacted employees – so training needs to be aligned with people’s business needs and personal values and ethics, and team meetings need to be held soon after it to decide what to change. Culture comes from the bottom up, not top down; leadership needs to be distributed not hierarchical as nobody can keep up with all the changes across these areas.

From a different session, a cybersecurity consultant said that 90% of cybersecurity issues that lead to him being called in are caused upstream in other systems and configuration/patching issues plus poor Information Security procedures and standards, yet the ever-spiralling (and very ineffective) cybersecurity spending in companies is misdirected downstream at the impacts of that. He almost always finds serious negligence by lunchtime on day one when starting with a new client.

There are huge skills gaps in cybersecurity – 1-2 million jobs going unfilled – and far too few women are getting into that area for many reasons, which doesn’t improve the success of the sector either.

Achieving GDPR compliance while using AI, Big Data and Location data is really difficult, and it’s hard to get genuine user knowledge of and consent for the future uses that might be made of that data and to fulfil user rights demands around that data. In fact, even anonymised versions of these kinds of data can often be de-anonymised by the uses companies put this data to. Locations-enabled apps gather all kinds of data about you and often share that information without your knowledge.


Our thanks to the following guest speakers at PrivSec London 2020:

  • Steve Wright, Partner, Privacy Culture Ltd, previously DPO for Bank of England, also John Lewis and Unilever previously
  • Baroness Neville-Rolfe, EU Committee member
  • Sheila Firtzpatrick, Fitzpatrick & Associates
  • Dave Horton, Solutions Engineer at OneTrust
  • Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft, Bill Karazsia, Fortive; Joao Torres Barreiro, Wills Towers Watson;
  • Charlie Wijsman, Accenture Global Data Privacy Lead
  • Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
  • Alberto Quesada, Global Head of Group Data Management, BNP Paribas
  • John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
    Ben Hawes, Benchmark initiative
  • Joan Keevil, Professional e-Learning Expert, SAI Global
  • David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
  • Stuart Aston, National Security Officer, Microsoft
  • Greg Van Der Gaast, Head of Information Security, University of Salford
  • Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester;  Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa
Cybersecurity Challenges – PrivSec London 2020

Insights from Sheila Fitzpatrick – PrivSec London 2020

At the PrivSec London conference last week, we heard from Sheila Fitzpatrick, a global expert in privacy and compliance. Here’s our pick of what she had to say and her advice about GDPR, the culture shift it has already brought about, and data privacy and security.


Anonymising data doesn’t truly make data safe, because someone in the organisation still has access to the original data. You need to really think about why your company is getting and using data – achieving an ‘improved user experience’ is not a good enough excuse. Companies often think that security is the same thing as privacy, and point enquiries about privacy to security protocols – but this is an ‘instant fail’ in Fitzpatrick’s book.

Companies in many other countries don’t realise they’re still subject to other countries’ Data Protection laws such as GDPR – and many countries are also planning laws that will exceed its requirements. GDPR created an awareness of changing legal focus from data security to the lawful bases for processing data, which in turn became the impetus for new laws across the world – as well as adding new technologies which also created privacy issues.

GDPR became the biggest revenue generator since Y2K – and there are a lot of solutions in the market. Companies often like to believe that they can buy ‘compliance in a box’, which is impossible and shows a lack of understanding of privacy; they often throw technology at the problem and assume that innovation will provide a better user experience.

They think that privacy will become irrelevant as a result of this approach; that it can be addressed through a simple checkbox, or that they have a “legitimate interest” in processing personal data. However, this probably isn’t true if the basis can’t be explained on a page clearly. It also shouldn’t be forgotten that if consent is ambiguous, it’s invalid under GDPR.

Big Data is problematic for GDPR compliance on many fronts, and so are AI and Smart Cities: it’s difficult to meet consumer rights demands for example, and to maintain anonymity where necessary.

Fitzpatrick noted that to access public Wi-Fi from a major telecommunications company recently, she had to wade through 5 pages of Privacy Policy and still couldn’t find out how to turn cookies off – which is not compliant with GDPR requirements.

You need to always be honest about what you’re doing; if you can’t, you’ve got a problem. Be upfront about your use of third parties who receive data from you, and don’t let vendors dictate terms to you as their terms can put you in breach. Privacy improvements give a competitive advantage and failing to comply can damage reputations badly.


Our thanks to Sheila Fitzpatrick for these insights and for giving an engaging and thought-provoking talk.

Cybersecurity Challenges – PrivSec London 2020

The Need for a Culture Shift – PrivSec London 2020

From what we heard at the PrivSec London conference this week, it was clear that a culture shift is needed in many – maybe most – companies coming into the new decade. Our thanks go to the guest speakers who provided these insights – you can see a full list of those whose talks we attended at the end of this article.

Here are some culture shifts that companies need to be making in order to keep up with changing legislation and guidelines:


CULTURE SHIFT #1: Have a plan for privacy and cybersecurity, with people and budgets allocated to it.

CULTURE SHIFT #2: Don’t assume that privacy = cybersecurity, you’ll fail if you assume it’s a tech matter. Do a dummy run of a data breach at your organisation – it’ll probably throw up some significant issues.

CULTURE SHIFT #3: To get buy-in across the organisation, explain Privacy and Cybersecurity matters in the business terms of each department or stakeholder group’s business goals, such as making money, reputation protection, and so on.

CULTURE SHIFT #4: Getting your data into one place (e.g. the cloud) makes it more controllable in one place with a lot of access but is also where the biggest risk lies. Work out what you’ve got and what you are moving to the cloud – delete as much as you can of your data set defensively, use the infrastructure and systems there to look after every piece of information in one system and apply policies across everything.

CULTURE SHIFT #5: Get tighter on checking, stating and enabling opt-outs for all the cookies working on your website(s), such as trackers: many of these may be coming from your third-party hosting provider rather than your own web developers and plugins! ‘Continued browsing’ or browser settings aren’t adequate to demonstrate consents anymore under the latest government guidances.

CULTURE SHIFT #6: For businesses, ethics ARE sustainability. They’re about only using data for transparent, legitimate reasons that genuinely improve the user experience and give users control over the data held about them and how it is used. They’re about not ruining trust or making customers uneasy about using your business or website or platform.


Our thanks to the following guest speakers at PrivSec London 2020:

  • Steve Wright, Partner, Privacy Culture Ltd, previously DPO for Bank of England, also John Lewis and Unilever previously
  • Baroness Neville-Rolfe, EU Committee member
  • Sheila Firtzpatrick, Fitzpatrick & Associates
  • Dave Horton, Solutions Engineer at OneTrust
  • Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft, Bill Karazsia, Fortive; Joao Torres Barreiro, Wills Towers Watson;
  • Charlie Wijsman, Accenture Global Data Privacy Lead
  • Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
  • Alberto Quesada, Global Head of Group Data Management, BNP Paribas
  • John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
    Ben Hawes, Benchmark initiative
  • Joan Keevil, Professional e-Learning Expert, SAI Global
  • David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
  • Stuart Aston, National Security Officer, Microsoft
  • Greg Van Der Gaast, Head of Information Security, University of Salford
  • Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester;  Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa
DynaRisk reports on UK data breaches

DynaRisk reports on UK data breaches

A report from cybersecurity firm DynaRisk has uncovered some interesting facts about UK data breaches. The information uncovered by the company includes:

  • There have been more data breaches for users with BT email addresses than for those who use Gmail, Hotmail, or Yahoo emails.
  • UK consumers suffered more data breaches than people in such countries as Canada, New Zealand, and the majority of Europe.
  • Three out of five consumers in the UK were victims of a data breach.
  • The average Cyber Security Score – which works like a credit score but tracks cyber security – of UK consumers rose by 26% in the last 12 months.

According to a report from ITProPortal:

“It’s encouraging to see that the average score in the UK is now so high (800) and has increased by so much from this time last year,” said Andrew Martin, CEO, DynaRisk.

 

“Consumers are clearly becoming more aware and more protective of their online information in the UK; and getting better at arming themselves against an ever-increasing number of cyber threats.”

 

Even though the numbers are promising, Martin says there’s still plenty of room for improvement, and that consumers should always be cautious when signing up to different services with their email address.

 

“Constant investment and training needs to be put in place by all companies to ensure customer information is as safe as it can be,” he said.

The takeaway from this report is that while the frequency of UK data breaches is worrying, the overall trend is one of improvement. Users are increasingly aware of the cyber security risks that they face in the modern technological environment.

Do you have concerns about possible data breaches at your organisation and want to plug the gap? Activa Consulting is here to help. Get in touch with us today and find out how we can help your data protection programme!

 

First UK GDPR fine issued

First UK GDPR fine issued

The first UK GDPR fine has been issued by the Information Commissioner’s Office (ICO). A fine of £275,000 was issued to Doorstep Dispensaree Ltd, a pharmacy based in London which supplies medicine to care homes.

The fine was issued on 20th December 2019 after an investigation by the Medicines and Healthcare products Regulatory Agency (MHRA). Although the MHRA was investigating other issues, they found an estimated 500,000 documents containing personal data left unsecured in an outside courtyard at the pharmacy’s premises.

The documents were apparently found in storage crates, a cardboard box, and disposal bags. According to a report from mondaq:

These were neither secure nor marked as confidential waste. Although the courtyard where the documents were found was locked, it could still be accessed from residential flats via a fire escape, leaving the documents vulnerable to potential unauthorised or unlawful access. The ICO also confirmed that some of the documents were found to be “soaking wet, indicating that they had been stored in this way for some time” and that this “careless” storage failed to protect the documents from accidental loss or damage.

 

The personal data included care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions. As information relating to an individual’s health is classified as special category personal data under the GDPR, its sensitivity requires more stringent security measures to be in place to provide additional protection. Consequently, the pharmacy’s failure to ensure appropriate security for this data was considered to be a serious breach of the GDPR.

There are many important things to note from this first UK GDPR fine:

  • While £275,000 is a significantly greater fine than anything issued pre-GDPR, it is also far short of the maximum possible. This is because the ICO has taken into consideration the size and financial position of Doorstep Dispensaree Ltd to make the fine “effective, proportionate and dissuasive”.
  • The data involved was not breached, but was stored in a dangerous way that was non-compliant with GDPR. The ICO is not merely looking at breaches, but overall compliance.
  • GDPR does not only apply to data stored digitally, but hard copies as well. Physical documents should be stored safely and securely, and properly disposed of as well.
  • Data controllers are required to protect data against damage or accidental loss; apart from questions over security, it is clear that storing documents outside in a cardboard box will insufficiently protect them from damage.
  • According to a report from Lexology: “The Commissioner noted that the pharmacy’s data protection documents were out of date, inadequate or were generic templates. They did not have a retention policy.” So there were other failings at the pharmacy, which showed little compliance with GDPR in any way.

Our GDPR Consultants can always advise an organisation about what they must do to become GDPR compliant. If Doorstep Dispensaree Ltd had obtained external, professional advice about data protection, they might have been able to avoid this fine.

If you have any concerns about compliance at your organisation, get in touch with us today and we’ll work with you on your data protection programme.