I’ve been collating findings from many online sessions and updates this year, and keep a log of latest findings, recommendations and case studies as I attend them. Here are some pointers to adapt your organisation to the latest guidance being shared by privacy and information security professionals.
- 2020 has inevitably meant a new working environment (Working From Home etc), requiring new tools, and new risks. This has accelerated trends that were already underway. But at the same time, when organisations disperse, privacy professionals become central – because organisations need robust central controls and standards. But for the same reason you also need to establish local Privacy Champions – extra eyes and ears with special training (they can be anyone) who drive privacy initiatives and expectations within departments etc. I managed the design and tailoring of Data Governance Frameworks for massive global CPG companies at a Big Tier firm for a year until recently and can advise about this if you need any guidance (email [email protected]). Annual one-hour online staff training courses often add little value or change across an organisation; putting up posters in bathrooms might often be more effective!
- Email is your #1 threat, because nearly all workers have to use it for work and often for family and friendships too. The vast majority of breach reports to the ICO relate to misdirected emails. Lots of other data converges in emails – for example for dealmaking, and people emailing themselves documents to print, proof and sign at home. The extent, types and severity of risks continue to increase, and at the same time people are having to solve their technical challenges and workarounds by themselves at home without peer pressure and support around them! Egress’s 2020 Insider breach report showed that 80% of respondents reported that misdirected emails were a high risk. One London lawyer had 4 different clients with the same full name and was constantly sending the wrong information to them!
- Legacy Data Loss Prevention technologies are inadequate and outdated. Instead, cloud and parallel processing analyse vast quantities of historical behaviour. Graph databases model relationships and how people interact. Contextual machine learning allows us to fix breaches before they happen! For example, to prevent misdirected emails, your system could recognise an email as a mistake by comparing it to the user’s history – who they normally send emails to, what sensitive data has been communicated around it, and their patterns of email sharing – even before the email is sent. This means you can notify a user of anything unusual, for example who they’ve copied in on what types of data.
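To make the idea above concrete, here is an added illustration (my own example, not a product or code from any of the sessions) of the kind of contextual check such a system performs before an email is sent. It learns a sender’s profile from constructed sample history – which addresses and domains they normally write to, which display names map to which addresses, and which categories of sensitive content each recipient has already received – and then flags a draft whose recipient is new, whose lookalike domain has never been used, whose name is shared by several known contacts (the London lawyer’s case), or who would be receiving a sensitive category for the first time. The client addresses, the sensitivity patterns and the history are all constructed for the example.

```python
"""Contextual misdirected-email check (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# Constructed sensitivity categories; a real system would use proper classifiers.
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "contract": re.compile(r"\b(contract|term sheet|nda)\b", re.I),
}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def classify(body):
    """Return the set of sensitive categories found in the message body."""
    return {cat for cat, pat in SENSITIVE_PATTERNS.items() if pat.search(body)}


class SenderProfile:
    """What one user's past outgoing mail tells us about their normal behaviour."""

    def __init__(self):
        self.recipient_counts = Counter()          # address -> emails sent
        self.domain_counts = Counter()             # domain -> emails sent
        self.sensitive_to = defaultdict(set)       # address -> categories already shared
        self.name_to_addresses = defaultdict(set)  # display name -> addresses used

    def learn(self, recipients, body):
        cats = classify(body)
        for name, addr in recipients:
            addr = addr.lower()
            self.recipient_counts[addr] += 1
            self.domain_counts[domain_of(addr)] += 1
            self.sensitive_to[addr] |= cats
            self.name_to_addresses[name.strip().lower()].add(addr)


def build_profile(history):
    profile = SenderProfile()
    for recipients, body in history:
        profile.learn(recipients, body)
    return profile


def check_draft(profile, recipients, body):
    """Return human-readable warnings for a draft, or an empty list if it looks normal."""
    warnings = []
    cats = classify(body)
    for name, addr in recipients:
        addr = addr.lower()
        dom = domain_of(addr)
        if profile.recipient_counts[addr] == 0:
            if profile.domain_counts[dom] == 0:
                warnings.append(f"{addr}: never emailed this address or domain before")
            else:
                warnings.append(f"{addr}: new address at a known domain")
        # Same display name, different address: the "four clients named Alex Smith" problem.
        others = profile.name_to_addresses.get(name.strip().lower(), set()) - {addr}
        if others:
            warnings.append(f"{addr}: '{name}' also matches known contact(s) {sorted(others)}")
        new_cats = cats - profile.sensitive_to.get(addr, set())
        if new_cats:
            warnings.append(f"{addr}: would receive {sorted(new_cats)} content for the first time")
    return warnings


# Constructed sending history for one user.
HISTORY = [
    ([("Alex Smith", "alex.smith@client-a.example")], "Hi Alex, please find the contract attached."),
    ([("Alex Smith", "alex.smith@client-a.example")], "Following up on last week."),
    ([("Alex Smith", "a.smith@client-b.example")], "Hello Alex, agenda for Thursday."),
    ([("Priya Patel", "priya@client-c.example")], "Invoice attached."),
]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    draft = ([("Alex Smith", "a.smith@client-b.example")], "Alex, the signed contract is attached.")
    for line in check_draft(profile, *draft):
        print("WARNING:", line)
```

In practice the warnings would be surfaced in the mail client as a prompt before sending, and the thresholds (a single past email is a thin basis for "normal") tuned per organisation; the point is that the signal comes from the sender’s own history and the content, not from a static rule list.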
- The strongest encryption in the world won’t work if it’s not easy to use. Using simple tools like web browsers to access content (for example via authenticated SSL connections) can help. Smarter approaches to authentication can mean users not being encumbered with passwords etc. I’ll be exploring the severe limitations of password protection in my upcoming series of articles challenging the ‘data free-for-all’ – watch this space from September 28th!
- Your current state of compliance can change from one day to the next. The critical element is the capability for being compliant – having the right people, oversight, and so on, to respond to changes successfully. It is crucial for the Data Protection Officer to have the tools to monitor oversight across the organisation. There are always gaps to address. Information governance is everyone’s responsibility, and so is ownership of their own work, so we build your bricks of data governance up from that. There needs to be constant risk assessment with ongoing monitoring. Marketing-heavy businesses have more challenges than other types of business.
- To get buy-in for privacy or data protection initiatives across the organisation, it’s important to talk about privacy as part of the brand journey, such as in terms of improving relationships and reputation with customers and so on.
- Saudi Arabia and China are still among the countries that have no data protection laws. In others, it’s very easy to get caught out because although GDPR is often their model, there’s often a key difference – so don’t just use GDPR as your model.
- The UK ICO has been good at communicating what’s needed, but privacy professionals have been surprised at the relative lack of fines handed out. The ICO is, though, highly exposed to legal challenges from the major companies it tries to fine, so that may have been challenging for them. In dealings with them, they’ve turned out to be pragmatic. It’ll be interesting to see what kind of regulator they’ll be after Brexit – supportive of British business or strict.
I’m continuing to extend these points as I cover more sessions – refresh or return to this article today and on the 23rd of September to get the latest!
Conclusions and recommendations
- It’s vital that all areas of the business are constantly pulling towards improved privacy, information security and Data Quality – all of which are specialisms we have driven for massive international companies and UK national companies. If you haven’t already got an ongoing Privacy, GDPR or Information Security initiative within your organisation, contact us to discuss how to establish one and what you’ll need to build into it: an initial telephone conversation with one of our consultants is free (up to 30 minutes), email [email protected] to book one.
Sources (the relevant contributors and their credentials are shown at the link and you can watch their talks yourself in full):