Cybersecurity Challenges – PrivSec London 2020

Cybersecurity Challenges – PrivSec London 2020

There were a lot of insightful talks from the PrivSec London conference last week – here’s our pick of some of the most important points on the topic of cybersecurity.


Representatives from Microsoft provided some real eye-openers, such as: everyone’s passwords may almost certainly be compromised. This is why it’s so necessary to enable Multi-Factor Authentication on everything you can – otherwise you’re at real risk!

Meanwhile, 60% of data breaches are due to human error. E-learning as staff training for compliance is often quickly forgotten and doesn’t change behaviour – only 23% positively impacted employees – so training needs to be aligned with people’s business needs and personal values and ethics, and team meetings need to be held soon after it to decide what to change. Culture comes from the bottom up, not top down; leadership needs to be distributed not hierarchical as nobody can keep up with all the changes across these areas.

From a different session, a cybersecurity consultant said that 90% of cybersecurity issues that lead to him being called in are caused upstream in other systems and configuration/patching issues plus poor Information Security procedures and standards, yet the ever-spiralling (and very ineffective) cybersecurity spending in companies is misdirected downstream at the impacts of that. He almost always finds serious negligence by lunchtime on day one when starting with a new client.

There are huge skills gaps in cybersecurity – 1-2 million jobs going unfilled – and far too few women are getting into that area for many reasons, which doesn’t improve the success of the sector either.

Achieving GDPR compliance while using AI, Big Data and Location data is really difficult, and it’s hard to get genuine user knowledge of and consent for the future uses that might be made of that data and to fulfil user rights demands around that data. In fact, even anonymised versions of these kinds of data can often be de-anonymised by the uses companies put this data to. Locations-enabled apps gather all kinds of data about you and often share that information without your knowledge.


Our thanks to the following guest speakers at PrivSec London 2020:

  • Steve Wright, Partner, Privacy Culture Ltd, previously DPO for Bank of England, also John Lewis and Unilever previously
  • Baroness Neville-Rolfe, EU Committee member
  • Sheila Firtzpatrick, Fitzpatrick & Associates
  • Dave Horton, Solutions Engineer at OneTrust
  • Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft, Bill Karazsia, Fortive; Joao Torres Barreiro, Wills Towers Watson;
  • Charlie Wijsman, Accenture Global Data Privacy Lead
  • Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
  • Alberto Quesada, Global Head of Group Data Management, BNP Paribas
  • John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
    Ben Hawes, Benchmark initiative
  • Joan Keevil, Professional e-Learning Expert, SAI Global
  • David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
  • Stuart Aston, National Security Officer, Microsoft
  • Greg Van Der Gaast, Head of Information Security, University of Salford
  • Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester;  Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa
Cybersecurity Challenges – PrivSec London 2020

Insights from Sheila Fitzpatrick – PrivSec London 2020

At the PrivSec London conference last week, we heard from Sheila Fitzpatrick, a global expert in privacy and compliance. Here’s our pick of what she had to say and her advice about GDPR, the culture shift it has already brought about, and data privacy and security.


Anonymising data doesn’t truly make data safe, because someone in the organisation still has access to the original data. You need to really think about why your company is getting and using data – achieving an ‘improved user experience’ is not a good enough excuse. Companies often think that security is the same thing as privacy, and point enquiries about privacy to security protocols – but this is an ‘instant fail’ in Fitzpatrick’s book.

Companies in many other countries don’t realise they’re still subject to other countries’ Data Protection laws such as GDPR – and many countries are also planning laws that will exceed its requirements. GDPR created an awareness of changing legal focus from data security to the lawful bases for processing data, which in turn became the impetus for new laws across the world – as well as adding new technologies which also created privacy issues.

GDPR became the biggest revenue generator since Y2K – and there are a lot of solutions in the market. Companies often like to believe that they can buy ‘compliance in a box’, which is impossible and shows a lack of understanding of privacy; they often throw technology at the problem and assume that innovation will provide a better user experience.

They think that privacy will become irrelevant as a result of this approach; that it can be addressed through a simple checkbox, or that they have a “legitimate interest” in processing personal data. However, this probably isn’t true if the basis can’t be explained on a page clearly. It also shouldn’t be forgotten that if consent is ambiguous, it’s invalid under GDPR.

Big Data is problematic for GDPR compliance on many fronts, and so are AI and Smart Cities: it’s difficult to meet consumer rights demands for example, and to maintain anonymity where necessary.

Fitzpatrick noted that to access public Wi-Fi from a major telecommunications company recently, she had to wade through 5 pages of Privacy Policy and still couldn’t find out how to turn cookies off – which is not compliant with GDPR requirements.

You need to always be honest about what you’re doing; if you can’t, you’ve got a problem. Be upfront about your use of third parties who receive data from you, and don’t let vendors dictate terms to you as their terms can put you in breach. Privacy improvements give a competitive advantage and failing to comply can damage reputations badly.


Our thanks to Sheila Fitzpatrick for these insights and for giving an engaging and thought-provoking talk.

First UK GDPR fine issued

First UK GDPR fine issued

The first UK GDPR fine has been issued by the Information Commissioner’s Office (ICO). A fine of £275,000 was issued to Doorstep Dispensaree Ltd, a pharmacy based in London which supplies medicine to care homes.

The fine was issued on 20th December 2019 after an investigation by the Medicines and Healthcare products Regulatory Agency (MHRA). Although the MHRA was investigating other issues, they found an estimated 500,000 documents containing personal data left unsecured in an outside courtyard at the pharmacy’s premises.

The documents were apparently found in storage crates, a cardboard box, and disposal bags. According to a report from mondaq:

These were neither secure nor marked as confidential waste. Although the courtyard where the documents were found was locked, it could still be accessed from residential flats via a fire escape, leaving the documents vulnerable to potential unauthorised or unlawful access. The ICO also confirmed that some of the documents were found to be “soaking wet, indicating that they had been stored in this way for some time” and that this “careless” storage failed to protect the documents from accidental loss or damage.

 

The personal data included care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions. As information relating to an individual’s health is classified as special category personal data under the GDPR, its sensitivity requires more stringent security measures to be in place to provide additional protection. Consequently, the pharmacy’s failure to ensure appropriate security for this data was considered to be a serious breach of the GDPR.

There are many important things to note from this first UK GDPR fine:

  • While £275,000 is a significantly greater fine than anything issued pre-GDPR, it is also far short of the maximum possible. This is because the ICO has taken into consideration the size and financial position of Doorstep Dispensaree Ltd to make the fine “effective, proportionate and dissuasive”.
  • The data involved was not breached, but was stored in a dangerous way that was non-compliant with GDPR. The ICO is not merely looking at breaches, but overall compliance.
  • GDPR does not only apply to data stored digitally, but hard copies as well. Physical documents should be stored safely and securely, and properly disposed of as well.
  • Data controllers are required to protect data against damage or accidental loss; apart from questions over security, it is clear that storing documents outside in a cardboard box will insufficiently protect them from damage.
  • According to a report from Lexology: “The Commissioner noted that the pharmacy’s data protection documents were out of date, inadequate or were generic templates. They did not have a retention policy.” So there were other failings at the pharmacy, which showed little compliance with GDPR in any way.

Our GDPR Consultants can always advise an organisation about what they must do to become GDPR compliant. If Doorstep Dispensaree Ltd had obtained external, professional advice about data protection, they might have been able to avoid this fine.

If you have any concerns about compliance at your organisation, get in touch with us today and we’ll work with you on your data protection programme.

Pop-ups for website cookies could breach of GDPR

Pop-ups for website cookies could breach of GDPR

Pop-ups asking us for our consent to website cookies have increased since GDPR came into force. However, a new study shows that many of these pop-ups could actually still be in breach of GDPR.

The study, titled: “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, focuses on the requirement for informed consent. According to an article from Telecoms.com:

The issue this study seems to have been conducted to address concerns how much information people are supplied with when asked for their consent, as well as the matter of presumed consent – i.e. opt-out as opposed to opt-in. In many cases this process is managed by third party consent management platforms (CMP), and that’s what the study focused on.

 

We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK,” says the abstract to the report. We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices.

 

“We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22–23 percentage points; and providing more granular controls on the first page decreases consent by 8–20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.

You can read the full article from Telecoms.com by clicking here.

The study has basically found that people are not being supplied with enough information to give their consent in the majority of cases. If consent is not sufficiently informed, then it is not up to the standards of GDPR.

In fact, GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Because pop-ups relating to website cookies and other elements do not meet these criteria, they are not GDPR compliant – putting these websites and companies at risk of being penalised.

Unsure of how consent or other lawful bases for storing and processing data under GDPR work? Want to improve your compliance programme? Contact us today; our GDPR consultants can provide expert advice.

Data subject access requests pose GDPR risk

Data subject access requests pose GDPR risk

gdpr - data subject access requestsData subject access requests are a key part of GDPR. By allowing users to request a copy of the data an organisation holds on them, they ensure transparency and give users the awareness and ability to protect their information.

However, an unexpected side-effect is that they are also posing a risk to users because organisations are not taking sufficient steps to check the legitimacy of such requests.

The issue was discovered by Oxford University PhD student James Pavur. Having sent 150 data subject access requests in his fiancé’s name, he was given her data by almost a quarter of organisations with no more confirmation of identity than her email address or phone number.

As reported by Econsultancy:

Clearly, subject access creates a significant and previously not well-publicized risk for businesses.

 

While GDPR compliance has been a great concern for many companies, and Pavur’s research indicates that a large percentage are taking subject access requests seriously, the lack of a standard for what constitutes reasonable identity verification leaves companies vulnerable and gives bad actors the ability to turn a consumer data protection law into a weapon for stealing consumer data.

 

Perhaps not surprisingly, just as small and mid-sized organizations struggled the most to prepare for the GDPR, these organizations also appear to be the most vulnerable to subject access abuses. According to Pavur, the largest organizations he sent requests to “tended to perform well”. Non-profits and mid-sized businesses, on the other hand, were responsible for 70% of the mishandled requests.

You can read the full article from Econsultancy here: https://econsultancy.com/identity-verification-is-now-an-important-gdpr-issue/

The data that Pavur gained access to was often of a sensitive nature. In one case, he was able to obtain his fiancé’s US social security number without providing any documentation. He also obtained bank details and breached usernames and passwords that were still in use.

All of this indicates that there is still a long way to go when it comes to GDPR compliance. In attempting to comply with the law over data subject access requests, organisations were actually failing in their obligations to protect user data.

If you’re uncertain about how to ensure GDPR compliance, Activa Consulting can help. Get in touch with us today and our expert data protection consultants will provide the guidance that you need.