From what we heard at the PrivSec London conference this week, it was clear that a culture shift is needed in many – maybe most – companies coming into the new decade. Our thanks go to the guest speakers who provided these insights – you can see a full list of those whose talks we attended at the end of this article.
Here are some culture shifts that companies need to be making in order to keep up with changing legislation and guidelines:
CULTURE SHIFT #1: Have a plan for privacy and cybersecurity, with people and budgets allocated to it.
CULTURE SHIFT #2: Don’t assume that privacy = cybersecurity; you’ll fail if you treat it purely as a tech matter. Do a dummy run of a data breach at your organisation – it’ll probably throw up some significant issues.
CULTURE SHIFT #3: To get buy-in across the organisation, explain Privacy and Cybersecurity matters in the business terms of each department or stakeholder group’s business goals, such as making money, reputation protection, and so on.
CULTURE SHIFT #4: Getting your data into one place (e.g. the cloud) makes it more controllable, because it is in one place with a lot of access, but that is also where the biggest risk lies. Work out what you’ve got and what you are moving to the cloud, delete as much of your data set as you defensibly can, then use the infrastructure and systems there to look after every piece of information in one system and apply policies across everything.
CULTURE SHIFT #5: Get tighter on checking, stating and enabling opt-outs for all the cookies working on your website(s), such as trackers: many of these may be coming from your third-party hosting provider rather than your own web developers and plugins! ‘Continued browsing’ or browser settings aren’t adequate to demonstrate consent anymore under the latest government guidance.
CULTURE SHIFT #6: For businesses, ethics ARE sustainability. They’re about only using data for transparent, legitimate reasons that genuinely improve the user experience and give users control over the data held about them and how it is used. They’re about not ruining trust or making customers uneasy about using your business or website or platform.
Our thanks to the following guest speakers at PrivSec London 2020:
- Steve Wright, Partner, Privacy Culture Ltd, previously DPO for Bank of England, also John Lewis and Unilever previously
- Baroness Neville-Rolfe, EU Committee member
- Sheila Fitzpatrick, Fitzpatrick & Associates
- Dave Horton, Solutions Engineer at OneTrust
- Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft; Bill Karazsia, Fortive; Joao Torres Barreiro, Willis Towers Watson
- Charlie Wijsman, Accenture Global Data Privacy Lead
- Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
- Alberto Quesada, Global Head of Group Data Management, BNP Paribas
- John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
- Ben Hawes, Benchmark initiative
- Joan Keevil, Professional e-Learning Expert, SAI Global
- David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
- Stuart Aston, National Security Officer, Microsoft
- Greg Van Der Gaast, Head of Information Security, University of Salford
- Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester; Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa
Pop-ups asking us for our consent to website cookies have increased since GDPR came into force. However, a new study shows that many of these pop-ups could actually still be in breach of GDPR.
The study, titled: “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, focuses on the requirement for informed consent. According to an article from Telecoms.com:
The issue this study seems to have been conducted to address concerns how much information people are supplied with when asked for their consent, as well as the matter of presumed consent – i.e. opt-out as opposed to opt-in. In many cases this process is managed by third party consent management platforms (CMP), and that’s what the study focused on.
“We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK,” says the abstract to the report. “We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices.
“We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22–23 percentage points; and providing more granular controls on the first page decreases consent by 8–20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.”
You can read the full article from Telecoms.com by clicking here.
The study has basically found that people are not being supplied with enough information to give their consent in the majority of cases. If consent is not sufficiently informed, then it is not up to the standards of GDPR.
In fact, GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Pop-ups relating to website cookies and other elements that do not meet these criteria are not GDPR compliant – putting those websites and companies at risk of being penalised.
Unsure of how consent or other lawful bases for storing and processing data under GDPR work? Want to improve your compliance programme? Contact us today; our GDPR consultants can provide expert advice.
A new report has found that the majority of the UK’s most popular websites are failing to comply with GDPR.
The study from ImmuniWeb found that 86 of the top 100 sites visited in the UK did not meet their obligations, with all of them handling user data via insecure cookies.
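The “insecure cookies” finding above refers to cookies set without the attributes that stop them being sent over plain HTTP or read by page scripts. The script below is an added example, not the ImmuniWeb study’s tooling or any code from this article: it audits a list of Set-Cookie headers for missing Secure, HttpOnly and SameSite attributes, and flags the common mistake of SameSite=None without Secure. The sample headers are constructed for illustration; in practice you would feed it the Set-Cookie headers captured from your own site’s responses.

```python
"""Audit Set-Cookie headers for missing security attributes.

Added example, not from the article or the ImmuniWeb report.
Sample headers below are constructed and do not come from any real site.
"""
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers, as a web server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracker=xyz; Path=/; Expires=Wed, 21 Oct 2030 07:28:00 GMT",
    "csrftoken=tok; Path=/; Secure; SameSite=None",
    "ab_test=1; Path=/; SameSite=None",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else ""
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> List[str]:
    """Return a list of findings for one Set-Cookie header (empty = clean)."""
    _, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        # Without Secure the browser will also send the cookie over plain HTTP.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly the cookie is readable from page JavaScript.
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        # Browsers default to Lax when absent, but stating it makes intent explicit.
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also marked Secure.
        findings.append("SameSite=None requires Secure")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every header and key the findings by cookie name."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie_name, findings in audit_all(SAMPLE_HEADERS).items():
        status = ", ".join(findings) if findings else "ok"
        print(f"{cookie_name}: {status}")
```

Run against real traffic, only the cookies with an empty findings list would pass the kind of check the report describes; the third-party trackers mentioned under Culture Shift #5 are the ones that most often turn up looking like the `tracker` sample here.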
As IT Pro reports:
The stats reveal that sites operating across the rest of Europe are more likely to be compliant with GDPR. A study of popular sites in France found 83 of its top 100 were non-compliant, while in Germany this fell to 50. The reasons for this are noticeably different, however, as sites in France and Germany are far more likely (50% and 40% respectively) to have missing or hard to reach privacy policies.
“We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements amid European companies,” said Ilia Kolochenko, CEO and founder of ImmuniWeb. “However, there is a long road before the majority of organisations value actual security above paper-based compliance thereby providing their users with the privacy and security they truly deserve.”
You can read the full article from IT Pro here: https://www.itpro.co.uk/policy-legislation/33726/most-of-the-uks-top-websites-fail-gdpr-claims-immuniweb
With GDPR now over a year old, these are worrying statistics. Compliance should have been met before it even came into force; failing to comply with GDPR now is inexcusable.
That the UK is lagging behind other countries (although only just behind some of them) would seem to indicate that GDPR is less of a concern for British organisations than it is for the rest of the EU.
Yet even with uncertainties over Brexit, GDPR will remain as the framework for Britain’s data protection laws. Failing to comply with GDPR is unacceptable no matter what happens when the UK leaves the EU.
If you’re yet to ensure GDPR compliance at your organisation, Activa Consulting is here to help. Our Gap Analysis service will identify the potential risks to your business and recommend what changes you need to make. Click here to contact us now!