Saturday, 29 October 2016

My 7 top security publications from the ICO

Given what can only be described as an omnishambles of security breaches, is there much more that the ICO can do to warn data controllers of the risks they should take account of?

Probably not.

What might be helpful though, is data controllers refreshing their memories about the guidance which has emerged from the ICO over the past few years.

In terms of the top 7 ICO publications, (virtual) copies of the following guides really ought to be at every DPO’s fingertips: 

7. Guidance on data security breach management (Dec 2012). This very high-level, 8-page guide builds on earlier advice that breaches of non-sensitive personal data relating to more than 1,000 victims should be notified to the ICO, while breaches of sensitive personal data relating to far fewer victims should also be notified.

6. Bring your own device (May 2013). This 13-page document contains advice on what a BYOD policy should contain, what security issues to consider with regard to data storage & transfers, and guidance on monitoring at work.

5. Guidance on the use of cloud computing (Oct 2012). This 23-page guide, evidently about to be revised by the ICO, contains a useful PIA-type checklist covering the issues (in terms of risks, confidentiality, integrity, availability & legal factors) to consider when using a cloud provider.

4. Privacy in mobile apps – guidance for app developers (Dec 2013). This 23-page guide contains some basic security advice, together with useful examples of good and bad practice for app developers.

3. Encryption (Mar 2016). This 35-page guide highlights, through a range of practical scenarios, when different encryption strategies can help provide a greater level of protection.

2. A practical guide to IT security (Jan 2016). This natty 18-page guide reports on 10 practical ways to secure IT systems. Sections offer high level guidance on the importance of:
  • Assessing the threats
  • Getting in line with Cyber Essentials
  • Securing data on the move & in the office
  • Securing data in the cloud
  • Backing-up data
  • Staff training
  • Monitoring alerts
  • Documenting controls
  • Minimising data
  • Monitoring contractors


However, and by a country mile, top of my list of "must read" ICO security publications is:

1. Protecting personal data in online services: learning from the mistakes of others (May 2014). This 46-page guide focusses on the 8 most common computer security vulnerabilities:
  • Software updates
  • SQL injection
  • Unnecessary services
  • Decommissioning
  • Password storage
  • SSL/TLS configuration
  • Inappropriate locations
  • Default credentials

So there you have it. Security breaches may well occur despite data controllers having taken account of the ICO’s advice – but woe betide a data controller that suffers a security breach because they’ve wilfully disregarded the published advice.


An inability to follow these basic guides will continue to be an aggravating factor that will be taken into account when the Information Commissioner decides what level of Civil Monetary Penalty to impose on a recalcitrant data controller.


Thursday, 5 May 2016

750 days to go before the new data protection rules bite

How often do organisations get 750 days’ notice of new rules that may require them to make huge changes to comply?

Well, it’s happened. The European Commission has just announced that the General Data Protection Regulation, a mighty piece of legislation that took over 4 years to negotiate, will come into force on 25 May 2018.

What will it mean to most organisations?

Potentially, lots. Unlike Y2K, which passed (mercifully, on 1 January 2000) without a hitch, the new rules are potentially pretty disruptive. After all, from May 2018, organisations will be under greater obligations to provide assurance to their boards, customers and regulators that their data protection processes and procedures are fit for purpose.

For the most serious violations (such as ignoring data subjects' rights) privacy regulators will be able to impose penalties of up to €20m or 4 percent of global revenue (whichever is higher). This is a critical change compared to current UK fines, which are capped at £500,000.

Other changes include:
  • Responsibility for data protection. Any organisation that processes or accesses personal data will also be held responsible for its protection, including third parties such as cloud providers. Data processors (not only data controllers) will be accountable for protecting data.
  • Applicability and extraterritoriality. Any organisation that processes personal data on individuals in the EU is in scope. This includes companies that are established outside the EU, even if they have no physical presence in the EU.
  • Data protection officer. Many companies will need to designate a DPO.
  • Data breach notification. Currently, different countries have different rules on data loss reporting. The GDPR will streamline the process, requiring regulators to be informed within 72 hours.
  • Claims and damages. Individuals and some representative organisations will be able to claim damages in certain cases. Litigation can be extremely costly and invariably results in both reputational and financial losses. Reputational damage will be a key consideration in managing the data breaches that will be reported to both regulators and customers.
  • Information and rights for individuals. Organisations will have to provide much more information to individuals about how their personal information is being processed, their rights and safeguards. These include the right to be forgotten, the right to restrict the processing of their personal data, and the right to data portability.


How can organisations prepare for these changes?

There will be no shortage of advice from the consulting firms that have been waiting a long time for the starting gun to be fired.

But how can they prevent themselves from over-engineering the solution?

As we experienced when the new cookie rules came in, some organisations tried almost too hard to implement the rules. Users were offered a bewildering array of choices about what cookies could be dropped on their device. Now, the general tendency is for organisations simply to say: “We use cookies, get over it. Click for more details.” 

I’ve prepared for these changes by changing my own job. I’m now leading the data protection offering at a major consultancy firm, and able to help clients by offering them support from a wider array of data protection specialists than was previously the case.

Wish me luck in my new role – and don’t hesitate to get in touch if you and/or your organisation need help in developing or implementing an enhanced privacy compliance programme.

Transformation and behavioural change?

Yes we can.

So let’s do it.
  
If your clients want to know what good data protection practices look like, you know I can help.



Wednesday, 30 March 2016

A (light hearted and) handy guide to privacy activists for the under 10s

Privacy activists in the olden days
There weren’t many privacy activists in the olden days. This was because there was no Internet, and very few people had heard of the Data Protection Commissioner. As it was expensive to make a telephone call, and texts had not yet been invented, it was quite hard to spread rumours and exchange information with lots of people you didn’t know. Only print journalists were usually able to do this, which is why the Sunday papers were often packed with stories about prostitutes and vicars. 

Journalists didn't bother about people’s privacy in the olden days.

Nowadays
Nowadays, privacy activists are bored with journalists because, on the whole, they behave themselves.

Nowadays privacy activists are bitter, but balanced, people. They have chips on both shoulders. Social media companies are a big disappointment to privacy activists.

Privacy activists now think that most people are:
a) Simple and easily led
b) Unenlightened and susceptible to short-term pleasures
c) Terribly sad and struggling, unable to cope on their own
d) All of the above

Education is a life-long task
Privacy activists think that most people are unable to think for themselves and require life-long education to help them make informed decisions.

Privacy activists work tirelessly campaigning to encourage most people to be acutely aware when buying online, rather than in local shops. They are disappointed that most people like to exchange their privacy for “free stuff”.

Most people like to surf the Internet, watch pornography, have sex and book foreign holidays. They do not understand that these activities are dangerous and need continuous education from privacy activists.

Most people need to be protected from the internet, even though they don’t read behavioural targeted adverts. They are easily influenced and their happy-go-lucky ways can be turned into bigoted nasty ways. Privacy activists are needed to help them use Facebook carefully and not make mistakes.

Privacy activists like to be sad and unhappy
Many privacy activists have a very nice life, but they like to be sad. To help with this, they choose to be sad for other people. Sometimes these people are far away and sometimes they are nearby, but different to them.

In the olden days, privacy activists tried to make it better for other people. Nowadays, they like to protect them by being offended when a normal person doesn’t behave as the activist would like them to do.

Privacy activists like to help other people by being offended on their behalf. This means that the other people can carry on with their lives and the privacy activists do all the work. This isn’t really fair, but the privacy activists seem to carry on doing it, so they must enjoy it. Despite all this effort privacy activists are still very sad.

Privacy activists care more than other people
Privacy activists care so much that they hate most social media companies. And Google. Other people don’t really think about social media companies, they only care about themselves and other people that they know. This means that privacy activists have to hate the social media companies even more, even more than they actually hate Google.

Privacy activists show that they care by telling other people about how much they care. They send special “I care” signals to other people. Forwarding videos on Facebook is one way that they can show how much they care. The videos often show people far away who are living miserable lives, but links to poorly written privacy policies are also considered sufficient.

Privacy activists (see below) are very helpful. They make lots of “I object” videos which makes it quick and easy for other activists to send their “objections”. They do this several times throughout each day when they are not busy.

Sometimes privacy activists are made angry by other people
Privacy activists care so much, it makes them hate people who don’t show that they care. These people are normal people. Privacy activists have given them a name. It is “Corporate scum”. Privacy activists like to shout at the people and tell them that they are scum even when they aren’t listening.

Shouting at the staff at the Information Commissioner’s Office is another way to show that they care. Caring is very important to privacy activists.

Privacy activists care so deeply that they don’t have time for thinking and convincing. They use their precious time for shouting about caring.

Also, normal people don’t know what privacy activists are saying, so it is helpful when they point to the people and shout “scum”. They think that normal people do understand shouting and caring.

If you have observed someone and you are not sure if they are a privacy activist, seek their opinion on “the corporates”. If they start to shout and care, they are privacy activists.

Privacy activists are helpful
Privacy activists are people who have an encrypted internet connection. They make the internet very loud.

Privacy activists help other people care on the internet. They are very helpful in pointing out when people have forgotten to show that they care. They help people in many ways – watching videos, commenting on things and clicking on buttons called “start a petition”. Privacy activists sometimes go outside their houses and meet other privacy activists and they care together and shout at the corporate scum.

Privacy activists are funny
Privacy activists have “enlightened comedians” who make jokes on “panel games” and tweet a lot. These are broadcast on the television, BBC Radio 4, and Twitter.

The enlightened comedians make people laugh at normal people, whom they consider stupid. In the olden days, comedians made jokes about Irish people, but these comedians weren’t clever like the enlightened comedians.

Instead of the Irish people, the enlightened comedians make jokes about Facebook. Because they care, they use special words like “Privacy Policies”, “Trans border data flows” and “Privacy Shield”, so the normal people will not notice.

Normal people do funny things like posting selfies on the Internet, eating Haribos and watching television. This is funny and the enlightened comedians are helpful because they point at them and laugh, so we know who to laugh at as well. It is very funny and we all laugh because we are enlightened too.

Further reading
Any tweet by @tim2040 should be enough to put you off your dinner.


Credits:
I am deeply indebted to Andy Shaw, whose recent article on a handy guide to Left-wing people for the under 10s prompted me to lovingly plagiarize his work. I do hope he won’t be offended.