Posts

The Era of the Technology Enabled DPO has Begun

Confucius once said ‘Life is really simple, but we insist on making it complicated.’ One can only imagine Confucius’ reaction to a roundtable with a DPO, CISO and CIO in 2018. ‘You connected what, why?’ ‘You understand this behaviour, how?’ ‘Robots are storing information, why, how and where?’

Staring bleary-eyed back at Confucius the tech leaders might retort, ‘We aren’t making it complicated, we are the ones managing complexity.’

Herein lies the reality for the technology leader in 2018; the advance of technology lies outside of our control, and like the frog in the boiling pot, the heat to protect critical data is starting to bubble, with little support for upgrading the more resistant capabilities of those who find themselves in the pot.

In a search for that extra protection, DPOs in particular are turning to technology, and here’s how.

The Era of the Technology Enabled DPO has Begun

The 2018 EY-International Association of Privacy (IAPP) study showed that 56% of businesses believe they are not entirely GDPR compliant with 20% of businesses believing full compliance is impossible.

To understand how DPOs are turning to technology to close the compliance gap, let’s look at how spending on data privacy/GDPR compliance has changed over the past few years.

The EY-IAPP report has a few telling statistics in this regard:

  • Amongst companies preparing for GDPR 57% are investing in technology in 2018, up from 27% in 2016.
  • 68% of programme leaders now say data inventory and mapping is a priority, up from 48% in 2016.
  • IT and Information Security are now responsible for housing 30% of GDPR/information governance programmes up from 14% in 2016.
  • Right to Be Forgotten and Subject Access Requests were voted the two most difficult GDPR obligations to fulfil. Both currently rely on manual data discovery processes across multiple applications and platforms.

The observed compliance gap, alongside the shift away from human-resource spending to technology spending, suggests that the problem of data discovery, compliance and security is one whose solution supersedes the capabilities of even the best-intentioned human resources.

At the same time the number of DPOs are on the rise, with DPO vacancies up a staggering 700% from 2 years ago.

We can learn two things from this:

  • Data Protection Officers are turning to technology to help discover and protect data
  • Despite the increase in technology uptake, the human role of directing technology is more important and involved than ever.

And so the era of the technology enabled DPO has begun. Fortunately, technology for DPOs seeks for the most part to automate manual process, making the marriage between humans and tech in data protection truly Cyborgian in nature.

This marriage should seem intuitive as the first role of any newly appointed DPO is to answer, ‘What data do I have? Where is it? Who has access to it? How is it secured?’. It’s unrealistic for Data Protection Officers to be literally hands-on with data in 2018 hence smart data discovery and control tools coming to the fore.

So what technology solutions can help?

Data discovery and compliance technologies like Exonar in the UK have emerged in the past 18 months with plug in and play solutions for automated enterprise data discovery where previously none existed. The solutions discover data automatically to create accurate, real-time, classified inventories of information that allow DPOs to see a full breakdown of data and its sensitivity across an organisation, enabling DPOs to govern and protect data effectively.

Through the marriage of DPOs and data discovery technologies, data protection programmes can instantly become much more achievable, accurate, and less work for those involved. The era of the technology enabled DPO has begun.

https://iapp.org/media/pdf/resource_center/IAPP_EY_Gov_Report_2018.pdf

John Tsopanis
Data and Privacy Director, Exonar

CCPA – How Will New Privacy Law Impact Trade With America

 

CCPA – How Will New Privacy Law Impact Trade With America?

You wait years for data privacy regulations to catch up with current data processing requirements and then, like buses, two arrive at the same time.

Many UK organisations may well feel like they have been hit by a bus, given the dramatic impact that the General Data Protection Regulation (GDPR) has had since its implementation in May. Following closely behind is the California Consumer Privacy Act (CCPA) 2018 (AB 375), passed in June, which will come into force in 2020.

In a nutshell, it’s California’s answer to the GDPR. But don’t be fooled. It may look similar to the GDPR but there are nuances organisations need to understand to comply and stay on the right side of the regulations. Especially as it’s widely accepted that CCPA will set the bar for privacy rules across other US states.

California holds a key role, especially when it comes to trade with the UK. For example, the California Chamber of Commerce notes that the UK is California’s 10th largest export destination, with over $5 billion in exports.

 

CCPA versus GDPR

What do UK businesses need to be aware of? Well, the overlap between several of the CCPA rights and the GDPR include the right to information and the right of access. But the obvious difference is that that the CCPA rights only apply to persons that reside in California, whereas the GDPR applies to processing of EU citizen data by organisations regardless of whether they are located within the EU or not.

To view an easily searchable text version of the CCPA, click here.

 

Understanding the Differences

Firstly, let’s take a step back and understand the organisations that each regulation will apply to. GDPR is relatively straight forward; it applied to any organisation holding personal data on EU citizens.

CCPA on the other hand will apply to for-profit organisations that process personal data of Californian residents and either take $24 million in annual revenue, hold the personal data of 50,000 people, households, or devices or take at least half of their revenue in the sale of personal data.

Another of the key differences between GDPR and CCPA is that obtaining consent under California’s law differs from the methods required under the GDPR. In Europe, consumers must opt in and give consent for their data to be stored and used. With CCPA, consumers can opt out of the sale of their personal information.

 

What does CCPA mean for the rights of the individual?

One of the main aims of the GDPR is to give individuals better visibility and control over their data, and as such it offers better access to data, right to erasure, correction and objection to automated processing. It also includes the right to notification in the event of a data breach.

The CCPA aims to improve the right of access to data being held, and the right to know how personal data is being used and who data has been provided to. It enforces the right to disclosure and objection relating to who data is being sold to and guarantees no discrimination if an individual objects to their data being sold.

The financial penalties also differ between the GDPR and CCPA. Under GDPR, organisations can be fined 4% of global turnover or €20m, whichever is greater. The CCPA imposes penalties of $750 per consumer per incident or actual damages, whichever is greater. As for penalties assessed against businesses, the highest amount is $7,500 per violation, notwithstanding penalties under California’s Unfair Business Practices Act.

For a breakdown of the similarities and differences between the GDPR and CCPA, click here.

 

Becoming and remaining CCPA compliant

Preparation for CCPA will share many characteristics with actions undertaken for GDPR compliance. Coordination is vital, including executive sponsors and stakeholders from legal, compliance and data privacy teams, people with oversight of technology and its security and representatives from the key personal data owners in an organisation (e.g. HR, sales, marketing, customer service).

The key is starting with data inventory. Prioritise information stores likely to contain personal data and those with poor governance. Be practical and don’t rely on your corporation’s answers to questionnaires for your data inventory, or you will get an idealistic view of your risk (a head of marketing is likely to say the personal data they process is in the marketing system, forgetting that it got there via email and has been exported into spreadsheets, for example).

The aim is to find all relevant data within your organisation. In fact, “identifying what data you hold” was listed as a key step by the UK’s ICO as well as other national authorities in the run up to GDPR. Given how rapidly data is collected, created and stored by organisations, it would be very difficult to find this out manually.

What is correct at the beginning of this year could be wildly different in 6 months’ time, and attempting to complete tasks manually will result in a catalogue of where people think data is held and processed (usually the systems designed to hold the data, like a CRM system) rather than where data is actually held (such as in a spreadsheet extracted from the CRM system to run a regular report).

But the task of creating a data inventory does not need to be arduous, there are tools available that use Big Data and Machine Learning principles as part of an eDiscovery and data mapping process, giving you the ability to rapidly find and categorise data and continue to do so on an on-going basis – ensuring continual compliance for your business rather than just at a single point in time.

 

Technology to simplify compliance

It’s clear that the tasks above are the first steps in what will be an on-going process. But these steps are crucial for any organisation that wants to get it right first time.

To simplify the compliance process, Exonar’s Privacy Dashboard can provide an easily digestible top-down view of the of all of the information a business holds in relation to the GDPR and the CCPA.

Exonar’s solution achieves this by indexing files in any format from sources like cloud, file shares and mail servers, and locating passwords, customer information, credit card numbers, salaries and company confidential records.

This means all of your data, from databases to documents, is mapped and classified and able to be searched instantly – even with advanced queries. This allows users to find any information held in seconds or create visualisations to help understand data. When you understand your data, it’s easy to make decisions about what data to keep or delete and what needs to be done in order to stay compliant with regulations relevant to your business.

To find out more about the CCPA and Exonar’s solutions, visit https://www.exonar.com/ccpa/

 

The Great Data Shake Up – GDPR changes at 100 days and counting

The 5 Key GDPR Changes at 100 days and counting

September 2nd marked 100 days since the General Data Protection Regulation (GDPR) came into force. The new rules marked a much-needed update to the UK’s aging 1998 Data Protection Act.

The update had been a long time coming. So what have we learned so far? Here’s five ways that GDPR has shaken up the way we gather, store and process data.

1. Effective data management starts with discovery

With the amount of data collected and stored by organisations large and small, data discovery has played a major role in achieving GDPR compliance.

What’s more, being able to react to changes in user habits and trends, like permanently deleting social media accounts or customer history and interactions, has added complications to data management that must be addressed.

Advances in technology, like Big Data and Machine Learning, have added a level of simplicity to creating a data inventory. When implemented correctly, these principles can be used as part of an eDiscovery and data mapping process with the ability to rapidly find and categorise data and to do so on an on-going basis – ensuring continual compliance for an organisation rather than just at a single point in time.

The added benefit of a digital discovery process is that unknown data is often identified and located. It’s vital that all data is accounted for to ensure compliance. After all, you don’t know what you don’t know.

2. The price of non-compliance

Failure to comply with the GDPR can lead to heavier punishments than ever before. Fines for malpractice have increased from a maximum of £500,000 up to €20 million, or 4% of annual turnover (whichever is higher).

What’s more, individuals can sue a business for compensation to recover both material damage and non-material damage, like distress.

Article 82 of the GDPR states that any person who suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered.

Therefore, it’s possible that compensation claims could reach huge numbers if a breach occurs on a large scale under the new rules, increasing financial losses as well as consuming vast amounts of time dealing with individual litigation. Just consider the recent British Airways data breach, where BA revealed that 380,000 customer transactions had been compromised. As well as potentially facing an enourmous fine under GDPR, it may be the case that every customer will be eligible for compensation.

3. Dealing with SARs

Subject Access Requests (SARs) are not a new component of the GDPR, they were first introduced under the 1998 DPA. However, GDPR has made several changes to the way that SARs (or a Right of Access as they are known under GDPR) operate which organisations must be aware of.

To begin with, organisations can no longer charge for producing SARs, and they have less time to complete them (one month, instead of 40 days).

Exonar’s own research found that many organisations struggled to meet the deadline for providing answers to FOI requests (FOI requests must be completed within 20 working days), highlighting the difficulty that many will face complying with requests under the new GDPR requirements.

The time taken by public sector organisations to respond to an FOI varied from one day to 159 days. On average it took 24 days, with the NHS averaging 27, emergency services 21, central government 22 and local government 23 days.

In another survey Exonar carried out before GDPR came into force, 57% of individuals said they would want to request their data as there is now no cost. This means organisations need to ensure they are prepared for a significant increase in the number of requests they handle.

They also need to ensure they are giving users the data they are expecting. For example, Spotify users recently noticed that although they have access to data download tools, to get hold of all of the data held – such as telemetry or A/B testing – a SAR needed to be sent to Spotify’s privacy team.

But the latest technology can help. Platforms are available that can map and understand any information held and create an index which can then be searched in seconds, no matter how much data is held. This greatly reduces the time and cost of managing data and compliance, and in fact it can reduce the cost of processing a SAR to zero.

4. Understand your data

Achieving compliance with the principles of GDPR is an ongoing task, but it becomes a simple one with added benefits once you understand the data you hold and how it’s processed. A completed audit shouldn’t mean you then stand still. Data should be continually reviewed to better organise and refine management processes.

Removing risk, especially if it’s data that has no value, is vital. When you understand your data, it makes it much easier to identify and act on duplicate, obsolete or redundant data and therefore minimise storing and processing costs.

The latest tools are able to search your sensitive information and index files in any format, no matter where the data is held, such as mail servers or the cloud. This means locating and understanding information like passwords, credit card details and confidential records is simple.

5. Beyond GDPR

Although it applies mainly to data processing, the effects of GDPR are far reaching and a successful programme of compliance often brings additional benefits, such as improvements in efficiency and productivity, tighter cyber security and increased customer loyalty and trust.

Of course, in a perfect world, data would already be stored securely and processes would be in place to ensure continued compliance.

But the good news for any businesses concerned about GDPR compliance and surviving the next 100 days is that the tools mentioned above are all available today. And not only will they help you become compliant, but they will ensure you remain compliant and in control of your data.

Adrian Barrett, CEO and founder, Exonar

To find out more about the tools that can help you to discover and understand your data, visit exonar.com. For specific help with SARs, see sarlution.com.

CCPA – The Definitive, Easily Searchable Text

In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.

The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and enforced new accountability for organizations processing personal data.

With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, there are now a similar set of rules governing most organizations holding data on US Citizens.

We’ve now made it easy for you to read the act in full with our easily searchable CCPA text below:

California Consumer Privacy Act

CCPA 2018 Introduction

Section 1

Section 1 This measure shall be known and may be cited as “The California Consumer Privacy Act of 2018.

Section 2

Article A In 1972, California voters amended the California Constuition…
Article B Since California voters approved the right of privacy, the…
Article C At the same time, California is one of the world’s leaders in…
Article D As the role of technology and data in the every daily…
Article E Many businesses collect personal information from…
Article F The unauthorized disclosure of personal information and…
Article G In March 2018, it came to light that tens of millions of people…
Article H People desire privacy and more control over their information.
Article I Therefore, it is the intent of the Legislature to further…
Article I (1) The right of Californians to know what personal information is being collected about them.
Article I (2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
Article I (3) The right of Californians to say no to the sale of personal information.
Article I (4) The right of Californians to access their personal information.
Article I (5) The right of Californians to equal service and price, even if they exercise their privacy rights.

Section 3 – Title 1.81.5 CCPA 2017 added toPart 4 of Division 3 of the Civil Code

Law Section 1798.100 Right to Know What Personal Information is Being Collected.
Law Section 1798.105 Compliance with Right to Say No and Notice Requirements.
Law Section 1798.110 Articles (A), (B), (C), (D).
Law Section 1798.115 Articles (A), (B), (C), (D).
Law Section 1798.120 Articles (A), (B), (C), (D).
Law Section 1798.125 Articles (A), (B).
Law Section 1798.130 Articles (A), (B), (C).
Law Section 1798.135 Articles (A), (B), (C).
Law Section 1798.140 Articles (A), (B), (C), (D), (E)…(Y).
Law Section 1798.145 Articles (A), (B), (C), (D), (E)…(J).
Law Section 1798.150 Articles (A), (B), (C).
Law Section 1798.155 Articles (A), (B), (C), (D).
Law Section 1798.160 Articles (A), (B).
Law Section 1798.175 This title is intended to further the constitutional right…
Law Section 1798.180 This title is a matter of statewide concern and supersedes…
Law Section 1798.185 Articles (A), (B).
Law Section 1798.190 If a series of steps or transactions were component parts…
Law Section 1798.192 Any provision of a contract or agreement of any kind that purports…
Law Section 1798.194 This title shall be liberally construed to effectuate its purposes..
Law Section 1798.196 This title is intended to supplement federal and state law, if permissible…
Law Section 1798.198 Articles (A), (B).

Section 4

Article (A) The provisions of this bill are severable. If any provision of this bill or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

PWC – The Global State of Information Security Survey 2018

Revitalising privacy and trust in a data-driven world

Key findings from The Global State of Information Security Survey 2018

‘49% of the 9500 respondents did not have an accurate inventory of personal data’

Massive data breaches and the constant collection of personal information routinely spur debate on whether privacy, rooted in ancient times, is dead in the digital age. Are we in a post-privacy world? In many ways, it is the wrong question. Privacy, security and trust—all increasingly at risk—are also more vital and intertwined in our data-driven society.

Read the full survey results: exo.nr/PWCsurvey

 

Ask the founder: 15 questions with NatWest

NatWest meets Exonar CEO – Adrian Barrett

In their series of interviews with SME founders about their business journey so far, NatWest chats to Adrian Barrett, our CEO and founder.

Read more about how Exonar was created in 2010 and changed in 2013, when Adrian and our team set out to create our own software that could help businesses get a handle on their data. With the new Europe-wide data privacy regulations, Exonar is the right business in the right place at the right time – and now growing at a rate of more than 250% per annum.

You can read the full interview here: exo.nr/NatWest

 

The positive impact technological innovation can have on business

Hear the latest Venturi’s Voice Podcast with Exonar CEO – Adrian Barrett

In the latest podcast from IT recruitment specialist – Venturi, Andy Davis talks to Adrian Barrett, our CEO about the challenging world of startup’s and the importance of technological innovation in moving tech industries forward. Andy asks about the vital role of customer feedback. They also touch on choosing the right approaches in business and picking the best technologies.

Adrian is a specialist in creating and growing innovative businesses his previous roles have been the international VP of Lumeta and VP of eloyalty.

You can hear the full podcast here: www.venturi-group.com/podcast/technological-innovation/

 

Topics covered in discussion include:

The challenges of Entrepreneurship and startups.

The importance of a team dynamic and work culture when forming a start-up team and business.

The recruiting strategy at Exonar.

Discussing Investment in new employee’s.

Talking about innovation and technology within tech industries.

Areas where we can see opportunities for innovation outside of technology.

The importance of customer feedback.

The issues around overthinking problems.

Picking the right technologies and approaches in business.

What thought process were undertaken when starting your business.

 

About Exonar

We enable organisations to better organise their information, removing risk and making it more productive and secure. Visit us at www.exonar.com or follow us @Exonar.

PwC and Exonar bring new data discovery and remediation services to market

PwC and Exonar form alliance to bring new data discovery and remediation services to market

  • Partnership will bring together PwC’s world-leading data discovery knowledge with Exonar’s ground breaking Information Intelligence™ platform to help companies meet future data demands

Exonar today announced that PwC’s Data Discovery team has selected its ground breaking Information Intelligence software to help its clients understand unstructured data in greater depth.

With increasing regulatory and compliance pressure, and the growing need to manage a business better, many companies turn to PwC for their data discovery, review and remediation services. PwC has engaged with Exonar in a number of data discovery projects where understanding unstructured data and its content is needed. This has included pre and post data breach, finding intellectual property stored where it should not be on a network, GDPR compliance and helping clients properly dispose of data to reduce storage and the risk of potential litigation costs.

Exonar is a British company that is redefining how organisations map, categorise and understand all of their data. Exonar solves a problem common to all organisations and their senior information owners, namely “I just don’t know what I’ve got”.

This statement, compounded with “I don’t know where it is or who has access to it” results in information security, regulatory and privacy demands becoming disproportionately challenging. The result is large amounts of risky, unwanted and unnecessary information being stored. In turn, this makes finding and understanding productive, valuable, or sensitive information much more difficult.

Umang Paw, PwC Partner in London, said, “We are excited to be working with Exonar and to add its capability to the portfolio of technology that we tailor for our clients’ specific business needs. We have been working with Exonar for over a year and are seeing real benefits across a number of different scenarios when it comes to helping our clients understand their electronic data.”

“Our technology provides a simple, comprehensive view of where data is being held,” explains Adrian Barrett, founder and CEO of Exonar.

“The platform’s underlying big data architecture provides a view of the whole enterprise, often uncovering repositories that have been forgotten about, or those that present a risk. It works by using machine learning to accurately identify data held in information systems and categorises it automatically into groups such as personal, private and sensitive. The platform does this instantly and then monitors on an ongoing basis every time a change is made.

“By bringing together our unique technology with PwC’s in-depth understanding of the world’s leading businesses, we can give CEOs the assurances they need that data is being managed in the right way to meet the obligations of regulation today and to continue to do so as laws evolve,” adds Adrian.

About Exonar

We enable organisations to better organise their information, removing risk and making it more productive and secure. Visit us at www.exonar.com or follow us @Exonar.

PwC and Exonar’s new data discovery and remediation services

PwC and Exonar form alliance to bring new data discovery and remediation services to market

  • Partnership will bring together PwC’s world-leading data discovery knowledge with Exonar’s ground breaking Information Intelligence™ platform to help companies meet future data demands

Exonar today announced that PwC’s Data Discovery team has selected its ground breaking Information Intelligence software to help its clients understand unstructured data in greater depth.

With increasing regulatory and compliance pressure, and the growing need to manage a business better, many companies turn to PwC for their data discovery, review and remediation services. PwC has engaged with Exonar in a number of data discovery projects where understanding unstructured data and its content is needed. This has included pre and post data breach, finding intellectual property stored where it should not be on a network, GDPR compliance and helping clients properly dispose of data to reduce storage and the risk of potential litigation costs.

Exonar is a British company that is redefining how organisations map, categorise and understand all of their data. Exonar solves a problem common to all organisations and their senior information owners, namely “I just don’t know what I’ve got”.

This statement, compounded with “I don’t know where it is or who has access to it” results in information security, regulatory and privacy demands becoming disproportionately challenging. The result is large amounts of risky, unwanted and unnecessary information being stored. In turn, this makes finding and understanding productive, valuable, or sensitive information much more difficult.

Umang Paw, PwC Partner in London, said, “We are excited to be working with Exonar and to add its capability to the portfolio of technology that we tailor for our clients’ specific business needs. We have been working with Exonar for over a year and are seeing real benefits across a number of different scenarios when it comes to helping our clients understand their electronic data.”

“Our technology provides a simple, comprehensive view of where data is being held,” explains Adrian Barrett, founder and CEO of Exonar.

“The platform’s underlying big data architecture provides a view of the whole enterprise, often uncovering repositories that have been forgotten about, or those that present a risk. It works by using machine learning to accurately identify data held in information systems and categorises it automatically into groups such as personal, private and sensitive. The platform does this instantly and then monitors on an ongoing basis every time a change is made.

“By bringing together our unique technology with PwC’s in-depth understanding of the world’s leading businesses, we can give CEOs the assurances they need that data is being managed in the right way to meet the obligations of regulation today and to continue to do so as laws evolve,” adds Adrian.

About Exonar

We enable organisations to better organise their information, removing risk and making it more productive and secure. Visit us at www.exonar.com or follow us @Exonar.

A Headlining Week for Privacy, SARs and Err, Trees

Privacy Has Been Hitting the Headlines

What We’ve Been Reading And Writing This Month

Personal Information and Subject Access Requests
Plus – Saving Trees for Privacy?
IDC Insight - Exonar Probes Depths Where No GDPR Solution Has...
When GDPR goes live, people will be able to submit subject access requests to current and former employers
Apple actively promoting Privacy as a selling point but...
Apple actively promoting Privacy as a selling point but…
At Apple, we build privacy into every product we make, so you can enjoy great experiences that keep your personal information safe and secure.
How the GDPR will disrupt Google and Facebook
…seen in an Apple store in Chicago – Exactly what GDPR should stop
Normally one of the bastions of privacy data, below is a sign that was spotted in an Apple retail outlet in Chicago recently. In essence, it assumes full consent is given for Apple and it’s…
Subject access requests: revised guidance from the ICO -...
At 9.24pm (and one second) on the night of Wednesday 18 December 2013, from the second arrondissement of Paris, I wrote “Hello!” to my first ever Tinder match. Since that day I’ve fired up…
Get our free GDPR report
You have the right to get a copy of the information that is held about you. This is known as a subject access request.
Plantatreeforprivacy: the impact of GDPR when privacy regulations change
Download our report: the impact of GDPR when privacy regulations change
In May next year, the UK’s Data Protection Act will be superseded by the GDPR. The GDPR is designed to give citizens more control of the information organisations hold on them and how that…
We Are Hiring - Marketing Executive - Exonar
SARs can be over 800 Pages long.Where do we start?
I did my own SAR on my own bank. This is it (actually, it’s less than half of the information they hold on me but they filtered the request). Arrived via DHL in 2 huge boxes…
Heineken Pet
The Somewhat Related Section – Planting trees for privacy. Really?
Yes, odd, we know but this 90 second video explains all – we felt bad after the SAR experiment on the left, not just for trees but for the employees that have to generate SARs…