Posts

Free IAPP Web Conference – Registration Now Open

Thriving in Generation Privacy: Capitalising on DSAR Data from the Field

Free IAPP Web Conference – Brought to you by Exonar

Broadcast date: Thursday, February 7, 2019
Time: 8:00–9:00 a.m. PT, 11:00 a.m.–noon ET, 4:00 – 5:00 p.m. GMT

With the introduction of the EU General Data Protection Regulation, the California Consumer Privacy Act and other global privacy laws, people have increased expectations of how their personal data will be handled and protected. This is driving up the number of inquiries for data subject access requests and requests to exercise the right to be forgotten. Exonar recently surveyed a number of organizations to understand how they have been coping with these new and increased privacy control operations, and the results were remarkable.

Join us for this upcoming web conference to hear from the field about these survey results and more, including:

  • The cost of handling data subject access requests (a U.K. public sector example).
  • What a SAR to a U.K.-based High Street bank actually produced.
  • How the world’s leading tech companies dealt with recent requests for personal data.
  • How organizations are profiting from their privacy programs.
  • The toxic data you’re storing and what to do about it.
  • How companies have prepared for Generation Privacy and what you can do now.

Host:
Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP

Panelists:
Adrian Barrett, CEO, Exonar
Phil Lee, CIPP/E, CIPM, Partner, Privacy, Security and Data Protection Practice, FieldFisher, London, U.K.
Steve Wright, GDPR Advisor at Bank of England, CEO, Data Privacy Architect, Privacy Culture, London, U.K.

Book your place now: exo.nr/IAPP-webinar

Sky News interview – UK to raise the bar on cyber security

The UK is set to become a world leader in the race against some of the most damaging cyber security threats.

Our CEO, Adrian Barrett, spoke live on Sky News on Monday, 28th January about the announcement, the current state of cyber security and how this investment will impact the industry. Watch the full interview here:


This morning, the Government announced a £70 million investment through the Industrial Strategy Challenge Fund in online services and digitally enabled products, funding the development of UK hardware security solutions to complement software solutions. This means that many UK firms that produce hardware could be offered a financial leg-up to strengthen their cybersecurity, empowering the UK to set the benchmark for the protection of consumer data. Initial reports indicate that the investment is intended to build on UK strengths in cyber security and increase the UK's share of a global market predicted to grow to £39 billion within a decade.

The investment will help fund research into the design and development of hardware that is more resilient to outside threats from the outset. The aim is to ‘design out’ many forms of cyber threat by ‘designing in’ security and protection technology at the hardware and chip level.

More than 40% of UK businesses have suffered a cyber security breach or attack in the last 12 months. Consumers are often worse affected by mass information leaks than the organisation that held their data. Businesses are having to spend increasing amounts on cyber security, up to 20-40% of their IT spend in some cases. As more and more systems are connected, whether in the home or in business, there is a need for security that is dependable by design.

Looking to the future, the government aims for R&D investment to reach 2.4% of GDP by 2027, the biggest increase in public investment in R&D in UK history.

Read the full announcement here from the Government website: http://exo.nr/Gov-Invest-Cyber

The Data Protection Officer’s (DPO’s) Toolkit – The 6 Essentials


2018 saw the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in America and the Personal Data Protection Bill (PDPB) in India introduce privacy protections for nearly 2 billion citizens.

With enforcement set to take centre stage in 2019, what essentials do data leaders need to keep themselves out of the regulators’ crossfire?

6 Essentials of the DPO’s Toolkit

1. Data inventory
2. Data monitoring
3. Data rights fulfilment
4. Data champions
5. Data training
6. Data security

1. Data inventory

The first step to taking control of your data is being able to answer: ‘What data do I have?’, ‘Why do I have it?’, ‘Who can process it?’, ‘Where is it stored?’ and ‘How and when do I delete it?’

Creating an inventory of all of your data processes is the first step for any DPO needing to comply with global privacy legislation (and is mandatory under GDPR Article 30, Records of Processing Activities).

Discover and document your organisation’s data practices; this will give you the best possible platform to comply with global privacy regulations and get the most value from your data.

2. Data monitoring

So you’ve documented your data practices, but is that really how data is being processed on your network? Is your data inventory reflective of your true data practices?

The answer is usually no. Luckily, the days of manual data audits and ‘privacy compliance platforms’ with no data monitoring capabilities are over, and cutting-edge data discovery and compliance technologies like Exonar are now available.


By monitoring your data estate you can make sure your marketing leads stay in your marketing department, your payroll files stay within your payroll department, and your Top Secret Project X documents remain exactly where you want them to be.

3. Data Rights Fulfilment

2019 is the year citizens take back control of their data.

Personal information belongs to the individual it relates to, and organisations are required to provide full access to that data upon request under the GDPR in Europe (within 30 days) and the CCPA in America (within 45 days). In Europe, 48% of Generation X and Y have exercised their right to access, with over a third of all European citizens having done so since May 2018.

As a data leader, you must have a permanent and robust process in place for being able to respond to subject access requests (SARs), detailing the personal information you are processing and what you are using it for.

Subject Access Requests (SARs) can take days to fulfil if you are relying on manual data discovery, so employing a data discovery tool can reduce your SAR response time from days to minutes.

4. Data Champions

Data is big and it’s only getting bigger. A DPO is (for now) only human and keeping your data estate in compliance is only possible with a little help from some friends.

Once you’ve got your data inventory, you should have a good understanding of the business units whose data processes fall into natural silos, e.g. Sales, HR, Legal, Payroll, Customer Services, Operations A, Operations B.

Assign a data champion for each business process, ensure they understand what the data inventory says about expected data practices, and empower your data champions with the resources needed to keep your data estate in compliance.

Data champions within their business units will often understand the nuances of data processing in more detail than a DPO, so delegation of responsibility is key.

5. Data Training

Data protection is a collective action problem. If you have thousands of employees it only takes a small number of bad practices to throw your compliance programme into disarray.

If you have a strong handle on your data inventory, are monitoring your data repositories, and have data champions willing to help you, delivering an organisation-wide training programme to communicate expected data practices is the way to embed a culture of privacy into your organisation and reduce your exposure to insider breaches.

As with most leadership, communication is key!

6. Data security

So you understand your information estate and your employees are doing their utmost to process data appropriately; now it’s time to lock down your high-risk systems.


Your data inventory and data champions should be able to give you a clear view of the IT systems (and locked filing cabinets) that store and process your most valuable data.

Identify your high, medium and low risk IT systems/applications/shared drives/data repositories/locked filing cabinets, communicate those risks to your information security team, and seek assurance that cyber security controls are in place that are proportionate to the sensitivity of the data processes.


Embracing the crossover between data privacy and cyber security will best allow you to demonstrate that you have adopted data protection practices that are proportionate and appropriate for your organisation.


With these 6 tools you will be in an excellent position to navigate the data privacy landscape in 2019 and beyond.


Beringea Leads £6.5m Investment in Exonar Alongside Downing Ventures

Sector-leading data discovery and governance platform, Exonar, a vital tool for the modern data age

London, 21st January 2019: Transatlantic venture capital investor Beringea has announced that it has led a £6.5m investment in Exonar, a leading data discovery and management software firm. Downing Ventures, the early-stage investor, has also participated in the round alongside notable existing investors Amadeus Capital Partners and Winton Ventures.

Enterprises are facing a fundamental change in the way they process and store information. An exponential increase in data volume means organisations must find new ways to understand the risks as well as the opportunities in their data. Driven by new regulation, cyber threats and competition, organisations that use the data they hold effectively will survive and thrive.

Exonar discovers an organisation’s most sensitive, valuable and personal information. By simply plugging Exonar into a network, an instant view of all structured and unstructured data is provided, enabling the creation of inventories, security of sensitive data and regulatory compliance.

Recent research by EY found the UK’s largest firms spent over $1.1bn to comply with the EU General Data Protection Regulation (GDPR) before it came into force in May 2018, while the same research found that Fortune 500 companies had spent $7.8bn.

Data discovery technology is proving vital to businesses that can easily hold petabytes of data across their entire information estate. The significant growth of data value has led to industry analysts estimating that the global data governance software market will grow 22 per cent annually over the next five years to a value of $3.5bn by 2023. Exonar is well positioned to provide the technology needed to support this extensive growth.

Exonar was founded by Adrian Barrett, a visionary with substantial experience in data, analytics, and information security who has previously worked for Cisco and Lumeta, a global network data specialist. He is supported by an experienced management team with decades of leadership experience in global cyber security and technology companies such as BT, Fujitsu, Veritas, Symantec and EMC.

Adrian Barrett, CEO and Founder, commented: “These are exciting times for Exonar. To receive significant backing from Beringea and Downing Ventures reinforces our belief that the Exonar platform has a significant role to play in enterprise-level data discovery and management. We have a clear vision for future development and the investment will enable us to further enhance our product, enabling our customers to meet current and future data demands such as GDPR and CCPA swiftly, simply and at scale.”

“Data is the backbone of modern business. And yet, it also poses an existential risk, which has traditionally required substantial resources and investment to manage. Exonar transforms this dynamic with a platform that maps and understands petabytes of information in seconds.” Stuart Veale, Managing Partner of Beringea, commented: “Beringea has backed Exonar’s leadership and pioneering technology to create a cornerstone of data governance.”

James Lewis, Investment Director at Downing Ventures, commented: “Not a day goes by that we don’t hear about the importance of accessing and making better use of data in all our businesses – Exonar is at the forefront of shaping and solving this challenge and we’re delighted to be part of the journey with Adrian and the team.”

– ENDS –

Notes to editors

Media contacts:

Henry Philipson, Head of Communications, Beringea

Email: hphilipson@beringea.co.uk

Mobile: +44 (0)7837162546

About Exonar

Exonar is a data discovery software company based in Newbury, Berkshire. Founded in 2013 by Adrian Barrett (CEO), Exonar discovers an organisation’s most sensitive, valuable and personal information, therefore providing the answer to an all-too-common statement – “I just don’t know what I’ve got”.

By simply plugging Exonar into a network, an instant view of all structured and unstructured data is provided, enabling the creation of inventories, security of sensitive data and regulatory compliance.

For more information, please contact Exonar: Tellmemore@exonar.com

About Beringea

Beringea is a highly active growth capital investor with $715m under management and offices in the UK and US. It supports high-growth businesses with annual revenues of more than £1 million, investing between £1 million and £20 million to help companies scale.

With a successful track-record of investments spanning 30 years, Beringea has more than 60 portfolio companies across its US and UK offices. The company has a history of strong partnerships with management teams, often reinvesting in its successful entrepreneurs.

Its core areas for investment include digital media, business software and services, and consumer industries. With an extensive range of expertise across the team, and an ability for spotting and following opportunities, Beringea’s portfolio includes companies in a range of sectors, and its team continues to be at the forefront of emerging trends.

http://www.beringea.co.uk/

About Downing Ventures

Downing Ventures is an evergreen fund investing in seed to Series A companies, with the possibility of follow-on investments. It invests in a variety of technology sectors including consumer internet and mobile, enterprise software, financial technology and health technology. The fund had a portfolio of around 45 companies as of October 2018. Downing Ventures works alongside a number of investment partners, accelerator programmes and incubators, including the London Co-Investment Fund.


The Gift of Charity – Reducing Data Labour Post-GDPR

Charities are under-resourced by design; there is always more that can be done to help, yet resources are often limited.

Many operate across multiple jurisdictions, have donors from around the world, and rely on technology to connect workers to the people and processes in need of their support. With a decentralised working model and resources always feeling stretched, charities are under pressure to both optimise and protect their data.

This pressure has led to bad data practices in the past. In 2017, before the GDPR came into force, the ICO fined 11 charities for misusing personal data. The charities in question set out to create more targeted profiles of potential donors, and shared data between themselves to create large common pools of donors. Those charities and fines were as follows:

  • The International Fund for Animal Welfare – £18,000
  • Cancer Support UK – £16,000
  • Cancer Research UK – £16,000
  • Guide Dogs for the Blind Association – £15,000
  • Macmillan Cancer Support – £14,000
  • The Royal British Legion – £12,000
  • The NSPCC – £12,000
  • Great Ormond Street Hospital Children’s Charity – £11,000
  • WWF-UK – £9,000
  • Battersea Dogs and Cats Home – £9,000
  • Oxfam – £6,000

In a post-GDPR world, the fines would’ve been higher; an eventuality nobody in the data protection industry would want to see come to fruition against any charitable organisation.

In order to prevent a repeat of 2017 in a world with higher consequences, charities are seeing data privacy and data protection both as a necessity (for GDPR compliance) and as an opportunity (taking control of your data leading to improved donor targeting and performance analytics).

However, a webinar of 300 prominent charity sector leaders, hosted by Advance in April 2018, revealed that only 5% of attending charities felt they were GDPR compliant, with 75% saying there was significantly more work to do.

So, what can the charity sector learn from industry on closing the compliance gap, whilst also not draining resources needed to provide essential services?

Organisations are turning to technology to solve the data problem, and free up their time

The latest International Association of Privacy Professionals (IAPP) and EY Information Governance report showed that:

  • Amongst companies preparing for GDPR, 57% were investing in technology in 2018, up from 27% in 2016.
  • 68% of programme leaders now say data inventory and mapping is a priority, up from 48% in 2016.

Data Protection Officers spend most of their time trying to answer, ‘What data do I have? Where is it? Who has access to it? How is it secured?’ and in 2019 it’s no longer possible to be literally ‘hands-on’ with data. It’s therefore no surprise that organisations are turning to data discovery and privacy compliance technologies to ease their data burdens.

The era of the technology enabled DPO is here – what do I do?

3 simple steps for identifying and deploying technology to help you with your DPO role:

  • Discover your data – Identify which repositories, applications and platforms hold personal data and monitor those repositories
  • Define bad data practices – Define sets of rules for each area of your business processes that use personal data. Ensure those rules are configured into your technology and triggers defined for identifying bad practices/data breaches
  • Communicate findings to the organisation – Let the team know about the trends you’re finding in personal data and let the organisation know where things need to be improved or where things are going well. Communication is key for data leadership.

By protecting personal data, charities can safeguard themselves from the regulators and maintain focus on the essential service they provide. Here’s to a more secure 2019!

Trump, Brexit, Cambridge Analytica – Global Data Privacy Regulations

Privacy legislation advanced leaps and bounds in 2018 with Europe (GDPR), California (CCPA) and India (PDPB) pioneering the way for privacy protection for their citizens.

For many organisations, 2018 was the year that ‘data privacy’ became the two most cumbersome words in the professional lexicon. To comply with new legislation, organisations assessed their data practices and their ability to protect citizens’ privacy rights. With GDPR fines of up to €20m or 4% of global turnover, 2018 was the year that businesses started taking data privacy seriously.

2018 Key Privacy Events

Europe and the GDPR – May 2018

Europe implemented the GDPR in May 2018 providing European residents the right to access and erase their personal information upon request, whilst mandating organisations to report security breaches to affected citizens.

In the UK, reporting of data breaches to the Information Commissioner’s Office (ICO) increased by 260% in the three months after May 2018 compared to the same three months in 2017; a remarkable cultural change in identifying and reporting data breaches.

The ICO also levied its first successful fine against AIQ, the Canadian data firm linked to Cambridge Analytica, before levying another fine against Cambridge Analytica itself for failing to comply with a data subject access request (SAR) from Professor David Carroll.

Key Privacy Trigger:

Cambridge Analytica, Brexit and Trump – 87 million US and UK citizens were psychologically profiled and micro-targeted with political messaging and misinformation to influence the Brexit and Trump votes. There are 11 ongoing criminal enquiries into breaches of electoral law in the UK, and illegal data practices are the cornerstone of those investigations. These investigations will escalate and conclude in 2019, heightening citizens’ understanding of how their privacy rights were abused.

USA and the California Consumer Privacy Act (CCPA) – July 2018

California announced the incoming CCPA, which will come into effect on January 1st 2020. The CCPA provides similar rights to access and erasure as the GDPR, and also requires organisations to disclose, upon request, which third parties they buy personal data from and sell it to.

The CCPA has led to New York following suit with data privacy regulation of its own, and there are talks of a federal privacy law being developed in 2019, as the complexity of state-by-state data privacy laws seems too impractical to overcome. This point was made clear after the two largest American data breaches of 2018 affected Americans across all 50 states.

  • Exactis – 340 million records breached
  • Marriott Hotels – 323 million records breached

Key Privacy Trigger: California Consumer Privacy Act and the right for Americans to sue

The CCPA provides California residents with a private right of action, allowing individuals to pursue their own lawsuits against organisations (rather than waiting for regulatory enforcement action). Individuals can enact this right when a breach occurs due to a demonstrable lack of appropriate security controls.

In the USA, a litigious society, we can expect the individual right to sue to drive interest in data privacy rights at a quicker rate than in the build up to the GDPR, which will in turn lead to federal calls for those same data privacy rights.

India and the Personal Data Protection Bill (PDPB) – September 2018

Six months after the Indian national identity system was breached, exposing the data of 1.1 billion Indians, India announced its personal data protection bill. Openly modelled on the GDPR, the PDPB gives Indian citizens rights to access and erasure, and the right to report breaches to a new Indian data protection authority (DPA) that will also have the power to influence rulemaking (unlike the ICO in the UK) and levy hefty fines.

The PDPB will also include sectoral considerations vis-à-vis the CCPA, and include provisions for national security concerns similar to the Chinese data protection regulations (CDPR).

Key Privacy Trigger – Aadhaar Data Breach

In March 2018 a breach of India’s national identity database left the personal and biometric information of 1.1 billion Indians exposed. The data was of sufficient detail to open bank accounts, enrol in state financial programmes and register SIM cards, sparking a nationwide debate on data privacy and national security, and a six-month turnaround to announcing the PDPB.

What to Look For in 2019

  1. Public outrage at AI’s abilities to psychologically profile and microtarget citizens in real time

The investigations into AIQ/SCL/Cambridge Analytica’s role in both Brexit and Trump campaigns will escalate through 2019. As indictments are served in relation to data crimes, the public will develop an understanding of how AI algorithms psychologically profile and microtarget them in real time.

The focus on authoritarian regimes’ use of these data practices to suppress opposition via social media platforms will come under specific scrutiny. This will lead to a strengthening of the political movements calling for AI transparency and major regulatory reform for big tech and microtargeting data practices.

  2. Big Tech vs Regulators battle it out over US federal privacy law

The fight over the details of the CCPA is ongoing, and we can expect the lobbyists of Google, Amazon, Facebook and Apple to continue actively resisting tighter regulation at each opportunity. We can expect pushback on citizens’ rights to access data, the sparking of a conversation surrounding consent for data usage, and an attempt by journalists to reveal the network of third-party data analytics firms who would be the worst violators of new data privacy laws.

  3. The first £100m GDPR fine?

It is difficult to understand the privacy impact of a data breach, especially when the number of citizens affected runs into the hundreds of millions. These are numbers too large for individuals to comprehend but the privacy impacts will be accounted for by regulators in the form of mega fines in 2019.

The maximum fine for Facebook under the GDPR is an approximated $1.6bn and with investigators across the world scrutinising the data practices of multiple technology companies, 2019 could be the year of the first truly eye-watering fine.

Aviate, Navigate, Communicate – Concord Compliance post-GDPR

2018 has been a horror year for data breaches in aviation. British Airways, Cathay Pacific, Air Canada, Delta Airlines and Arik Air have all fallen victim to major data breaches. In the case of British Airways, a 15-day cyber attack in July compromised 244,000 credit card details. The breach sparked a criminal inquiry by the National Crime Agency (NCA), and BA now faces a maximum fine of nearly £500 million, with the Information Commissioner’s Office (ICO) investigating the incident.

Why is aviation a high risk sector?

Airlines, airports and their service providers process information on millions of passengers, crew and employees, as well as customer lists, details of business contacts and sensitive business information, across hundreds of jurisdictions. The complex and international nature of aviation, and the detailed personal data required to participate, often across national borders, make aviation an attractive target for attackers and a difficult one for security professionals to defend.

How should Data Protection Officers react?

According to the Federal Aviation Agency, pilots are given the following priorities: Aviate, Navigate, Communicate. Data protection programmes within aviation can be prioritised analogously:

Aviate

“The top priority — always — is to aviate. That means fly the airplane by using the flight controls and flight instruments to direct the airplane’s attitude, airspeed and altitude. The instruments directly in front of the pilot provide important information on how well the pilot is doing with respect to basic aircraft control”

For a Data Protection Officer, basic aircraft control means being able to answer: ‘What data do I have? Where is it? Who has access to it? How is it secured?’ With oversight of their data, DPOs can then start to develop insight.

For that initial oversight, organisations are turning to data discovery technology as the answer. According to the 2018 EY-International Association of Privacy Professionals (IAPP) Information Governance report:

  • Amongst companies preparing for GDPR, 57% are investing in technology in 2018, up from 27% in 2016.
  • 68% of programme leaders now say data inventory and mapping is a priority, up from 48% in 2016.

As the aviation industry comes under increasing scrutiny for the security of its data practices, the minimum that is expected is for those at the helm to have an accurate oversight of their data.

Navigate

Figure out where you are and where you’re going. Turn oversight into insight.

For data protection officers, navigation is about understanding where privacy risk lies, and what needs to be done to mitigate it. Is it in the sales and marketing platform with 8 million passengers? The HR department with the pilots’ files? The partnership programme with the right to work documentation?

Understanding privacy risk means understanding the context of data. To do this, DPOs need to ensure that the uses of data are legitimate, that the reasons for processing are documented, and that the processes are mapped and understood.

  • 68% of programme leaders now say data inventory and mapping is a priority, up from 48% in 2016.

By mapping the business process, DPOs can develop a real, intuitive understanding of where privacy risk lies in the organisation, mapped to a business process that is described in language that the rest of the organisation can understand.

Communicate

Make sure your passengers are aware of standard safety procedures and know what to do in the event of an emergency landing.

Once you’ve mapped your data to your business processes, you can articulate expected data practices for each of those processes, allowing you to deliver tailored training for data protection for your different sets of employees.

The better the oversight and insight into the data estate by the DPO, the better communicated the messages for data protection will be.

In 2018, periodic training and manual data audits have their limits. With new solutions available, creating rules within a data discovery technology to automatically monitor for acts of non-compliance is the way to give the DPO the level of oversight and insight needed to best protect data.

For concord compliance: aviate, navigate, communicate.

John Tsopanis
Data and Privacy Director, Exonar

Would Espionage at the Marriott mean the Maximum GDPR Fine?

Marriott Hotels recently announced that 500 million guests of its Starwood subsidiaries were affected by a data breach. 327 million of those guests were reported to have had ‘some combination’ of their arrival and departure information, passport numbers and account information accessible to an attacker from 2014 to 2018. Encrypted credit card details were also taken in the breach, with Marriott yet to confirm whether the decryption keys were also taken.

Why is this breach so serious?

Persistent access to the database, particularly to “arrival and departure information”, would have allowed the attackers to view the travel schedules of millions of clientele as they stayed in luxury hotels across the world. With a number of commentators suggesting espionage as a potentially powerful motivation behind the attack, this breach has been talked about as a security issue as much as a privacy issue.

It seems today (December 7th) that those fears took one step closer to reality.

Reuters have reported that an investigative team that’s looking into the Marriott Breach found “hacking tools, techniques and procedures” that are associated with hacking groups working for Chinese intelligence.

Espionage and intelligence gathering is believed to be the motive behind the attack because the hackers were inside the database for so long, and only took copies of the names, addresses, passport details and, in some cases, credit card information in 2018.

This suggests that access to the system would have been of value for intelligence gathering purposes, although the report also suspects that multiple groups of cyber criminals may have had access to the database, making it difficult to attribute this breach solely to China.

How will this play out under the GDPR?

When European regulators assess the privacy impact of this breach, the possibility of millions of European residents’ planned locations being surveilled over a four-year period will be a difficult one to mitigate, especially if security controls are proven to be substandard.

With government officials, industry lobbyists, and senior executives from around the world using the luxury Starwood hotel chain, the citizens affected by this breach are citizens who are much more likely to attract attempted acts of surveillance, extortion or blackmail, and this raises both individual and national security concerns.

For European regulators, there are two serious harms to reckon with:

  • Millions of individuals whose privacy and security were compromised over a four-year period, and whose personal information has been taken by potentially multiple cyber criminal groups
  • Threats to national security, if it is proven that the motivation behind the attack was surveillance by a nation state

With lawsuits filed, we may see the first truly large GDPR fine for this breach. The maximum fine has been estimated at £117m (4% of global revenue), and if the regulators find evidence of negligent data practices, there are enough potential harms to enough citizens to justify levying it.

For the citizens affected, this breach is difficult to reckon with, and it might be time to ask whether we can place a price on a data breach that affects individual privacy and national security in this way.

For data privacy and information governance professionals, this breach poses serious questions about our ability to govern and protect data of this detail at this scale. Is some data too big to protect, or is it that we’re not taking the issue of protecting it seriously enough? If it’s the former, then the priority for innovation has to shift from ‘let’s do big data’ to ‘let’s avoid too big data’. This would mean a recession in data practices. If it’s the latter, then this is a wake-up call for organisations to discover and protect the data they process. Citizens’ right to privacy and security must come first.

John Tsopanis
Data and Privacy Director, Exonar

The Era of the Technology Enabled DPO has Begun

Confucius once said ‘Life is really simple, but we insist on making it complicated.’ One can only imagine Confucius’ reaction to a roundtable with a DPO, CISO and CIO in 2018. ‘You connected what, why?’ ‘You understand this behaviour, how?’ ‘Robots are storing information, why, how and where?’

Staring bleary-eyed back at Confucius the tech leaders might retort, ‘We aren’t making it complicated, we are the ones managing complexity.’

Herein lies the reality for the technology leader in 2018: the advance of technology lies outside of our control and, like the frog in the boiling pot, the heat on those who must protect critical data is starting to bubble, with little support for building up the resistance of those who find themselves in the pot.

In a search for that extra protection, DPOs in particular are turning to technology, and here’s how.

The 2018 EY-International Association of Privacy Professionals (IAPP) study showed that 56% of businesses believe they are not entirely GDPR compliant, with 20% of businesses believing full compliance is impossible.

To understand how DPOs are turning to technology to close the compliance gap, let’s look at how spending on data privacy/GDPR compliance has changed over the past few years.

The EY-IAPP report has a few telling statistics in this regard:

  • Amongst companies preparing for GDPR, 57% are investing in technology in 2018, up from 27% in 2016.
  • 68% of programme leaders now say data inventory and mapping is a priority, up from 48% in 2016.
  • IT and Information Security are now responsible for housing 30% of GDPR/information governance programmes, up from 14% in 2016.
  • Right to Be Forgotten and Subject Access Requests were voted the two most difficult GDPR obligations to fulfil. Both currently rely on manual data discovery processes across multiple applications and platforms.

The observed compliance gap, alongside the shift away from human-resource spending towards technology spending, suggests that the problem of data discovery, compliance and security is one whose solution exceeds the capabilities of even the best-intentioned human resources.

At the same time, the number of DPOs is on the rise, with DPO vacancies up a staggering 700% from two years ago.

We can learn two things from this:

  • Data Protection Officers are turning to technology to help discover and protect data
  • Despite the increase in technology uptake, the human role of directing technology is more important and involved than ever.

And so the era of the technology-enabled DPO has begun. Fortunately, technology for DPOs seeks for the most part to automate manual processes, making the marriage between humans and tech in data protection truly cyborgian in nature.

This marriage should seem intuitive, as the first task of any newly appointed DPO is to answer: ‘What data do I have? Where is it? Who has access to it? How is it secured?’ It’s unrealistic for Data Protection Officers to be literally hands-on with data in 2018, hence smart data discovery and control tools are coming to the fore.

So what technology solutions can help?

Data discovery and compliance technologies like Exonar in the UK have emerged in the past 18 months with plug-and-play solutions for automated enterprise data discovery where previously none existed. These solutions discover data automatically to create accurate, real-time, classified inventories of information that allow DPOs to see a full breakdown of data and its sensitivity across an organisation, enabling DPOs to govern and protect data effectively.

Through the marriage of DPOs and data discovery technologies, data protection programmes can instantly become much more achievable and accurate, and less work for those involved. The era of the technology-enabled DPO has begun.

https://iapp.org/media/pdf/resource_center/IAPP_EY_Gov_Report_2018.pdf

John Tsopanis
Data and Privacy Director, Exonar