
Month: September 2018

UPDATE: The Data Privacy Periodic Table

The launch of the Data Privacy Periodic Table earlier this month was a roaring success. We’ve received some excellent feedback, and some people are even printing it off for their office walls!

Some of the comments we’ve received:

“Not seen anything like this before.”

“Very useful for the project I am working on right now.”

“Great initiative and a very innovative way of displaying what is a lot of information.”

But more importantly, we have also had some really constructive feedback and fascinating conversations on new “elements” to include, some to move and even debates on the worthiness of some elements’ inclusion.

All in all, it’s been a really exciting launch. We have now completed some updates to the Table and a new version is now available below. As always, some notes on what we have done are underneath, along with reasoning behind why some input has not been pursued.

This is however by no means a finished project. We still want your feedback as the data privacy world changes under our feet. Case law might mean that new central components of privacy may be demanded, or new independent bodies may be formed. And of course, new core legislation will always be likely.  So submit comments below, or contact me directly.

The Updates:

Data Protection Authorities

We were asked by a number of readers to add DPAs to the Independent Bodies section on the far right hand side, but we have decided against it. Such terminology was deemed too GDPR-focused, which we are trying hard to avoid with this project.

We have, however, taken on board the sentiment of the comment and recognized that we needed to add enforcement bodies alongside the Local Legislators that were already included. We have therefore added Local Regulators in place of the EU, on the basis that we needed to make room somehow, did not need two European organizations, and were wiser to include the European Data Protection Board instead.

Audit

It was suggested that we ought to add “Audit” to the Central Components. We have decided to add this instead to the key skills and traits of the most reliable privacy advisors, as “Auditing Skills”.

This is because performing an audit is one thing, but it is quite another to be constructive with it. We find that many external advisors conduct audits of organizations, only to leave them with a list of actions and criticisms, and offering no plan or input as to how to remedy them. This “ivory tower” syndrome is in our view irresponsible and unhelpful. We would rather emphasize the need for audits to be augmented with honest consultation and support, alongside a practicable plan of action based on technical and legal knowledge. Anyone can criticize, but few can (or will?) help organizations improve.

KYC

We received a very perceptive comment that we had included Background Checking in our section focused on legislation and practices that conflict with privacy if exercised irresponsibly, but that we had omitted KYC.

To many, these will appear synonymous. But in actual fact, background checking is primarily focused on employees, whereas KYC is, as the name suggests, focused on customers. It was a good point, and we have accommodated it in our new version.

Reflection and the Right to be Informed

The element Reflection was the one that engendered the highest number of comments, which was understandable as we were trying to describe a great deal with a single word. The intention was to articulate the right for a subject to review and correct data held about them. “Rectification” was not enough as we wanted to encompass the right to review the data, beyond simply the right to Access. Reflection was where we ended up.

However, this has become a moot point. We have removed this element to replace it with the Right to be Informed – the right for a data subject to be told how their data will be used.

Clearly this is a controversial decision, as it suggests we are prioritising some Rights over others. To be clear, we are not doing this. We feel that Reflection / Rectification is sufficiently addressed by Accuracy and Availability in the fundamental principles of data protection for us to remove it in favour of R2BI, without the underlying sentiment of the Right disappearing. In addition, we are confined by the practicalities of this project – just as with the EU decision above, there is a set number of elements in the real periodic table (118) so we have to make hard choices of what survives and what does not!

Interestingly, the R2BI may be a universal right, but the way it manifests in various legal frameworks varies enormously. For instance, the GDPR states the right must be protected proactively through clear instructions in the privacy notices. In contrast, Canada’s PIPEDA simply states that such information should be available, with no stipulation of it being published proactively.

We also find in our client engagements that R2BI is confused with the right to Access. For the sake of clarity, the R2BI is concerned with understanding how data is used, while Access is simply a matter of a subject being able to view what data is held.

As always, let us know of any suggestions, disagreements or recommendations. This is an open and live project that actively seeks input and is regularly updated as things change.

Calligo passes audits for ISO 9001:2015 and ISO/IEC 27001:2013

Calligo is delighted to announce that it has passed two fundamental compliance audit requirements for the provision of its IT and Business Cloud Services:

  • ISO 9001:2015 – Quality Management System
  • ISO/IEC 27001:2013 – Information Security Management System

What this means for our customers

ISO 9001:2015 – Quality Management System
Aligning our processes with ISO 9001 helps ensure that our clients receive consistently high-quality services, and that this standard of delivery is protected as we and our clients scale.

Furthermore, it ensures that every aspect of our business, from the most outward-facing (such as service delivery and project management) to the “back office” (such as finance, procurement and HR) are equally robust, accurate and supportive of our clients.

Crucially, it also ensures that our processes are repeatable, understood and efficient. This allows us to free up more resource to serve our clients’ needs.

ISO/IEC 27001:2013 – Information Security Management System
This standard assures clients that we have put in place, and continuously maintain, an effective information security management system. It includes the design and execution of a continual improvement programme to ensure the ISMS can grow and change along with the business and the technologies used.

ISO 27001 supports us in protecting the confidentiality, integrity and availability of the data clients entrust us with. At the very core of the standard is the need to identify and manage risk with minimal disruption to our clients.


How we consider the award of these standards

These standards are at the heart of everything we do – every service we deliver, every change we consider and every innovation we pursue. Simply put, we would consider it irresponsible for data optimization and privacy specialists to act in any other way.


To find out more about the attention we pay to our governance and compliance, and the other certifications we hold, click here.

The Data Privacy Periodic Table

Today we’re launching our Data Privacy Periodic Table – the first-ever collection of the key “elements” of the data privacy world, regularly updated as new elements come to light. It is intended to help privacy professionals better understand the industry in which they work, and shed light on its often confusing terminology and how various pieces inter-relate.

We have categorized the elements mimicking the traits of the categories in the original scientific version. For example, the far right of the original periodic table is reserved for the Noble gases – stable, inert, and unreactive. This seemed an ideal match for the independent legislative or regulatory bodies. Similarly, the column dedicated to the Alkali metals on the far left, with their characteristic volatility, was a fitting location for the universal rights of the data subject, as if meddled with, both are likely to cause an explosion!

We have created a table on the main Data Privacy Periodic Table page that sets out why we have categorized the elements as we have.

Also, below, we have added some additional explanatory notes to explain our thinking for various elements’ inclusion and position.

We’d welcome any comments, or suggestions for new additions – contact me here for any recommendations or drop a comment below.

We also plan to release new updates to this table on a regular basis as the data privacy world changes. Each time we update the table, we will publish similar blogs, all of which are accessible off the main Periodic Table page.

Ethics

The location usually reserved for Hydrogen was the perfect place to put Ethics. It is the spot for the first element in the atomic order and is also the most common element in the universe.

This high status for ethics within data privacy is no exaggeration. After all, privacy legislation is the codification of what society deems to be the ethical and appropriate way in which personal data can be processed. Like Hydrogen, ethics is the most fundamental, original, and abundant element of data privacy.

‘Compliance’

This element, number 21, is expressed in inverted commas for a simple reason: it is impossible. It is a frustrating and persistent myth in data privacy that compliance can be achieved. It cannot, at least not in the way that businesses commonly understand it, i.e. a one-off demonstration of adherence to certain rules.

Data privacy regulations are not designed for “single point in time” adherence. They require ongoing efforts and constant vigilance to ensure that data subjects’ rights are protected. A business’ data and processes are far too fluid for any assertion that adherence now means anything for adherence in the future, making claims of “compliance” utterly empty – and so-called certifications of compliance utterly worthless.

We discuss this in more detail in our Myths and Fairy Tales of GDPR, which sets out more of our thoughts on this and other common GDPR misunderstandings.

ePrivacy Regulation AND ePrivacy Directive

We have included the ePrivacy Regulation in the future developments section (and recent reports suggest it will stay there for some time), but have also included the ePrivacy Directive in the Core Legislation section as until the Regulation is passed, the 2002 Directive is in force and very much applicable.

Elements 73-78 list end-users, employees, customers, suppliers, marketing databases, and partners. Collectively, these could be categorized simply as “data subjects”. But this would ignore the unique ways in which each type of data subject’s personal information needs to be addressed, handled, and treated. The data you will likely have on your employees, the permissions you may have, and the nature of its processing differs enormously from how you may collect, use and store your databases of marketing targets.

EUx

The data privacy ramifications of Brexit are critical, most notably whether the UK is officially an adequate state in the eyes of the EU. But this exact scenario could be repeated in other EU countries. Italy, the Netherlands and France have all had robust parliamentary discussions over whether they should follow the UK and leave the EU. The inclusion of this “element” emphasizes the need for privacy professionals to be as up to date as possible on geo-politics and its impact on data privacy, in addition to understanding the law already in force.

Japan-EU adequacy

The announcement of Japan and the EU’s agreement of “reciprocal adequacy” is the latest addition to this section. It means that they each recognize the other’s data protection regime as “equivalent”, and therefore agree that personal data will be free to flow between them once the law comes into effect later this year. We have written a full blog on this announcement here.

ICANN/WHOIS

This is a lesser-known data privacy news cycle, but potentially wide-reaching in its impact. ICANN coordinates the naming conventions of the internet and works to maintain its security, stability, and interoperability. Its WHOIS database is a free service that allows users to check the ownership of domain names.

This enormous repository of personal data is the subject of a 15-year discussion over data privacy, which has glowed white-hot in the wake of GDPR. Questions have repeatedly arisen over the nature of the data WHOIS collects, how it is made available and to whom, and whether the data required by WHOIS is more than strictly necessary (and therefore contrary to the data minimization element of GDPR and other privacy legislation). These have in turn led to ICANN’s plans for improved privacy being consistently rejected by European legislators. The story is ongoing (August saw the third plan rejected) and likely will be for some time.

Artificial Intelligence and Societal Values

These last two additions to the “Future developments” section are the two areas of progression that we feel will most influence the future of data privacy in the short and medium term. As mentioned above in the Ethics section, legislation is typically the codification of society’s ethical values at that time. But what if those values change? Realistically, data privacy is not going to become a less inflammatory issue, but it might well become even more volatile. This would potentially result in legislation becoming more punitive, wider-reaching, and providing deeper protection of data subjects.

Probably a more imminent driver for legislative change is developments in how we use technology to process, manipulate and optimize our data. The most oft-cited example of this is of course Artificial Intelligence. It is a perfect example of a field of technology where there is dramatically more potential ahead of us than the experience behind us. This in turn means that current privacy legislation will be rapidly found wanting, inadequate and out-of-date, just as it has been before.

The GDPR was one of the first new legislative frameworks to be built in direct response to advancing technology. Previous data privacy laws could not accommodate the way in which data collection and use changed. Fast-moving and ambitious fields of data science such as artificial intelligence will inevitably trigger plenty more new introductions. And taking nearly a decade to implement them, as in the case of GDPR, simply won’t be an option.

More updates to the Data Privacy Periodic Table are available here.