
We are triple finalists at the IT Europa IT & Excellence Awards!

This week, the finalists for the European IT & Software Excellence Awards were announced. This is one of the most well-regarded IT award schemes in Europe, run by IT Europa, one of the top IT and channel publications in the region. 

Calligo was shortlisted for three categories: 

1- Managed Service Solution of the Year

As the awards criteria put it: “This is for a solution which is an outstanding example of the effectiveness of managed services in reaching new customers, new ways of working, or ways of building portfolios for services to work together.”

2- Innovative Managed Service Solution of the Year

“The best managed services solution emerging in the last 18 months.”

3- Managed Service Project of the Year

Judges were looking for a unique use of managed services that focuses beyond traditional IT, and offers a new level of productivity, security or effectiveness. 

For all three of these, our submissions were based on our Privacy by Design and Data Protection Officer services. These services provide proactive, continuous oversight of data processes and infrastructure operations. They guarantee ongoing data privacy adherence and infosecurity resilience, without compromising business operations, development or infrastructure efficiency.  

Calligo is the only MSP to have developed a managed privacy service comprised of a blend of expertise in privacy law, infosecurity, compliance and cloud architecture. This unique mix prevents privacy initiatives being incomplete and ineffectual, or becoming “business blockers”.  

And crucially for the Managed Service Project of the Year category in particular, Calligo’s services do more than simply audit clients’ environments and identify their vulnerabilities. Calligo’s blend of skillsets means we are also able to rectify any weaknesses too. 

As Daniel Murphy, Product Manager at Planning Center, one of our clients for Privacy by Design and Data Protection Officer services, said: 

“The main difference in choosing Calligo was how they sit apart from most other privacy consultants. We had the impression – and this was borne out in the delivery – that the service would not be limited to auditing our processes and leaving us to interpret them and determine next steps ourselves. Nor would they simply write our privacy policies and hand us certifications. It was clear it would instead be a thorough, honest, and practical engagement, and the start of a long-term collaborative relationship.”

We think these services showcase our different approach to managed services – optimizing the entire data lifecycle by uncovering the opportunities and averting the risks inherent in every data interaction. And the judges agreed! 


We’ve achieved VMware Cloud Verified status!

We’re excited to announce that we have achieved VMware Cloud verified status.


This accreditation is only awarded to providers who meet VMware’s strict criteria and who can demonstrate their skill and expertise in deploying and managing VMware Cloud Infrastructure.

To view our entire list of accreditations, click here.

What does VMware Cloud Verified mean to our customers?

The VMware Cloud Verified status means that CloudCore – Calligo’s own high-performance privacy-centric IaaS platform – runs on the complete VMware Cloud Infrastructure – the world’s most capable and comprehensive cloud architecture.

Our decision to harness the full capabilities of VMware creates a consistency of design across our cloud service that allows us to provide our customers with market-leading integration and interoperability, cost optimization and flexibility.

How do you become verified?

Fewer than 5% of the 4,000+ VMware Cloud Providers worldwide have been able to achieve this accreditation.

Securing VMware Cloud Verified status requires more than simply choosing to rely on VMware technology. Partners must also meet strict criteria in best-practice deployment and technical capability, and be able to offer cloud deployments that meet a wide range of businesses’ strategic needs, in particular enterprise hybrid cloud.

What is CloudCore?

Calligo’s CloudCore is one of the most innovative, secure and high-performance public cloud platforms available, and was the first to be designed with data privacy and data sovereignty at its heart.

CloudCore has an industry-wide reputation for being an early adopter, if not first to market, with some of the most advanced cloud technologies available. Combined with Calligo’s technical expertise and privacy-centric mission, this means that CloudCore is able to offer financially-backed, industry-leading SLAs for performance – even at the application level – and to offer data residency guarantees. You can find out more about CloudCore here.

International Data Privacy Day 2020

Please visit our resources page for International Data Privacy Day 2021, where you will find our more up-to-date content, including a new version of the Periodic Table of Data Privacy, and a review of the impact of Brexit on international data flows.

Since its launch in 2006, every year on the 28th of January the entire privacy community across the world celebrates Data Privacy Day, known as Data Protection Day in Europe.

Why is Data Privacy Day needed?


It’s estimated that in 2019 there were at least 7.9 billion records exposed through data breaches. The exposed records included email addresses, phone numbers, credit card numbers and even home addresses, as well as other sensitive data. Not only does this leave individuals open to fraud and identity theft, but it also leaves businesses open to significant fines, negative headlines and reputational damage.

Not even two years since it came into effect in May 2018, there have been 182 GDPR fines issued across Europe, with a combined total of over €104 million.

Headlines have focused on the big fines issued to big name companies such as Google, but it must not be forgotten that they have also been handed to smaller SMEs who have failed to protect their customers’ data and their rights under GDPR’s requirements.  

Infographic: 31% of data records stolen result in identity theft; €104,000,000 in GDPR fines.

Organizations’ failures to adhere to their obligations typically stem from one of two shortcomings: outright ignorance of the applicable legislation (or of the fact that they are in scope), or overconfidence in their current adherence.

Both of these come down to the same thing: insufficient awareness. 

This is why Data Privacy Day is so important. The international day is used to increase awareness of data privacy for not only data subjects, so they understand their rights to privacy, but also to both remind businesses of their data privacy obligations, and encourage them to check the current health of their compliance. 

As part of our duty to contribute to supporting users and businesses alike, we have built a dedicated resource centre for Data Privacy Day, including new content to keep you updated, informed and, most importantly, more aware of the critical nuances of data privacy.

Data Privacy Day Resource Centre


The Data Privacy Day resource centre is for privacy professionals as well as those dealing with privacy within their organisations. It includes unique analysis and infographics, as well as new practical guides alongside key industry observations we’re seeing from our client engagements.

1- The Periodic Table of Data Privacy

We’ve updated one of our most popular resources – The Data Privacy Periodic Table. This is a unique initiative that showcases all the “key elements” of data privacy. It’s an open and collaborative project, so these updates include contributions from the wider privacy community, including CCPA, discussions about US federal privacy laws, COPPA and Schrems II.

2- GDPR – an ethical stake in the ground or simply a handbook to compliance?

Our new visualization shows an Article-by-Article analysis of GDPR and provides a behind-the-scenes understanding of the context of the regulation.

3- Brexit & GDPR – Forget Deal or No Deal, it’s all about Adequacy now

Back in October, we looked at the UK’s changing relationship with the EU and how Brexit will impact UK businesses’ ability to interact with data. We’ve now updated our flowchart to reflect how vital data adequacy is for the UK, how long it takes to obtain, and what businesses will need to do whether or not it is granted.

4- AI and Data Privacy – what’s the answer?

In light of multiple high-profile speeches at the World Economic Forum in Davos accelerating the discussion about how AI can operate ethically in a more privacy-aware world, we show the merits of Privacy by Design to AI initiatives – and numerous others.


UPDATE 4: The Data Privacy Periodic Table

Data Privacy Day (or Data Protection Day in Europe) is the perfect occasion to release the latest update of the Data Privacy Periodic Table. 

This is the fifth version of the open project, continuously receiving input and recommendations from industry experts all around the globe. 

So, what does this update include? 

Firstly, let’s discuss what it does not include:

While a great deal of the recent privacy conversation has revolved around its symbiotic relationship with AI, it has not impacted the arrangement of the Periodic Table. AI was included as a “Future development” in the very first rendition. However, on this topic, see our blog, also published today as part of our special Data Protection Day resources.  

Similarly, the ongoing debate around whether the UK will be able to secure EU adequacy by the Brexit deadline of the end of 2020 has been a topic of keen discussion for many of our North American and European clients. But the urgency of the conversation does not change its position in the Table. A more in-depth discussion of this topic is available here. 

Instead, we have identified three key privacy topics that demand changes to the Periodic Table, focused on major legislation arriving or being debated, plus, speaking of debates, “Schrems II”.

The Updates:

California Consumer Privacy Act (CCPA) – and its national ramifications

The most obvious necessary change was to move the CCPA from Future Developments to Core Legislation. To accommodate it, we combined the two Canadian privacy laws of CASL and PIPEDA into “Canadian Data Privacy Laws (CaDP)”. 

On the 1st of January, the CCPA – “the nation’s most far-reaching online privacy law and a potential model for other states” according to the Washington Post – came into force. Of course, its Proposed Regulations are still being debated throughout the industry, as much of this guidance for businesses’ execution of the CCPA actually exceeds the scope of the underlying law, or creates additional burdens. Those discussions to one side, however, it is still a huge moment for US privacy law.

Beyond the CCPA, 2019 was a big year for US privacy legislation for other reasons. Two federal online privacy bills were proposed in 2019: one from US Democratic Senators, dubbed COPRA – the Consumer Online Privacy Rights Act – while Republicans proposed the US Consumer Data Privacy Act (CDPA). There are many similarities, especially around the now commonplace privacy provisions of data security, consent and transparency. The main differences are in their implementation – COPRA aims to work in tandem with state laws while CDPA aims to supersede them. And let’s not forget that there were five other notable federal privacy proposals introduced in 2019:

Online Privacy Act
Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act
American Data Dissemination Act (ADD Act)
Social Media Privacy Protection and Consumer Rights Act
Privacy Bill of Rights Act

All of these are in such early stages that none of them warrants inclusion on the Periodic Table just yet – especially when element 114 in Future Developments includes “US States”. However, it would be a safe bet that there will be a change in this area in 2020.  

Children’s Online Privacy Protection Act (COPPA)

This has been introduced into the Future Developments section, taking the space left by CCPA’s move into Core Legislation.

COPPA is a US federal law, in force since April 2000. Much like the thinking behind GDPR, its scope reaches any online service targeting US users or that intentionally collects information from children in the US, regardless of its country of origin.

The reason it has been added is the introduction of a new bill, the Preventing Real Online Threats Endangering Children Today Act – known as the PROTECT Kids Act.

This bill borrows most of its content from COPPA, but adds a Right to be Forgotten, and, most remarkably, raises the age limit from 13 to 16. This effectively creates the right for parents to demand the removal of their children’s online profiles up to the age of 16. A remarkable indictment of the suspicion of how personal data may be used in the future.

The protection of children’s privacy is an issue that the US takes seriously. In September 2019, YouTube (and by extension, Google) was handed a $170 million fine under COPPA after it was found to be gathering children’s personal data without parental consent and monetizing it. Then, a few days before the PROTECT Kids Act was proposed, YouTube passed all the burden of confirming audience age to content creators and removed most monetization mechanisms from any content marked as “suitable for children” – all to widespread indignation amongst the YouTube content community, many of whom relied on income streams from child-suitable content.

Despite being an enforceable law, COPPA will remain in the Future Developments section while the PROTECT Kids Act and other amendments are in discussion.

Schrems II

Do Standard Contractual Clauses (SCCs) adequately meet Europe’s data protection laws? This is the heart of this long-running debate, brought about by the infamous Max Schrems asking whether his Facebook data could be adequately safeguarded in the US.

Schrems asserted that Facebook’s data transfer agreement was not consistent with the EU’s SCCs, and that even if they had been used, those SCCs could not justify the transfer of his personal data to the United States.

In December 2019, the Attorney General of the Court of Justice of the European Union seemed to agree by recommending that the European Court of Justice should “continue to consider” whether SCCs are lawful, though the opinion did caveat this by saying they were not to be considered unlawful – currently.

The problem is mainly that SCCs are made between two organizations alone, and do not put any requirement on the respective governments to safeguard that data’s privacy. In practical terms, this means that data passed from the EU to the US under SCCs is still vulnerable to legal US surveillance measures. And, as the AG of the CJEU asserts, Privacy Shield does not solve this problem.

The result is that SCCs are now very much in question. They currently remain a suitable measure, but their practical effect – and therefore ongoing suitability – is very much under scrutiny.

We have therefore removed “EUx” from Future Developments as further exits from the EU seem less likely – or at least less immediate than this discussion over SCCs, which now takes its place.  You can read more about the outcome of Schrems II here.

As always, let us know of any suggestions, disagreements or recommendations. This is an open and live project that actively seeks input and is regularly updated as things change.

Calligo acquires Dublin-based DC Networks Ltd.

Today, we announced that Calligo has acquired Dublin-based IT Managed Services Provider, DC Networks Ltd.  

DC Networks specialises in IT support, telecommunications and networking, and managed Microsoft Azure services, and is one of the most well-respected MSPs in the region.

The purchase of DC Networks is another significant step in Calligo’s continued global growth strategy. In the last three years, Calligo has completed six acquisitions – three in Canada (including Connected Technologies in March last year), one in Guernsey, one in Luxembourg and now DC Networks – creating a well-established, multi-jurisdictional provider of IT managed services that cover the entire data lifecycle, with data privacy embedded at every step.

This acquisition is a case of DC Networks’ services and skillsets perfectly complementing Calligo’s own portfolio of IT managed services and cloud infrastructure services. In addition, its Dublin location strengthens Calligo’s delivery of strategic data services that can accommodate any regulatory or data sensitivity obligations.

Why is Calligo expanding into Ireland?

“Ireland is a rapidly-growing market, but particularly in its appetite for innovative technology. It is populated by a high proportion of ambitious, data-driven businesses eager to explore how they can make fullest use of their data and make it work harder for them. Ireland was clearly the logical next step for Calligo’s international expansion.”
Julian Box, Founder and CEO of Calligo.

How will this benefit existing Calligo clients?

“Ireland is also a strategic target. Adding a presence here, alongside our established locations in the UK and Europe, bolsters our ability to provide local, European and international businesses with a full suite of data-centric managed services that satisfy all requirements in data residency, data privacy and data ethics.”
Julian Box, Founder and CEO of Calligo.

Why did Calligo choose DC Networks?

“DC Networks was an easy choice of company for our first steps into Ireland. It is a well-run business with a portfolio of IT, cloud and managed services that will meld very easily with our own, and it has a rightfully-earned local reputation for client service and accurate delivery. In truth, the business reminds us of ourselves and we are excited by the prospect of adding the existing team to our own, and offering new and existing clients a broadened portfolio of data optimization services with the same client-centric service mentality.”
Julian Box, Founder and CEO of Calligo.

What does this mean for previous DC Networks clients?

“Synergy is an overused term in these situations, but here it is remarkably apt. The similarities in our service lines, customer focus and underlying missions were striking. We have taken pride in developing strong relationships with our clients, many of whom have been with us for many years, and we know their businesses, needs and data challenges inside out. This acquisition will be an excellent result for our new and existing clients, as the wider portfolio of data services that will be made available to them, including data privacy, automation and artificial intelligence, are exactly what they and businesses across Ireland are in need of.”
Robert Doyle, Director of DC Networks

If you have any questions about this exciting news, and what it may mean for you, please contact me using the details below.

Julian Box, Founder and CEO – julian.box@calligo.io

12 Steps to becoming data optimized

Data optimization is the process of ensuring you are extracting the most value from your data at every stage of its journey, from capture, storage, maintenance and security, to its analysis and insights, and finally its archiving and deletion.

But if that’s what it is, what does it entail and require? It sounds like an enormous amount of work and potential upheaval, so to help, we have broken it down into 12 of the most important steps.  

Data Privacy Regulations

Data privacy laws are complex, widespread and evolving. From Europe’s GDPR to California’s new privacy legislation, CCPA, as well as industry-specific regulations, it’s essential to identify which frameworks you must adhere to, plus any that may become applicable as your future strategy evolves.

Data ethics

Is what you want to achieve with your data ethical? This is a question of more than whether it is in line with the regulations (see the previous point): is it in line with their underlying sentiment and purpose? Where does your project sit on the spectrum between using data to deliver services, insights and capabilities that are genuinely beneficial to both your data subjects and you, and exploiting their data and privacy (and potentially legal loopholes) largely to your own ends?

Privacy by Design

Have your projects, processes and core activities been built with privacy in mind? Privacy by Design helps businesses be proactive when it comes to data privacy, ensuring it’s planned into the project from the very start, and in such a way that privacy does not hinder any ambition or objectives. If privacy is an afterthought and implemented retrospectively, then it will invariably restrict functionality and diminish the project’s effectiveness. Privacy should never be an obstacle to progress, only a safeguard to ensure that progress is ethical.

IT Security

With cybersecurity attacks on the rise, businesses need to go above the standard anti-malware and ransomware technology to protect their data. This includes implementing IT security practices that combat social engineering, such as multi-factor authentication and employee awareness training.

Cloud Migration

Migrating to the cloud (whether public, private or hybrid) not only gives your workforce access to your data and a wide range of applications from anywhere – the key to making your data work harder for you – but also provides the flexibility and scalability your growing business requires, while removing the cost of managing and maintaining on-premises equipment.

Cloud Management

Cloud management includes the ongoing maintenance of your cloud environment – incorporating connectivity, capacity, resilience and cost-efficiency amongst others – but also the need to maintain vigilance over your data residency and continuous regulatory compliance.

The right productivity tools

Improve collaboration and productivity within your business by introducing the right tools, like Microsoft 365. Key to your selection of platform is whether your employees will be able to share data within their teams and externally – and do so securely, reliably and compliantly – and also whether they will be able to collaborate. Remember that true collaboration is more than sharing files and working on them simultaneously. It also includes efficient project management and the ability to reach answers faster by using dialogue-based tools such as IM and video conferencing instead of relying on outdated email and attachments.

Cost management

Data is arguably the greatest cost for any IT function – and certainly the one most likely to grow and, if not managed appropriately, create uncertainty. Cost management includes capacity planning, SLA management, a granular understanding of costs per department, service function and project (not just per technology), forecasting in line with business strategy, and integration with Risk and Supplier Management.

Data Analytics

This, and the two points below, are the key to data optimization. Everything above is simply typical IT process and strategy. But in a modern business, their purpose is to prepare the business for these next three points, where data’s value is actually exploited.

Data analytics is the process of using data to make informed decisions. This may be a case of simply using performance data to learn how to improve processes or projects, or maybe using historical data to predict outcomes. These processes however rely on human interaction to query data and test assumptions.

Artificial Intelligence

Meanwhile, Artificial Intelligence, and Machine Learning in particular, is where this human interaction is removed. Instead, the responsibility for testing assumptions, learning from outcomes and evolving the algorithm(s) is handed over to the machine – all at a speed and degree of complexity that no human team could ever reach.

Productivity

Your business needs to be as productive as possible, which will inherently require greater collaboration. Tools such as Microsoft Office 365 are ideal platforms for data-sharing, communication and project management – and even data insights. Make sure your business has the skills to not only deploy and maintain these tools, but also to train your teams in their effective use.

Automation

For many businesses, the greatest data optimization benefits are often gained from identifying which processes drain the most staff time, or are the most repetitive or formulaic – and probably demoralise staff the most! Many find these are comparatively simple matters of automation rather than the more adventurous deep-insight projects. Examples include automating the process of rejecting or progressing inbound job applications, helpdesk support and first-line customer service, or, as many accountants do, automating the collection of documents from clients for personal tax processes.

Data governance and information management

The management and structuring of the vast amounts of data that businesses consume and generate every day underpins every one of the other 12 steps above. This ranges from the need to identify data’s source and legitimacy, to simply controlling the amount of data from a cost perspective or capacity planning, through to securing it, structuring it, delivering it, backing it up, and understanding its archival requirements. Not to mention appreciating the data regulations that may apply to it throughout, and documenting the appropriate policies so they can be enforced and evolved.

After all, most innovative projects – whether AI or automation or even simple data analytics – fail because the necessary data is not available, structured or even originally legally obtained.

10 Data Privacy questions your business needs to ask

Data Privacy questions you need to answer to determine if your compliance is up to scratch

Due to the evolving nature of data privacy laws, either with new laws being introduced and enforced or clarification on existing laws, businesses need to review their privacy compliance constantly.

However, our Data Privacy team is often called into organizations who have worked hard to achieve compliance some time ago, and whose business and the regulations that apply to it have changed, leaving their compliance undermined. By failing to adapt to new regulations, update necessary security measures or monitor how changes to the business affect which laws it must adhere to, many are left dangerously exposed.

To help, we’ve put together our top 10 questions you need to answer and continuously revisit to ensure your data privacy compliance is up to scratch for 2020, and beyond.


Have you incorporated “Privacy by Design” into your projects?

Ann Cavoukian’s 7 Principles of Privacy by Design ensure businesses consider data privacy, security and data protection from the very start of new technology projects or changes to process, and crucially in such a way that prevents the new initiatives’ objectives being undermined. Unfortunately, too many businesses implement privacy only as an afterthought, meaning functionality almost always has to be curtailed, turning the privacy function from business enabler and protector into “business blocker”.

Do you have a plan for responding to a data breach?

When a data breach occurs, many businesses panic, compounding the impact. Advance planning and regular stress testing, however, will ensure you have a clear, proportionate and flexible strategy focused on protecting and informing your customers, and your business in the process. Such preparation will reduce the damage to your organization’s reputation if a data breach does occur.

Is access to data on a need-to-know basis?

An important question to ask is who has access to your data, and whether that access is necessary for their work and business operations. You may find that some of your employees have privileged access to sensitive data, or to information they simply don’t need. Also, do you know which of your suppliers – including their employees – have access to your data? If so, you’ll need to ensure there are contractual protections in place determining the level of access permitted and the remedies in case of a data breach.

Do you know what kind of data your company collects and processes?

Gathering data is vital to any organization, but exactly how much data is needed, and what kind of data is it?

Most privacy laws around the world require organizations to be transparent about the data they process. The GDPR for example requires companies to maintain a detailed and explicit record of every item of personal data they collect and use – the Record of Processing Activities, or RoPA. But this is more than a paperwork exercise. It is also of enormous practical value. By understanding the source and purpose of every piece of received data, the company can better determine what data they genuinely need to receive and what the next steps – including disposal – need to be.

Is your company’s privacy notice an accurate reflection of what your company does with personal data?

The way data is captured and processed must be accurately and transparently stated in a privacy notice or privacy policy that is freely available and easily accessed. Have you updated your company’s privacy notice recently?

Have you considered the impact of Brexit on your GDPR and wider data privacy obligations?

If the UK leaves the EU under a no-deal Brexit, the UK becomes a third country without data adequacy and with no surviving status quo. Overnight, it becomes an illegitimate territory for EU personal data. There are a series of measures that businesses active in the UK will need to consider or revisit, some of which are part of standard GDPR adherence, but some of which are specific to Brexit itself.

Does my organization need a Data Protection Officer?

Under many privacy regulations, organizations need to determine whether they must appoint a Data Protection Officer (or a similarly titled role). For example, under GDPR, if your business is a public authority or is processing personal or sensitive data at large scale, you are mandated under Articles 37-39 to have a Data Protection Officer. If you last reviewed your need for a DPO some time ago, it is worth revisiting this, as you may have since crossed the threshold. It is also worth checking the duties of the DPO under the various frameworks, as these are changing. Finally, note that whilst DPOs can be appointed internally, an internal appointee might not be suitable for the role; one option to overcome this is to outsource the role to a specialist.

Does your company have a process in place to respond to data subject access requests and/or complaints?

Under the GDPR legislation, EU citizens can request access to their data, find out if their data is being processed, and request a transfer of their data to another system. There must be a process in place which states who handles these requests. Those people must also be able to retrieve all the relevant data and securely transfer it to the person who made the request. This must be provided free of charge and without “undue delay”.

Are you ready for CCPA?

The California Consumer Privacy Act (CCPA) comes into effect on 1st January 2020 and will affect any business that serves Californian residents and has at least $25 million in annual revenue, as well as any company of any size that holds personal data on at least 50,000 people or collects more than half its revenue from the sale of personal data. It’s estimated that only 44% of in-scope businesses are prepared – are you one of them?


How Calligo can help

If any of these questions appear relevant to your business, submit an enquiry or book an initial free consultation with the Calligo Privacy Team.

What are the 7 Principles of Privacy by Design?

Privacy by Design (PbD) is based on seven principles that help businesses be proactive when it comes to data privacy and build privacy into the very heart of their projects, processes and core activities.
The concept was created and defined by Dr Ann Cavoukian, Ph.D, an Executive Director of the Global Privacy & Security by Design Centre and previously the Information and Privacy Commissioner, Ontario, Canada. Work began in 1995 but it was formally launched and accepted in 2010.

Why are the 7 Principles of Privacy by Design important?

Privacy by Design is one of the key principles of data optimization – the art and science of making the most of your business’ data without compromising your legal obligations or data ethics.
It’s not just a framework to aspire to; privacy laws, such as GDPR, explicitly mandate that organizations consider Privacy by Design at the earliest possible stages of any project, and throughout its entire lifecycle. This is key to ensuring ongoing adherence to the regulation – and to many more, as the structure of GDPR is emulated in more and more territories’ own privacy legislation.

When are the 7 Principles of Privacy by Design relevant?

Fundamentally, if any activity is dependent upon, or even tangentially connected to, the use of personal data (so, most activities then), Privacy by Design is essential to ensure that you are continuously treating your data subjects legally, appropriately and, frankly, ethically.


What are the 7 Principles of Privacy by Design?
  1. Proactive not reactive; preventative not remedial
    Proactively anticipate privacy-invasive events before they happen, rather than relying on identifying and reacting to issues as they threaten.
  2. Privacy as the default
    This insists that the maximum degree of privacy should be delivered by default, from the very start and throughout the lifecycle, automatically. A key part of this is ensuring that only as much data as is genuinely necessary is collected, and no more. If this is ensured, then the potential to undermine privacy is markedly reduced.
  3. Privacy embedded into the design
    Privacy is integrated into the initial stages of a product’s design and architecture, as well as into IT systems and business practices. By considering privacy at the design stage, privacy can be achieved at the same time as the functionality and productivity of the project. In contrast, if privacy is retro-fitted, it will invariably hinder the project’s capability, as the original design will have relied upon illicit freedom in the use of data.
  4. Full functionality — positive-sum, not zero-sum
    This ensures that whilst privacy is embedded at the very core, functionality doesn’t suffer. Businesses need to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach where unnecessary trade-offs are made.
  5. End-to-end security — lifecycle protection
    An essential part of data privacy and protection is security. Privacy by Design ensures that IT security is present from data collection, through storage, to eventual deletion.
  6. Visibility and transparency
    This makes sure that all stakeholders (particularly data subjects) are informed of the business’s privacy practices and policies, and that these clearly state how data will be processed, stored and erased, as well as any technologies used.
  7. Respect for user privacy
    Provide data subjects with all the tools required to uphold their privacy rights, from clear and transparent privacy notices to strong privacy defaults and user-friendly interfaces, and ensure that all personal data is accurate and up-to-date.

The seven principles of Privacy by Design enable organizations to design better products and ensure that they are privacy-compliant from the very start.

If your business is facing a new data project, our team of Privacy Architects can help.

With equal expertise in cloud technology and environments, data insights such as machine learning, data analytics and data visualizations, as well as data privacy legislation, our team will ensure your data project does not overtake your Privacy by Design obligations, nor hamper any of your ambitions.

Discover where AI can be successfully introduced to your business

Artificial intelligence and its subset, machine learning, have undoubtedly been the buzzwords of 2019, especially within the business and technology worlds. With hundreds of articles making grandiose claims regarding how AI will transform businesses, many organizations who have already deployed AI within their businesses are struggling to see results, often deeming the projects as failures.

Why is this? More often than not, it’s because the business decided on where to implement AI, instead of discovering where it would have the most beneficial impact within the organization.

Just because a given process is the most painful, labour-intensive or inaccurate, it doesn’t mean that it is the most suitable process in your organization for the introduction of AI.

So, how do you discover where the most profitable and practical use case for AI within your business is? Our Data Insights team believes there are three stages to successfully discovering where AI is most beneficial within your business.

Step 1: Data Ethics

Data ethics is an important starting point for any data-orientated project and has been a popular discussion point in 2019, especially when it comes to AI.

But what does data ethics entail? Here are some of the questions our Data Insights team pose during our projects:

  How will you ensure that AI treats your customers and employees appropriately and that decision-making is transparent?

  How will you identify and mitigate risks to safety, happiness or profit?

  Do you have the right permissions to use personal data for automated decision making?

  Do you have the skills and deep understanding of your internal data processes to ensure your AI project will be built on ‘privacy by design’?

Step 2: Data Maturity

Before searching for where to deploy AI, you need to be sure that your business is even capable of taking advantage of it. This is a multi-faceted requirement, ranging from your business’ technology infrastructure and skills to your data discipline and even your board-level and wider culture. Only once all of these prerequisites are met can you start investigating where AI can be deployed.

  Is your strategy data-led?

  Is your day-to-day operational execution data-led?

  Is your technical architecture suitable?

  How robust is your data governance? And importantly, in terms of historic data-gathering, how robust has it been up until now?

Step Three: Discovering the right use case

Now that your data insights project will be ethical and appropriate, and you can be sure that your business is prepared both for the introduction of the project and to make best use of its outputs, you can start the search for the best place to implement it.

But how do you find it?

  Strategic Review

Apply your strategic objectives to each of your business functions to identify where the most urgent needs, shortfalls and challenges exist.

  Impact Assessment

Identify what benefits can be anticipated from tackling each of these, whether hard (cost reductions, revenue generation, compliance, etc.) or soft (culture evolution, digital transformation, competitive advantage, etc.).

  AI Relevance

Once you can see where the greatest benefits are to be gained, is AI the right technology for delivering them? AI is most impactful when it is given the freedom to be creative – you might find analytics or automation may be more appropriate.

  Data Audit

What relevant and useful data do you have available to you, whether proprietary or external?

To find out more about each of these questions in all three stages and how to answer them all – and others – download our guide to finding the right use case for AI in your business.

Calligo recertifies for ISO 9001 and ISO 27001

Calligo has once again passed two key compliance audit requirements: ISO 9001 and ISO 27001.

These certifications cover our entire European and North American presence, and have been updated to encompass our complete service portfolio, “Global Data Optimization and Privacy Services”.

What this means for our clients

ISO 9001:2015 – Quality Management System

ISO 9001 is the world’s most widely recognized quality management standard. By aligning our internal processes with it, we are assuring our clients that our services will be delivered to a consistently high standard, even as we scale.

Holding an ISO 9001 certification is objective evidence that we take the high-quality delivery of our services seriously. It was therefore important to us that we ensured that our audit covered our entire service portfolio and all our global locations. Every client of any service should be able to expect the same high-quality service from us.

ISO/IEC 27001:2013 – Information Security Management System

This standard assures clients that we have put in place, and continuously maintain, an effective information security management system (ISMS) – a framework of policies and procedures that keep our own and our clients’ information secure. Our clients can continue to be confident that the confidentiality, integrity and availability of their data is our top priority. The audit involved an extensive assessment of potential vulnerabilities and risks to the business, and the creation of a set of mitigating processes that ensure our ongoing resilience.

Combined with ISO 9001 above, we are showing that we are independently certified as capable of managing clients’ data securely and responsibly, and delivering consistently high-performing services that make their data work harder for them.

How ISO 27701 “cuts to the chase” of Privacy-Security initiatives

ISO 27701 arrives to guide privacy pros through the complexity of privacy implementation and Privacy by Design.

Within the press release and introduction released last month announcing the world’s first international standard for information privacy management, the International Standards Organization (ISO) noted that:

  Privacy has become a “significant business concern”
  Cybersecurity is “a growing concern”
  Costs of data breaches are rising
  Legal obligations are “increasingly stringent”
  Protection of privacy is a “societal need”
  The quantity and types of PII are increasing…
  …as are the variety of circumstances where organizations need to co-operate with one another to process it
  And finally, many organizations are simply not ready and need guidance

Quite a backdrop for a new, and clearly essential, ‘Privacy Information Management System’ (PIMS)!

So what do you need to know about it?

Most importantly, it supplements ISO 27001, the widely-adopted Information Security Management Standard. According to the ISO website, 27001 “is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.”

This is absolutely the right way to think of any PIMS – as an extension to the well-understood and widely-applied practical thinking of an ISMS. The symbiotic link between data security and data privacy is well-documented and obvious. Take the GDPR for example, and how many references there are within it to “technical and organisational measures.”

But still, making this theoretical link a reality – and going a long way towards achieving Privacy by Design in the process – remains complex. Not least because of the lack of a common language between Privacy pros and their IT and Security peers, as our Privacy Rosetta Stone project revealed.

Achieving Privacy by Design should be any data-centric business’ goal, and for that, Privacy and IT & Security need to collaborate effectively. This requires clear and transparent communication, which is notoriously somewhat less than common between the two departments.

But if these two departments cannot communicate with each other clearly, then there is zero chance of the importance, requirements and urgency of privacy being communicated across the wider organization.

Thankfully, ISO 27701 helps bring the two parties together. It creates a common goal for data protection, using language that IT & Security will understand (it is based on “their” 27001 after all), while enforcing the practices that Privacy demands.

It does not totally fix the communication issue that is endemic between the two departments, but then it never intended to. It does however put Privacy into a practical IT & Security context. It outlines practical steps, measures and requirements that stop IT & Security thinking that privacy is not their territory, or worse, solved simply by securing the network.

In essence, implementing ISO 27701 cuts to the chase. It helps you bypass the noise, frustration, misunderstanding and delay of typical Privacy-Security initiatives, and helps you take meaningful steps faster towards a privacy-centric culture.

It can’t solve the problem entirely. Privacy and IT & Security still both need to work harder to improve the transparency and frequency of their communication, especially in more complex or innovative projects. But ISO 27701 lays strong foundations for effective collaboration and ongoing regulatory adherence.

We’ve been shortlisted for “Best Cloud Computing Provider”!

We’re delighted to announce that Calligo has been shortlisted in the “Best Cloud Computing Provider” category of Computing’s Technology Product Awards 2019.

Calligo’s submission was shortlisted by the judges on account of how our cloud infrastructure services are specifically designed to support the wider objective of Data Optimization and Privacy. Our entire service portfolio – of which Cloud Infrastructure Services are a key component – is designed to deliver the maximum business benefit from every data interaction, while meeting all applicable data privacy regulations across all relevant jurisdictions.

Our Cloud Infrastructure Services are absolutely vital to this vision. CloudCore, our public cloud platform launched in 2012, represents a powerful combination of high performance, data residency and security. Calligo provides industry-leading SLAs across all aspects of service provision, including performance, availability and uptime. It was also the first public cloud platform in the world to offer data residency guarantees, and the first to be certified under the information security standard, ISO 27001:2013. Meanwhile, its customizable data residency workflows restrict the movement of any sensitive data – including any copies for back up purposes – outside nominated jurisdictions.

But the judges were most impressed by how CloudCore underpins the wider breadth of data optimization services. For instance, it complements our Data Privacy Services, that combine an unusual blend of legal, technology, security and change management expertise. Our teams guide clients through their cloud infrastructure strategies, ensuring that their design and data management processes support their national, international and industry-specific data privacy obligations, and “privacy by design”.

Similarly, we regularly combine CloudCore with our IT Managed Services and Productivity services, such as Microsoft Office 365, to support our clients in the day-to-day access, security and use of their data. And CloudCore is also the basis of our Data Insights Services, using machine learning to deliver value adding, privacy-conscious automation and IoT projects to businesses around the world.

2019 is already proving to be an exciting year of recognition. In July, Calligo was named as one of the finalists in Computing’s Cloud Excellence Awards 2019 in the category “MSP of the Year”, as well as being ranked amongst the world’s top 100 Managed Service Providers by Channel Futures on their MSP501 List.

The winners of the Technology Product Awards will be announced on Friday 29th November 2019 in London. Wish us luck!