
The 5 Top Questions Around Data Privacy

Businesses can no longer ignore the importance of data privacy. In this blog post, we round up the questions our data privacy services team hears most often, combined with data from Google Trends, to reveal the most prevalent concerns and the areas of most confusion.

Q1: What is the significance of the CCPA, and when does it come into effect?

The California Consumer Privacy Act (CCPA) is a state law that expands the privacy rights and consumer protections of residents of California, United States of America. It was signed into law on June 28, 2018 and became effective on January 1, 2020.

The aims of the Act include allowing individuals to

  • Find out if, and what, personal data has been collected about them.
  • Find out if their personal data is sold or disclosed to a third party.
  • Find out who their personal data has been sold or disclosed to.
  • Put a stop to the sale of their personal data.
  • Access their personal data.
  • Ask a business to delete any personal information they have about them.
  • Not be discriminated against for upholding their privacy rights.

The significance of the CCPA is threefold.

Firstly, the companies in scope tend to be larger ones. The law applies to for-profit businesses that serve California residents and meet any of the following criteria:

  • Exceed $25 million in annual gross revenue.
  • Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices per year.
  • Derive 50% or more of their annual revenue from selling consumers’ personal information.

It’s important to note that the law applies to any companies that “serve California residents”, meaning that the companies affected can be located anywhere in the world as long as they provide their services in California.

Secondly, the law is significant because of its jurisdiction. Some of the world’s largest companies (Google, Apple, Disney) are based in California, and their handling of sensitive data will now be under intense scrutiny.

Thirdly, it is currently “the nation’s most far-reaching online privacy law and a potential model for other states”, according to the Washington Post. Its impact and enforcement will be closely monitored by other states considering whether to follow it, but the very fact that it is likely to produce disparate privacy laws from state to state may accelerate the ongoing conversation about a federal data privacy law, so that data privacy does not become a blocker to doing business.

Q2: Who has been fined under GDPR so far?

Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, businesses across the world serving European citizens have been held to new standards of data handling.

The steep financial penalties possible under GDPR have provided an incentive for companies, big and small, to introduce new policies and infrastructure to ensure their ongoing adherence to GDPR. Many have also taken the decision to contract GDPR-qualified experts and Data Protection Officers to help them navigate this difficult change. However, not all businesses have implemented the necessary changes in time, and some have faced heavy fines from their national supervisory authorities (the ICO in the UK, CNIL in France, the Garante in Italy, and so on). These businesses include:

  • Google – fined €50m for a ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’ according to the French data regulator CNIL.
  • TIM – Telecom Provider – fined €27,802,946 for unlawful data processing and a non-compliant aggressive marketing strategy, among other unlawful data collection processes.
  • Austrian Post – fined €18,000,000 for using customer data, including ages and addresses, to calculate the probability of which political party they might support, before selling this information to third parties.

…but there have also been far smaller fines handed to SMEs and public bodies, undermining the argument that the supervisory authorities only target large corporates. Examples include a €9,000 fine for a Spanish business that was using video surveillance of its employees without consent, a similar fine for a Cypriot government agency that allowed the police access to personal data without sufficient security, and an €18,000 fine for a Swedish school that used facial recognition to monitor attendance without providing a suitable opt-out.

Q3: Who does GDPR apply to?

A common misunderstanding is that GDPR only applies to companies with offices or employees in countries belonging to the European Union. GDPR is designed to protect EU data subjects from unacceptable uses of their data, whether the company holding their data is based in the EU or not.

The real test is whether a business is offering goods or services to the EU market, or is monitoring an EU data subject’s behaviour within the EU. If so, its activities fall within the scope of GDPR regardless of its geographical location.

“Offering services to the EU market” is admittedly not clear and open to misinterpretation. To help, the European Data Protection Board (EDPB) has provided some examples of indicators of which territories an organisation is targeting, including:

  • Accepted currencies for payments
  • Languages of marketing materials
  • The locations where services can and cannot be shipped to

Q4: Why is data privacy important?

Data privacy is one of the fastest growing business issues on the planet, encompassing businesses of all shapes and sizes across every industry. Data has never been a more powerful or valuable commodity, and the proper handling of data (consent, notice, and regulatory obligations) is becoming increasingly regulated.

This is because the issue of data privacy has become a highly emotive and sensitive topic for data subjects, as the uses of data become more and more adventurous, personalised and at times, intrusive.

In fact, the importance of data privacy lies, for many, in its morality; keeping private data safe is seen as the ‘right thing to do’. Data ethics dictates that individuals should have agency over their data: how well it is protected, how much is given away, under what circumstances and for how long – much like physical property.

For data-intensive businesses, data privacy has had some dramatic effects on their data regimes and, in some cases, has even restricted their business models, for instance by curtailing the free use of automation or the collection and exploitation of data for marketing purposes.

Nevertheless, data privacy also brings massive opportunity. If data privacy is done right – or more specifically, if privacy by design is rolled out – then there are significant opportunities that come from a better understanding of the condition, location, source, use, importance and sensitivity of every piece of data.

By making your data well structured, visible and based on firm ethical and regulatory grounding, you can be more confident in your authority to use it and apply it to achieve your goal. The applications of data are endless, and if privacy is implemented by design then the business can leverage it in automation and machine learning experiments that improve marketing, sales and general business operations.

Q5: What is Privacy By Design?

Privacy by Design is a concept designed to guide businesses into becoming more proactive regarding data privacy. Built on seven principles, the concept sets the standards for how data privacy should be built into projects, processes and everyday activities. These seven principles are:

  • Proactively anticipating privacy-invasive events.
  • The maximum degree of privacy should be delivered by default.
  • Privacy should be incorporated from initial designs rather than added retrospectively.
  • Data privacy should not come at the expense of full functionality.
  • IT security across the entire lifecycle, from data collection, through storage, to eventual deletion.
  • Transparency at all times. All stakeholders should be informed of how data will be processed, stored and erased.
  • Data subjects should be given every opportunity to uphold their privacy rights.

Privacy by Design is important because it is not simply a framework to aspire to, but a necessary guideline for complying with privacy laws such as GDPR (which makes data protection by design and by default a legal obligation in Article 25) and CCPA. Regulators like the ICO expect data privacy to be upheld at every stage of a project, and can impose heavy financial penalties where it is not.

By incorporating these seven principles, businesses can ensure that they are treating their data subjects legally, fairly and ethically. Whether you are building a new IT system for storing personal data, developing policies that have privacy implications or looking to share data more actively with third-parties, Privacy by Design ensures that you remain privacy compliant from the very start.

What changes in Data Privacy can we look forward to in 2020?

Our Data Privacy Periodic Table initially launched in 2018 to make the world of Data Privacy a little easier to understand.

The first-of-its-kind project pulls together the 118 key “elements” of data privacy and data protection, and was created to help individuals better understand the complex nature of privacy and shed light on its often confusing terminology and how various pieces inter-relate.


Create a business continuity plan that works in 2020

Updated: December 2019

Planning for a business’s future can be an exciting time for business owners and office managers alike—what could be more inspiring than the possibility of growth, widespread positive impact, and success?

Unfortunately, there’s a darker side to planning for the future, too. While imagining and planning for the perfect scenarios above is important, the reality is that disaster can and does happen. Without preparing for both the good times and the bad times, a business and its offices can’t succeed.

That’s where business continuity planning comes in.

What Is Business Continuity Planning?

When unexpected disaster strikes, business owners and managers must have a safety plan in place to ensure that their business operations can continue after major events like natural disasters, cyberattacks, or other accidental damages to a company, its physical location, and its infrastructure.

Business continuity planning is the development and practice of a plan which businesses can implement in the event of a serious setback caused by one of the disasters above. These plans include aspects of both prevention and recovery, with the primary goal being to maintain business operations while protecting personnel, data, and assets.

Why Do You Need a Business Continuity Plan?

One could say that the benefits of having a BCP are endless, but they are more than just benefits – they are proof that a BCP is absolutely necessary.

So, what is this proof of a BCP’s importance?

Organisations with business continuity plans:

  • Inspire reliability, trust and confidence in their clients.
  • Build a good reputation (and preserve it during dire circumstances).
  • Instil the idea of resilience and strength throughout the company’s operations.
  • Are up to the industry standard.
  • Can thrive in any situation.

Nobody ever wants their business continuity plan to have to be activated, because it means something disastrous has happened. But they’re a necessity in modern business and having confidence in your continuity planning is achievable.

What is the difference between data backups and a business continuity plan?

Simply having your data backed up and secure is a good start – but it is only a start. Planning for a catastrophic systems failure or a cyber attack means knowing that:

  • You can restore data safely and rapidly.
  • Your team will be able to get back to using both software and hardware with confidence, soon after a systems failure.
  • Customer service will be maintained.
  • You won’t lose time, money or customer confidence.

Take the following as an example. In January 2017, Cockrell Hill Police Department (Texas, US) came under ransomware attack. A single infected server led to the loss of eight years of evidence, including video recordings. So far, so bad.

Then, their backup procedure ran very soon after the ransomware attack, replacing their previously backed-up files with copies of files that the ransomware had already encrypted and which were therefore inaccessible.

Their previously uncorrupted backup was wiped out by the very system they’d been relying on to preserve it.

Cockrell Hill had a backup; what they needed was a business continuity plan.

Creating an effective business continuity plan

In designing a business continuity plan, it’s important to ask the following questions:

  • Are the backed-up files easily accessible?
  • Is the backup device safe, secure and accessible?
  • Can our operating systems be reinstalled from the backups, or only the filesystem?
  • How long will reinstallation of our operating systems take?
  • How long will critical file restoration take?
  • And how long for complete data restoration?
  • How much time will pass before the business is able to run at full capacity again?
  • And how much time must we allow to catch up on anything we had to postpone during the catastrophe?
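The Cockrell Hill failure described above, and the restore-time questions in the list just above, as an added worked example in Python (this is not code from the original post, nor from Cockrell Hill’s systems or any product). It writes every snapshot into a fresh directory so that an existing backup is never overwritten in place, compares each new snapshot’s file manifest against the last known-good one, and quarantines a snapshot in which most known files have been renamed or have jumped to ciphertext-level entropy, so the LAST_GOOD pointer never advances onto encrypted data. The snapshot layout, the entropy and ratio thresholds, and the sample “evidence” files are assumptions made for illustration.

```python
"""Versioned backup with a last-known-good pointer and an encryption check.

Added illustrative example, not Cockrell Hill's backup system or any vendor's
code. Snapshot layout, thresholds and the sample files are assumptions.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
import time
from collections import Counter
from pathlib import Path

KEEP_GENERATIONS = 3      # assumed retention: newest N snapshots plus LAST_GOOD
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
SUSPECT_RATIO = 0.5       # fraction of known files that must look encrypted/renamed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is typically 4-5, ciphertext ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(src: Path) -> dict:
    """Per-file digest and entropy, keyed by path relative to the source root."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            manifest[str(p.relative_to(src))] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": round(shannon_entropy(data), 3),
            }
    return manifest


def looks_encrypted(prev: dict, cur: dict) -> bool:
    """True when most files from the last good snapshot have either vanished
    (ransomware usually renames them) or jumped from low to high entropy."""
    if not prev:
        return False
    suspect = 0
    for name, meta in prev.items():
        now = cur.get(name)
        if now is None or (meta["entropy"] < ENTROPY_THRESHOLD
                           and now["entropy"] >= ENTROPY_THRESHOLD):
            suspect += 1
    return suspect / len(prev) >= SUSPECT_RATIO


def prune(root: Path) -> list:
    """Drop old snapshots, but never the one LAST_GOOD points at."""
    snaps = sorted(p.name for p in root.iterdir() if p.is_dir())
    keep = set(snaps[-KEEP_GENERATIONS:])
    pointer = root / "LAST_GOOD"
    if pointer.exists():
        keep.add(pointer.read_text())
    removed = [s for s in snaps if s not in keep]
    for s in removed:
        shutil.rmtree(root / s)
    return removed


def take_snapshot(src: Path, root: Path, stamp: str) -> dict:
    """Copy src into a NEW directory root/<stamp>; earlier snapshots are never
    overwritten. LAST_GOOD only advances when the data does not look encrypted."""
    root.mkdir(parents=True, exist_ok=True)
    pointer = root / "LAST_GOOD"
    prev = {}
    if pointer.exists():
        prev = json.loads((root / pointer.read_text() / "manifest.json").read_text())
    cur = build_manifest(src)
    dest = root / stamp
    shutil.copytree(src, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(cur))
    status = "quarantined" if looks_encrypted(prev, cur) else "good"
    (dest / "STATUS").write_text(status)
    if status == "good":
        pointer.write_text(stamp)
    prune(root)
    return {"snapshot": stamp, "status": status,
            "last_good": pointer.read_text() if pointer.exists() else None}


def restore(root: Path, target: Path) -> tuple:
    """Restore from LAST_GOOD and time it: one data point for the RTO questions."""
    t0 = time.perf_counter()
    stamp = (root / "LAST_GOOD").read_text()
    shutil.copytree(root / stamp / "data", target)
    return stamp, time.perf_counter() - t0


def demo() -> dict:
    """Constructed scenario: one clean backup, then the source gets 'encrypted'."""
    work = Path(tempfile.mkdtemp())
    src, root = work / "evidence", work / "backups"
    src.mkdir()
    for i in range(4):  # constructed sample files standing in for case evidence
        (src / f"case{i}.txt").write_text("Incident report number %d. " % i * 20)
    first = take_snapshot(src, root, "20170101T000000")
    for p in list(src.iterdir()):  # simulated ransomware: overwrite and rename
        p.write_bytes(os.urandom(1024))
        p.rename(p.with_name(p.name + ".locked"))
    second = take_snapshot(src, root, "20170102T000000")
    stamp, seconds = restore(root, work / "restore")
    return {"first": first["status"], "second": second["status"],
            "restored_from": stamp, "restore_seconds": seconds,
            "restored_files": sorted(p.name for p in (work / "restore").iterdir())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module directly prints the constructed scenario: the first snapshot is marked good, the second (taken after the simulated encryption) is quarantined, and the restore comes from the first snapshot. The timing returned by restore() is the kind of measurement the “how long will restoration take?” questions above need, and it should be rehearsed on real data volumes rather than estimated. One caveat: a check like this running on the same host the ransomware has already compromised can itself be tampered with, so the backup root belongs on storage the production hosts cannot overwrite (offline media or immutable snapshots), with the check run from the backup side.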

A Quick Guide to Business Continuity Planning

  1. Pick your BCP team.

Get organised from the beginning and start the process of business continuity planning by choosing which members of the company will work together to develop and maintain a plan. Delegate responsibly, and diversify the team in order to gather insight from multiple business branches.

However, ensure that the primary person responsible for organising and maintaining the BCP is someone high on the pyramid. In other words, a senior official like a business owner or an office manager should take point on leading the planning efforts.

Once a team has been established, take action to ensure that all company employees and contributors are aware of the team members and their responsibilities. This creates accountability while keeping the entire office in the loop.

  2. Perform a business impact analysis (BIA).

Before mobilising your BCP team to begin outlining a plan, take some time to begin by performing a business impact analysis. A BIA includes gathering data about the worst-case scenario. In other words, a BIA will yield detailed information about possible company losses (both monetary and intangible) and the negative effects caused by major disruptions.

The BCP team can use the company’s mission statement and information about the company’s legal obligations to rank the minimal, critical services required of the business and then determine which of these services would be unable to function after a variety of emergency scenarios.

  3. Outline plans for critical operations.

With the results of the BIA in mind, the team’s next task is to outline practical, actionable procedures to follow in the event of an emergency so that business functionality is maintained.

This process will include assessment of any current procedures in place, then filling in necessary gaps using information from the BIA. This might include readiness procedures to prepare for natural disasters or the process of archiving and backing up databases to recover from a cyberattack.

  4. Train and educate staff.

Once a BCP has been developed and reviewed by the planning team, make the rest of the organisation aware by hosting training sessions, designing exercises to make the plan tangible to employees, and reviewing the procedure in detail. Ensure that all employees understand why a BCP is necessary as well as how to implement this BCP in an emergency.

Importantly, help each employee to understand the individual role they can play in the implementation of the BCP. Let them know what’s at stake and how their participation will propel the business forward in a time of crisis.

  5. Review and update your plan.

A business may have one of the most thorough and effective BCPs out there, but this means little if the plan is not reviewed and updated on a regular basis. Include as a part of the plan regular checkpoints throughout the year during which members of the BCP team evaluate the plan and implement company-wide initiatives such as practice drills.

This step has become particularly important in recent years as technology evolves and malicious cyberattacks have risen in number.

Remember, threats are changing all the time, and the BCP must be updated and familiar to the entirety of the business in order to be effective.

Effective business continuity planning saves time, money and reputation

Rebuilding your system requires so much more than simply restoring data – there’s the time required to review what went wrong and make sure you’re not leaving yourself open to the same risk again. You also have to account for the time and energy required to inform your team and your customers and rebuild their confidence after an event like this, whether it’s fire, flood or outside attack.

All in all, having a robust plan will save you not just time and money, but reputation too. In fact, it could save your entire business: according to an oft-cited study by the accounting firm Touche Ross, 90% of businesses without a disaster recovery plan fail following a disaster. Considering that 30% of businesses don’t have a plan in place, this figure is startling.

IAPP: Privacy. Security. Risk. 2019 – What we learnt

Last week, Calligo exhibited at IAPP’s annual Privacy. Security. Risk. 2019 in Las Vegas, Nevada. PSR is arguably the most significant event in the privacy industry, attracting privacy professionals from across the globe to discuss the latest data privacy news, trends, technology and issues.

Over two days, keynotes and panels explored how privacy and technology must work together simultaneously, discussing topics such as building privacy programmes to accommodate a wide range of data privacy laws such as GDPR and CCPA (California Consumer Privacy Act), Privacy by Design, as well as bridging the gap between privacy and security.

What did we learn?

Data Protection Officers

This topic came up repeatedly, and is a subject close to our hearts – appointing a Data Protection Officer.

Currently, under GDPR, Articles 37-39 require you to appoint a DPO if your business is a public authority, or if its core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of personal data. However, many companies are either not appointing anyone at all, or are struggling to find an external candidate because of the expense of hiring the right skillset. And, not to forget, arguably the most common mistake companies are making is appointing the wrong person internally.

We have seen many businesses appoint someone internally, on top of an existing position, to act as their DPO. This isn’t always wise.

J. Trevor Hughes, President & CEO of IAPP

A DPO needs to tick several boxes, which are rarely possible for an internal appointment:

  • A DPO is a very technical and multi-faceted role, one that has evolved quickly in recent years and that few have experience in.
  • A DPO needs the latest knowledge of data privacy and GDPR, and must be able to advise on both data protection and information security.
  • A DPO must act independently, with no conflict of interest with any other data or privacy-related role, so cannot also hold a role in IT, security, HR, finance or legal, for example.
  • A DPO must have access to the highest management levels.

To avoid these issues, organizations are increasingly outsourcing their DPOs. Our Data Protection Officer as a Service (DPOaaS) gives companies access to independent privacy consultants who will monitor your compliance, conduct audits and represent your organization to data subjects and regulators.

CCPA

Another hot topic during the event was, unsurprisingly, the introduction of CCPA. With implications similar to those of GDPR, CCPA will radically transform how businesses across the USA and beyond handle Californians’ personal data. Yet despite having well over a year to prepare for its arrival on the 1st of January 2020, many businesses are falling short.

Seemingly mainly because of a lack of understanding or awareness of the status of the Californian privacy law itself, organizations are struggling to come to terms with its nuances and requirements, such as consent, opt-ins/opt-outs and consumer access requests.

And whilst businesses play catch-up, another stream of conversation that followed was “what’s next?” Privacy does not stop with the GDPR and CCPA, and with proposed privacy laws from many more US states and countries, what will the next new round of obligations look like? And how will businesses prepare?

Bridging the gap between privacy professionals and Infosecurity

A subject that many privacy professionals can relate to – being able to understand and be understood by IT and Infosec teams.

As privacy laws evolve, they are driving an ever-increasing technical agenda. For example, GDPR’s data protection by design requirements (Article 25) are written into the legislation, but meeting them is a matter of technical implementation and oversight. Performing these obligations therefore naturally requires privacy professionals and their counterparts in technology and security to co-operate.

Unfortunately, the two sides tend to speak different languages. Some words have completely different meanings on each side of the fence. For example, to a privacy professional, the word “ensure” implies a guarantee that a certain action will be taken, whereas to a security professional the same word can mean only that there will be some general oversight of a situation. These are far from the same thing! Unsurprisingly, the split lexicon of the two teams can lead to misunderstandings that have substantial commercial and reputational impacts on the business.

Calligo’s Jennifer Wu, Privacy Consultant, even presented on this topic on the Little Big Stage during PSR. Jennifer highlighted the common mistakes both sides are making and how it’s hindering Privacy by Design. She also made recommendations on how to avoid these issues, and how Privacy teams and IT / Infosec teams need to build a better working relationship, which depends on speaking the same language.

If you missed Jennifer’s presentation or would like to discover how to understand or be understood by your CISO and CIO, our ebook “The Privacy Rosetta Stone” provides real-life case studies on three businesses who encountered this language barrier, the impacts it had on their businesses, and how they fixed the problem. It also includes top tips on how to identify a good and bad Privacy and Technical relationship and how to create your own Rosetta Stone.

UPDATE 3: The Data Privacy Periodic Table

The latest update (August 2021) to The Periodic Table of Data Privacy is published separately; the update below predates it.

The Data Privacy Periodic Table continues to be well-received and widely shared and commented upon. Since our last update in January, data privacy has barely left the news.

The ICO has announced its intention to fine some of the biggest brands, including British Airways (£183.4m) and Marriott Hotels (£99m – announced 24 hours after British Airways); AI and automation commentators continue to debate how to progress within the boundaries of Privacy by Design; and there have been constant updates to new local and national draft laws.

The British Airways fine in particular is interesting as it represents only about 1.5% of BA’s turnover, far below the maximum 4% of global annual turnover that the GDPR permits. To the casual observer it therefore seems a light penalty, but in fact it is probably a carefully chosen figure – more than enough to provoke shock and awe across the industry and media, but not so high as to be easily challenged. It is also a far cry from the £500,000 maximum that the ICO’s powers used to permit under the Data Protection Act 1998, continuing the trend of supervisory authorities being willing, and perhaps eager, to use their powers to punish the most grievous and negligent offences.

And so to this update of the Data Privacy Periodic Table. While data privacy has largely been kept at the forefront of our minds by brash headline-grabbing fine announcements, the changes on this occasion are conversely driven more by the subtleties of the laws themselves.

The updates

Changing “Controller” and “Processor” to “Owner” and “Executor”

When we first launched this project in September 2018, we were determined to make sure it reflected the wider privacy world and was not just a Periodic Table of the GDPR. This is harder than it sounds, despite the principles of the GDPR appearing to be reflected in almost all national privacy laws drafted since.

As new laws have been drafted since, it has become clear that the terminology of “Controller” and “Processor” (elements #40 and #41) has become too specific, though not unique, to the GDPR. The roles and demarcation are very common, but the names are not consistent.

For instance, the draft Indian privacy bill describes a role that is ostensibly the same as that of a GDPR Controller and names it “data fiduciary”. Hong Kong’s ordinance uses the term “data user” (which has created enormous confusion in client engagements when discussing collecting the data of website visitors or SaaS platform customers!), and the CCPA calls the controller-like party a “business” and the processor-like party a “service provider”.

We therefore felt that “Controller” was becoming too GDPR-centric and have changed it instead to “Owner”.

For some, this will appear to be unwise wording. After all, the central ethos of data privacy is that the data subject is the ultimate owner of their personal information, and not a brand who simply holds a record of it. However, we wanted to use a term that conveys an obligation to oversee the treatment and physical safety of the data – in other words, they are not the owner of the data (that will always be the data subject), but the owner of the responsibility.

Meanwhile, for the same reasons of GDPR-centricity, we have changed “Processor” to “Executor”.

We considered “Agent” but it risked being too easily confused with “Controller” / “Owner” who is often said to have “agency over data”. Plus it suggests being in the direct and total control of the Controller, which is not accurate.

We considered “Proxy”, but we felt it implied too much control over the decision-making.

And we considered “Intermediary”, but it didn’t feel quite representative of all types of data exchanges between the two parties.

“Executor”, meanwhile, is a sufficiently recognised legal term to be understood, while striking the right balance between performing a role that is instructed at a high level and having enough freedom in the performance of that role to bear some responsibility.

Data Protection Impact Assessments vs Privacy Impact Assessments

A big conversation currently is the difference between a Data Protection Impact Assessment (DPIA) and a Privacy Impact Assessment (PIA). GDPR requires DPIAs (Article 35), while the industry has always been accustomed to PIAs, and has mistakenly conflated the two.

So, what’s the difference?

We could spend thousands of words on this, but in brief terms, a PIA is a process that privacy teams use to assess how changes to the business affect the overall privacy strategy, impact Privacy by Design, and whether they create new risks.

Meanwhile a DPIA is more targeted, both at an individual process, and on the impact on the data subject. The two processes certainly overlap, but they also have different aims. They should both be performed, in tandem, with any change to the business – but by no means should one replace the other. Accordingly, we have split them out in the table, as elements #27 and #28.

To make room, we combined “Suppliers” and “Partners” in the bottom half of the Central Components of Data Privacy section, where various types of data subject are listed, to create a new element, “Third Parties”.

“Data Protection Officer” now “Privacy Officer”

Just as with Controller and Processor above, we feel that the GDPR-centric title of Data Protection Officer (“DPO”) hasn’t become universal, or even as commonly used as anticipated.

Russia does use the term, as does the Indian privacy bill, but Brazil’s draft for example simply refers to “Privacy Officers” whose roles are arguably more akin to CISOs, especially given there’s no requirement to avoid conflicts of interest. The CCPA has no requirement for the role at all, although commentators are widely recommending that having one would be best practice regardless.

In essence, there is too much variety in nomenclature, and even in the exact requirements or necessity of the role itself, for us to continue to use DPO as it is commonly understood. We have therefore switched it to “Privacy Officer” (element #39), intending it to refer simply to an internal supervisory role where the rights (ethical as well as legal) are represented within the business. Whether an organisation is compelled to appoint one or not, it is surely prudent to have such oversight in place.

Replacing ICANN with US States

The ICANN saga (element #114 in the Future Developments section) appears to have reached something approximating a conclusion – for now at least. As of May, the WHOIS directory has been redacted and access is now controlled. And while conversations continue over whether this affects anti-terrorism efforts and the like, and a long-term solution is still being sought, there is unlikely to be major change for some time.

We are replacing this with an area of far greater disorder and confusion – the various privacy laws of the US’ individual states. Three states – Nevada, Maine and California – have passed their local laws (though see our previous update as to why we are still keeping the CCPA in Future Developments rather than Core Legislation), and as many as 11 have bills in progress, and five have been toppled in some way, including Hawaii’s that was vetoed only a few days ago.

As many know, there is talk of whether these states’ bills will create enough pressure for a single federal bill to be introduced, but for now, and perhaps for quite a while yet, we suspect the states will have to continue to handle data subject protection themselves.

(As a side note, did anyone notice our deliberate use of USSs for this element, not to be confused with USSS, the United States Secret Service – an ironic potential confusion for this topic!)

As always, let us know of any suggestions, disagreements or recommendations. This is an open and live project that actively seeks input and is regularly updated as things change.

The top ‘AI for Business’ influencers you need to follow

The need for Artificial Intelligence within businesses is becoming far more apparent. As companies become more data-driven, they want to ensure they extract all possible value and insights from their data.

Whether the objective is to gain or maintain a competitive edge, improve customer experience, reduce costs, or increase productivity, automation and AI has the power to transform businesses, making it the buzzword within the business world.


In the news: Five stories about Artificial Intelligence

Artificial Intelligence, and Machine Learning in particular, have without doubt become the hottest topics of discussion throughout the business and technology worlds.

Development, breakthroughs, benefits, ethics, data privacy – there is so much information being published almost daily about AI.

Which naturally makes it confusing for those taking their first steps into discovering how and where AI might make a difference to their business.

To help, we have tried to distil all the AI commentary from the last few months to just the five most useful articles. These handpicked stories provide an overview on AI, guidance on how to implement and scale it across your business, and then some specific examples of how it is transforming financial services – one of the industries that we feel stands to gain the most from the use of machine learning.

Combined with our material on how to discover where in your business would stand to gain the most from AI, these five articles give you a complete overview on how to use machine learning to catch up with the competition.

  1. The State of AI in 2019

AI is exciting; it’s evolving by the day; the capacities are seemingly endless. Has all the noise around AI softened the impact of this great revolution?

James Vincent’s article dispels the misunderstandings surrounding AI and shows how broad the term is, from smart homes to healthcare, all the way to improving business processes. He explains the process of machine learning and how it is a fundamental subfield of AI, and highlights the amusing misunderstandings of its power and dangers.

Moreover, while The Verge shamelessly re-uses the much-repeated example of using machine learning to recognise images of cats, the point James is making is serious – automated decision-making can give businesses a competitive edge. But only provided it is deployed correctly, with suitable respect to data privacy, bias and sensible business objectives.

This useful article highlights the dangers of not addressing these fundamentals, and concludes by quoting Kai-Fu Lee, a renowned AI researcher, that we are currently in the “age of implementation” – only emphasising that those who are not investigating how and where to implement AI to improve business processes’ accuracy and effectiveness will soon be left behind.

  2. Seven ways to jump-start AI

With all the PR about how AI can change your business, it’s unsurprising that businesses are jumping headfirst into this technology. However, for many, this haste has meant the projects have not all been plain sailing, resulting in them meeting more challenges than advantages.

We see this problem in many of the businesses we speak to about AI, where they have previously tried to deploy machine learning into business processes, but have not seen the benefits they expected. This is why we liked this article from Information Week, as it describes a business’ more pragmatic route to jump-starting an artificial intelligence project. All the speed, but less of the haste.

The article provides seven key lessons, based on the barriers organizations have faced when implementing AI without sufficient prior consideration: from ensuring you have mapped out exactly the business challenges you want AI to address, to ensuring you have the right team in place, the right data, and buy-in across the company.

These steps echo exactly our own thoughts and practices for deploying AI, which is why our AI Value Discovery Service has been designed to discover where the technology will be most impactful to your business, whilst addressing the obstacles that would otherwise derail the project. For more on the thinking behind this service, and a sneak peek of the process it goes through, download our free white paper here.

  3. Five takeaways on scaling machine learning

According to a recent Gartner survey, 37% of organizations have already implemented AI into their day-to-day business, with many other businesses looking to introduce the technology. This article from InfoWorld highlights the ways that large organizations like Facebook and Twitter have maintained the advantages machine learning first gave them by scaling its use from a small number of use cases to far wider across the business.

Whilst it sounds daunting, especially for SMEs who do not have the same resources as these two tech giants, or who have not even deployed their first project, it also shows smaller businesses how to make sure their first use case is not simply a “point solution”, is inherently scalable, and that maximum value is planned for from the outset.

  4. How Artificial Intelligence is helping financial institutions

AI and machine learning have the ability to transform businesses within the financial sector, and this Forbes article discusses the competitive advantages the technology has to offer. From chatbots and personalised customer service to providing 24/7 banking services and preventing and detecting fraud and money laundering, AI is in widespread use protecting and serving the financial services industry.

However, the article does touch on a key barrier within smaller financial companies: the high salaries of AI expertise. This creates two trends – a tendency to look outside the business for experienced support, plus a lack of tolerance for AI projects that fail to add value.

Our artificial intelligence and machine learning services not only give smaller financial institutions access to this expertise, but our practical approach ensures that no technology is deployed before a clear financial case is scientifically discovered.

  5. How AI is revolutionizing financial services

Building on the Forbes article above that looks at where AI is currently proving valuable for financial services, McKinsey Global Institute predicts that from the $5.6 billion that banks are expected to spend on implementing AI in 2019, the financial industry could see a return of upwards of $250 billion.

The additional angle this article covers is the potential compliance challenges businesses face when deploying AI, especially if machine learning is to determine credit risks for potential new customers. The main question being asked is whether AI’s output is transparent enough given regulators’ requirements for fully explicable decision-making – the so-called black box problem. This in turn leads to concerns over whether AI can truly be unbiased if it is naturally dependent on the data it is given – or, more accurately, the data that humans have chosen to give it. There is no silver bullet to this, but one suggested mitigation is ensuring the team managing the AI project is diverse, although this inherently requires an even greater salary spend.

These five stories provide an excellent primer for businesses investigating the opportunity that AI presents to their business. And the key theme across them all is clear: finding the right use case for your AI project is more than half the battle.

9 cloud influencers you need to watch and why

There is probably no business technology topic with more column inches dedicated to it than cloud computing.

Topics range from the virtues and drawbacks of private, public or hybrid, to the complexity of migration, or cloud’s suitability for certain industries, businesses or use cases. Not to mention the excitement over more futuristic topics such as the quantum computing race.


Data Privacy News: Five stories that you need to know about

From huge GDPR fines to alleged privacy trends for 2019, our roundup blog covers the top 5 stories about data privacy you may have missed this year so far.

They are not necessarily the articles with the biggest headlines, most surprising stats or even necessarily the most well-known. But taken together, these 5 stories paint the clearest picture of where the privacy world sits right now.

1- Data Privacy – will it be as in vogue as it was in 2018?

This article on TechRadar notes that privacy was simultaneously an exciting and a chaotic topic in 2018, and asks whether this year will see a decline in interest or whether it will remain as high on the agenda.

The answer is most likely, “yes, it will remain on the agenda, but for different reasons”.

The main thrust of the privacy news cycle in 2018 was simple – GDPR’s arrival, the confusion it caused, especially in relation to Brexit, and the domino effect it had globally, as more and more countries adopt their own very similar legislation.

But in 2019, the emphasis shifts. Now we are talking about its enaction and extension.

Big brands are being hit with hefty fines, theoretically being held up as examples to all businesses of the seriousness with which Supervisory Authorities are dealing with transgressions. While this will be true for some, many smaller companies are thinking they can hide under the radar. This is just one of the many misperceptions that we highlight in our Tales from the GDPR Frontline – a collection of anecdotes of the mistakes and oversights that our Privacy team has noticed amongst our clients.

As for its extension, this article also highlights the change in privacy conversation from GDPR to ePrivacy i.e. the storage of data, the use of cookies and electronic communications. In codifying privacy rights and requirements, GDPR has created a foundation on which to build, and it seems the specifics of ePrivacy (see the long-running conversation over the Regulation’s timeline in particular) will be one of the first new building blocks.

2- Tech Tent: Facebook’s Planned Privacy Pivot

In this article and supporting Podcast, Rory Cellan-Jones, technology correspondent for the BBC, notes how times have changed. Gone are the days where people openly share every detail of their lives on social media, and in particular, on Facebook. Instead, consumers are increasingly concerned about where their data is being stored and how it’s being treated.

Facebook, over recent years, has been accused and found guilty of mishandling its customers’ data regularly, and has been late to the game in adapting to the changing mentality of “privacy-first”.

After a number of scandals Facebook’s CEO, Mark Zuckerberg, has announced in a blog post that the company is changing the way it thinks about privacy and how it wants to implement stronger privacy controls, and make Facebook a “privacy-focused platform.” This in the face of its track record:

I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform — because frankly we don’t currently have a strong reputation for building privacy protective services. But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories. 

But this BBC article was not chosen to show how Facebook has changed. The point is wider than that. The world view of privacy and acceptable use of data has changed dramatically, and for some, too quickly. Facebook and Google will not be the only ones to suffer from this. Businesses of all sizes, and even execs and department heads, that have grown accustomed to practices that are not strictly privacy-first will find this new world cumbersome, obstructive and frustrating, making the prudent and balanced introduction of Privacy by Design principles vital to their ongoing success.

3- Google GDPR fine shows ‘embarrassing’ extent of how firms misuse people’s data

Nearly a year on from GDPR coming into effect, over 200,000 cases have been reported, resulting in €56 million in issued fines. An article on this remarkable statistic is available here, and arguably this should have made the top five stories, but there is one fine that stands out the most.

In January, the most significant GDPR fine to date was issued to the technology giant, Google. CNIL, the French regulator, issued the €50 million (£44 million) fine after receiving and investigating reports on how Google handled people’s data.

They found that Google had “not sufficiently informed” people on how it collected their data and showed a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. Rather than go into the details here of what the decision teaches the privacy industry and wider business, check out the blog post written by our Director of Data Ethics and Privacy, Sophie Chase-Borthwick.

Moreover, it looks like this is the tip of the iceberg. Ron Moscona, a partner at international law firm Dorsey & Whitney, states: “The penalty imposed on Google by the French regulator can be seen as a warning shot at the digital industry at large.” And, with complaints filed against Amazon, Apple, Netflix and Spotify, we can expect to see some hefty fines hitting the headlines soon – notwithstanding the point made above: it won’t be just the big brands.

4- Consumer Data Privacy: Why We Need A (Single) Federal Law

Building on the point made in the first article, and the domino effect that GDPR had, this article argues that the United States needs to follow the EU’s footsteps and enforce a national data protection law that all businesses and organizations would need to adhere to.

When GDPR was enforced, it prompted numerous discussions of data privacy regulations across the US, resulting in California being the first state to act. The California Consumer Privacy Act (CCPA) was adopted in June 2018 and is set to become state law on January 1st 2020 (although there are proposals afoot that could impact that).

As it currently stands, this new law gives Californian residents the right to know what personal information businesses collect, where they got the data from and how it will be used. It also makes it easier for consumers to file lawsuits against companies who suffer a data breach, prompting more organizations to start pre-emptively examining their data privacy and security processes.

Privacy is clearly a rising tide, but with more and more legislation likely to come to the fore, adherence for companies whose activities cross national borders, whether by virtue of employees, customer base or suppliers, will become increasingly confusing. This is what triggered our Data Privacy Periodic Table project – an ongoing and regularly updated collection of the key points, or “elements”, of data privacy.

5- Data privacy doesn’t mean data security – Here’s how to protect your business

This article from Verdict raises one of the most important, but often forgotten, points of data privacy: the relationship between data privacy and infosecurity, and the equal importance of both.

The exact nature of it is constantly debated. Do they overlap? Are they symbiotic? Does one underpin the other? Or is one a sub-discipline of the other? Regardless of the outcome – which may vary from business to business anyway – one thing is clear: they are not the same.

We find that many of our clients, prior to working with us, considered robust infosecurity disciplines and infrastructure synonymous with privacy, or alternatively, they considered the two unrelated.

We take infosecurity’s role in privacy extremely seriously. In fact, our privacy teams comprise as much infosecurity experience as legal expertise. No matter what your personal views on the debate, one thing is certain: when it comes to the protection of data subjects’ data, both fields are equally important. So much so that breaches of any description will always point to failings in both fields.

8 Data Privacy Influencers we think you should be aware of

Data privacy is probably one of the fastest-growing conversations the business world has ever seen. After all, it is a perfect storm:

  • It is new.
  • It is emotive.
  • It is unresolved.
  • It is constantly changing.
  • It overlaps with other new, unresolved and constantly changing business conversations, such as Artificial Intelligence, businesses’ use of data and even global politics.
  • The media cycle is peppered with big, eye-catching brands and big fines.

However, with so much noise being made about data privacy – whether about GDPR or other debates on national, local or sector-specific regulations; its implications for AI and IoT; its overlap with Infosecurity or even simply best practices for privacy in business – it can often be overwhelming and confusing.

So who should we be listening to and why?
We’ve done the hard work for you and have searched high and low for some of the most insightful and astute influencers in the data privacy world. We believe these are the voices worth listening to in order to stay informed and updated with the latest news and debates within data privacy, data security and data protection.

Jed Bracy

Jed works for the International Association of Privacy Professionals (IAPP) as an editor of Privacy Perspectives and Privacy Tech. He is fully immersed in data privacy and writes about the ongoing views and developments of data security and privacy. He also blogs about the intersections between technology, society and privacy and writes feature articles for The Privacy Advisor and Privacy Tracker.


Ann Cavoukian PhD

Dr Ann Cavoukian is one of the world’s leading privacy experts. She is presently the Distinguished Expert-in-Residence, leading the Privacy by Design Centre of Excellence at Ryerson University. Dr Cavoukian served three terms as the Information & Privacy Commissioner of Ontario, Canada, where she created Privacy by Design. She has received numerous awards such as being named as one of the Top 10 Women in Data Security and Privacy and earning the Meritorious Service Medal by the Governor General of Canada for her outstanding work on creating Privacy by Design.


Sandra Wachter

Dr Sandra Wachter is a lawyer and Research Fellow in Data Ethics, AI, robotics and Internet Regulation/cyber-security at the Oxford Internet Institute. Sandra specializes in technology, data protection and data privacy law. She often delivers talks on data ethics and privacy, and comments on the most topical news as it appears.


Eric Vanderberg

Eric is well known for his insight on cybersecurity, data privacy and protection. He shares the latest updates on privacy breaches within large organizations and comments on the key mistakes these companies often make. Eric is the author of several books, and he frequently writes articles for magazines, journals, and other publications.


Omer Tene

Omer Tene is Vice President and Chief Knowledge Officer at the International Association of Privacy Professionals (IAPP), where he leads the creation of content as well as sharing relevant news, articles, research and knowledge within the privacy world. He consults with many businesses and governments on data privacy and data management, as well as cybersecurity. Omer also contributed to our pre-May 2018, discussing the implications of GDPR.


Graham Cluley

Graham Cluley is a public speaker and independent computer security analyst. He reports on the latest security issues and data breaches as they happen and is the co-host of the award-winning podcast “Smashing Security”, which discusses the world of cybersecurity and online privacy.


Sheila FitzPatrick

Sheila FitzPatrick is a worldwide expert in data privacy and data sovereignty laws, especially GDPR. She is a consultant Chief Privacy Officer for all industries, including the technology sector, and is a regular speaker at national and international privacy conferences. Sheila shares news and articles on GDPR, data protection, privacy and regulation. Sheila was a contributor to our GDPR Interview Series and discussed how businesses can overcome the confusion over GDPR.


Rebecca Herold

Rebecca Herold is known as the “Privacy Professor”. She is an information privacy, security and compliance consultant and serves on many advisory boards. Rebecca has written numerous articles and books on data privacy and information security and also hosts a podcast called Data Security and Privacy with the Privacy Professor.
