200 and counting

It is a big week for all things GDPR (General Data Protection Regulation).

Firstly, Thursday sees us hit the 200-day milestone to GDPR Day (25th May 2018). This is the day from which all businesses will be required to comply with the new regulation.

Monday saw the announcement that the new Data Protection Bill will be put before Parliament after the summer recess. This will once and for all settle what will happen post Brexit. The Bill will, to all intents and purposes, transfer the GDPR into UK law as part of the Brexit preparations.

So GDPR is going to happen. It is time to extract heads from the sand and get on with preparations. 200 days is not long. This isn't something that will only affect large corporations and the public sector: all businesses need to prepare.

Let's put the record straight on the reasons for GDPR. It is not there to persecute businesses and make it harder to do business; it is about making sure the massive amounts of data that are exchanged are exchanged in a way that protects the individual. And that individual could be you or me. Nowhere in the GDPR have I seen it say that something cannot be done. Things just have to be done in a way that protects you and me.

Let's look at some of the reasons this regulation has been brought in.

  1. The current Data Protection Act has not kept up with technology and the power of the internet. In 1995, when the current act was being drafted, there were around 16m internet users, 0.4% of the world's population. In March 2017 it was estimated that there were over 3.7bn people in the world using the internet, over 49% of the population. 3.7bn people create a lot of data; in fact they create over 2 exabytes of data a day. If that were written to 700 MB compact discs it would need close to three billion of them every day. That surely has to be managed well.
  2. What we do on the internet has changed. In 1998 there was no such thing as social media, for example. Social media itself has also changed. What started off as a great communications tool has morphed into a massive data generation engine used for all manner of analysis. We have become a commodity of the internet.
  3. There has been a lot of talk about the extended powers that will be given to the Information Commissioner's Office (ICO). Yes, the fines have been increased; largely this is to encourage businesses to do the right thing rather than take the risk of being fined. Currently the maximum fine that can be imposed is £500,000. To a business turning over hundreds of millions of pounds a year, it may be worth the risk of a fine rather than spending the money on process and technology. Change that to a maximum of 2% of global annual turnover or €10m (whichever is higher) for the lower tier of infringements, and 4% or €20m for the upper tier, and the risk assessment may look a little different.
  4. Businesses will no longer need to register with the ICO, so that puts all businesses within scope. That has to be a good thing. No longer is it just large companies that can process massive amounts of personal data; it is just as easy for a small or even micro business to hold huge amounts of data.
  5. The rights of the Data Subject will be increased. The most publicised is the right to be forgotten, but that is not the only big change. Consent will require all organisations that collect personal data on the basis of consent to review and possibly change their processes. This could require website modifications and the reprinting of paper forms. If you haven't got this planned in yet it could be costly. I'm fairly certain that web developers will be in short supply in the early part of next year.
  6. Finally, GDPR aims to simplify the understanding of data protection across Europe. There will be one regulation covering all 28 member states, rather than the current 28 different national laws.

If you want to get some idea of what you need to do to prepare, read some of my earlier blogs. I also offer a one-day course on implementing GDPR with the National Cyber Skills Centre. If you haven't started yet, your first job has to be to understand your data.

Image by Tnarlk Innael used under Creative Commons Licence

I’m confused

Computing and technology are as delicate and fallible today as they were 30 years ago!

In the last three weeks we have experienced two major public IT failures. I am slightly confused as to how they could both become so massive.

I entered the IT industry nearly 30 years ago. Like so many in those days, I came from a previous career and fell into the profession. Falling into it, we brought experiences with us from those previous careers. One thing we all acknowledged was the fallibility of technology, or of anything mechanical. We made sure we reduced risk wherever we could, and where we couldn't we had a fallback process. So what is happening in this world today? (Oh 'eck, I'm sounding like me Dad!)

This weekend we saw British Airways (BA) grounding all its flights because of a catastrophic computer failure. It is reported that this was caused by a massive power surge at their data centre. We saw images of airports crammed with disappointed passengers and what looked like confused employees. As I sat watching the news, my only thought was: how could a power surge cause such damage?

30 years ago, when I was involved in setting up my first data centre for a 1,500-bed hospital, we knew that a power surge on our delicate computing equipment could cause a failure that we would find difficult to recover from. So we installed a clean supply and a bank of Uninterruptible Power Supplies to smooth out that supply and keep us running long enough for the generators to power up in the event of a loss of mains power. I can only assume that BA didn't do this in their data centre, one that controls thousands of passenger journeys every day! We also anticipated that a failure could result in the loss of important patient data, so we had a 'hot failover' from which we could pick up normal IT services, albeit at reduced capacity, but a service nevertheless. That hot failover was housed away from the main computer facility. Finally, we had manual fallback procedures, which we had practised. These procedures included staff assigned the responsibility of communicating with system users and hospital users. I didn't see any of this on the news reports.

The measures we put into place were not cheap at the time and took some justification; weeks of writing business cases, as I remember. When we lost power to the computer suite and no users noticed, it was justified.

Since then technology has moved on, and many of the things that were expensive then now cost pennies, especially when you set them against the cost of the initial implementation and the cost of losing the systems businesses have come to rely on. Finally there is the reputational damage, which is not always acknowledged. This is anecdotal, but the view in my local on Saturday was heavily toward avoiding flying with BA for the foreseeable future. Sure, this will be forgotten over time, but what will be the immediate cost?

Have we become complacent? With our always-on society and IT service companies offering 99.999999% uptime, are we forgetting the fallibility of these devices? I would suggest we probably are, and it is time to re-evaluate.

One of the first lessons I learned about managing IT was three letters: C I A. No, not the US intelligence agency, but maintaining Confidentiality, Integrity and Availability. Those three letters stand as much today as they did all those years ago; even now, whenever I consider changes to IT or assess risk, I recite CIA. In fact they are probably more pertinent. Risks haven't reduced; they have changed and in some areas increased. I don't know how much this failure will have cost BA or how much WannaCry will have cost the NHS. One thing is certain: it will be more than the cost of putting the technology, people and processes in place to reduce and manage the risks!

My final thought this morning was: what will the ICO make of the NHS and BA incidents? Both involved personal data. One involved damage through encryption and the other non-availability at the point of need. Watch this space. There could be even more cost winging its way.


257 days and counting

25th May 2018 is now only 257 working days away. Some reading this may wonder what the significance of that date is. Actually, according to a survey I conducted recently, probably about 33% of readers will be asking that question. Friday 25th May 2018 is GDPR day, the day our current Data Protection Act is retired in favour of the European General Data Protection Regulation.

257 days sounds like quite a lot. Five days in business can be a lot, but when it comes to GDPR, 257 days isn't much time at all. In the days left, businesses need to:

  • Know what data they hold and what they hold it for. They will need to take time to document and audit their data, recording the data held, where it came from and where it is sent to. Even for small businesses this is not a small task; in this day and age small businesses can hold masses of data. It could, however, be an opportunity for a cull of unwanted and out-of-date data.
  • Review all current privacy notices. This could include development time on websites. Get in quick: web developers are going to get very busy, and costs could start to increase as we get closer to 2018.
  • Ensure that procedures are in place to support the rights of data subjects. There have been changes, such as the right to be forgotten and the right to data portability. Processes should be put in place now. It is too late once a request is received!
  • Understand, if appropriate, how the business will deal with child consent. Again, this is likely to require changes to websites. I will repeat the warning about getting in quick: costs will rise next year.
  • Put in processes to monitor for and manage data breaches. There will be a legal requirement to report personal data breaches to the ICO, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Delays in reporting will not be looked on favourably by the ICO. Neither will data breaches that go undiscovered for prolonged periods.
  • Review business processes to ensure that data protection is built in. Here the business has a great opportunity to modernise and streamline its processes. This will take time, though.
  • Appoint a Data Protection Officer if one is required. These will be in short supply initially, and recruiting for such a key position could take some time.

Looking down the list, it becomes clear that 257 days is not long. So for the other 46% of my survey who said they didn't understand the implications of GDPR, you do now. For the 35% who said they didn't know when they would start implementation, now would be a good time, and for the 37% who have not committed any resource to this yet, do it.

The EU gave businesses two years to comply with this new regulation. Admittedly, communication from the various quarters hasn't been brilliant. However, ignorance will be no defence and penalties will be harsh. Don't get caught out: start your compliance activity now.


GDP…What?

I must confess. Until last summer I didn't know much about GDPR. I had heard a new data protection regulation was on the way, but that was the sum of my knowledge. I felt that was a little shameful for a person who specialises in helping businesses understand information risk management. After all, data protection is about managing your risks around the data you hold.

I went off and searched for information and found an abundance, probably too much and too complex, and much of it aimed to scare, talking about fines of 4% of global turnover. But I recall that I had to go and find the information. Nothing at that point had been 'pushed' to me. Not that I can recall, anyway.

Now I have an interest in understanding the regulation, but what about the general business population; how much do they understand? I have been doing a few seminars on GDPR recently, and whenever I ask the audience how many know about it, normally fewer than 10% admit to knowing anything. Then they appear almost embarrassed to be in a minority. This prompted me to conduct a short survey amongst local businesses to understand their level of understanding and preparedness. I can't claim it was scientific, but the findings are quite concerning.

The questionnaire was sent to local businesses, randomly selected from the Chamber of Commerce membership database and my own contacts. It included a combination of small, medium, large and public sector organisations. There was a 24% response rate, with 81% saying that they currently hold data that can identify individuals. The responses were completely anonymous.

The first question asked how aware businesses were of GDPR. 32.5% declared no awareness at all, and a further 46.5% said they were aware of GDPR but did not understand how it would affect their business. That is 79% of businesses who, as yet, have done nothing to prepare or don't even know about it. We are now only a year off the deadline for compliance!

Some businesses have started to examine the implications, but 34% of the respondents said they didn't know when they would start. This is coupled with the fact that 37% of the organisations have not yet defined or allocated any resource to the implementation. It is even more concerning when 42% indicated that they thought implementation would take between six months and a year, or even longer.

Why aren't businesses prepared? Why is knowledge of GDPR so low? Well, I take you back to my first paragraph. I think businesses still have to go in search of the information. When they find it, for most business leaders it can be scary, some of it generating the FUD (Fear, Uncertainty and Doubt) that we had with cyber a few years ago.

There has been little information pushed out from the powers that be. When I compare GDPR to Auto Enrolment, I think every business leader in the country got personal correspondence from the DWP clearly telling them what they needed to do; there has been nothing similar on GDPR.

The ICO has some excellent publications, 'Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now' being just one. Isn't it time the Government started pushing this information out to businesses rather than expecting them to stumble upon it? This is a big change for many businesses and they need support.


I do get fed up!


I'm not the sort of person who is naturally overflowing with optimism. I'm cautious with my optimism; that way I'm rarely disappointed. However, I do get increasingly fed up with our society's tendency to see only the negative side of things (I must be getting old). This has recently come to a head as I work more on implementing the new European General Data Protection Regulation.

This regulation comes into force in May 2018, just over a year away. It isn't being dropped on us at short notice; we were given two years' notice.

Let's put GDPR into context. It replaces a piece of legislation that is 20 years old, legislation that was put in place to protect our privacy in the technological world that existed at the time. That world has changed beyond recognition. In 1998 there were 147 million internet users worldwide; when the laws were actually being written, between 1994 and 1996, there were more like 16 million. Today there are in excess of 25 times that number, over 3 billion (source: Internet World Stats). The amount of data being transmitted every minute is colossal, and the current laws governing the management of that data are outdated. GDPR has been developed to protect this data: data that belongs to you and me.

In 1998 biometrics were a thing of the future, science fiction. Genetic data was something only considered in healthcare and high-level research. This form of data, our most private, is not specifically recognised as a special category under the current law. So we have to move on.

In recent weeks I have presented to a number of business leaders. I have received a mixed response, very little of it positive. Some have completely overreacted, stating that it will prevent them doing business. GDPR isn't meant to stop businesses doing what they do, just to ensure they do it in a way that protects the data subject and makes the law uniform across Europe. That has got to be positive.

One area of negativity is around consent, and particularly having to re-consent. This is a great opportunity not only to clear out obsolete data from systems but also to validate that the people you are communicating with are reading your communications and that you have the correct details. Why would anyone want to put effort into communicating with people who don't want to hear your message or no longer exist? Over time that is more wasted effort than an exercise in validating the data you have.

I was recently at a presentation by Lord Digby Jones. It was enlightening. He talked at length about how great British industry is, but how, now more than ever, it needs to embrace and be positive about the challenges we face. Let's start looking at this new legislation as an opportunity, not an obstruction. We have to embrace it, and it will be much easier embraced positively.

It is at times like this I think of the Charles Darwin quote:  ‘It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.’  This is as true for business as it is the animal world.

In future blogs I will consider some of the impacts of GDPR and ways that I think businesses could benefit from it.


Easy does it GDPR could be a gentle stroll


I haven't written a blog for a while because I have been busy. Busy preparing for the future. I have, hopefully, secured my website, made better provision for the security of my tech and got a couple of certifications to show my customers I'm serious about this stuff. But that was not the only reason. As I sat down to write this blog there were 464 days, 14 hours and 41 minutes to the implementation of the General Data Protection Regulation (GDPR). Oh, that is now 464 days, 13 hours and 34 minutes, so we had better get a move on.

The GDPR is probably one of the most significant pieces of legislation to affect UK businesses this century (I've always wanted to write that!). It will, in some way, affect all businesses. 464 days, 13 hours and 32 minutes (time is ticking) seems an age in business terms, but in GDPR terms it isn't. I'm a small business and implementing the basics has taken me since Christmas. OK, that hasn't been full time; I had to earn a bit of money as well, like all businesses, but there are still things to do.

After completing the GDPR practitioner course in December 2016, I thought I ought to get my own 'house in order'. In January, full of new year spirit and flu, I set off to be a beacon of compliance. I don't hold much personal data, so I thought I would sail through the process, but I wanted to take the opportunity to do things properly and look at how I worked. Implementing GDPR is a great opportunity to look at the way you work and, whether it's for compliance or not, to question your processes and make improvements. This is not a message I'm hearing amongst the scare stories of fines of 4% of global turnover. Looked at positively, this could be a great business opportunity, one that could save money as well.

I will confess: some of my practices had slipped. First I set about examining what the security of my information meant to me as a business. My risks are probably in line with most small to medium businesses, so I decided to look at the Cyber Essentials certificate and also the IASME governance framework. Working through these made me think about what I had in place to protect my data. I wasn't too bad, but I needed to tighten up in a few areas to achieve certification. In doing this, though, I have laid a great foundation for the rest of the GDPR work. That has to be good.

As I said, I still have things to do. I have to work out how I am going to manage the cookie policy on my website (I drop one security cookie), develop a privacy policy and sort out a few other bits and pieces. These I will do over the coming months. Another key message: start now and pace yourself. Implementing GDPR will be a cross-country run, not a sprint. Start early and it could even be a gentle stroll.

When I was thinking about the implementation of GDPR, for some reason the Millennium Bug came to mind. Eradicating the bug was incredibly successful; as someone who was involved in getting a significant piece of software compliant, I know that the work was really necessary. On 1 January 2000 the press were stating that it had been over-hyped. It hadn't. What had happened was that businesses had planned and taken the time to look at and correct the issues. Some had even improved their applications. Time: that is what is needed with GDPR. And you now have 464 days, 13 hours and no minutes.


There are 3.5 billion internet users!

And I read this morning that in 2016, 1.6 billion personal records were leaked, breached, stolen, call it what you will. It also appears that the trend is only set to increase.

I did a little digging around and found that there are approximately 3.5 billion internet users, about 40% of the world population. This means that potentially 45% of internet users could have had their records leaked. OK, you say, some will be duplicates and there will be other statistical anomalies that I don't really understand which will reduce the percentage; but even reducing this number to 35%, it is an alarming statistic. If 35% of the world population were suddenly struck by the same disease, would we be so calm? No, there would be mass hysteria. Would governments be working together to resolve the issue? Yes, I'm sure they would.

It appears to me that cyber-crime is not being tackled in a coordinated way. All governments seem to take an independent approach. Our own government has a Cyber Security Strategy based on making the UK the safest place to be online. Whilst well intentioned, this is surely wrong. Internet-based crime is a worldwide problem and can only be managed with a coordinated approach across the world. It is no use the UK being the safest place to access the internet when my records travel across the world, way outside our jurisdiction, just to go a few miles to my insurance broker, for example.

Europe is going some way to tackling the issue with the introduction of the European General Data Protection Regulation (GDPR), which is due to be implemented in 2018. It standardises across Europe the measures that businesses must take to protect personal data. It also stipulates what safeguards need to be in place if data is transferred outside the participating countries.

The GDPR is a great step, and it is clear that considerable thought has gone into it and into tying it to security frameworks. There will be some teething problems, I'm sure, but it will be a massive step forward. Now we need to turn to law enforcement. The GDPR will deal with the processors of data if they get it wrong, but why can't the law enforcement agencies start to do something similar, with a common approach to hunting down and prosecuting the perpetrators of internet crime? It has taken years to develop the GDPR; getting 28 member countries to agree a single approach takes time. If it can be done for data protection law, surely we can agree some standards for coordinating criminal investigation and prosecution of the culprits. That would start to have a massive effect: currently the chances of getting caught are low, and if caught the chances of being convicted are also low. Anything we can do to improve this has to be good.

Featured Image by: frankieleon used under Flickr Commons Licence
