
GDPR - When Compliance finally got interesting by Carl Gottlieb

BSides Scotland, 1:00:00, published 2017-04

Wait. Right. So for everyone in here just now, we have GDPR, When Compliance Got Interesting, with Carl Gottlieb. So if everybody's here for that, I'll hand it over to you. Yep.

So you've got about 30 seconds to get out before we lock the doors. So, two. Right.

Great, so thank you for the 10 of you that have stayed. So compliance is the most boring thing in the whole of IT. It's awful. Those of you that work in compliance, I think you agree really that it is, but hopefully I'm gonna try to appeal to you today to say why it's not, why it's gone cool and exciting. So my name is Carl Gottlieb. I do a bit of snowboarding in my pastime. That's me looking really cool. I'm also... I run a consultancy company called Cognition. We do a lot of data protection stuff, GDPR, and also do a little podcast called Command and Control. And also, if you're into malware, a little website called testmyav.com where you can download ransomware and infect yourself.

So, data protection. There was a directive that came out of the EU back in 1995 called the Data Protection Directive. It basically said, if you're an EU member state, of which there's 28 of the others, this is what you should do. And so the UK looked at it and said, right, we're going to implement that as our Data Protection Act. So you might have heard of the Data Protection Act 1998, essentially how you handle data in the UK. It was a directive though. It said what we want you to do, but you implement it how you think best. So you can imagine across all of the EU, across all 28 member states, people handled it differently. So in that last 20 odd years, things have moved on a little bit in IT, you know, a tiny bit. And also, the need to harmonize the rules, make them consistent. So we came out with the... I'm not gonna say which antivirus vendor I use, silence. So they created a new one called the Data Protection Act, a regulation. So a regulation is very, very different. A regulation is something the EU creates, and as soon as it creates it, it becomes law in every EU country. There is no implementation, there's no writing of any act, anything like that. So 25th of May last year, the EU GDPR regulation came into law in all 28 member states, so it is now law in the UK.

So in this title, what we want you to really focus on are the two middle words, data protection. This isn't about privacy. Now, everyone that's really into privacy goes on about how GDPR is about privacy. It's not. It's about data protection, and the two are very, very different. Ultimately, with GDPR, we want you to focus on all aspects of data protection, whether it be rights, whether it be losing data, whether it be keeping data, ultimately, as a very, very minimum, if you focus on just keeping it safe, that is really where your focus should be. So it has some principles. I don't want you to read all of these too much, but essentially, just look after data. Don't collect too much, don't keep it for too long, get it responsibly, all that kind of stuff. All of this can really be summarized, these six key principles, into: just don't mess around with data. Be responsible, protect it, and respect people's rights. Now what's really interesting about the GDPR, if I go back to those six points, these six principles, they exist as law. These principles exist as law. So what that means is, unlike PCI, you can't find a loophole inside GDPR. Because if you do, the principles will catch you. And so if you say, right, I think I can find a way around this bit and this line item, then if you're not acting fairly, the regulators will look at that. If you're not acting fairly, you will get done. So the principles are great because they just say do it properly. And what that means is a regulation versus PCI. It's 100% risk-based, which is great from a data protection perspective, but from an implementation perspective, it's a nightmare because you want people to tell you exactly what to do. So what is personal data? Well, this is really what we're talking about, and it's different to what you may know as PII. Personal data is essentially a much bigger scope. It is anything that can help identify you. So a photo can be personal data, an IP address can be personal data. I mean that a public IP address can be classed as personal data because that can be attributed to an individual. So it's a much, much bigger scope.

And you may hear me refer to the term a data subject. That is you, that is me. A data subject is a person. It's someone that holds data that you control for me. And the data that we're, the scope of it really is anything that can be filed or searchable. The best way I like to think about it is if you've got a temp job somewhere, what's the data you'd want to steal? So anything searchable that you can find. That's what you want to go after. What's the kind of thing you're going to steal two days before you leave the job? You're going to search for stuff. So that's computerized, it's paper-based, it's anything in the filing cabinet, backups, anything like that.

Now there's also another type of data, like an extended bracket. We all know it as sensitive data, we understand the concept, but we call it in GDPR special categories. Essentially it's all the really private stuff. So racial, sexual preference, union membership, things like that. This is the kind of stuff you have to keep, you have to lock down and protect slightly differently. So watch out for that if you ever work in an organisation that handles any of that kind of data. But interestingly, because you have to manage that data better, we now need to start thinking, well, should we be collecting that in the first place? Let's say we're running a conference. Should we be asking for things like ethnicity? Do we actually need it?

Because if you do, fair enough, you've got to go away and protect it really aggressively. But if you don't, why are you getting into that mess in the first place? And really critically, what's out of scope? So what don't we have to protect? And it's all the random bits of paper. You know, it's a notepad in someone's pocket. It's post-it notes. It's stuff on a whiteboard. It's the stuff that, yeah, there might be usernames and passwords on there, but it's not technically classed as personal data, so it doesn't fit inside the GDPR. Yeah, you don't want to lose it and you've got other implications, but that data itself isn't in scope. So, the last bits of terminology I want to throw at you are controller and processor. A controller is someone that you buy a service from or deal with, so they've got your data. You've got a contract with them, you signed up to them, like Scottish Power, for instance. You buy your energy from them. The processor is a person behind the scenes. You've got no relationship with Azure from Microsoft, but they are still processing your data. The great thing about GDPR is a shift from where we are now, currently in the Data Protection Act, only the controller can get fined for a breach. Whereas imagine if Azure lost all Scottish Power's data, you'd say, well, it's Microsoft's fault, isn't it? Not Scottish Power's. Well, under GDPR, that now changes. It's whoever's fault it is that gets done in the end, and that's great to see, unless you're a processor, and now suddenly the world is suddenly all about regulation.

So this is really the people that are going to be affected by GDPR primarily. This is me, this is you. This is just a random selection of people that I've found that are in scope. So we've got a classic Italian and this is what all Scots look like, I believe, in the middle. And that's what I do at the weekend, of course. But it's all about Europeans. So, Europeans are the focus of this and anyone that's in Europe, all of us, or anyone from Europe is in scope. What that means is we are all protected by this. If you're American, currently in here today, you are protected by the GDPR. So, whether you're a resident, a temporary person or a citizen, you've got voting rights, it's all the same. You are all protected in this room by GDPR. Until you're dead, of course, in which case your data protection rights don't matter according to GDPR. You're out of scope. So you might hear me call natural persons Europeans. Essentially, people get this mixed up all the time. You'll see people talking about GDPR as all about citizens. Some say it's about residents. Some say it's about people that live there or whatever. It's not. If you're in or from the EU, you are in scope. Just remember that. So try and think about it as an actual geographic thing: if you're in it or from it, you have these rights.

So I promised on Twitter there's going to be a bit of a catchphrase element to this talk rather than doing little boring titles. So see if anyone can work out what this one might be. It's a bit of an easy starter, this one. I'll warm you into it. This is a big topic for GDPR. Everyone keeps asking about it. Brexit. So Brexit is coming and it doesn't matter. GDPR, it doesn't matter at all. So we are 7th of April now, we've got 285 working days left till 25th of May 2018, which is when GDPR comes into force. We are currently in a transition period or a grace period, whatever you want to call it. Essentially, GDPR is law, but no one's enforcing it. No one's going to get fined, nothing like that. You're all safe for now. 25th of May 2018, your two-year grace period finishes. Now this is, I'll say it again: there is no grace period after 25th of May 18. We are in it now. The law is out. You should be starting to comply now. So 26th of May 2018, the regulators are always saying that first week, they're going to start fining people. So we are in the grace period now. That's great. What about 30th of March 2019 when the UK leaves the EU? So this is when we have the Great Repeal Bill, which essentially says all of the EU laws... which were applied to us, we're just going to do find and replace and do EU to UK. And in the case of the GDPR, if you imagine we're in the EU GDPR now, post Brexit, we're just going to rewrite it. It's going to look exactly the same apart from EU is going to change to UK and a few other tiny bits. But essentially, any data protection regulation parts of it carry on like for like. So if anyone says anything about Brexit, just say no effect. Five years after that is slightly different because as you imagine you've now got two laws side by side. You've got the EU one and you've got the UK one. So if you imagine you're a UK company, let's say a bank that sells into Europe, you've now got to comply with EU and UK. Now at this point they're exactly the same, so it's not a problem. Over time, the EU might start changing and slightly diverging, and the UK might say, we're going to start diverging slightly. And as they start to diverge, you've now sort of got two laws to comply with, but that's way off. All you need to think about is post-Brexit, exactly the same, nice and simple. So, anyone got any idea what we're getting at here? The key is a really key aspect of GDPR. No, no ideas?

Almost, so we're talking about territorial scope.

Beautiful thing. So essentially what happens about everyone else outside of Europe? So within Europe you've got the great thing that data transfers are seamless. Poland, UK, Ireland, we've all got the same data protection laws. So that means data can freely move. However, everyone else, you have to have the concept of, let's say, an adequacy ruling. The idea is: what about the Isle of Man? They're not in the EU. What about New Zealand? What about all these other countries? And the EU assesses each country's data protection laws to see if they are adequate and therefore get this adequacy status. And there's a number of them already out there, such as Canada and Switzerland and Israel. But there's also ones that get special status like the USA. They're in a kind of funny place with data protection over the years. And so we had to create Safe Harbor, which is like an agreement of are they good or not? And if they are, we're allowed to trade with them. Safe Harbor wasn't very good, so it got replaced with Privacy Shield, which is out now. The problem with Privacy Shield is it's based on all the amazingly good things America will do with your data because they really care about you. The reality is that doesn't exist anymore. And things like the ISPs selling your browsing data in the US mean that, hey, all those underpinnings of those agreements they've got with the EU are starting to crumble. So what that means is that as Privacy Shield crumbles, the EU is going to have to replace it with something else. So... You've got other countries as well. So let's say you wanted to outsource some stuff to Pakistan, what then? Or let's say you've got a multinational company. Do you have to comply with all the laws separately? There's some other things the EU GDPR has called binding corporate rules or enforceable contracts, essentially saying legally we'll let you trade if you do it in a certain legal fashion. So there are some other mechanisms. But the key question you will get from everybody is, OK, get Europe. What about non-European companies? Do they have to comply with GDPR? And the answer is, if you target, sell, track or access the data of you people out there, you EU people, you have to comply.

So let's take American Airlines. So a purely US-based company, for instance, they... Let's say they had one office in the US. The fact that they sell to the UK and to Europeans means they are targeting us. The fact they are selling in Sterling means they're targeting us. If you have a surf shop in Sydney that is selling online in Sterling, that is targeting us, so they have to comply. A corner shop in Melbourne that just says local produce isn't targeting us, so shouldn't have to comply. So think about it that way. Think about it as GDPR is all about you, about protecting you, real people, and other companies, if they try to interface to you, they have to comply wherever they are. So in summary, everyone outside has to comply if they touch you, but also any company in the EU that handles any data, let's say you're a Chinese company based in, let's say you're a company in the UK, you only deal with Chinese people, you still have to comply. Every company in the EU has to comply whatever data you have completely. So it's a very, very big regulation, global reach. And if you are one of those kind of foreign countries and you have to appoint like an EU representative, so it touches everyone there, so it is truly massive. So any thoughts on this one? Exactly. So penalties, key point here.

A few people to note, this was actually England losing, so I thought a few Scots would appreciate that. And also, I'll just point out this, this is actually a real photo of some people trying to put off the penalty taker by flashing. Great photo. So, pre-GDPR, this is sort of where we are now, we're still in the kind of Data Protection Act world. The regulator, which in the UK is called the ICO, the Information Commissioner's Office. The reason it's called that is we actually have an information commissioner, it's a real person called Elizabeth Denham, a Canadian lady who's fantastic at her job. And she is pretty hard but very, very fair. And this week fined a load of these organisations and in previous weeks a few others. These were all charities. And what they all did, and have all been fined this amount for, is mishandle data. They didn't get breached. What they did was they didn't get consent properly for the way they were processing donor data. Now, I'll look at that and go, Great Ormond Street Hospital fined £11,000. That breaks my heart to think about how hard that money was to fundraise, but also where it's going to. This is real stuff. This is really affecting real people. And these fines are in the context of two things. They're in the context of the ICO having... the ability to decide what level of fines they give, so they've got control, and secondly, we can fine up to £500,000 in the UK. Now, post-GDPR, that is changing, so we lose that control and we lose that £500,000 upper limit. So these fines you won't see again against charities. There'll be a lot more. So in the EU GDPR world, you have a fining bracket of up to 2% of your global... revenue of your parent company. So imagine if a Google or Facebook subsidiary got breached. It's based on the global turnover of the parent company. So if you, let's say, had a data security breach, someone leaves a laptop on a train and there's some data on it unencrypted. Let's say you failed to notify on a breach or you don't get a child's consent properly, you can be fined up to 10 million euros or 2% of your global revenue, whichever is larger. You know, this is massive amounts of money and you compare it to the charities, it's going to dwarf that. The key point here is that this fine has to be standardised across the EU. So imagine you've got 28 people fining equally. One can't say, well, I'll give him an easy ride or give her an easy ride. This is going to be based on what everyone's trying to do. So everyone's going to try and level it. And with these upper limits being high, the levels have to be high. The ICO can't say, well, let him off because it's a charity. They can't do it. However, we've got the upper limit, and this is the big one. So 4% of global turnover.

And this is where you are, rather than data security, focusing on things like if you haven't enforced people's rights, so giving people the right to, let's say, erasure or haven't followed some of those principles I talked about. If you acted unfairly and unlawfully, this is where we can have those 4% fines. Now, don't let any idiot like me tell you that people will get fined 4% of global turnover on day one, because it won't happen. It might never happen. The reality is that is the upper limit, and watch for the trends when it starts happening of where those levels go. Because at first people might take it a bit easy and then start going up and up and up. A key point on the fines is they're punishments, but a line in the GDPR, which is really critical, remember this one word, please, the fines are dissuasive. Dissuasive is the word. So I will fine you so that somebody else doesn't breach in the future. This is all about dissuading other people. So the fines have to be harsh on purpose. So, any ideas? Key point of GDPR, I've already mentioned it a few times.

Consent. So, consent is a really well misunderstood area, but essentially, for a lot of things you have to get consent, but not all. A great thing about the GDPR is it's changed those consent models around, so you know you've seen opt-out, tick boxes, pre-ticked opt-ins, all those things, they are now invalid. You can't put an opt-out box or a pre-ticked box that has any value. It means nothing and it's the type of thing that will get you fined. It is a breach of the GDPR. You have to have unambiguous and freely given consent. You can't force somebody to give consent. If you do, if it's part of something else, then it's not freely given. So, everything has to be opt-in.

Now, the other thing to say is you shouldn't ask for consent if you don't need it. And this sounds a bit obvious, but just take a minute to see where I'm going with this. Let's say I have a legal contract with you that says I will handle your data in a certain way and then separately ask you for consent to do something else related to it. You think, oh, that's very nice of colleagues. Ask me for consent and go and sign something. Now, I didn't need it. So I can basically take that consent and tear it up because it's meaningless. But you as a user, as a consumer, you're thinking, oh, I've got a nice bit of consent over there and I can enforce my rights against it. The reality is that consent was meaningless. So people have to be very careful that you should not ask for consent if you do not need it. And most times you don't need consent. If you sign a legal contract for something, you don't need someone to keep asking you for consent because it's part of that contract. And... There's many areas where you don't need consent. So for instance, if you're a business, you have what's called legitimate interest if you're already engaged with somebody. You might have a contract, it might be a legal thing, it might be to save someone's life. A recent case came up where in Cumberland, in Carlisle, there was a lot of flooding in recent years. And so people had to find people's data, access it very quickly and send lifeboats down the street to get to them. That's an example of where we said, well, it's to save someone's life. I don't care about data protection laws from now, I'm just going to rip them up and go and save someone. That's what we call vital interest or basically life saving.

If you're under 16, you can't give consent. Now, that's a new one for the GDPR. Some say 13, some say 16. The law says it's 16. However, some countries can say, well, we think someone at 13 is okay. So they can change the law in each country, but generally it's going to be 16. Now, think about that for most websites. If you're under 16, you can't consent to them. So we're going to see that starting to emerge as to how we determine that, because we've got to do some checking a little bit if it's possible, but also 13, 14, 15-year-olds wouldn't be allowed to consent. Cookie law. You know there's annoying banners you all get on websites saying by clicking OK you've agreed to something you've not read? Well, they are invalid. They always have been invalid. Now, this is the thing not many people know. They never have been valid. They mean literally nothing. You do not need to put them on your website. They are pointless. The reality is that GDPR says you must get consent for anything not first party. So imagine you go to karlgottlieb.com, to my website, and I put my own cookie on just to track you that is all based on my servers. That's a first party cookie, first party tracking. I don't need consent because I've got legitimate interest. You come to my website, you sort of expect me to sort of see your IP address. But what about Google Analytics? So Google come in, put their cookie and start tracking you. That is a third party cookie, third party tracking. GDPR requires that to now ask for consent. Any other trackers, any other third parties must ask for consent. Now, if you play this out, you'll think that for every website, they're going to ask you five, 10, 20 different consent questions. And the reality is, that's what by law has to happen. But in reality, the EU has said, well, this is nuts. We're going to create a new regulation to sort of fit into GDPR called the ePrivacy one. It's currently in the kind of analysis phase, due out end of the year. But the idea of it is that rather than asking you for every website, every consent piece, it's going to, on first browser install, ask you, hey Carl, what's your view of consent? Do you want to opt into third party cookies? Do you want to allow first party cookies? That kind of stuff. Done, that's your global settings set. And then if you ever want to override it per site, you can do. Sounds like a bit of a mess, doesn't exist yet. And that's why this part of the GDPR can't be complied with currently. So if you're looking at GDPR compliance at the moment, thinking about cookies, best advice is to sort of wait and keep a really strong eye on it because it is a complete mess. And if you imagine the whole point of GDPR and consent is to protect you against evil companies like Google doing tracking of you with cookies, but the people to implement the solution are Google with their main Chrome browser, how's that going to work? It's not in Google's interest to do this. So watch out for that. Last bit about explicit consent. This is the kind of like hitting someone over the head with a stick saying, you joined our mailing list, great. Okay, I'm going to ask you again, is it okay if we actually send you some marketing? It's that kind of overt thing. Now, if you handle sensitive data, that special categories, racial, ethnicities type stuff, that's where explicit comes in. You'll see that occasionally mentioned. So, any idea what all these have in common? Someone's got to get this. Right, yeah, exactly.

So, Wright brothers at the top in case you didn't know. So, right. So, first right, any idea what this right is? This is classic catchphrase there. Okay, it's the right to object.

Right to object. Right, so a bit of a slow start today I think we're having. First one, so essentially right to object says you can say no to processing and I as a controller have to actually offer you that right. You must, whenever you sign anything in the future, whenever you tick anything, it has to say you have a right to object, you have a right to know what I'm going to do with that data. And direct marketing is actually called out as a very special case if you get involved in that. Essentially you must provide opt out if you're doing any marketing and you must obey it. So we have a lot more rights about direct marketing now. And anyone involved in the automated decision-making profiling business, this is a key one. A lot more consensus required. And also you can't have this idea the computer says no. You've applied for a loan. Computer says no. Why? I don't know. It just says no. So as we move into more AI, ML type stuff in the future, we have to be able to explain these algorithms in a GDPR context. Even if it's just... We can't explain a lot of it, but here's five reasons we guessed, then that's fine. Ultimately, we have to be very careful about automated decision making because we have the right to object to it. If you sign a contract that says you agree, then that's fine.

So, this is, in my view, the most interesting part of the whole of the GDPR. Any idea what this one is? It's one of the rights. Portability. Bingo. Portability. Bill Murray there. So portability is really, really quite cool. Portability gives you sort of two things. One is right of access to your data. A lot of you, especially some of the more interesting ones amongst you, have done Freedom of Information requests just to annoy people. I know there's a few people I can see that are laughing now. Just do this, just for the hell of it. But you can do this for anyone that holds your data now. You know, whether it be a BSides conference, whether it be a government, whatever, you can ask for your data. Key thing, it's now free. It has to be free. Unless you're being a bit vexatious about it and doing it every five minutes and asking for all sorts of stuff, they can start charging. But they have to do it for free, generally, in 30 days. And it's to see all of your data. And they have to give it to you in a format that's human readable, like a PDF. But also, here's the cool bit, you have the right to have it moved elsewhere. So let's say you are currently with a bank. You know you have the idea of fast switching. You can say, well, you've got my data. Please just transfer it all over to RBS. Well, that applies now to all companies. So imagine you have a Spotify account, and you've got all your, one of the reasons you don't leave, as much as you like Spotify, is you've got your history on there, your playlist history, all the information it's got about you, about what music you like. Well, if you want to go to Google Music, GDPR will mandate that Spotify has to have both an export button, that you can export it and import it into Google Music, but the other cool thing is you can just say to Spotify, I'm lazy, do it for me. And they have to actually send that data across. Now the EU is pushing for APIs that will automatically do this. That's not gonna happen. But essentially, it's your data.

You're in control of it. And you can say to a controller, like Spotify, give it to a competitor. Very, very interesting kind of scenarios. And if you think about where you're actually locked in to certain providers, it's just a bit of a pain in leaving. The EU is taking that away. So portability is a great right that you've all got.

So, any idea on this right? This is quite a nice simple one. No? Rectification. I think that's what it means. I haven't really read it. So, rectification is a simple one. Essentially, if someone's got inaccurate information on you, they have to update it. They have to. It's law. And they have to without undue delay. So you're talking in a kind of like, if it's a simple typo, days, you know, that kind of thing. They can't take years about it. And if it's incomplete, they have to rectify it as well. So there's plenty of places where something might have been written that you need to get changed. And this is quite an important one, but quite a simple one as well. I think that's what rectification is.

So any ideas on this one? Another key right. It's probably one of the biggest ones. Erasure. Erasure, exactly. Yeah, and there's probably a lot of people who don't even know Erasure, but an amazing group from the 80s. So, the right to erasure, you might have heard of it as the right to be forgotten. Essentially, it's your data, so you're in control of it. GDPR is about giving you power, so you as a data subject are in control of it, mostly. So, if you say to a company, I used to be a customer of Scottish Power, but personally I did. So, I can say to them, well, do you still hold the data on me? You know, portability, access requests, that kind of thing. Okay, delete it. You know, why do you need that data? And if they can't come up with a good legal reason why, then they have to agree with your request. They have to delete it. Interestingly, let's say someone's published an article on you, and that's been published elsewhere as a copy of that data. Let's say this happens with Google or a news organization. If they agree to erase it, they have to then go out of their way to talk to anyone else that might have a copy of it and erase that as well. It's your data. You're in control of it. There's certain limits, if you've got an interesting past, the press might have got freedom of expression rights there. And there's also things like public health interests and scientific research. But generally, it's your data. So an interesting case is, let's say, a bank. They have a legal requirement to keep the data for seven years. But do they need to keep every single financial... Do they need to have your name and address? What information do they need to keep? So from a right to erasure perspective, you might get them to be able to erase most of it, but some they have to keep legally. Then after seven years, arguably, they can get rid of it. So as controllers and processors, we need to be very clear that we only keep and get the minimum amount of data possible.

Minimization is a critical thing to think about. As much as we all love a bit of big data and machine learning, gathering as much into a big data lake and analyzing it, GDPR is all about minimization. You collect only the minimum amount of data you'll need. Last thing about erasure is if you ask someone to delete a record of you and it's on a database inside a backup tape, they can't edit that. So there's only certain limits. So if you're a business thinking about the right to erasure, there are certain aspects where you say, well, I can do everything on my live database, my back-end database, but a tape backup or a piece of microfilm,

I can't touch that. So do as much as you can. It's a risk-based compliance measure. Does that apply to paper records as well? So if the paper records are in scope because they are searchable, fileable, that kind of thing, then it's no different. So if you can edit them, It depends how, really. So if they're easy to redact, for instance, let's say it's a piece of paper, and you could just maybe rewrite it or delete it, that's one thing. If it's just going to be a nightmare, then you say, it's not possible to edit it for whatever reason, and therefore we're not going to. Well, what, Raspberry Pi? Yeah, it could happen. But yeah, there's only so much you can do with Erasure,

and there's many organizations out there worrying about their backups, and ultimately, do the best you can. And for the gaps you leave behind, just have a good statement for. So when the ICO come knocking and asking you, you go, well, here's what we did. Simple. So most of you are techies in here, so I've got an obligatory techie slide. This is what you all look like when you're hacking, I assume. So where does kind of data security and all the cybers come into this? So

there's no specific requirements. And this is the really weird bit about GDPR, is everyone's expecting another PCI. It's not. It's all risk-based. So it's things like manage data securely. Basically, do the best you can. So what this really means is focus on, remember those two words I said at the start, data protection, focusing on protecting that data, whether it be from access control, breaches,

Breaches are an interesting example because most breaches come from things like phishing, from externals, from phishing and malware. Well, those are two easy things to start. There's some good anti-phishing tech out there, there's great anti-virus out there. But if you're trying to tick the box by just saying, well, we've got anti-phishing, we've got anti-virus, and are still getting infected, then you know your control is failing. You know you haven't really got a control. Do the basics, but do them well. Actually do them right. And the last thing you want again is the ICO come in and say, well, have you got antivirus? Yes. Have you ever been infected? Yes, yesterday. Well, you're not safe then, are you? So things like antivirus, anti-phishing, access control, encryption, that's

a basic one, full disk encryption on everything. Again, if you haven't got it, expect to be fined. It's just the kind of simple control you should be doing. And I mentioned earlier on, you're gonna be subject to actually lower penalties for the data security side, which is a bit odd, but that's how they roll. So, this is a picture of, anyone know who that is? It's not Harry Potter, for people. Exactly, it is the former head of TalkTalk, who, you know, former, because they had a very big breach. And breach notification is a really big aspect of GDPR that you need to be aware of. So they handled it really, they, she, whatever, handled it really, really badly and said they were on top of it.

The scope was this, the scope was that. And as a TalkTalk customer, you didn't know what was going on. You didn't know what to do. Do you reset passwords? What's really going to happen? And she lost her job. And in the GDPR world, you have to focus on severity. What's actually going to happen for the data subjects? The people affected. The ICO doesn't matter. The controller doesn't matter, the business. It's about us. It's our data. When someone says on a Friday night, hey Carl, we've just looked and someone's claiming on Twitter that our customer database is on Pastebin. The first thing you should be thinking about is, okay, well let's have a look. Is it

actually our data? And that sounds simple, but is it really? You know, if someone put in a database of let's say 100 details, 100 customers, would you know it is your database and not someone else's? And that's quite a big challenge. Unless you start seeding the database with certain bits of data, let's say fake people or whatever, it can be quite hard to determine that. But once you do, you've now got to think, what's the real impact going to be? Do I need to get straight on the phone and tell people, hey, change your password immediately? Is this put a letter in the Financial Times tomorrow? Is it not a problem, it's just a ransomware

incident? What is the real impact? And the impact is so important that you need to base everything around that and your whole breach notification plan. So you may have to inform the ICO, say, yeah, been infected with ransomware. That doesn't sound like a problem. Yeah, it was on the main database. And I think all the data is gone as well. You may have to inform the data subjects, phone them, email them, whatever you think will help notify them and help them genuinely. But you've got to do this in 72 hours. And that's not a lot, especially if it happens on Friday. And the other thing to be aware of is who actually caused the breach? So remember our Scottish Power example with Microsoft Azure. Let's say, and

by no means am I targeting them, just using it as an example. Let's say it was Microsoft Azure that screwed up. As part of the breach notification, the controller, Scottish Power, has to tell you what to do about it, why it happened, what we're gonna do, how we're gonna help you. And if you don't know where the breach happened, then you can't really help. So you have to get straight on and investigate in your data maps, you know, oh, it was actually an Azure failure, and Microsoft has to come back to you without undue delay and inform you. So you've got this kind of breach notification conversation going on between the two of them, so what the hell do we do? And all this is

inside your 72-hour window. So if you're a processor, you haven't got a 72-hour window, you might have like a day window. And if you're a controller, your processors need to be absolutely on the ball, because you need to be able to phone them up and say, well, it's this database, what happened, what we're gonna do about it, is there an issue? So the whole concept of breach notification is really, really critical. And what I'd always suggest to people is play out the scenario. Imagine it's 6 o'clock on a Friday. Someone says, we've seen the database on Pastebin. Go. You've got 72 hours. Go. What do you do? And you play it out. And it's so,

so scary because it's so tough to know how to proceed. So any thoughts on this one? Critical role actually, more than you think for some of the people in here. Yeah, Data Protection Officer. So the Data Protection Officer is this person inside a lot of organisations that is your data person. He, she is the governance person. It's the person that's not responsible, but your key advisor. This person is the one you should be going to to say, I've got a query about GDPR, and they are your expert there. Now, you only need this specific person if one of these three things happens. You handle lots of data, you handle lots of sensitive data, or you're a public body, or you act like one. So if you're

a water company, you are providing public service, therefore you need one. What that essentially means is lots of data if you're a large company. The old guidance, which is out of date now, said 250 employees or 5,000 records. If you ever hear those numbers, they don't exist, that's irrelevant. It's now essentially lots of data. So try and think about some of the people you deal with, whether it be your own organisation, your partners, some of the people you could give your data to, they will probably need one of these. But this person is a magical person because firstly they have to be an expert on GDPR, any data protection law in any country they work with, infosec cyber security stuff and the business and the marketing of

how all the data flows in and out. But they can't be in IT. So if you look at this line here, they can't have the conflict. There's a huge issue about conflict, and a German company was just fined very, very heavily for having their IT manager also be their DPO. Because the issue is, let's say you work in marketing, and you're also the data protection officer shouting at the IT guys to do better with data. At the same time in marketing, you're still collecting data and collecting consent. You're in the doing. The governance person can't be in the doing bit.

There's a lot of organizations out there that say, yeah, we need a DPO, and I've got no idea where they're going to get one from. Is it an internal person they can promote? A lot of people are promoting their internal legal counsel to be the DPO or saying, do more. But the issue is, imagine if you're a lawyer thinking about GDPR. You just say to the business, just stop, it's too risky, all of this, just stop doing anything. A lawyer would say shut the front door. It's much, much easier. Whereas a sales guy would say, yeah, open the front door, let's just be a bit riskier, and our risk assessments are a bit different. So

it's a real challenge. Generally in the industry, we're seeing a lot of legal counsels, like the in-house legal person, with the DPO, but the issue they will face is not understanding a lot of cyber security stuff. So you see a lot of companies like ourselves offering virtual DPOs, which is where we get a person doing a day a week, a day a month as a DPO. So the important bit though for all of you in here is what does it mean to any of you? Because as I said at the start, compliance is the most boring thing in the world, but not if it actually relates to something like cash. So the first thing to say

is you've got rights. GDPR is about empowering you as real Europeans. You've got control of your data. It's not like PCI or ISA or any of this kind of stuff. It's about protecting you and giving you rights. So you have things like portability. And critically, you can cash in. People have been talking about whether this is the next PPI wave of ambulance chasing, whether that happens or not. The reality is that... Whilst I talked about administrative fines earlier on, that 2%, 4% of turnover, you can now sue. And also an association could sue on your behalf, like a consumer association. So let's say TalkTalk, they got fined by the ICO, £400,000, great. But when it happens next time, no problem for a class action lawsuit. You

get behind that and claim a few thousand pounds each. Suddenly administrative fines, like a 400K fine, are blown way out of the water. Fines, as you'll hear everyone talking about GDPR every day, like idiots like me, they are great, but the compensation that people like yourselves will claim from class action lawsuits is where the big, big issues are going to happen financially. But hey, we all love Compo. So what about us in the industry? What can we do? Well, there's a massive supply shortage, and I can't explain how big the shortage is. It's ridiculous. People have talked about there'll be a need for 90,000 data protection officers worldwide, of which there's almost like 90,000 more data protection officers worldwide in the next 12 months. The shortage

is ridiculous, and the expertise required is quite extensive. So there's a big thing from that side. But also what about the auditing side, like the offensive kind of stuff, which a lot of you are being more interested in? Well, at the moment, a lot of assessments are very much, we found a vulnerability, give us some cash. Well, as a kind of chief exec, I don't really care because it means nothing. And most IT security managers will take a pen test report and put it in the shredding bin anyway. So what actually matters? Well, if you can find some data, whether it be inside the organization or outside, suddenly your data assessment report, your pen test report, your red team report, whatever you want to call it, becomes very, very

interesting. Add that to vulnerability, responsible disclosure, and suddenly you get into an interesting place. So let's say you find some data on Twitter about, or let's say Pastebin, and you find some data of a company. As soon as you inform the controller, the 72-hour clock starts. Now I'm not saying you could do this maliciously by doing it on a Friday evening, but think about responsible disclosure now in the sense, as soon as you disclose it, if they are technically aware and you've got an email date to prove it or even post it publicly, they have to act when it's related to data. Saying, oh, I've got a vulnerability, they might not have to act. But if you say, I found some data on

the dark web about you, they've got to act immediately. There is no waiting. Now, that could be a really interesting place for research of how you might want to approach it and things. Whether you want to think, tech is great, but if I can use tech assessments to get to real data, that is the stuff that instantly gets the chief exec. All this stuff will get straight to the boss, the chairman, the chief executive of any company. So data focused stuff is the one that will really make a big difference. But from a business, what about the benefits? It sounds all quite negative, what I'm saying. Well, it's not. If you're a business, this can

be fantastic. So most businesses are fairly generally bad at data protection. But if you can be the ones that come out and say, look how good we are because we're so ahead of the curve, we're GDPR compliant, we're doing lots of great things, then there's a huge PR angle to that. So there's a great competitive advantage. I mentioned before about Spotify and Google Music. Well, the data portability thing is interesting because if you've got organizations and customers that are locked in to, like, it's sticky because they can't leave, it's just too painful, that disappears. So if you're a small organization, let's say a small medical company or a small mortgage provider, you can say to us, just leave Bupa or leave whoever these big medical companies and come to

us with one click. It doesn't cost you a thing. We'll take your 30 years of medical history out and type anything into a form, and we're a startup. Go. That is certainly very interesting because it really is competitive. And if you, as a company, embrace the competitive advantage idea, then, hey, you can turn GDPR into a really good money-making venture. And the last thing, really, is just about risk. Every organization I speak to about GDPR says, oh, yeah, it's so dull, Carl. Yeah, but chief executive's giving me two million quid to fix it. He doesn't know what it's going to cost. He's just going to fix it. So, yeah, I'm going to want to buy

a load of toys and a load of people and a load of consultants and build a SOC. And suddenly, there's this money coming in to actually get things right. So as much as regulation can be a bit painful, a lot of people are using it as a driver internally to that business case that's been rejected year on year on year to get all the good stuff, all the good processes done right, all the patching done right. Now is the time because GDPR says you've got to do it all. So ultimately, everybody wins. It's a fantastic place to be. And I would hope you come away with this thinking, I as an individual benefit, companies benefit, and... I think we can all win out of it.

So, thank you very much.

So, on screen, I've put on a little website. It's not on screen. It is now on screen. It's called The GDPR Guy. It's basically a little GDPR high-level website. Just kind of a little look at it. Give me a shout on Twitter and have a chat. There's so much to debate and chat through about GDPR because it's a real world thing that, yeah, please feel free to look at that. And we're going to do a little podcast on that to sort of make an audio version. So yeah. But any questions on the exciting world of compliance? Can a company, there's two questions about the DPO role. Yep. Could they take a lawyer and somebody from the security

team and create a virtual person? Could they, in the same part of this,

Could they stay working one day a week in that role and four days a week in their normal role? So the question is about a virtual DPO inside an organisation. Now, the lines are quite blurry. Technically you have to nominate a person's name. So even if it's a third party company, let's say KPMG, they still have to say the person that is the DPO is Jane Smith for the organisation. How they actually act on a day-to-day basis, whether it's one minute this role, one minute another role, one minute that role, or a day a week or a day a month, it doesn't actually matter, as long as you are the figurehead. And what being a DPO means is that if you do any

project relating to data, the DPO has to step in and assess it and do what's called an impact assessment and say, I've looked at it, you're being way out of line, everyone, you need to do this, that and the other. And if you don't follow their advice, you have to document why. So they are the expert that you can follow, but you don't have to.

Yeah 200.

Yeah.

Okay, so a few things. So the question really was about enforcement, extra-territorially, and also the staffing. The first thing to say about the ICO is they've got nowhere near enough staff. They're looking for 200 places to be filled in Wilmslow in Cheshire in England. Hopefully they will do it. One thing, just a quick point about the ICO. Any fines don't get paid to the ICO. They get paid to Central Treasury in Westminster, so there's no real bias there. So what happens if, let's say, an Australian company has to comply with GDPR and gets fined? They have to nominate... just to trade, an EU representative. So they become almost like the EU office of that company.

It can just be a lawyer, it can just be a person on the street, but that is their representative. And so that is the, as a data subject, I can sue in my country. I don't have to go to Australia or anything like that. And then the legal mechanisms work between the UK ICO and their regulator. Now, the foreign regulators that you can transfer data with anyway are already deemed adequate, so there's already that inter-country relationship anyway. But outside of that, it comes down to regulators getting involved, which is messy. And clearly, trying to sue someone in Australia is going to be a different kind of world. Now, interestingly, Australia is not on that adequacy list. So it gets quite complicated. But ultimately, you

do have the rights and the regulators there to enforce those rights for you.

Yes. Do you know the reason for that? The second question is, what in your view constitutes a significant breach of the individual rights? Because that's one of the key things to determine whether a breach is happening when they enter a report. Okay, so question is one, why are people delaying trying to handle GDPR? And secondly, what is a breach essentially? So most people are delaying, especially in the kind of mid enterprise space, because they just think you've got a year. And it's like when you start the revision for your exams, you think you've got a month to go and you do it tomorrow and you write a really good revision timetable. It's just a long way off. People have been afraid of

Brexit, thinking that's going to change anything. There's also the view of it's just ages away, it's not a problem. But as I said, it's 285 days away. There's a company I work with that has a change freeze from May to January every year. So I think we worked out they've got like 60 days left. It's just nuts. So we have to be very careful. So what constitutes a breach? GDPR, don't think about a breach as being the breach, the kind of TalkTalk data-leaving kind of breach. Think of it as a breach of compliance. So not asking someone for consent is a breach. In the case of Honda, which was fined this week, what happened there was they were sending out several hundred thousand emails to Honda customers

saying, When you bought a motorbike, we didn't know if you'd actually consented towards telemarketing you, sending you emails. So would you mind, because of GDPR, complying and just saying, I consent? They got fined £13,000 for that. They got fined £13,000 for asking for consent. And the reason was, you can't ask for consent for marketing by doing marketing. And so that was the issue. So you've got to be really careful. But that was all triggered by one Honda customer complaining about one email. So impact from a kind of breach, a fine perspective is so low that you can say, we have to cover all bases and potentially we can get screwed for even the smallest thing. So it doesn't have to be big. Now I asked the ICO

about ransomware and said, is getting infected with ransomware a breach of compliance? And Elizabeth Denham's response was, if you get infected with ransomware and get your files encrypted, can you categorically say that no files were sent out to a C&C server? I can't, can you? And some ransomware that came out over Christmas included that, it does a lot of exfiltration. So if you assume that every virus infection potentially includes exfiltration, the ICO said we want to know about every virus infection potentially. You know, that's kind of scary stuff. And for most companies, it'll be, well, I don't really want to tell them about that. But now you're going to have to. So ultimately, it has to be play it safe, inform. They said, we want to

know before the press knows. So if you go with that line, inform the ICO before the press, that's the best way forward on that. Yep. Is there any protection for those disclosing the breaches? Yes. So what, the DPO? Sorry? Yeah, so... If I answer your question right, so are the breach notifiers protected? So in a company, the person notifying should be your data protection officer. And they're in this kind of weird place where they see something bad's going on, let's say a breach of compliance. They have to get on the phone to the ICO or email and say, yeah, something bad's happening. The DPO role is protected under EU law, which means that you can't be fired for doing your job.

So what if they say, spot some data on Pastebin and...

Yeah, so ultimately it's about... So yeah, no, it's a simple answer. If I spot some data on Pastebin and say, that looked like 10 people's addresses, inform the ICO, there's no issue there. The challenge is whether you start turning it into something else. Now we all know about Troy Hunt's Have I Been Pwned? I'm talking to him a lot about GDPR because I've been speaking to a lot of experts, and it's very problematic because what he's doing essentially is scraping quite sensitive data about people and putting it into a database without consent. So think about that. If you are purely doing research and handling personal data, you've got some exceptions. If you are doing stuff that is corporate, you're going to sell a service, maybe

threat intelligence involving personal data, like scraping dark web stuff, really think about this because that gets quite sensitive.

Got it. So, the question is really about tracking and behaviour analytics, especially in the marketing industry. So, the EU goes quite heavy on the whole direct marketing thing, so you've got to be very careful of it, get a lot of consent. Some new views are coming out about that in the ePrivacy Regulation, look out for that. There's a lot of... Yeah, just look for the ePrivacy Regulation. But, ultimately, you have to be getting consent at the start in the marketing world for anything you're gonna do with that data. You can't, like Honda did, go back and say, we didn't get consent a few weeks ago, can we have consent now? No, because you're gonna get fined for it. So think about getting the right consent you need

first time, every time. And from a website visitor perspective, we have this issue where we have to get the consent, but there's no browser mechanism for asking for it or providing it in the background. Nobody's gonna be saying, do 10 pop-ups. So we have a problem at the moment.

Yes, so our cloud processors, yeah. How do they manage the risk of that? Carefully. So this is the issue. I mean, I had a customer, let's say Iron Mountain. Essentially, let's imagine big warehouses full of tape backups. And someone says, you know, your warehouse is full of personal data. How are you protecting it? And they go, we don't know what's in there. I had an archiving company say, we shouldn't be compliant because you can't see what's on the tapes. So it doesn't work like that. You are a processor. So all you can do is manage the risk like anything else. And for those, physical controls are going to be more important, but things like still having to handle erasure, portability, all that

kind of stuff. So portability, for instance, for them, someone might say, I want to move from Iron Mountain to another cloud provider, just go and move it. So they've got to start thinking about those kind of stuff as well. They don't get exceptions.

Yeah.

So there's nothing, yeah, so essentially, yeah, processors versus controllers. The main way is actually to go after the controller because they're the ones that were in control of the data and they decide how it's gonna be processed. The processor then gets involved as they get dragged in, but then usually the controller is gonna get fined, but then has a legal route to say, actually we've apportioned all blame, it was all the controller, all the processor, and then pull it back. So it's still quite... I believe it's not happened yet, but they are in scope.

If it's got personal data on it, it's in scope.

No, you've got to know. This is a frustrating thing. So essentially, it's your responsibility to know what all the data is, all the personal data is, and where it's going. You don't have the ability to say, I didn't realize. So yeah. Great. Thank you, everyone.