An overview of issues with the GDPR

At the BCS legal day, a presentation was made entitled “Key Issues”, which the presenters opened with a quote from Jan Albrecht MEP (the Rapporteur),

“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.” (Jan Albrecht MEP)

It is hoped that business opportunity will be created by a harmonisation of regulation across Europe with a goal of improved privacy for its citizens. The harmonisation is constrained by the Restrictions Article, which excludes areas of law from the Regulation and creates nationally authored variances. …

BCS Legal Day

I attended the BCS ISSG Legal day where the priority was the coming General Data Protection Regulation. I believe that the day was held under Chatham House rules, which means that comments cannot be attributed. I prefer to work on more open terms; it allows me to attribute credit to those who have informed me or changed my mind, but the notes have been anonymised. The running order has been changed to make the story better and to conform to my preferred priority order, of principles, rights, obligations and enforcement. The day consisted of two presentations, entitled “Key Issues”, “the Data Protection Officer” and one on trends in enforcement. I have written these notes over the last week, and backdated them to the day of occurrence. These are a bit less polemic than my recent articles here, but for various reasons I have been reminded that that’s how they once were; I hope these articles are useful to my more technical readers. Some of the discussions and issues may interest those that follow me for politics. …

Compliance

After attending the BCS IS Security Group meeting yesterday, I began to think about how small (or more accurately, medium) companies might deal with the additional compliance actions required of the GDPR. There would seem to be two design patterns, a golden source, or an all-knowing switch. The first pattern led me to consider the SaaS solutions, which should be used to dealing with suspects, prospects and customers (CRM), also any employees that might be employed, with the ERP solution catering for personal data located in the supply chain. Over the years I have been made aware of Sugar CRM & OpenBravo (ERP); more recently I have looked at the Financial Services KYC problem, and been pointed at kyc.com, an enhanced CRM system designed for the financial services industry. The gap is an industry-leading HR system, and it will surprise none of my long-term friends and colleagues that I think we can assume that fault is in the buying community, where the priority would seem to be recruitment and applicant tracking although, of course, payroll was the first SaaS offering by an order of decades. …

Focus

Over the weekend, a spat broke out between Jon Lansman, veteran leftist and Tom Watson MP. This twitter exchange pretty much summarises it.

Actually this was started because comments Lansman made to a private meeting were leaked to the press via video and blown up into a new conspiracy.

What I want to add, starting from Watson’s tweet, is that I believe it’s the so-called moderates that are destroying the party as an electoral force. The focus on the personality of the Leader and the evidence free proposition that we just need to knock on a few or even many more doors and we can win is wrong.

There are central political questions that need to be answered or Labour will follow the Greek PASOK, the Dutch PvdA, the French PS and its own example in Scotland. …

Faerûn

I returned to NWN2 last night, I should probably take notice of the fact that I find it so hard to return to. The fights are so hard …. This can be fixed … I think.

But the bioware forums have finally gone for ever. …

Privacy Law

Here’s an interesting review of the UK’s DP Act and the likely implications of the GDPR/Brexit. The author identifies that the Commission has launched an infraction investigation into the UK’s implementation of the Data Protection Directive; they identify some of the weaknesses and report that, despite issuing several freedom of information requests, the infractions identified by the Commission are secret.

It is suggested that the UK Government will use the Restrictions Article powers to reduce the impact of the GDPR and in doing so may jeopardise the UK’s attempts to obtain an adequacy ruling. I think they’re a bit excitable since UK firms and foreign owned multi-nationals will be able to use model clauses and binding corporate commitments to trade with the EU even without an adequacy ruling, although some firms may choose to relocate, most easily to Dublin.

The article also talks about two court cases which have expanded citizen protection under the DPA using reference to the Directive and the CJEU rulings. After Brexit, the opinions of the CJEU are likely to be irrelevant, …

A note on IT Integrity and authority

I posted an article that had taken a long time to get approval for on my employer’s blog, Information Integrity, the final frontier. I argue that the business has not taken integrity as seriously as it has availability and confidentiality. In the blog, I state that,

Information integrity requires an accurate representation of the state of the business and the audit records as to how it got there. Modern systems need to record both; it’s not enough that the system is provably accurate, records are required to ensure that transactions and changes are appropriately authorised.

The key insight is that not only must the true state of the data be recorded, but the person verifying this truth must be recorded as well.

The article talks about strong “Requirements Management” and good “Testing” processes, and then talks about the use of PKI to sign application-to-application feeds or transactions to guarantee to the system of record that the author is a permitted actor and that the delivered data is accurate and authorised. I also propose that application logs, as proposed under the “Application Security” domain of ISO/IEC 27034, should be used to record the authority/author of a database update.

ooOOOoo

Given the startling longevity of this blog, I have made a mirror of the Citihub article and loaded it to this site; integrity: the final frontier, a mirror …

Adequacy

I am looking at the GDPR, and considering the issue that post-Brexit, the UK will probably have to seek an “adequacy ruling” to allow IT services trade and trade dependent on cross border IT between the UK & the EU to continue. If we adopt the GDPR as part of the so-called “Great Repeal Bill”, then there should be no problem. In the unlikely event that the fUK-EW legislates for greater data subject privacy then the EU may object because it breaks their single market rules; all jurisdictions must treat entities and citizens of the EU equally, whereas if we were to weaken the privacy provisions then the Commission would deny us an adequacy ruling. Today’s insight is that it works both ways. …