On proposals for a British digital currency

The UK Govt have issued a consultation on how or whether to implement a Central Bank Digital Currency. I have written up my thoughts on LinkedIn & Medium and have some further notes on my wiki. I look at the arguments in favour, cite some Swedish sources, who are four years ahead of the UK, and conclude, “This is ideologically dangerous, technically complex, and a solution in search of a problem.” …

Horizon Europe

As the UK government sorts out its argument with the EU over the border between Eire and Great Britain, rejoining Horizon Europe becomes a possibility, although it seems that Rishi Sunak is not so keen. In an article on LinkedIn called “Horizon Europe, more than just cost”, I note that in the final year of Horizon the UK research entities were granted €5bn. The most important point made by my article was that the value of Horizon is as much the contribution of the other partners, some of whom must be from a 2nd country. The value of Horizon to researchers is the leverage of the domestic investment as much as the grants. …

On Release Management

I wrote a piece on Release Management on my LinkedIn blog. I talk about the minimum properties of a change control authorisation system, the minimum evidence required before agreement can be issued, the need for an emergency change control process, the need for post-implementation reviews, treating failures as incidents and applying problem management tools to them, and ensuring that there is an appropriate segregation of duties. …

On Musk and Twitter

Elon Musk has taken over Twitter; I wrote a short piece on LinkedIn on the deal, its funding, and the technology. Since then some, including the FT (£), have commented on its funding, not least the bank loans and thus the collateral required. The LinkedIn article and this post have some interesting links commenting on the deal, or at least I think so. I also quote some sources about the fear of the world's town square being owned. …

Do victims of a cyberbreach need to prove harm?

I have just posted to my LinkedIn blog on the reference from the Austrian courts as to whether victims of a data breach need to prove harm to obtain compensation.

The Advocate General is not so sure, although on my CIPP(E) course the instructor was clear: a breach of rights is a harm.

I look at the GDPR and the DPA 2018, which confirms that in the UK ‘“non-material damage” includes distress’.

I conclude by noting that, “My experience in tracking the citizens’ panels of the Conference on the Future of Europe (CoFoE) is that Europe’s citizens, the children and grandchildren of fascist and Stalinist societies, are looking for greater enforcement, not less.” Politicians in the EU are under pressure to go in the other direction. …

Some thoughts on IS programme management

I wrote a note on information systems programme evaluation and management on my LinkedIn blog. It considers business value vs. reliance and observes that this technique permits the management of software products to have different governance policies, that measuring competitive advantage is hard, and that IT strategy must be aware of business strategy, which will drive the build vs. buy decision together with other project management decisions. Importantly, it decries the practice of buying and adapting a software package. These ideas were first taught to me by Dan Remenyi. …

A note on Data Protection Officers

The Data Protection Officer role was revised by the GDPR and the member state implementations. Here is a reminder for those that need it.

Article 37 states that a processor or controller requires a DPO if it is a public authority, if it requires regular and systematic monitoring of data subjects on a large scale, or if it processes special data.

A DPO may work for multiple companies, but Article 38 requires the DPO to be adequately resourced and supported.

The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks specified in the GDPR Article 39.

Article 38 states that the DPO must be involved in all issues which relate to the protection of personal data, be properly resourced to perform their duties and to maintain their professional expertise, not receive instructions on the conduct of their duties, not be dismissed for doing their job, and report to the highest levels of management.

The tasks of the role are defined in Article 39: the job is to advise the highest levels of management on their obligations, to monitor compliance including the assignment of responsibilities, training and operations’ audits, to assist with and monitor the data privacy impact assessments, and to cooperate with and act as a contact point for the supervisory body, in the UK the ICO.

I have used the EU text as the source of my summary, and it is reproduced below ...

This post was originally posted at LinkedIn.

The 7 Principles

When evaluating Data Protection laws and enforcement appetite, one sometimes needs to refer to the 7 principles. These were agreed by the OECD in 1980 and I summarise them below.

  • Notice: Data subjects should be given notice when their data is being collected.
  • Purpose: Data should only be used for the purpose stated.
  • Consent: Data should not be disclosed without the data subject’s consent.
  • Security: Collected data should be kept secure from potential abuses.
  • Disclosure: Data subjects should be informed as to who is collecting their data.
  • Access: Data subjects should be allowed to access their data and make corrections to any inaccurate data.
  • Accountability: Data subjects should have a method available to them to hold data collectors accountable to the above principles.

Europe’s privacy laws are constructed by building legislative infrastructure based on treaties and then creating law. The diagram below shows the timeline of European infrastructure (above the line) and law (below the line); it was made a year or so ago and thus does not include the UK’s departure from the EU, nor the assignment of “Adequacy” by the Commission.

While much focus today is on the EU’s GDPR, the principles that underpin it are more broadly accepted than that law, and in some areas the GDPR may be found wanting.

This blog post originally appeared on my LinkedIn blog. …

On Cyber-security

I posted a note on cyber security on my LinkedIn blog. I give some pointers on the standards and controls needed to defend against a cyberattack and implement “adequate technical and organisational” protection. It looks at and links to the NIST cyber-security framework and lists some of the necessary controls to implement a reasonable defence and prove “adequate technical and organisational” controls. If you do what I suggest badly, you might get away with it; if you do it well, you might stop and/or recover from attacks. …