Five steps to Compliance

As we entered the ground rush zone for the GDPR a number of organisations issued numbered guidance documents in preparation. I joined in and published a blog article on my linkedin blog called “Beyond Adequate Protection”. This had my five point list of tasks to be GDPR compliant. I summarise them here,

  1. Know and document your personal data catalogue and its lawful purpose
  2. Create an identity solution for your data subjects, so subject access requests can be fulfilled
  3. Build a record keeping solution
  4. Ensure that your incident management solutions are compliant
  5. Implement changes to the software development Life Cycle(SDLC) to include privacy impact assessments

The original article deals with these in a bit more detail but I finish by saying that it’s only this easy if your organisation already meets the need to provide adequate technical and organisational protection.

 …

Facebook & the European Union

Techcrunch reports that the European Parliament have called for an audit of Facebook’s systems in the light of reported data breaches. Will Facebook be added to the long list of US Tech companies successfully regulated by the EU albeit mainly over monopoly issues. (Google, Microsoft, Intel, Oracle). This is shared power, that the UK will lose should we leave the European Union. …

Tory Conference Data Breach

Over the weekend, it seems to have been established that the Tory Party’s confence app suffers a major secutity flaw and that personal details of its users are available to all. While the BBC seem concerned that the ex-Foreign Secretary’s details are available, its of equal concern that all the journalists are also exposed. The maximum fine for any breach is €20m.

A further problem is that under the new laws, people who suffer a breach of rights no longer have to prove harm. This would seem to be a breach of rights and so will be treated at the serious end of the spectrum and there’s a low burden of proof.

Additionally I would add, this app It should have had a data privacy impact analysis and if deemed a high risk, permission needs to be sought from the ICO to deploy it.

The cyber-security controls should have been defined before and tested before and after the DPIA.

The Tories have 72 hours to notify the ICO of the breach and will need to consider remediation for each an every user impacted.

I am sure the ICO would not want the Tories to be their first case as they would like to have established a precedent based tariff; they wouldn’t want the governing party to be the precedent; expectations are that the ICO will be one of the more forgiving of the European data protection supervisory authorities. …

e-voting using the blockchain

I have written a couple of things about e-voting, most comprehensively in an article entitled e-voting; I was in a hurry. I came across this twitter thread which reinforces the arguments I make, although he summarises the problems as secrecy and coercion. Matthew also takes a pop at the advocates of bitcoin though and that’s because its complex, not because its private and horrendously expensive.

There aren’t 833837 items in the thread, or at least I haven’t found that many, I make it about 14. Why not check it out? …

Eternal vigilance

I have been pointed at China’s Social Credit Scoring plans via two routes. The first is this extract published at Wired from Rachel Botsman’s book, “Who can we trust”. This details the Chinese Governments plan to build a social credit scoring scheme, but the sources and incentives are horrendously comprehensive, including their leading match making agency. (It’s taken me some time to read this article, an I have bookmarked and annotated it in my diigo feed.) Worrying things about the Chinese scheme is that voluntary participation becomes mandatory; while rewards and incentives are at the forefront of everyone’s mind today, control and punishment is planned, in the Chinese case in the short term they are talking about foreign and domestic travel restrictions but as I note, the countries leading dating agency is one of the surveillance agencies. There is also talk of social investment loans (helicopter money) which become available on the basis of social scores.

The second route was an article on Medium by someone who got banned from AirBnB. He pointed at an article on Buzzfeed, “A Chinese-Style Digital Dystopia Isn’t As Far Away As We Think” where a series of regulatory decisions in the USA seem to be paving the way to something similar, a powerful illustration that the argument that surveillance is OK if it’s private sector is horrendously false.

One worrying aspect of the proposed Chinese system is that your reputation is as good as that of your friends and we have idiots trying to replicate it with peeple, and reading up on that has started me worrying about Linkedin and its competitors and we all know we should get off facebook.

The wired article came before machine learning and massive scale AI became a hot topic, but it’ll be interesting to see what happens to social credit scores when they let rip with the application of machine learning. The automated derivation of reputation scores also raises issues of safeguarding, libel and context. Safeguarding and libel laws require the machines to tell the truth, in fact safeguarding may require machines to hide the truth. Context requires a level of nuance that we are unsure if machines will ever have, but even if they get there, justice and judges must remain human and the code must be open; China’s & Facebook’s is not!. The GDPR gives data subjects rights, perhaps its time to revisit the seven principles.

Of course in the UK, we have our very own examples of machines and data sharing getting it wrong. Sajid Javid, the Home Secretary has suspended the intra-government and some of the other immigration data sharing as a result of the backlash on the Windrush scandal. (I wonder if this I an excuse to look again at the DPA Immigration Exemption clauses.) Much of what is happening in China and the USA is also happening in the UK, it’s just that the surveillance agents are the US owned datenkraken and the British State have legalised the hacking of their data streams.

What’s happening in China is terrible, but our governments are following suit! The price of freedom is eternal vigilance. …

Big Copyright strikes again

Big Copyright strikes again

This time in the European Parliament. They want upload filters and to tax ISSP’s reuse, but you can do something about it.

Last week a committee of MEPs voted 15 – 10, reported here by one of its members, Julia Reda, the sole Pirate Party MEP, in favour of the EU Copyright Directive’s disastrous Article 13. This misguided measure will introduce upload filters that would change the way that much of the Internet works, from free and creative sharing, to one where anything can be removed without warning, by computers. They also voted in favour of Article 11, which Europeanises a German & Spanish law and places a monetary liability on internet software service providers who use snippets of news articles originally published by for-profit publishers.

This article explains why the measures are wrong, and points to the campaign sites. It was amended on the 5th July after the vote to report the result, which was that the Parliament voted to re-open the discussion in plenary.

Here are the votes, interesting splits. …

Privacy & compliance, reprised

I have had a look at the changes in Law, and thus the potential changes in data protection strategy since I first wrote about the conflicts between privacy, compliance and law enforcement.

The US courts have been siding with citizens and their privacy rights, the ECJ has been doing the same. Parliament has been going in the opposite direction, although the Supreme Court has declared the Data Retention laws to be contrary to Human Rights Law and should we actually leave the EU we will find obtaining an “Adequacy” agreement harder than we’d hope as the EU Parliament, Commission and the EU Data Protection Supervisory board focus on the rights of privacy from Governments. This will be a significant problem if the ECJ strikes down the model clauses and binding corporate rules.

I briefly touch on the fact that the European Laws are meant to be implementing the globally agreed seven principles of Data Protection, of Notice, Purpose, Consent, Security, Disclosure, Access and Accountability and that in a rights based jurisdiction, these rights must be protected from the Government as well as from Corporates.

 

The language has developed since 1980 but these principles were agree by the OECD in 1980.

I conclude the article by saying,

Today, under EU law, the lawful purpose would seem to be more flexible, cross border transfers are more restricted, and may become more so, and the EU is more concerned about nation state compliance; it’s what you’d expect from a political entity consisting of states and the children of people surviving fascist or Stalinist rule.

This political heritage should be remembered by those that see these laws merely as a business burden, …