Five steps to Compliance

As we entered the ground rush zone for the GDPR a number of organisations issued numbered guidance documents in preparation. I joined in and published a blog article on my linkedin blog called “Beyond Adequate Protection”. This had my five point list of tasks to be GDPR compliant. I summarise them here,

  1. Know and document your personal data catalogue and its lawful purpose
  2. Create an identity solution for your data subjects, so subject access requests can be fulfilled
  3. Build a record keeping solution
  4. Ensure that your incident management solutions are compliant
  5. Implement changes to the software development Life Cycle(SDLC) to include privacy impact assessments

The original article deals with these in a bit more detail but I finish by saying that it’s only this easy if your organisation already meets the need to provide adequate technical and organisational protection.

 …

Managing Compliance Software

Managing Compliance Software

I have just published on my linkedin blog a little essay on managing software used for the purpose of compliance. One key insight which one might consider is that these programs are being used because you have to not because you want to. Also society does not want businesses innovating the compliance software, we need to know it does what society requires not what the business wants. This makes the governing super strategy for these applications one of “operational efficiency”, or in Dan Remenyi’s model, a “support” system. For compliance systems it is advantageous to buy or adopt a package and to adopt the package’s optimum process; society has confidence that companies are complying with the law, and the companies share the maintenance costs and get a superior product and support. In some cases, the requirement that society has confidence that compliance is correct leads to the regulators giving companies the software or running it themselves.  …

Facebook & the European Union

Techcrunch reports that the European Parliament have called for an audit of Facebook’s systems in the light of reported data breaches. Will Facebook be added to the long list of US Tech companies successfully regulated by the EU albeit mainly over monopoly issues. (Google, Microsoft, Intel, Oracle). This is shared power, that the UK will lose should we leave the European Union. …

Tory Conference Data Breach

Over the weekend, it seems to have been established that the Tory Party’s confence app suffers a major secutity flaw and that personal details of its users are available to all. While the BBC seem concerned that the ex-Foreign Secretary’s details are available, its of equal concern that all the journalists are also exposed. The maximum fine for any breach is €20m.

A further problem is that under the new laws, people who suffer a breach of rights no longer have to prove harm. This would seem to be a breach of rights and so will be treated at the serious end of the spectrum and there’s a low burden of proof.

Additionally I would add, this app It should have had a data privacy impact analysis and if deemed a high risk, permission needs to be sought from the ICO to deploy it.

The cyber-security controls should have been defined before and tested before and after the DPIA.

The Tories have 72 hours to notify the ICO of the breach and will need to consider remediation for each an every user impacted.

I am sure the ICO would not want the Tories to be their first case as they would like to have established a precedent based tariff; they wouldn’t want the governing party to be the precedent; expectations are that the ICO will be one of the more forgiving of the European data protection supervisory authorities. …

e-voting using the blockchain

I have written a couple of things about e-voting, most comprehensively in an article entitled e-voting; I was in a hurry. I came across this twitter thread which reinforces the arguments I make, although he summarises the problems as secrecy and coercion. Matthew also takes a pop at the advocates of bitcoin though and that’s because its complex, not because its private and horrendously expensive.

There aren’t 833837 items in the thread, or at least I haven’t found that many, I make it about 14. Why not check it out? …

Eternal vigilance

I have been pointed at China’s Social Credit Scoring plans via two routes. The first is this extract published at Wired from Rachel Botsman’s book, “Who can we trust”. This details the Chinese Governments plan to build a social credit scoring scheme, but the sources and incentives are horrendously comprehensive, including their leading match making agency. (It’s taken me some time to read this article, an I have bookmarked and annotated it in my diigo feed.) Worrying things about the Chinese scheme is that voluntary participation becomes mandatory; while rewards and incentives are at the forefront of everyone’s mind today, control and punishment is planned, in the Chinese case in the short term they are talking about foreign and domestic travel restrictions but as I note, the countries leading dating agency is one of the surveillance agencies. There is also talk of social investment loans (helicopter money) which become available on the basis of social scores.

The second route was an article on Medium by someone who got banned from AirBnB. He pointed at an article on Buzzfeed, “A Chinese-Style Digital Dystopia Isn’t As Far Away As We Think” where a series of regulatory decisions in the USA seem to be paving the way to something similar, a powerful illustration that the argument that surveillance is OK if it’s private sector is horrendously false.

One worrying aspect of the proposed Chinese system is that your reputation is as good as that of your friends and we have idiots trying to replicate it with peeple, and reading up on that has started me worrying about Linkedin and its competitors and we all know we should get off facebook.

The wired article came before machine learning and massive scale AI became a hot topic, but it’ll be interesting to see what happens to social credit scores when they let rip with the application of machine learning. The automated derivation of reputation scores also raises issues of safeguarding, libel and context. Safeguarding and libel laws require the machines to tell the truth, in fact safeguarding may require machines to hide the truth. Context requires a level of nuance that we are unsure if machines will ever have, but even if they get there, justice and judges must remain human and the code must be open; China’s & Facebook’s is not!. The GDPR gives data subjects rights, perhaps its time to revisit the seven principles.

Of course in the UK, we have our very own examples of machines and data sharing getting it wrong. Sajid Javid, the Home Secretary has suspended the intra-government and some of the other immigration data sharing as a result of the backlash on the Windrush scandal. (I wonder if this I an excuse to look again at the DPA Immigration Exemption clauses.) Much of what is happening in China and the USA is also happening in the UK, it’s just that the surveillance agents are the US owned datenkraken and the British State have legalised the hacking of their data streams.

What’s happening in China is terrible, but our governments are following suit! The price of freedom is eternal vigilance. …