Security professionals representing top UK companies have gathered opposite the Tower of London to demonstrate their solidarity in taking information security seriously.
The event kicked off Security Serious Week, dedicated to businesses which take security seriously and want to share their IT security experiences with other businesses.
The campaign, spearheaded by Eskenzi PR, has attracted support from 70 organisations, with more than 50 of the world’s experts in cyber crime and security offering their time and expertise free of charge to others who want to become more security savvy and cyber aware.
Large businesses, universities, associations and government bodies are supporting the campaign, including Unilever, Lloyds Banking Group, BT, HP Security Voltage, Canon UK, HSBC, Publicis Groupe, GlaxoSmithKline, the government’s Department of Culture, Media and Sports, and leading IT security suppliers.
“Security Serious is all about the IT security industry, and the professionals that work within it, getting together to take security seriously,” said Yvonne Eskenzi, director and founder of Eskenzi PR.
“This campaign is about those that can’t learning from those that can – it’s simple really. I plan to bring together our leading experts to convey their words of wisdom to those people and organisations who want to become more security savvy,” she said.
The campaign includes a series of webinars about key information security topics, including social engineering and security awareness, top ways to protect sensitive data, next-generation security, dealing with the shortage of cyber security skills, cyber insurance and incident response.
Prepare for the EU General Data Protection Regulation
One of the most topical webinars available to view is entitled: Will you be fined under the new General Data Protection Regulation?
The webinar is presented by Steve Wright, chief privacy officer at Unilever, who has spent the past two years getting to know the implications of the regulation.
He believes that big data governance, cyber security and privacy are all inextricably linked as they share common objectives and principles, and therefore require satisfactory safeguards and assurances.
From a business perspective, this can be achieved by building data trust and assurance programmes based on the fundamental principles of transparency, accountability, protection, integrity, confidentiality and availability, accompanied by clear policies and delivered through comprehensive training, integrated procedures and a robust compliance regime.
Unilever’s digital ambition – to connect with one billion consumers around the world – pushes the boundaries of functionality, connectivity and personalisation.
Wright’s role is to work collaboratively and integrally with the business, to help steer and shape the digital conversation and leverage the power of data analytics, while also ensuring the business remains compliant with laws around the world, but still competitive and acts in a moral and ethical way in relation to the rights of individuals.
The webinar demonstrates that the EU General Data Protection Regulation (GDPR) is fundamentally right because strong guidelines are necessary to ensure people do not lose trust in the digital economy.
“We now share so much data everywhere online – personal data on Facebook and Twitter, as well as payment details – it’s important to protect our identity and privacy,” said Wright.
He believes there five key effects of the GDPR:
New legal requirement for explicit consent to be obtained prior to conducting profilingThe potential impact of this could affect an organisation’s consumer brand experience plans and/or personalisation ambitions, and, in some circumstances, could render existing consumer databases useless, as this law will be applied retrospectively.
Enhanced consumer rightsTo respond to consumer requests, enquiries and complaints in a repeatable and efficient way, and to fulfil this law, organisations should design for a straightforward “contact us” and “right to be forgotten”.
Joint liability for processors and controllersThe GDPR expands the scope of application of EU data protection law requirements in two main respects. The first is data “controllers” – for example, people who determine why and how personal data are processed. The second is that certain requirements will apply, for the first time, directly to data “processors” – for example, people who process personal data on behalf of a data controller. Processors, such as technology suppliers or other service providers, established in the EU will be subject to the GDPR’s direct statutory obligations for processors, as opposed to just the obligations imposed on them by contract by the controller. The biggest change is that controllers which are not established in the EU but collect and process data on EU residents through websites, cookies and other remote activities are likely to be caught by the scope of the GDPR. E-commerce providers, online behavioural advertising networks, analytics companies that process personal data are all likely to be caught by the scope of application of the GDPR.
Data breach reportingThis is particularly prevalent if an organisation were to suffer a consumer data leak as an organisation would need to notify, within 72 hours, the data protection authority and, where appropriate, the consumers affected. In addition, consumers need to have the capability to easily “contact” the organisation and under this new law, consumers will have other rights such as the ability to launch a “class action”.
Safe HarbourThe EJC ruled recently that Safe Harbour was an invalid mechanism to provide assurance that EU data subjects were being treated fairly and lawfully. This affects many major suppliers, including Oracle, Salesforce, IBM, Amazon and Microsoft.
What organisations need to do:
Test current and future data protection complianceIn Europe, organisations need to test their level of compliance against 40 to 50 questions relating to data protection.
Establish your data protection officer networkEstablished a network of geography-based data protection officers who will spend approximately 10% of their time on data protection and privacy issues.
Ensure privacy by designEmbed privacy by design into large data programs/architecture.
Conduct privacy impact assessmentsWhere possible, create an automated process for marketing. This will help marketers understand and mitigate privacy risks before activating marketing campaigns. This is a requirement under the new regulation. The requirement includes any new inception of technology, product or service – think e-commerce and mobile commerce.
Ensure accountabilityEnsure allocated ownership and responsibility is identified for all relevant management teams.
Provide training Organisations need a comprehensive training/awareness campaign and need to upskill staff handling personal data across key human resources and marketing functions.
Ensure watertight contractsReview existing and new standard privacy-related contractual clauses and ensure they are being incorporated into contracts with third parties and strategic partners.
Enable data breach reportingTest breach notification procedures in readiness for new reporting guidelines, including simulation tests.
Safe HarbourCreate a small project to work with applicable third-party contracts to impose EU model clauses.
With 4,000 amendments since the drafting of the GDPR in the past two years, Wright said there is a lot to get to grips with and it is imperative and essential that organisations get their houses in order before the regulation becomes law.