
Ready for GDPR? 5 Simple Steps!

According to Kroll Ontrack & Blancco, 4 in 5 IT managers are unaware of the upcoming changes to data protection regulation, the EU General Data Protection Regulation (GDPR). This certainly means they can’t be preparing for it either… and, unlike under the Data Protection Act 1998 which it will supersede, the penalties can be huge – 5% of global turnover or €100,000,000 (whichever is greater!).

What is GDPR?

The GDPR will be a common set of data protection rules across the European Union. Technically it will be an EU Regulation which will be implemented in law in all member states – the purpose being to harmonise data protection across the EU and (potentially) centralise policing for international companies.

At the moment it is still in draft form, but the expectation is that, although some changes have been made over its course through the European Parliament, it will be adopted in late 2014 or early 2015 and come into force in 2017 – allowing at least 2 years for companies to transition.

What’s different?

There are 5 main differences to the Data Protection Act in the UK:

  1. Three New Rights For Data Subjects:  The Right To Be Forgotten, The Right To Data Portability, and The Right To Data Erasure.
  2. Mandatory Breach Notification. It becomes mandatory to report data breaches to the regulator within 72 hours, and data subjects must be notified if harm will occur.
  3. Explicit Consent. You must obtain explicit consent to hold the data from the data subject – opting in will become the norm.
  4. Penalties. As mentioned, the penalties rise significantly for negligent data breaches – rising to 5% of global turnover or €100m for more serious breaches.
  5. The Data Protection Officer. Public sector bodies and organisations processing over 5,000 subjects’ data in 12 months must appoint a Data Protection Officer whose responsibility it will be to conduct risk assessments and analysis and to safeguard the data.

Don’t Panic – We’ve Got 2 Years!

Don’t Wait Either.

With such huge changes proposed there are the usual elements of the IT industry who are either professing impending doom or suggesting that it won’t happen. Neither seems likely to me – GDPR will happen in some form, likely to be close to the current drafts; and there is no impending doom.

There are at least two years until you have to be compliant, so there is plenty of time to start integrating the new principles now so that the change can be almost seamless by the time it becomes mandatory. Data security is becoming a large differentiating factor for consumers, so make sure you’re ahead of the game – I’ve got 5 simple steps you can start with now to make sure you’re ready come 2017:

5 Simple Steps to GDPR Compliance.

1.  Understand Where You Are.

Before you can start to think about how you’ll comply with GDPR you need to know what data you have now, where it is and how it is protected. Undertake an audit of what you hold today, and what you’re likely to take on in the next few years. Once you have this, assess how relevant it is – do you need to keep it? Does it have value? Of course you should already be destroying data when it becomes unneeded under the DPA’s Principle 5… but check and delete. If you don’t have it, you can’t lose it!

2.  Obtain Consent & Engage.

Now you know whose data you’ve got, remember that you’ll need to have their consent to hold it in a post-GDPR world. You can use the next two years to obtain that consent when customers and data subjects contact you naturally. Develop the processes for obtaining consent now – a simple ‘Do you mind if we hold your details?’ in a contact centre conversation will suffice. Don’t try to obtain it surreptitiously, in small print or otherwise; people won’t take kindly to it and it’s not in the spirit of the regulations: would you want your data held like this?

If you start asking now, by 2017 a huge proportion of the relevant data you hold (remember to destroy ageing data!) will be opted in and you won’t be one of the organisations embarrassingly seeking retrospective consent.

3.  Update Your Policies.

As the GDPR will enshrine a right for data subjects to see your privacy policy, this is a great opportunity to update it and make it obviously available – put it on your website.  You can use the results of your audit from step 1 to make sure it’s accurate too.  Ensure it is written in plain English and is easy to understand.

Update your Breach Policy & Detection. With stiff penalties for failing to report breaches within a much shorter time scale than you may be used to working to, it’s important that your internal process means that any breach, no matter how small, gets to your Data Protection Officer (or equivalent for smaller companies) promptly, and that you have a plan for how to react. Ensure that everyone in the business knows the importance of reporting data loss promptly – include it in your recurrent data protection training from now onwards.

4.  Identify Responsible Person.

If you’re a public body, or process data on more than 5,000 subjects, then you’ll need someone to fulfil the mandatory role of ‘Data Protection Officer,’ but even if you’re smaller you’ll want to identify one person in your organisation who can ensure you’re compliant. Someone with experience of data protection principles and a good view of the company will be ideally placed. Resist the temptation to appoint someone from the Finance or Legal teams unless they’ve genuinely got a good understanding of the data identified in point 1.

Use the time between now and implementation to make sure that they have conducted relevant Data Risk Assessments and mitigated risk wherever possible.

Then, importantly, empower this person – get senior management or the board involved to ensure that everyone knows about the changes and the importance of them (there’s €100m at stake here!).

5. ‘Change-In’ The GDPR now.

Come 2017, most companies won’t be operating exactly the same systems, in the same state, as they are today. This means the natural business changes which keep driving them forward can be used to ensure you’re designing in GDPR principles from today onwards. Some simple ideas and best practice:

  • Select a data protection framework now (COBIT, NIST or ISO) and judge all new changes against it.
  • Build in monitoring and reporting tools which report loss.
  • Obfuscate and encrypt data wherever possible, especially on test systems.
  • Adopt ‘Opt In,’ ‘Data Portability’ and ‘Data Erasure’ functions in new software, now.
  • Audit your systems – consider getting external auditors to both probe your defences and your processes.

A series of small changes over the next two-to-three years will mean you’re ready for GDPR when it becomes law.

If you’re in doubt at any point, ask yourself:

Would I want my data held and processed like this?  Does this seem fair?


HMRC Anonymous Data? Be Careful…

This weekend we awoke to hear of plans by Her Majesty’s Revenue & Customs (the UK tax authority, akin to the IRS in the USA, but with more power) to start selling anonymised tax data where doing so “would generate clear public benefits, and where there are robust safeguards in place.”

Although there is no formal announcement on the HMRC news section, you can see some of the press coverage on The BBC, The Guardian or The Telegraph.

You’ll see that one of the Government’s own MPs has described the plan as “borderline insane,” a tactic no doubt employed to garner some headlines and ensure that his opposition is well known, especially given the likely public reaction and HMRC’s not-all-too-great record on data protection. But is it that insane?

Setting aside the plans to sell the data, and the slightly more nuanced debate that the sale of public data brings (and of course the OpenData / Data.gov movement) I’d like to concentrate on the anonymisation of the data which HMRC might be proposing to use, and just how flawed that can be in the age of Big Data and Cloud Computing.

It is likely the proponents of the HMRC plan will assure the general public that their data won’t be identifiable and the principle of tax-payer confidentiality will be upheld… Well, it turns out that’s really hard to do!

Re-Identification

Re-identification is the process of taking a dataset which is believed to have been anonymised of any personally identifiable information and, by means of processing or data-matching, re-establishing the personally identifiable information (PII) with some level of confidence.

In practice this generally means combining other publicly available information with the ‘anonymised’ information in a data-matching / ‘jigsawing’ exercise. Historically this was hard, processor-intensive work which could take days or weeks and thus was usually cost or time prohibitive – even with just one data set to combine.

However, the advances in ‘Big Data’ over recent years, combined with the scalable power of cloud computing, mean that multiple data sets could be combined in a matter of moments – making the re-identification of data not only possible but also practicable.

An often-quoted example of this process is when the anonymised usage data Netflix first released as part of the Netflix Prize was combined with IMDB reviews (and thus IMDB user names). It was possible to identify the user who had watched a Netflix movie and then link that to their IMDB review based on the time – a seemingly innocuous data point in the Netflix set. By then reversing this process it was possible to take the IMDB reviews and user names and come up with a complete listing of films watched by each user. More information on that here.

This was with two data sources – IMDB and the Netflix anonymised data. Imagine if the researchers had then added in social media data, perhaps by looking for similar user names, or for posts containing the film’s name around the correct time – something not that complicated to do with Big Data and Cloud tech. It would have been comparatively easy to go from anonymised film usage data to a picture, name and social media details of the person watching it, along with their recent film history.

Just think of the consequences if the same happened with your tax data!

What Do We Do?

Of course, we all want open data, don’t we? But if we get scared by the possibilities like those above, we’d never release any data. A similar recent debate in the UK formed around government plans to allow research based on NHS medical records – Care.data. Fundamentally few people would disagree with using existing medical knowledge to try and improve care for the future, but medicine is complicated and you need a lot of data about an individual person to do that reliably. So, anonymised data would help, and surely we all want better health for our future generations (and maybe even us!).

Obviously we have to be careful HOW we anonymise data. The devil is in the detail. As data professionals we can take obvious steps to anonymise data effectively against the threats we know about at the time we anonymise it. We also look to anonymise data down to the lowest level needed to provide meaningful data for research & development, social good etc. – perhaps by aggregating data into groups (for example postcode area SW1A rather than SW1A 2, or even SW1A 2AA – Downing Street).

The problem comes, as with most information security, that there will always be someone with more knowledge, more skills or a stronger, often nefarious, desire to break the defences put in place to protect that information. This is the “motivated intruder” attack. It is our job to protect against this as best we can when we anonymise data – it’s a higher standard than “can a reasonable person link data.”

Motivated Intruder Test

So, when anonymising our tax data, HMRC must think of the motivated intruder. In fact, the Information Commissioner’s Office details this exceptionally well in the Code of Practice for Anonymisation. HMRC will have to think about some, all, and hopefully more than the following:

  • What other information is out there?
  • What other information could be “jigsawed” with the tax information?
  • What information they release:
    • Can they aggregate without losing utility of the data?
    • What data points are in it which may help to identify a person?
    • What could the data be used for?
  • How difficult (and therefore likely) is it to use this data?

Some of these will be very hard to answer, or even unknown to HMRC. They are the realm of specialists who devote their whole professional life to this sort of question. It’s just like any other form of information security – you don’t know what you don’t know yet… so best ask someone who does nothing else. Actually, ask two people – or better still 20.
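To make two of the questions above concrete (which data points in a release help identify a person, and whether aggregation keeps the data useful), here is an added example, not from the original post and not HMRC’s method, which generalises UK postcodes to sector and district level and measures the smallest group an intruder who knows someone’s postcode, birth year and sex could narrow them down to. The records are constructed sample data, and the quasi-identifier fields are an assumption for illustration.

```python
"""Added example (not from the original post): how identifying a release is,
and how postcode generalisation trades identifiability against utility.
All records below are constructed sample data, not real tax data."""
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Record:
    postcode: str     # full unit postcode, e.g. "SW1A 2AA"
    birth_year: int
    sex: str
    income_band: str  # the attribute the release is meant to convey


# Constructed sample: deliberately small so uniqueness is easy to see.
SAMPLE = [
    Record("SW1A 2AA", 1975, "F", "40-50k"),
    Record("SW1A 2AB", 1975, "F", "30-40k"),
    Record("SW1A 1AA", 1980, "M", "50-60k"),
    Record("SW1A 1AB", 1980, "M", "20-30k"),
    Record("SW1A 0AA", 1980, "M", "60-70k"),
    Record("SW1P 3AA", 1990, "F", "20-30k"),
    Record("SW1P 3AB", 1990, "F", "30-40k"),
    Record("SW1P 4AA", 1990, "F", "40-50k"),
]


def generalise_postcode(postcode: str, level: str) -> str:
    """Reduce a UK postcode to a coarser level:
    unit "SW1A 2AA" -> sector "SW1A 2" -> district "SW1A"."""
    outward, inward = postcode.upper().split()
    if level == "unit":
        return f"{outward} {inward}"
    if level == "sector":
        return f"{outward} {inward[0]}"
    if level == "district":
        return outward
    raise ValueError(f"unknown level: {level}")


def quasi_identifier(rec: Record, level: str) -> tuple:
    """Fields a motivated intruder could plausibly learn elsewhere (assumed
    here: postcode, birth year, sex) and jigsaw against the release."""
    return (generalise_postcode(rec.postcode, level), rec.birth_year, rec.sex)


def group_sizes(records, level: str) -> Counter:
    return Counter(quasi_identifier(r, level) for r in records)


def k_anonymity(records, level: str) -> int:
    """Smallest equivalence class: knowing someone's quasi-identifier narrows
    them to at least k rows. k == 1 means somebody is singled out."""
    return min(group_sizes(records, level).values())


def unique_fraction(records, level: str) -> float:
    """Share of rows that are the only one with their quasi-identifier."""
    sizes = group_sizes(records, level)
    singles = sum(1 for r in records if sizes[quasi_identifier(r, level)] == 1)
    return singles / len(records)


def release(records, level: str, k: int) -> list:
    """Generalise postcodes and suppress rows in groups smaller than k.
    The rows dropped are the utility cost of reaching k-anonymity."""
    sizes = group_sizes(records, level)
    return [replace(r, postcode=generalise_postcode(r.postcode, level))
            for r in records if sizes[quasi_identifier(r, level)] >= k]


if __name__ == "__main__":
    for level in ("unit", "sector", "district"):
        print(f"{level:9s} k={k_anonymity(SAMPLE, level)} "
              f"unique={unique_fraction(SAMPLE, level):.2f} "
              f"rows kept at k=2: {len(release(SAMPLE, level, 2))}/{len(SAMPLE)}")
```

At unit level every row is unique; only at district level does every person share their quasi-identifier with at least one other, and reaching a higher k still costs rows.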

When we launch a new website, or service, or even maintain an existing one, the prudent amongst us employ the services of at least one (sometimes many) security consultancies to “penetration test” them. They use all the techniques they know to try and break in / break the service. Anonymised data should be no different – HMRC must test their data sets with as many third parties as possible, and they should make those results public to instil confidence.

The publication of anonymised tax records could be very useful for so many aspects of life, some commercial, some social – but the potential harm of doing it incorrectly is huge and the risk of doing so is high. HMRC would be wise to tread very carefully and walk very slowly into this one.

7-5, Taken Alive??

Please don’t misuse it…

When learning to fly I was taught a mnemonic (one of many learnt during training), which helps me to remember the three very important transponder squawks which are used in varying emergencies:

75 – taken alive, 76 – in a fix, 77 – going to heaven.

This is to describe the following squawks and their uses.

  • 7500 – Unlawful Interference – Hijacking normally.
  • 7600 – Communication Failure – Radio Inoperative.
  • 7700 – Other Emergency – Normally a Mayday, where an aircraft or person aboard is in grave or imminent danger.

Emergency Squawks

The main thing they do is alert any radar operator to your peril – and they generally do this by highlighting the aircraft in a very prominent colour on the display of the radar operator.  The operator can then use this information to assist the flight much better, and if you have a Mode S transponder they will also have other information about the flight as well.

Of course we all hope we never have to use any of the emergency squawks, but we all use routine codes every day and will often have to change between them in flight, as we are assigned new codes by new ATC units.

Be Careful!

A post in this month’s GASIL reminds us that as pilots we have to be careful how we set these squawks… particularly near or around 7500. Older transponders (in much of the GA fleet) are set by rotating a series of dials, whereas newer transponders are set with buttons and the code typed in.

Old Transponder
New Transponder

The danger is that when changing squawk on an old style transponder you may scroll the dials through one of the emergency combinations.  7600 and 7700 can be resolved quite quickly by confirming with Air Traffic Control that no emergency exists…  however they are unlikely to believe that having squawked 7500 (even fleetingly) no hijack situation exists, no matter how much you plead.

Fighter Jet Anyone?

The point made in this month’s GASIL, which I am emphasising, is that you must select standby when changing transponder codes on older style units.

Change the unit to standby, change the code, then turn the transponder back to On (or Alt if available).

If you do not then, in the current climate, and especially in 2012 with the Olympics in town, you can fully expect to be intercepted by an RAF Typhoon from the Quick Reaction Force. This may take some explaining away…

… but if you do get it wrong you can find the Interception Procedures here!

2012 Olympics… the end of Aviation?

The proposed airspace restrictions which will come into force for the 2012 Olympic games in London have been announced…  but I am not quite sure who dreamt them up!

When London won the 2012 Olympic games it was widely celebrated as being good for business and the economy as a result of all the extra people and spending it would bring in. It seems that if you are in the business of aviation and you’re in the South East of England, it won’t be good for your business!

Restricted or Prohibited.

Olympic Airspace Restrictions

As you can see from the graphic, the plan is to establish two temporary control zones. The central one will be prohibited for all flight apart from IFR traffic for London Heathrow and London City (and RAF Northolt & Biggin Hill). This includes the heli-lanes across London, and London Battersea heliport.

There will then be a much larger Restricted zone which more or less covers all of south eastern England.  Flight by powered aircraft will be permitted in the restricted zone, so long as:

  • A flight plan is filed using AFPEx between 2 and 24 hours prior to flight.
  • An acceptance / approval number is granted on receipt of the above.
  • 2-way RT is established with the controlling authority and the acceptance number is quoted.
  • Aircraft is squawking the unique assigned transponder code.
  • RT with ATC at all times.

These restrictions will be in full force for 2 months (13 July to 12 Sept 2012).

Why?

Clearly the authorities (in this case the CAA, NATS, MoD, and HM Government’s security services) have an obligation to deliver a safe games; and these restrictions are obviously designed to reduce the threat of terrorist attacks using aviation. But I just don’t see how they can work…

Inside the Restricted zone are a number of general aviation airports, from where a light aircraft can take off and be over the Olympic games sites in under 10 minutes.  All of the measures above will only assist in identifying that an unauthorised flight is taking place.  But can the military really get a fighter jet “on task” that quickly, and if they can – what are they going to do about a light aircraft only a few hundred feet above a packed venue?   Whatever they do there is certain to be a lot of “collateral” damage.

Destructive Effect.

It’s probably fair to assume though that the security services have some form of plan for this eventuality and clearly they aren’t going to share that with the masses.  However, it’s the destructive effect of such a massive restriction zone which concerns me.

Obviously all current commercial traffic into and out of London Battersea will be done for; and there are a further 14 airfields within the zones which have to date not been consulted at all. There is a suggestion that exemptions may be granted on a case-by-case basis, but unless these exemptions are pretty generous then general aviation is pretty much ruled out during the Olympics.

So, if you’re a helicopter charter operator who thought the Olympics would bring plenty of work in… you might want to think again. Or at the very least email Olympics.Airspace@dft.gsi.gov.uk with your concerns!

Wonga. Wronga?

Today I had the television on in the background while I did some chores around the house and an advert for Wonga caught my eye. Wonga is a loan company who specialise in relatively low value, very short term loans. It wasn’t the product which caught my eye – but the eye-watering APR of their products: typically 2689%. Yep, 2689%. Wow!

I tweeted about how this was nearly 100x more than my (fairly high APR) credit card. It turns out that Wonga have a rep on Twitter – WongaWoman. She replied and explained that their loans are very short term, so I thought I would do a bit of research.

They have a page on their website which is dedicated to explaining why their APR looks so ridiculously high. It goes into detail about how APR is an annual indication, and that they feel it is unfair to use an annual indication as a comparison when essentially the products (theirs and a standard loan) aren’t the same. I sort of agree, but they are obliged to state their APR because of the law, and it does show that if you borrowed this money over a year it would be incredibly expensive.

Credit where it’s due.

To their credit they are very upfront about how much it costs to borrow their money (they give a total repayment figure before you take out a loan), and they seem to have a robust responsible lending policy which sees the amount available to you rise as you use the service. They are also filling a gap in the banking sector where the big retail banks don’t operate. In addition they make a donation to a poverty-fighting organisation (Kiva) for every loan they process. They have won numerous industry awards too by the looks of it; and given their response it’s not like they are trying to hide.

Extortion or Bad APR?

In the wake of the credit crisis many questions were asked about the lending practices of the banks, and more about “payday” loan companies and similar. There were even moves by several members of parliament to put an absolute maximum APR into law; they cited sample APRs which were not dissimilar to the rate which Wonga charges, and they called it extortion.

Is it really extortion, or is APR just not a good comparator for this type of loan, which does have a different feature set and audience to traditional bank loans? If we did have a law to stop extortionists and it were to be based on APR, how could we still allow legitimate and upfront businesses like Wonga to operate? Or should we allow lending with such high APRs at all…

Interesting Links for October 6th.

These are my interesting links for October 6th:

Interesting Links for September 27th.

These are my interesting links for September 27th:

Interesting Links for August 12th.

These are my interesting links for August 12th:

Interesting Links for June 29th.

These are my interesting links for June 29th:

Identity & eBills

A slightly pertinent topic in the light of the new UK government’s scrapping of the Identity Card scheme, but I had a bizarre experience yesterday trying to prove who I was in order to hire a Rug Doctor machine to clean my hallway carpet.

I presented myself at the Focus (1 of 2 local DIY stores) with the following documents:

  • Full UK Driving Licence (Both Parts)
  • Passport
  • Vehicle Registration Certificate (dated April 2010).
  • 2 Credit Cards
  • JAA Private Pilots Licence (in same folder as driving licence, not being poncy!)

All of which was not sufficient to prove my identity to rent what is in all likelihood about £300 worth of hoover. This was because I did not have a recent utility bill or bank statement with my address on. I pointed out to the assistant that I get all of my credit card and utility bills electronically now, and thus didn’t have any; but that I had brought the ‘log book’ for my motorbike which was issued by DVLA on 23rd April 2010.

Not Available without 'ID'.

I then remembered that I had hired a machine off them in January too, but that wouldn’t help them. The manager point-blank refused to believe I was me and lived at the address identified on no less than 4 pieces of Government-issued documentation. Instead they needed a print-out of a utility bill and insisted upon it; there was no question of using discretion or common sense – the adage “Rules are for the guidance of wise men and the obedience of fools” seemed to apply.

I duly went home and printed out a PDF of my last credit card statement; however, I went to Homebase instead to hire the machine, in order to make my point about the stupidity of the manager’s decision in Focus. I hired the machine on the basis of a passport and a printed-out credit card statement.

It does seem, though, that in order to prove your identity (or more accurately your address) in the UK, a home-printed PDF (please don’t edit it yourself) is more admissible than a government-printed official document (or 4) on watermarked paper with holograms. Rug Doctor are asking for it, in my opinion!