#Age Appropriate #Design Code or the #Children's Code #webinar on Monday 17 #May 2021 6pm (UK): Are you ready for the Children Code?

Welcome to browse on the BCS website for further details and also you can download the presentation slides (pdf).

My PhD #Thesis. pic.twitter.com/B8MsesgU0O

— cher devey (@datachainrisk) June 18, 2019

My written prepared talk is shared below.

Privacy and the Individual – What difference will GDPR Make?

Thanks John for the introduction. A warm welcome to all.

Any talk on privacy and the GDPR invariably uses terms or phrases that may be blurry or obscure. So just to set the scene, when I say the ICO I’m referring to the UK’s data protection watchdog – The Information Commissioner’s Office. When I say ‘data’ I’m referring to personal data as described in the GDPR.

Although the GDPR did not reference privacy – itself a complex term, privacy is embedded as information or data privacy and expressed in phrases such as:
‘respect for human rights and fundamental freedoms (Art. 12 – exercise of the rights of the data subject); ‘High risk to the rights and freedoms of natural persons’ (Art. 35 -Data protection impact assessment), and ‘Risks to the rights and freedoms of natural persons (individuals)’ (Recital 75).

It is no longer just about protecting personal data or processing of personal data but data privacy.

With this comes obscure or unclear terms.

What is ‘high risk’? How do you express ‘rights and freedoms’ of natural persons (individuals) especially in the context of privacy impact assessment (PIA) or data protection impact assessment (DPIA)?

We know that the GDPR describes DPIA (Art. 35) and also breach notification (Art. 33 – notify the ICO, and Art. 34 – communicate to the data subjects).

I know fresh in our minds is the recent Facebook-Cambridge Analytica scandal. Flashback to October 2015, anyone here still remembers the TalkTalk data breach incident?

Would you all agree that both Facebook & TalkTalk responded or handled the data breach announcement or notification to affected individuals rather badly or failed to do so in the eyes of the public and the affected individuals?

Certainly, under the GDPR both would be required to notify the ICO within 72 hours and to affected UK individuals without undue delay or ‘as soon as possible’ (Guidelines on Personal data breach notification under Regulation 2016/679)

As we know the GDPR requires organisations to notify the ICO where there is a risk to the rights and freedoms of individuals, and only notify the individuals where there is high risk.

My research examines data incidents response, in particular, the privacy harm to individuals as a consequence of the data incident. I have designed a prototype dashboard and have conducted user evaluation study with industry practitioners. The dashboard is for assessing privacy data harm by addressing the initial breach notification question to notify or not affected individuals and to the ICO during initial data incident response.

There is still fear in organisations when it comes to disclosure of data incidents. However, the GDPR will held organisations accountable e.g. with the fines and penalties, and to be transparent to report data incidents. Affected individuals have the right to know.

The outcome of my study also revealed that it is possible to do an initial data breach assessment even with the unclear terms: ‘high risk’ and the ‘rights and freedoms’ of individuals. The prototype dashboard also shows notification alerts with the countdown to 72 hrs from the point of being aware of the incident. One participant remarked: ‘It (the dashboard) provides a calm objectivity in time of panic & stress. Because you’re going to be stressed, you immediately think your personal reputation and your organisation’s reputation. Would we be fined? And all these things come in rather than actual thinking of the consequences to individuals’.

When the data incident happened, the genie was out of the bottle, out in the wild – the harm was already done.

The GDPR would not bring the genie back into the bottle or stop the harm. So as a matter of good business practice and in the spirit of the law, organisations should notify their customers.

Thank you.
Cher
p.s.
May post a photo taken by John Stevenson (City’s Senior Communications Officer)

The ICO’s investigation on the DeepMind-NHS saga (not a scandal?) revealed this:

However, an investigation by the ICO discovered several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test. (Extracted from ‘review-agrees-that-deepmind-nhs-deal-lacked-clarity’)

Based on the reported news the Facebook-Cambridge Analytica (CA) scandal (Top EU privacy watchdog calls Facebook data allegations the ‘scandal of the century) and the DeepMind-NHS saga did not involve a breach of technical security and/or organisational security measures (excluding privacy policies and app/SLA-type driven contractual agreements).

What data protection and privacy principles have been violated/breached?

Would ethics be a yardstick in the final determination of the Facebook-CA scandal?

Hard to imagine that I got interested in data protection and privacy way back in 2000. Back then I was a consultant (Business Architect role) working on an internet banking project. The governance/compliance & team communications aspects of the project drove me to do a law course at Queen Mary College. I did the Data Protection, IP and advanced IP modules. I subsequently completed the Post-Graduate Diploma in Internation Commercial Arbitration.

When the GDPR was drafted in 2012, I gave a talk at the BCS which I’ve posted here.

Also, during my time at the City, University of London I’ve initiated Privacy Day events.

This year, to mark the GDPR coming into effect on 25th May 2018, together with my colleagues at City, we will be hosting a GDPR press media event on the 17th April.

More to follow…

It’s going to take more of my free Sunday afternoons to plough through the Bill, the Explanatory Notes and also this Keeling Schedule (GDPR effected by the Bill!).

This interesting post: “Data protection in the Court of Appeal & the right to be forgotten” – not #GDPR-related – but will be significant post-GDPR era (from 25th May 2018 onwards).
The appeal cases extracted from the post are:

- DB v General Medical Council (application of mixed data provisions in s. 7 DPA) – due to be heard in March 2018,
- TLT v Home Office (accidental online disclosure of information relating to asylum seekers) – due to be heard in April 2018 – (note, the appeal does not address the quantum of the awards made in that case but instead focuses on the question of whether compensation ought in principle to have been awarded to individuals who were not referred to by name in the disclosed spreadsheet but who were nonetheless affected by the disclosure);
- Stunt v Associated Newspapers (challenge to the stay mechanism under s. 32 DPA) – due to be heard in June 2018 and, last but most certainly not least,
- Various Claimants v WM Morrison Supermarket PLC (group litigation data breach case) – due to be heard by the Court of Appeal before the end of 2018.

Will review the Bill soon…

Shattering the myths about #GDPR – Read the first in a new series of ICO blogs, this one about fines scaremongering https://t.co/gpJV8P0Zcn pic.twitter.com/oxLZcMkktB

— ICO (@ICOnews) August 9, 2017