My written prepared talk is shared below.

Privacy and the Individual – What difference will GDPR Make?

Thanks John for the introduction. A warm welcome to all.

Any talk on privacy and the GDPR invariably uses terms or phrases that may be blurry or obscure. So just to set the scene, when I say the ICO I’m referring to the UK’s data protection watchdog – The Information Commissioner’s Office. When I say ‘data’ I’m referring to personal data as described in the GDPR.

Although the GDPR did not reference privacy – itself a complex term, privacy is embedded as information or data privacy and expressed in phrases such as:
‘respect for human rights and fundamental freedoms (Art. 12 – exercise of the rights of the data subject); ‘High risk to the rights and freedoms of natural persons’ (Art. 35 -Data protection impact assessment), and ‘Risks to the rights and freedoms of natural persons (individuals)’ (Recital 75).

It is no longer just about protecting personal data or processing of personal data but data privacy.

With this comes obscure or unclear terms.

What is ‘high risk’? How do you express ‘rights and freedoms’ of natural persons (individuals) especially in the context of privacy impact assessment (PIA) or data protection impact assessment (DPIA)?

We know that the GDPR describes DPIA (Art. 35) and also breach notification (Art. 33 – notify the ICO, and Art. 34 – communicate to the data subjects).

I know fresh in our minds is the recent Facebook-Cambridge Analytica scandal. Flashback to October 2015, anyone here still remembers the TalkTalk data breach incident?

Would you all agree that both Facebook & TalkTalk responded or handled the data breach announcement or notification to affected individuals rather badly or failed to do so in the eyes of the public and the affected individuals?

Certainly, under the GDPR both would be required to notify the ICO within 72 hours and to affected UK individuals without undue delay or ‘as soon as possible’ (Guidelines on Personal data breach notification under Regulation 2016/679)

As we know the GDPR requires organisations to notify the ICO where there is a risk to the rights and freedoms of individuals, and only notify the individuals where there is high risk.

My research examines data incidents response, in particular, the privacy harm to individuals as a consequence of the data incident. I have designed a prototype dashboard and have conducted user evaluation study with industry practitioners. The dashboard is for assessing privacy data harm by addressing the initial breach notification question to notify or not affected individuals and to the ICO during initial data incident response.

There is still fear in organisations when it comes to disclosure of data incidents. However, the GDPR will held organisations accountable e.g. with the fines and penalties, and to be transparent to report data incidents. Affected individuals have the right to know.

The outcome of my study also revealed that it is possible to do an initial data breach assessment even with the unclear terms: ‘high risk’ and the ‘rights and freedoms’ of individuals. The prototype dashboard also shows notification alerts with the countdown to 72 hrs from the point of being aware of the incident. One participant remarked: ‘It (the dashboard) provides a calm objectivity in time of panic & stress. Because you’re going to be stressed, you immediately think your personal reputation and your organisation’s reputation. Would we be fined? And all these things come in rather than actual thinking of the consequences to individuals’.

When the data incident happened, the genie was out of the bottle, out in the wild – the harm was already done.

The GDPR would not bring the genie back into the bottle or stop the harm. So as a matter of good business practice and in the spirit of the law, organisations should notify their customers.

Thank you.
Cher
p.s.
May post a photo taken by John Stevenson (City’s Senior Communications Officer)

Even after I reassure folks that my research does not require disclosing any personal or commercially sensitive information, folks (esp. senior managers) still won’t allow their employees (those that have the relevant knowledge/experience) to share and participate in my research.This is a pity as they will certainly learn something in sharing and participating in my user evaluation. According to this news, the #FCA is to require UK banks to make details of cyber security #incidents public from August 2018. Under the GDPR, organisations processing personal data of EU residents/citizens will need to report certain breaches to the ICO and also to affected individuals. My prototype dashboard will help organisations to conduct an initial personal data harm assessment.

So far, practitioners who took my user evaluation study involving a questionnaire and the prototype dashboard have expressed positive remarks and provided suggestions for further improvement or commercialisation of the prototype concepts.

On my ToDo lists is an item to ‘somehow create/use visualisation tools’ to extract and represent the data breaches in the UK that have been reported in the press or elsewhere.

Here’re more links on data breaches (in no particular ordering) in the UK, including other notable data incidents (some requiring registration/account login):

All of UK’s major banks and lenders have reported data breaches in the past two years – FOI request finds that 791 incidents reported to the ICO by financial services firms since 2013

Ecuadorian bank cyber thieves used HSBC accounts in Hong Kong

London NHS trust fined for HIV newsletter data breach

UK charity CALM hacked in ‘senseless’ attack

UK charity gets hacked twice in ‘motiveless’ attack

Scottish charity reports data loss due to unencrypted USB sticks

Data losses on USB sticks – it’s raining again

Third ICO fine in a week after sensitive information widely distributed by webmail

ICO fines Scottish council

Nationwide fined £1m over laptop theft security breach

More than 170 law firms investigated by ICO over data breaches in 2014

The UK’s 11 most infamous data breaches 2015:

Nationwide Building Society (2006) -
Nationwide fine for stolen laptop

HM Revenue & Customs (2007) –
Another bad day for the database guys

HM Revenue & Customs Child Benefit Office (2008) -

Child benefit data loss: timeline of scandal

IPCC publishes report into missing HMRC data CDs (full version)

Sony PlayStation Network (2011) -
Sony admits huge PlayStation Network data breach

NHS Trust in Brighton (2012) –
NHS Trust receives largest ever data breach fine

Morrison’s supermarket (2014) -
Morrisons supermarket suffers major pay-roll data breach after insider attack

Staffordshire University (2014) -
Staffordshire University stolen laptop had student contacts details

Mumsnet (2014) -
Mumsnet falls to Heartbleed hackers as 1.5 million users reset passwords

Think W3 Limited (2014) -
Online travel services company exposes more than a million customer records to malicious hacker

Moonpig (2015) -
Moonpig Android app flaw puts THREE MILLION accounts at risk

TalkTalk (2014/2015) – various news:
TalkTalk hack: What to do if hackers have your data

TalkTalk: Hacked telecoms giant refusing to let customers leave without paying fees

TalkTalk profits halve after cyber attack

TalkTalk lost more than 100,000 customers after cyber attack

TalkTalk chief signals change after cyber attack

Extracted information from the site;
Overview

The OASIS Cyber Threat Intelligence (CTI) TC was chartered to define a set of information representations and protocols to address the need to model, analyze, and share cyber threat intelligence. In the initial phase of TC work, three specifications will be transitioned from the US Department of Homeland Security (DHS) for development and standardization under the OASIS open standards process: STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression).

The OASIS CTI Technical Committee will:

define composable information sharing services for peer-to-peer, hub-and-spoke, and source subscriber threat intelligence sharing models
develop standardized representations for campaigns, threat actors, incidents, tactics techniques and procedures (TTPs), indicators, exploit targets, observables, and courses of action
develop formal models that allow organizations to develop their own standards-based sharing architectures to meet specific needs

I will certainly be interested in the ‘incidents, indicators, observables and courses of action’. Anything shareable is worth researching.

The news release at FFIEC Releases Cybersecurity Assessment Tool

Here’s the extracted news;

FFIEC Releases Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, today released a Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and assess their cybersecurity preparedness.
Financial institutions of all sizes may use the Assessment and other methodologies to perform a self-assessment and inform their risk management strategies. The release of the Cybsercurity Assessment Tool follows last year’s pilot assessment of cybersecurity preparedness at more than 500 institutions. The FFIEC members plan to update the Assessment as threats, vulnerabilities, and operational environments evolve.
In addition to the Assessment, the FFIEC has also made available resources institutions may find useful, including an executive overview, a user’s guide, an online presentation explaining the Assessment, and appendices mapping the Assessment’s baseline maturity statements to the FFIEC Information Technology Examination Handbook, mapping all maturity statements to the National Institute of Standards and Technology’s Cybersecurity Framework, and providing a glossary of terms.
The FFIEC members are also encouraging institutions to comment on the Assessment through an upcoming Paperwork Reduction Act notice in the Federal Register.
The FFIEC provides several resources to further awareness of cyber threats and help financial institutions improve their cybersecurity. These resources are available on the FFIEC website at http://www.ffiec.gov/cybersecurity.htm.