Seven key themes from PrivSec Global Day One

March 23, 2021

1. Breaches and managing crises

As one would imagine from debate among a privacy and cyber security audience, the cause of data breaches and how to respond in a crisis formed a key theme of PrivSec Global Day One.

Fahim Afghan, Senior Product Marketing Manager at Egress Software Technologies, said misdirected emails were the number one breach reported to the Information Commissioner’s Office since the outbreak of the Covid-19 pandemic.

Afghan said: “Email DLP solutions are not intelligent enough to prevent any accident or malicious threats that we see today”, calling for an end to the static policy-based approach. Afghan suggested human layer security, which works in real-time as users are composing their emails, could “fix a costly security breach before it can happen”.

Afghan added: “As we’ve blurred the lines between home and working life, we are often rushing to send emails on our mobile device…it just dials up the risk of an incident happening. Employees through no fault of their own are becoming more careless in this environment.”

But what challenges do you face once a breach has actually happened? Rebecca Parry, Director of Strategic Partnerships at Exterro, outlined three challenges organisations face in this situation:

  1. The plan: is it out of date or not tested?
  2. The people: were the right people involved inside and outside the organisation?
  3. The process: is there a need to evaluate how well the incident response plan was executed?

PrivSec Global also heard from surely the highest-profile crisis communications specialist, in the United Kingdom at least, Alastair Campbell.

The former New Labour spin doctor said something is only a “crisis if you decide it is”. He revealed that the fuel protests of 2000 were his worst crisis while in Number 10, and said that he feared crises in privacy and security will ultimately reach a “tipping point”.

2. The international data-sharing headache

How do organisations ensure they are compliant with data-sharing regulations across jurisdictions?

As the fallout from the Schrems II decision continues, and we wait to see to what extent the United Kingdom’s adequacy decision from the European Union holds in the face of possible divergence, international data-sharing is becoming a major talking point among privacy and security professionals.

“There is no easy answer or silver bullet, the measures could be technical, structural, or organisational,” said Helen Woollett, Privacy Counsel and Data Protection Officer, Natura & Co Group.

Christopher Schmidt, Magister of Law, Attorney and Data Privacy Specialist, said it is important to “identify the data flows that are business critical.”

He added: “When referring to the Standard Contractual Clauses you need to have your impact assessment ready.”

The conversation moved on to data stored in the cloud, and Woollett said: “Nobody is stuck these days with limited choice on providers, and you must ask your providers more questions about their service provision and if they can’t answer or satisfy you, then that speaks for yourself.”

Another regulatory headache was discussed in a morning session by Paul Seelig of Usercentrics, who gave some advice on preparing for the European Union’s ePrivacy Regulation.

“What kind of electronic communications services does your company have? What kind of data are you processing? This is super important to know because you have to regulate all this,” he said.

3. Covid-19 has increased data protection and cyber security risks…

This talking point is relatively uncontroversial.

Many of the speakers talked about the rise in data protection challenges due to the Covid-19 pandemic. Eric Bedell, Chief Privacy Officer of Franklin Templeton Investments, said: “Remote working itself presents lots of data protection challenges”.

Neil Smith, Privacy and Data Management Consultant at Yorkshire Building Society, said:

“VPN and how you access the network is one thing, no network is perfect… you need to be sure you’ve got the infrastructure in place to be able to do your job and make sure that data can flow but without going outside of the environment where it needs to be.”

There has also been significant behavioural change among employees.

“We are using more devices so there are more vectors for attack…new platforms, new software, and we don’t really know what the expectations are,” said Dr Vasileios Karagiannopoulos.

4. But have we seen more job opportunities as a result?

Panellists on an HR and recruitment stream session this afternoon suggested that the pandemic has actually resulted in more job opportunities in privacy and security as business leaders take the risks more seriously.

“We see a lot more opportunities out in the market, but we also have a lot more work to do on the inside because we are professionalising the privacy teams,” said Bedell, on the ways the pandemic is changing the nature of employment.

Bedell also suggested there is a “brain drain” out of Europe to the US caused by concern and new regulations in the US. “We can see a lot of new job posts happening in the US now, the US is pushing a lot of new privacy regulations”, he said.

5. AI and surveillance of employees

“Surveillance is the most critical area of data protection,” said Stewart Room of DWF as he opened a session this afternoon on the topic, arguing that it goes to the core of what data protection is often about.

Aida Ponce Del Castillo, Senior Researcher at the European Trade Union Institute, described some of the harmful effects of surveillance of employees by employers.

“There’s a risk of a chilling effect on the right to organise, the right to ask questions of your manager,” she said.

The panel went on to discuss ways of mitigating the negative impact and regulatory concerns of surveillance in instances where it does have to be used.

“What I’ve seen as a massive shift is that people have been allowed to have different devices for different types of work… which gives employees a level of comfort that they are not being trapped all the time,” said Yasmin Hinds, Global Privacy Lead, Pontoon Solutions.

Matt Creagh, Policy Officer for Employment Rights at the Trades Union Congress, outlined a proposal for a Right to Disconnect for employees.

“This would be a duty on an employer to talk to their staff about the technologies that are in place in the workplace and to agree a policy about when it’s practical for that business or that sector to disconnect and to have a break from work,” he said.

A later session saw a panel talk about the use of Artificial Intelligence and how it can be used in a fair way in HR processes.

Dom Holmes, Partner and Head of Employment Law at Taylor Vinters, said: “The principal aim is to remove unconscious bias from decision-making so we make better quality decisions…

“But it can only work with what it’s got, so if you’re putting in data that is inherently biased you are just going to perpetuate the problem,” he said.

Amy Lui Abel, Vice President, Human Capital at The Conference Board, added that you need to have a diverse group of people teaching the AI system to prevent bias from creeping in.

“At the end of the day these are human beings, human processes, we are biased, we are flawed and so can we ever be that perfect, or make a machine that perfect? I don’t know. But it doesn’t mean we shouldn’t try,” said Abel.

6. The data responsibility of cloud vendors

The issue of migration of data to the cloud was discussed in a number of sessions on day one, and a talking point was the extent to which cloud vendors are responsible for the data.

Anhad Singh, of PKWARE, said: “The cloud vendors are not responsible for that data, you are”.

However, Tanya Forsheit, Chair of the Privacy & Data Security Group at Frankfurt Kurnit Klein & Selz, said: “From a legal point of view, we can see volumes of data expanding into the cloud… what that is running up against is the greatly expanded universe of regulation”.

“They do have to take some responsibility for working with the data controller under CCPA or GDPR to honour consumer rights,” Forsheit said of the responsibility of cloud vendors.

7. Attitudes to privacy throughout the Americas

Late afternoon saw a special stream of sessions focused on the Americas and the different attitudes towards data privacy and varying frameworks across South and North America.

Camilia Tobon, Attorney at law firm Davis Graham & Stubbs, told PrivSec Global that across Latin America a rights-based approach has been taken towards privacy, with consent forming the predominant legal basis, which differs from the US, which relies on a harms-based approach based on legitimate interest.

However, she said: “The US is slowly shifting… the rights framework is starting to appear in the US but only in certain states” such as California and Virginia, as US consumers become more aware of privacy rights.

Juan Luis Huesca Rocchi, Data Protection Officer at Audi Mexico, said the culture in Brazil is “not built for data protection but for free speech”, leading to complications arising in the formation of the country’s data protection law.

PrivSec Global continues tomorrow and Thursday.