Six key themes from PrivSec Global Day Three

March 25, 2021

1. Four regulators in four different continents give their view

PrivSec Global, as its name suggests, is truly a worldwide event and this was demonstrated by major session this morning that featured regulators from four different continents.

Representatives of commissioners from Australia, Ireland, Morocco and Dubai took part in a wide-ranging and informative discussion about the current state of data privacy globally and future trends.

Inevitably part of the discussion focused on ensuring flows of personal data cross-border, in the wake of Schrems II and concerns around data localisation around the world. “We’ve already worked on two adequacy recognitions of our own and we are working on more, we are really quite interested in reaching in all other directions with other regulators and other jurisdictions” said Lori Baker, Vice President, Legal & Director of Data Protection, at the Dubai International Financial Centre.

“Sharing data is necessary and it is not possible in our world to have another view” said Omar Seghrouchni, President of Morocco’s National Privacy Commission for the Control of Personal Data Protection (CNDP). Seghrouchni said protections therefore need to be on the flow of data rather than preventing it moving,

Joanne Neary, Assistant Commissioner of Ireland’s Data Protection Commission, outlined some initiatives in Europe to keep data flowing and to find a “constructive way out” to the Schrems II issue.

Baker stressed however that a “one-size fit all” solution is unlikely to work however and said we need to look at how data flows can work for the jurisdiction the data is entering.

The conversation moved on to the use of technology, with Samantha Gavel, Privacy Commissioner of New South Wales, in Australia, saying her commission has finalised guidance on the use of third-party cloud services.

She also said: “Privacy enhancing technology is an important development and we are hoping that as it continues to develop it will help us build privacy protections into the work we are doing and to keep personal information secure”.

Gavel also said she was doing work in the artificial intelligence (AI) space, and things are “moving in a positive direction” win New South Wales, with the government there adopting policies for AI strategy and ethics.

Neary said transparent processing is an absolute must for AI use. She said: “People need to know what you are doing with the data; you need to communicate with them regularly and look at things like data subject rights”.

Seghrouchni added: “”It is not possible to have only a local politics on [AI]” and called for a global standardised approach.”

On the use of tech more broadly Baker said she wanted to see more education about technology among data privacy professionals and said regulators should help with this.

The conversation later turned to Covid-19 and the potential impacts of immunisation passports for data privacy.

“People are going to want to travel, and if it means that because they’ve shared data that might restrict them…these are some of the issues we are grappling with” Lori Baker said.

2. Tackling the cyber skills “gap”

Is there really a lack of suitable qualified candidates for cyber security jobs across the world? Or are employers’ expectations too high?

“Cybersecurity is a blend of many fields, we need the right skills for the right job” Jawad Khalid Mirza of Aksari Bank, said kicking a debate about the facts and fiction around the often reported ‘cyber skills gap’.

Panellists were critical of employers and of too much focus on degrees and formal routes into the cyber security sector.

“I see a lot of job applications out there where they ask for high-end classifications but aren’t willing to pay more than $40,000”, said Gary Fildes, Chief Security and Information Security Principal Instructor at the Office for Nuclear Regulation.

Confidence Staveley, Founder and Executive Director of the CyberSafe Foundation, agreed, saying the barrier for entry is too high in cyber and “entry certifications are very expensive.”

Staveley, who is working on a fellowship aimed at getting more young women into cyber security, said there is a real need to find “creative ways” to get people skilled.

For Fildes, the challenge is to widen interest in working in cyber security and that we need to “de-nerd” the term “cyber” and appeal to “people from diverse backgrounds who may not understand the technology but are able to articulate the risk to businesses”. He said coding is just a “small part of what cyber professionals do”.

Fildes added that degrees and expensive certifications are not necessary to move into Cyber.

“You need a sweep of skills” including cloud computing” he said, adding that you always do a degree at a later stage.

Which is more important, experience or qualifications? Mirza stressed that “experience in the relevant industry is preferred,”

However Staveley said experience “trumps qualifications” and this should include personal projects, she said. “It could be a volunteering project for instance, that would count for me as experience.”

For Fildes, what would make him want to recruit?

“I want to see some personality…it’s going back to the soft skills, team player, can they articulate their intention, where they want to go?” he said.

3. The threat of deepfakes and revenge porn

One of the most horrifying debates of the whole PrivSec Global event took place this afternoon and focused on the risks deepfake technologies pose to women, political discourse and society generally.

The panel discussed all of this, including the barriers to tackling the problem.

Olu Odeniyi, Cyber Security and Digital Transformation Adviser, said there are deepfake apps easily accessible on our devices.

Adam Dodge, Founder of EndTab said that when it comes to deepfake porn, the deepfakes do not even need to be believed to be harmful as deepfake pornography sites actually advertise themselves as deepfakes.

Ksenia Bakina, Legal Officer at Privacy International said a lot of image based sexual abuse “does occur on the virtual world online.. but of course the harms that they cause are very much experienced in the real world” She also pointed out that when it comes to revenge porn, 70% of victims full names are released online,

4. Succeeding as a CISO in the modern era

With increasing numbers of cyber incidents and data breaches across the globe, the role of Chief Information Security Officer (CISO) has arguably never been more important.

But what characteristics do CISOs need in the modern world? How is success measured? and how can CISOs help ensure security is seen as a priority in their organisation?

In terms of what success for a CISO looks like, it may be tempting to suggest that having zero incidents or events is one aim, but panellists suggested this is not possible,

“There is no point spending any time worrying about things that are outside of my control. I am happy if I put the people, processes and technology in place within the budget I have been provided, and that I’ve been ensuring they are operating effectively” says Vicki Gavin, Head of Information Security and Risk Management at Kaplan International, Victoria van Roosmalen agreed with this, saying it’s important “never to let perfection get in the way of progress”,

The discussion shifted on to the characteristics of good leadership from a CISO. “A good leader is a good leader of what discipline they are leading there are certain characteristics that you have to have, no matter what.

“The absolute most important characteristic is that you care, you care about the people on your team and the organisation you work for and the quality of the work you produce” says Vicki Gavin, who went on to cite confidence, influencing skills and a nosiness about what’s happening on the ground as other key attributes.

Ardie Kleijn, CISO at Transavia, suggested there has been a change or expansion in the role of CISO, from “classical CISOs” responsible for technical IT security towards cultural management and “coaching”.

Gavin said: “You need to be sufficient technical [to be a CISO], you need to understand what people are saying to you and how the IT world hangs together, but if you are spending your day writing code and defining firewall protocols, you are not doing your job properly” says Vicki Gavin.

Kleijn added that you do need to have some understanding of privacy and the ethical issues surrounding it.

The panellists went on to talk about ways in which CISOs can talk to senior management to ensure security is taken seriously and funded adequately. Gavin explained how she provides her board with an easy set of numbers to show how her team has reduced the number of incidents by installing new tools, and how the skill of her team has eliminated crises.

The conversation finally went on to how to mebed security awareness throughout an organisation, with Gavin suggesting little and often is the way to go.

“I have seen too many security [awareness]campaigns that are a broadcast of everything all at once” she said.

5. Tracking the shifting attitudes and sentiments of UK DPOs

Ever wondered how the attitudes and sentiments of Data Protection Officers in the UK are shifting from quarter to quarter?

The UK Data Protection Index, brought to you by the Data Protection World Forum and the DPO Centre, is based on a quarterly repeated survey which allows opinuions and trends to be monitored.

Rob Masson, chief executive of the DPO Centre, gave a sneak preview of some of findings from the latest index round and discussed what it all meant with a panel of experts this afternoon at PrivSec Global.

Masson revealed 21% of panel members now consider international data transfers to be their biggest data protection challenge, up from 4% in July and 14% in November.

Panellists suggested that uncertainty over additional safeguards post Schrems II, and the time-limited and conditional nature of the European Union-UK adequacy decision may have been a factor in the concern.

“One of the things that we are really trying to wrestle with is the number of products within our organisations…often these companies have subsidiaries in the US” said Ben Pumphrey, Data Protection Officer at Birmingham Community Heathcare, on the difficulties posed by Schrems II to healthcare providers, who are having to monitor data flows.

The survey also revealed DPOs are now less in agreement that surveillance laws outweigh data subject rights than they were in November.

“Most people expect the government to be doing a level of surveillance…the challenge is proportionality” said Laurence Kivlin, UK Data Protection Officer, at Aregon

The research also found that 84% of respondents think DPO should be a protected title with minimum qualification requirements.

The PrivSec Global panel debated the issues around this.

“It’s a very easy to see this through the prism of wanting the benefits of being a regulated profession but the purpose of regulation is for the protection of the public…There is a whole host of architecture that sits behind being a regulated person” said Pumphrey. He argued that it comes down to whether the regulatory package outweighs the burden of being regulated.

“Working out what combination of legal expertise, tech expertise, organizational expertise to have in the qualification while keeping everyone happy is not a question we are mature enough to answer yet” David Smith, DPO at the DPO Centre.

The final finding shared by Masson was that DPOs broadly agree that the UK will strike its own data sharing agreement with the United States,

“The fear is that in our keenness to do something with the US we jeopardize the decision we are likely to get from the EU” Ann Bevitt, Data Protection Lawyer at Cooley

6. The future for international data transfers

Will the Schrems II ruling and other pressures over international data-sharing lead to localisation and data “protectionism”?

One of the last sessions at PrivSec Global discussed the future of international data-sharing.

“We’re all struggling to make the protection of personal information much better and create an ecosystem of trust” admitted Commissioner Michael McEvoy, Office of the Information and Privacy Commissioner in Canada.

Paul Breitbarth, Director, EU Policy & Strategy at TrustArc, argued that data localisation shouldn’t be the consequence of Schrems II.

Marty Abrams, Chief Strategist & Executive Director at the Information Accountability Foundation agreed. “Data localisation goes against this concept of data serving people, that doesn’t mean there shouldn’t be safeguards,” he said.

Breitbarth added “to a large extent, accountability and interoperability in legal systems will help find a way out but we also need better commitment from all governments”.

Watch sessions from PrivSec Global on demand