British Airways

BA Faces £500M Fine: Shut Up and Get Your FACTS Straight!

Just about every major news outlet in the UK has the same headline for the BA data breach: “BA faces record £500M fine for data breach!”. Some are not content with even this degree of utter nonsense and are actually making things worse by saying that affected passengers are now “threatening boycott”.

I can only assume these morons are short-selling BA stock in order to cash in on their otherwise total journalistic ignorance and complete lack of integrity.

I was personally affected by the breach, and I can assure you I will not be giving my business to easyJet as a result.

Yes, I am pissed off. Here’s why:

Lawful Basis for Processing

GDPR: Getting to the Lawful Basis for Processing

I have made no secret of my disdain for organisations and individuals who consider themselves qualified to determine their clients’ lawful basis for processing without having the necessary education or experience to do so. Just reading the GDPR a few times and doing some homework (like me), or taking the “Certified” GDPR Practitioner course (or equivalent), does NOT qualify you to talk legal matters with anyone. Don’t try.

On the other hand, a privacy lawyer (or equivalent subject matter expert) is just as likely to be spectacularly unqualified to get the information required to make the legal determinations in the first place. It is even more unlikely that they can manage the project from start to finish. Even if they could, there’s no way they’d be available, or affordable.

So what you end up with is either someone(s) who can only get you most of the way, or someone(s) only able to take you over the finish line.


DPO

Should a CSO/CISO Ever Be a DPO?

I finally figured out why this blog was so damned difficult [for me] to write; I’ve been thinking all wrong about what exactly a DPO actually is. Which is odd, because I had the exact same challenge when writing about CSO/CISOs, and I really should have learned from my mistake.

When you think about a CISO (assume this also means CSO), or a DPO, you instantly picture a person. Maybe your organisation already has one so their face springs to mind, or if not, you have an indistinct and faceless image of someone in a suit. The fact is, neither the CISO nor the DPO is a person; they are functions. Multiple functions in fact.

And not only that, they involve multiple disciplines, skill-sets, even personal preferences. Most importantly, neither the CISO nor the DPO functions [performed correctly] are ever a single person. A DPO would, quite literally, have to be an expert in privacy law (both EU and national), contracts, risk management, policy development, distribution and audit, and understand all personal data flows throughout the business.

You therefore need to break the function down before you can move forward. For example, I broke the CISO function down into 3 distinct skill-sets/phases:

Information Security vs Privacy

Information Security vs Privacy, are the Lines Blurring?

My original title was “Data Security vs Data Protection[…]”, but an unfortunate number of people see these as pretty much the same thing, even interchangeable. Then I chose Cybersecurity instead of Data Security, but that doesn’t cover all forms/formats of personal data, so I finally had to settle on Information Security.

As for Data Protection, it’s not, in and of itself, Privacy, and so on…

But you see the problem already? If we can’t even agree on common terminology, how are we expected to ask the right people the right questions in order to solve our problems? But I digress…

For the purposes of this blog I have chosen the following definitions of ‘Information Security’ and ‘Privacy’:

Privacy

The Right to Privacy: Don’t Tell Me I Have to Care!

I’ve already written on the subject of privacy several times, and will likely be regurgitating a lot of what I’ve said previously, but an article I read last week really pissed me off: “Three Reasons Why the ‘Nothing to Hide’ Argument is Flawed”. It’s exactly this kind of absolutist nonsense [from both sides of the privacy ‘debate’] that makes true progress so bloody difficult.

Their first point, “1) Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.”, is backed up by several metaphors, one of which is “Do you close the door when you go to the bathroom?” Seriously? Even the Universal Declaration of Human Rights qualifies the right to privacy with the word ‘arbitrary’:

“Article 12 – No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Every other treatise [that I’ve read] on privacy has a similar qualifier, which clearly implies that there can be very good reasons for ‘interference’. This is further supported by the fact that privacy is only a fundamental right, not an absolute right.