Ireland’s Cautious Cybersecurity Outlook

Ireland should be a cybersecurity powerhouse. However, the nation takes a cautious approach. The country is a preferred destination for California’s Silicon Valley technology giants and other foreign technology investments. The island is home to around 30% of Europe’s data centres. It has artfully managed its strategic relationships with the European Union and the United States of America. Technology and cybersecurity clusters in Dublin, Cork, Galway and Shannon continue to grow and attract investment. Cyber Ireland, the national cybersecurity cluster, is seeking to join up and mature the local ecosystems. Headline-grabbing cyberattacks such as WannaCry (2017), NotPetya (2017) and the Health Service Executive (HSE) ransomware attack in May 2021 were significant warnings to Ireland to significantly upgrade its national information security resilience. In 2021, it was estimated that cybercrime cost Ireland €9.6 billion a year. Ireland’s public sector remains stoic, pragmatic and relatively low spending. In contrast, the private sector is developing a growing appetite for cybersecurity services and solutions.

Ireland’s National Cyber Security Strategy 2019-2024

Ireland’s current National Cyber Security Strategy was published in 2019 and covers the five years from 2019-2024. Ireland’s National Cyber Security Centre (NCSC) is the main body responsible for the Strategy and many of the measures set out in the document. The NCSC is also accountable for Ireland’s Critical National Infrastructure information security and for enforcing the EU’s Networks and Information Systems Directive (NIS Directive). The NCSC has been designated as Ireland’s Cyber Security Incident Response Team (CSIRT-IE). See the PrivacySolved Insights Briefing Cybersecurity: Focus on Ireland’s National Cyber Strategy for more details on the Strategy.

Cautious New Funding for the National Cyber Security Centre (NCSC)

Ireland’s digital economy has been valued at USD $14 billion and is increasingly facing cybersecurity threats that have led to increases in cybersecurity spending in the private and public sectors. In July 2021, two months after the HSE ransomware attack, the Irish Government announced a doubling of staff numbers at the NCSC over the following 18 months. This was estimated to cost €2.5m in the first year. Twenty (20) new roles would be added to the existing 25 already working at the NCSC. The longer-term plan is to reach 70 employees within five years (by 2026). A new headquarters building, new graduate training programme and a new head of the NCSC have also been added.

There are growing calls for the NCSC to receive more funding as a good investment and to reflect the spending priorities of Ireland’s European neighbours like the UK, France, Netherlands, Belgium and Germany. Evidence given to the Irish Parliament’s Joint Oireachtas Committee on Transport and Communications in May 2021 suggested that the NCSC should receive a ten times budget uplift from £5 million a year to £50 million a year. Ireland is informally called “data island” because of its considerable market share of European data centres, yet the NCSC’s £5 million budget is relatively low. For context, the NCSC’s budget is said to be a third of the spending by the public relations (PR) team in the Department of the Taoiseach (the Irish Prime Minister’s Department) which was about 16.9 million in 2020. A former Chief Executive of the HSE suggested in 2021 that the HSE’s expenditure on IT security was about a quarter of what would be expected when compared with other health systems. On closer analysis, there is evidence of underinvestment in government and public sector information security. By contrast, the $300 million Irish market for cybersecurity solutions and services (mainly private sector) is growing.

Cyber Security Baseline Standards (Public Sector)

In January 2022, the NCSC and the Office of the Government Chief Information Officer (OGCIO) published their jointly developed Cyber Security Baseline Standards for Irish Public Sector bodies. The Standards are intended to create an acceptable security standard, build a more resilient security environment and form a broad framework for measures which can be revised over time. The standards will help organisations improve the management of cybersecurity risks, allowing Public Service bodies to better identify, protect, detect, respond to, and recover from cybersecurity attacks. This will minimise damage and adverse impacts. 

The Standard includes a Cyber Incident Response Plan (CIRP) checklist and checklists for a range of other activities such as Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity. It is a minimum set of standards and requires organisations to expand upon these depending on their activities and risk profiles.

Data Protection Commission Ireland’s data breach enforcement efforts

Data Protection Commission Ireland (DPC Ireland) is Ireland’s data protection and GDPR regulator. Since May 2018 it has not developed significant and high-profile case work on major cyberattack response and data breaches. So far, DPC Ireland’s position on major data breaches remains underdeveloped. However, in October 2021, DPC Ireland fined Twitter €450,000 for reporting a data breach late, which breached GDPR. DPC Ireland’s Annual Report 2021 suggests a high level of engagement and high rates for resolving personal data breach notifications and referrals. In 2021, the Commission received 6,549 personal data breach notifications and concluded its work on 95% (6,274) in the same year. In October 2021, DPC Ireland received a budget increase of 22% (€4.1 million), from the year before, to €23.2 million for the next year. At present, DPC Ireland receives nearly five times the annual budget of the NCSC. DPC Ireland has 190 staff, four times more than the recently enlarged NCSC.

Future Developments

The key future developments to look for are more public sector cybersecurity funding and specific new investment and resources for the NCSC. The growth and maturity of the NCSC will be demonstrated by a larger staff pool, more IT and technical specialists and more involvement in critical national infrastructure initiatives. The NCSC is beginning to work more fully with the EU’s Agency for Cybersecurity (ENISA), the UK’s National Cybersecurity Centre (UK NCSC), the US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA). Together they respond to coordinated threat alerts and cyberattack responses. Future high impact cross-border activities will also imply maturity, growth and development. DPC Ireland’s increased enforcement activities, especially in the area of large data breaches, sophisticated cyberattacks and GDPR non-compliance in large systems will signal a more confident future for Ireland’s cybersecurity, data protection, trust and national security resilience efforts.

Resources

Ireland National Cyber Security Strategy 2019-2024

Ireland Cyber Security Baseline Standards 2022

For help, advice, consulting and strategy for Irish Data Protection compliance, GDPR gap analysis, Cybersecurity policies and procedures and access to our data breach response services, contact PrivacySolved:

Dublin +353 1 960 9370

London +44 207 175 9771

Email: contact@privacysolved.com

PS042022

Sanctions, International Data Flows and ESG Compliance

Briefing

Globally, at any given time, there are international, economic or trade sanctions in place that directly affect countries, sectors, businesses, organisations and individuals. The world is interconnected in terms of trade, investment, financial flows, debt repayments and just-in-time supply chains. Sanctions are often underpinned by laws with criminal and civil penalties. Russia’s annexation of Crimea in 2014 and its subsequent invasion and war in Ukraine in 2022 have led to an unprecedented level of international, coordinated and punishing sanctions against Russia. Its political system, leaders, parliament, central bank, key sectors, businesses, influential individuals and its uber-rich citizens called oligarchs have all been targeted. Currently, significant sanctions are in place against Russia, Belarus, Iran, North Korea, Syria, Myanmar, Venezuela and Cuba. The European Union, China and the United States have imposed a range of unilateral trade sanctions between themselves, in recent years, to protect several of their strategic sectors. Sanctions directly affect confidence, investment, trade and international data flows. After sanctions are imposed, the data flows to and from sanctioned parties must be scrutinised for lawfulness, human rights compliance and for fit with an organisation’s Environmental, Social and Governance (ESG) position.

Types of Sanctions

International sanctions are political and economic decisions, made through diplomatic efforts by countries, multilateral or regional entities against states and organisations to protect international law, national security and to defend against threats to international peace and security. These sanctions are normally put in place by the United Nations (UN), or by countries working in consultation with the UN. These decisions include temporary restrictions or blocks on economic, trade, diplomatic, cultural, environmental and other activities. Sanction measures are lifted when the issues that led to the restrictions end or the situation changes. Often, sanctions are given their primary functional title, such as diplomatic sanctions or economic sanctions. Sanctions remain the international community’s most powerful peaceful actions to prevent or respond to threats to international peace and security. Increasingly, unilateral sanctions can be imposed by a country on another nation to further its strategic interests via strong economic pressure through economic, trade or diplomatic activities. Breaching sanctions deliberately or inadvertently can lead to criminal or civil penalties. Assisting a sanctioned entity or an individual to evade sanctions can also lead to severe consequences for all involved.

Lawfulness and Fairness in Data Flows

A key principle in international data governance, data protection laws and in modern data privacy analysis is that the processing of personal data, personal information and personally identifiable information must always be done lawfully and fairly. Lawful means that the activity should not breach civil or criminal laws, directly or indirectly. Fairness is a wide concept and includes equity between the parties, respect for natural law, upholding fundamental rights, human rights protection, substantive fairness and fairness in processes. The principle of fairness discourages the sharing of personal data and personal information for covert purposes, or by tricks, deception, obfuscation, online dark patterns or via the misuse of language. Fairness considerations can also protect individuals with special or protected characteristics such as age (young and old), disability, ethnic origins or nationality.

The EU’s General Data Protection Regulation (GDPR) requires transparency and accountability in data flows. China’s Personal Information Protection Law (PIPL) and Brazil’s Data Protection Law (LGPD) contain a fundamental principle that all parties should act in “good faith” when they collect, use, share or store personal information. The flow of personal data to sanctioned countries, sectors, businesses, organisations, groups or individuals can conflict with lawfulness, fairness, transparency, accountability and good faith requirements. Companies and organisations should ensure that they do not breach these principles when dealing with sanctioned entities and individuals. These breaches of data protection and data privacy rules could lead to investigations, reprimands, administrative fines, third-party actions, other enforcement action or legal (court) action.

International Personal Data Transfer Risk Assessments

Aware that the transfer and sharing of personal data to some foreign countries can put individuals at risk, breach national laws and cause other harms, European regulators such as the European Data Protection Board (EDPB) and the European Commission have led the way in developing data Transfer Impact Assessments (TIAs). In the UK, these are often called Transfer Risk Assessments (TRAs). These assessments seek to evaluate a wide range of information to assess the risks to individuals and personal data flows. They also assess the level of compliance with the GDPR and other laws in recipient countries or organisations. Considerations include the types of data, types of data subjects (individuals), the sectors, the purpose of the data transfer and the transfer methods proposed. The technical and organisational systems in place to secure the data transfers, the list of countries the personal data will pass through and the possibility of onward transfers to third or fourth countries are also crucial considerations. In this process, identifying sanctioned countries, organisations and individuals could be crucial to the sender’s corporate risk, insurance cover, legal compliance and liability.

Crucially, these data transfer assessments also aim to evaluate the receiving country’s human rights record, its legal system, its courts and how foreign judgments are recognised. The laws relating to third-party access to data, including by government bodies and the security and intelligence services are also reviewed.  

For a sanctioned country, organisation, sector or individual, these assessed factors will be influenced by the existence of sanctions. A country’s human rights record that led to international sanctions could make incoming international data transfers high risk, unlawful or unfair. Both the human rights record and the specific sanctions restrictions could prove to be problematic or prohibitive. If a country’s political system requires that all data centres and internet traffic are scanned for political purposes, this could make the data transfer high-risk, needing additional technological safeguards such as data minimisation, pseudonymisation or anonymisation to reduce the data protection risks. Sanctions may also prohibit certain economic activities or sector-specific trading, and so the sharing of personal data to facilitate these activities, directly or indirectly, could breach the sanction measures. Sanctions could target government or military organisations. This is the case in the sanction measures against Myanmar. Identifying true beneficial ownership is crucial. However, it is often difficult to clearly identify all government-directed, military-supported, government-owned and government-backed organisations. The work of transferring personal data to sanctioned countries, entities or individuals is difficult and it can be a dynamic, fast-moving environment.

Steps to Better Environmental, Social, Governance (ESG) and Compliance

The following steps will help businesses, organisations, governments and public sector bodies to better navigate the international personal data flows affected by sanctions regimes.

(A) Monitoring Sanctions Lists, in all relevant territories, should be a high priority. This should be done regularly, as part of business-as-usual processes. These lists should also be consulted during supplier and partner due diligence and when a key organisation, in the existing supply chain, changes its ownership, size or composition. Experts that understand the full intent, meaning and implications of sanctions on data and personal data flows should be consulted.

(B) Registers of Processing Activities (ROPAs) should be properly maintained, reviewed and updated by companies and organisations that fall within the scope of the EU’s GDPR or similar laws in the UK, Brazil, China and the UAE. A ROPA can help to answer important preliminary questions such as the level of exposure to a sanctioned country, company, organisation, sector or individual. It can also be used to highlight, at least broadly, which countries send and receive which types of personal data and the intended purposes.

(C) Contractual agreements are important governance tools when dealing with sanctions. Contracts are widely used to facilitate trade and transfer personal data around the world. These include international data transfer agreements, data protection Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and various types of data processing agreements. Sanctions could make these agreements voidable, void or otherwise untenable. Parties could be forced to trigger the frustration or force majeure clauses, which could lead to contract termination and remove existing duties to perform the contract. Signing agreements that undermine or conflict with sanctions, after sanctions have been imposed, could breach criminal and civil laws. Detailed legal advice and care should be taken when parties seek to deliberately contract in ways that aim to stay within the legal limits of transferring personal data to sanctioned countries, businesses, entities and individuals.

(D) Systematic Supply Chain Reviews are important, especially detailed periodic reviews. Companies and organisations could be subject to criminal and civil liability if they take steps to evade or help other parties to avoid sanctions. Work should be done to ensure that substitute suppliers and third parties are not simply re-routing goods, services and data to sanctioned countries, businesses, organisations and individuals. Mergers and acquisition activity should be monitored, as well as the unusual creation of offshore companies, holding companies, subsidiaries, branches and other formalised attempts to disguise the true beneficial owners of legal entities and assets.

(E) Anti-Money Laundering (AML) and Know Your Customer (KYC) Procedures should be upgraded. This is crucial in order to respond to the personal data risks associated with sanctioned countries, businesses, organisations and individuals. The use of cryptocurrencies, speciality blockchains, non-fungible tokens (NFTs), unexplained venture capital funds, aggressive modern art market investments, cybercrime and any involvement in the ransomware ecosystem, should be fully investigated.

PrivacySolved has many years of expertise in global data protection, data privacy, international data transfers and Environmental, Social and Governance (ESG) activities, including work with key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS032022

International Data Transfers: New UK Standard Contractual Clauses

On 21 March 2022, the UK formally adopted a new UK General Data Protection Regulation (UK GDPR) Standard Contractual Clauses (SCCs) regime. After the UK’s exit from the European Union (Brexit), this represents a necessary divergence from the EU approach, because the UK became a “third country.” The UK has now declared data protection adequacy for most of the countries that shared data protection adequacy before Brexit. However, as a third country, with GDPR embedded into its laws, it needed to put in place appropriate safeguards for personal data transfers to the rest of the world. This is the main purpose of the UK’s new data protection SCCs.

Countries that have UK Data Protection Adequacy

The UK Government has granted data protection adequacy status to the twenty-seven (27) member states of the European Union (EU) and the member countries of the European Economic Area (EEA), plus Gibraltar. The EU’s and EEA’s institutions, bodies, offices and agencies also have UK adequacy. The UK has also approved, as providing adequate data protection, the countries the EU has declared adequate. These are Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The UK has published plans to actively pursue data protection adequacy agreements with key foreign countries. These high priority countries are Australia, Brazil, Colombia, the Dubai International Financial Centre Free Zone in the United Arab Emirates, India, Indonesia, Kenya, the Republic of Korea (South Korea), Singapore and the United States of America.

All the countries that have been declared adequate by the UK escape the complexities of putting in place wide-ranging appropriate safeguards, including the UK’s new SCCs, to facilitate international personal data transfers. The UK GDPR SCCs will govern international personal data transfers to non-EU, non-EEA and non-adequate countries in the rest of the world.

Understanding the new UK Standard Contractual Clauses Documents

Important Dates: The clauses became effective on 21 March 2022. By 21 September 2022, companies and organisations must start to use the new IDTA or UK Addendum for all new international personal data transfer arrangements governed by UK GDPR. Contracts signed before this date using the old EU SCCs will continue to be valid until 21 March 2024, if the data transfers remain unchanged during this period. By 21 March 2024, all data transfers under UK GDPR must use the new clauses. All historical UK GDPR international personal data transfers based on the old EU SCCs must be updated by that date.

The International Data Transfer Agreement (IDTA) is the UK’s new standalone SCC document. The main users will be UK-only based companies and organisations seeking to sign a stand-alone document to facilitate the data transfer. The IDTA could also be added as a self-contained schedule to another contract. It cannot be used by organisations that are seeking to cover personal data leaving both the EU and the UK. The IDTA is an alternative to the UK Addendum. The IDTA reflects the EU’s new SCCs, but not the modular approach seen in them. A wider range of parties such as Data Controllers, Data Processors and Sub-Processors can use the agreement and can list any supplementary measures that apply to the data transfer.

The UK Addendum is the UK Addendum to the EU’s SCCs for international personal data transfers. It is an alternative to the IDTA.  The main users will be companies and organisations that carry out EU to non-EU/EEA international personal data transfers and who also seek to add similar provisions for UK personal data that will be transferred outside the UK, EEA and the list of countries declared adequate both by the EU and the UK.

Transfer Risk Assessments (TRAs) must be completed when the IDTA or the UK Addendum are used, in order to assess the transfer risks and levels of compliance for the international personal data transfer. TRAs must be reviewed regularly. If the TRA indicates that the destination of the personal data transfer is not adequate, the company or organisation sending the personal data must put in place supplementary measures. It is likely that the UK Information Commissioner’s Office (ICO) will publish a UK GDPR TRA template or model for companies and organisations to use.

PrivacySolved has years of expertise in UK and EU data protection, including with the key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com

Unlocking the GDPR Data Protection Officer

Briefing

The EU’s General Data Protection Regulation Data Protection Officer (GDPR DPO) role has been specifically crafted. Before the GDPR, Data Protection Officers (DPOs) existed because of a range of national laws, guidance and best practice. Globally, related roles such as Chief Privacy Officers, Privacy Officers, Heads of Data Protection, Data Protection Lead Counsels, Data Guardians and Data Governance Leads have also developed. However, GDPR DPOs have a clearer legal mandate, function and licence to operate. For the largest companies and organisations, subject to several data protection laws, they must decide how much the GDPR DPO role will influence the overall structure and substance of their global data privacy programmes. The danger is that the fundamental and unique elements of the GDPR DPO role can become trapped in governance systems that prioritise uniformity, efficiency, base-level interoperability and the lowest common denominator. It is important that the GDPR DPO role remains distinct, effective, influential and accountable.

Benefits and Risks: Appointing and Not Appointing a GDPR DPO

Not all businesses and organisations are legally required to appoint GDPR DPOs. Before GDPR, most DPOs were regarded as good practice appointments, where there was no clear legal duty to do so. This practice has continued through GDPR implementation. The GDPR is clear that both Data Controllers and Data Processors should appoint GDPR DPOs, in line with the law. Broadly, all public authorities and non-judicial public bodies must appoint GDPR DPOs. They are also legally required where any organisation regularly and systematically monitors individuals on a large scale or carries out large-scale processing of special categories of personal data or criminal offences data. Most organisations, especially larger ones, fall within these two latter categories. Where the law requires a GDPR DPO, one must be appointed, or risk breaching the GDPR. DPO appointments also encourage data governance accountability.

Questions arise for small Data Processors or the Data Controllers that do not meet the GDPR DPO threshold tests. Should they appoint a GDPR-type DPO? If they do so, should the DPO be fully GDPR-compliant, or can the organisation create its own unique DPO role?  European Data Protection Board (EDPB) Guidance states that if organisations adopt a GDPR DPO, even where they are not legally obliged to do so, that DPO will be judged against the full legal requirements of GDPR. Choosing not to have an identifiable GDPR DPO is also risky. The organisation will lack capacity to build and mature data protection programmes. Working with larger data-intensive organisations, liaising with GDPR regulators, responding to data breaches and keeping up to date with data protection, cybersecurity and good practice changes, will also be more difficult.  

Managing Great Expectations

The GDPR DPO can be an internal employed member of staff or an external appointment. The office holder must be well qualified, well resourced, independent and act independently. They may fulfil another role in their organisation but must avoid conflicts of interest. For example, they must not make specific data processing decisions and then provide assurance or GDPR compliance sign-off for that data processing activity. They must act autonomously and cooperate with the GDPR regulator.  They must have tangible influence by reporting to the highest level of management. Conversely, they must also be accessible and contactable by staff inside the organisation, external individuals, external stakeholders and GDPR regulators. They must also not be disciplined, removed or suffer other detriment because of performing their role and duties.

The GDPR DPO’s baseline outputs are to inform and advise. They must monitor compliance, which includes involvement in promoting awareness training, assigning responsibilities and audits. The GDPR DPO should provide advice for Data Protection Impact Assessments (DPIAs). They must cooperate with and act as the point of contact for the GDPR regulator. Although not an explicit legal requirement, GDPR regulators expect DPOs to be involved in offering information and advice on decisions to report data breaches to the regulators and to individuals affected. GDPR DPOs are not responsible for GDPR compliance; this always remains the legal responsibility of the Data Controller or Data Processor.  

DPOs in Reality: Details Matter

Despite the clear legal requirements, regulatory guidance and established best practice, some businesses and organisations have kept legacy data governance structures and pre-GDPR DPO reporting lines. Much of this may be a result of corporate or organisational inertia. For other organisations, whose business models prefer low or no regulation, the GDPR DPO role can often be minimised or an external law firm is used to provide legal advice from time to time. No organisational or culture change in data governance is anticipated. The GDPR DPO requirement challenges organisation power-centres and leadership cliques. It requires boards to work closely with a board outsider, who is legally obliged to act independently and respond to an external regulator, if and as required. It also challenges business cultures that regard regulatory compliance as interfering, anti-innovation and bureaucratic, because the GDPR DPO must monitor compliance and report to the highest level of management.  Often, in these organisations, the selected DPO is a middle-manager with limited influence, little direct budget and few resources. The DPO is not seen as a coveted role for inward or outward career progression. The DPO is located far from senior leadership and the centres of power. The GDPR DPO role is also a challenge to organisations that are opaque, siloed and do not actively promote transparency and accountability.

In some organisations, the DPO is seen as an arms-length advisor, a person to go to for an opinion. DPOs are only permitted to become involved in a matter after business and data-use decisions have been finalised, and their role is to offer a view, for the record, which may not influence the decisions already made. The aim, in these organisations, is to evidence that they have an established process for DPO involvement. Data Protection by Design and Default, as well as high quality iterative Data Protection Impact Assessments (DPIAs), are rare and the ones completed are often superficial. In some organisations, a very senior person with an existing substantial role is appointed as the DPO. The real work is done by a far more junior Data Protection Manager and a small team. This senior person does not have the expertise, proximity to the data processing or the ability to spot data protection issues, and so other senior employees see data protection as a non-demanding adjunct activity. For other businesses, using external or outsourced DPOs can be an effective way of freeing data governance from corporate apathy and internal factions, and of ensuring a level of detached independent expert analysis. The challenge for these organisations is to agree enough funding for these services and to provide effective internal support systems for the external or outsourced DPO. High quality internal access by the DPO to fully understand the organisation, and ensuring that the DPO’s outputs are respected and actioned, are vital for this approach to be effective.

What the GDPR Regulators say about DPOs

The EU’s data protection regulators have started to investigate and enforce the GDPR DPO requirements. They have restated and emphasised the legal duties and issued fines to businesses and organisations that have not met the legal requirements of the role. Most of the enforcement decisions have been in Belgium, Germany, Spain, Greece, Luxembourg and Austria and were about the failure to appoint DPOs.  In 2020, the Belgian Data Protection Authority, Autorité de protection des données Gegevensbeschermingsautoriteit (APD-GBA), fined a company for its DPO’s lack of independence because the DPO had other roles in the organisation. There was no system to prevent conflicts of interest and the DPO was not sufficiently involved in the processing of personal data breaches.

In a series of cases in 2021, the Luxembourg Data Protection Authority, Commission Nationale pour la Protection des Données (CNPD), issued fines against five companies for DPOs not reporting to the highest level of the organisation (two levels of hierarchy were in between), insufficient resources to fulfil the role and not including the DPO in all data processing matters. CNPD also fined an organisation for not properly training the DPO so that they could independently and properly advise and inform the organisation. They also found that a DPO lacked enough autonomy. CNPD found common themes, such as Data Controllers not having control plans to ensure that the DPO’s duties were being properly performed. 

The legal position on the role of the GDPR DPO is clear. Data Controllers and Data Processors cannot argue lack of knowledge, unclear legal interpretation or uncertainty when their DPOs and other GDPR accountability and transparency efforts are judged and put to the test.

PrivacySolved offers External and Special Projects Data Protection Officers, as well as Data Protection Officer as a Service (DPOaaS). We also offer international businesses and organisations EU and UK Data Protection Representative Services. Contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS022022

High Impact Future Technologies, Data Trends and Innovations

New technologies, emerging digital innovations and trends in data, data analytics and cybersecurity are developing at a rapid pace. These will shape the future of business, trade, politics, the economy and society. Chief Executive Officers (CEOs), Data Protection Officers (DPOs), Chief Data Officers (CDOs), Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Boards and Senior Leaders must understand these developments, assess their competitive advantages, manage inherent risks and track the evolving governance and security implications. Automation, Artificial Intelligence (AI) Ethics, Blockchain, Data Bias, Differential Privacy, Digital Twins, Edge Computing, the Metaverse, Ransomware and Zero Trust Architecture and Security will increasingly lead the conversations in technology. These are set to grow exponentially, diversify and create lasting impacts. Here are the definitions of these key technologies, innovations and digital trends:

Automation describes the increased use of sophisticated technologies that minimise or eliminate human input. This includes business process automation (BPA), IT automation, robotics and personal applications such as the automation of private homes and self-driving cars. Automation is driven by a range of technological features and applications of data science, engineering, algorithms, blockchain, machine learning, deep learning, industrialised robotics and artificial intelligence.

Artificial Intelligence (AI) Ethics are a group of values, principles, and techniques that apply widely accepted standards to guide ethical and moral conduct in the development, use and outcomes of AI systems. These disciplines seek to address the individual and societal harms AI systems might cause. AI ethics mitigates these harms by offering leaders, developers, engineers and project teams the values, principles, and techniques needed to produce more ethical, fairer, and safer AI applications.

Blockchain is a decentralised, distributed, and often public, digital ledger made up of records called blocks that are used to record transactions across many computers so that a block cannot later be altered without changing all subsequent blocks. This allows the participants to verify and audit transactions independently and relatively cheaply. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. Because every block carries the hash of the block preceding it, the blocks form a chain, and each additional block reinforces the ones before it. A blockchain database is managed autonomously using a peer-to-peer network and a distributed timestamping server. Blocks are authenticated by mass collaboration, powered by collective self-interest. Blockchains are growing in popularity through cryptocurrencies, especially on the Ethereum blockchain, and via the creation, sale, collection and distribution of Non-Fungible Tokens (NFTs).
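The hash-chain property described above, as an added illustration written for this briefing (not code from PrivacySolved or from any blockchain project): each block embeds the SHA-256 hash of its predecessor, so editing one block breaks the link to the next, and restoring a valid chain means rewriting every later block. All block fields and transaction values are constructed samples.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


@dataclass
class Block:
    index: int
    timestamp: int        # constructed sample value, not a real time
    transactions: list    # constructed sample payload
    previous_hash: str    # hex SHA-256 of the preceding block

    def hash(self) -> str:
        # Hash the canonical JSON form of the block: any change to any
        # field (including previous_hash) yields a different digest.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(tx_batches: List[list]) -> List[Block]:
    """Create one block per batch, linking each to its predecessor's hash."""
    chain: List[Block] = []
    prev = "0" * 64  # the genesis block points at an all-zero hash
    for i, txs in enumerate(tx_batches):
        blk = Block(index=i, timestamp=1_640_000_000 + i,
                    transactions=txs, previous_hash=prev)
        chain.append(blk)
        prev = blk.hash()
    return chain


def first_broken_link(chain: List[Block]) -> int:
    """Index of the first block whose previous_hash no longer matches the
    recomputed hash of the block before it, or -1 if the chain verifies."""
    for i in range(1, len(chain)):
        if chain[i].previous_hash != chain[i - 1].hash():
            return i
    return -1


def relink(chain: List[Block], start: int) -> int:
    """Rewrite previous_hash from `start` onward until the chain verifies
    again. Returns how many blocks had to change: every block after an edit,
    because each rewritten link changes that block's own hash in turn."""
    changed = 0
    for i in range(max(start, 1), len(chain)):
        new_prev = chain[i - 1].hash()
        if chain[i].previous_hash != new_prev:
            chain[i].previous_hash = new_prev
            changed += 1
    return changed
```

Altering the transactions of block 1 in a four-block chain is detected at block 2, and making the chain verify again forces blocks 2 and 3 to be rewritten.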

Data Bias is any trend or deviation from the truth in data collection, data analysis, interpretation and publication which can cause false conclusions. Bias can occur intentionally or unintentionally. A biased dataset, for example in machine learning, does not accurately represent a model’s use case, resulting in skewed outcomes, low accuracy levels, and analytical errors. Types of bias include association bias, exclusion bias, measurement bias, observer (confirmation) bias, recall bias, racial bias, sample bias and sexual (gender) bias.

Differential Privacy is a mathematical technique of adding a degree of controlled randomness to a dataset to prevent the release or extraction of information about individuals in the dataset. This allows researchers and analysts to extract useful insights from datasets containing personal information while also offering stronger data privacy protections.
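The "controlled randomness" described above, as an added example written for this briefing (not code from PrivacySolved): the Laplace mechanism for a counting query. The noise scale is the query's sensitivity divided by the privacy parameter epsilon, and the function at the end checks numerically that the log-ratio of output probabilities for two neighbouring datasets never exceeds epsilon. The records are constructed samples.

```python
import math
import random
from typing import Callable, Iterable

# Constructed sample records; the predicate below counts those who opted in.
SAMPLE_RECORDS = [
    {"county": "Dublin", "opted_in": True}, {"county": "Cork", "opted_in": False},
    {"county": "Galway", "opted_in": True}, {"county": "Dublin", "opted_in": True},
    {"county": "Clare", "opted_in": False}, {"county": "Cork", "opted_in": True},
    {"county": "Dublin", "opted_in": False}, {"county": "Galway", "opted_in": True},
    {"county": "Clare", "opted_in": True}, {"county": "Cork", "opted_in": False},
]


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon; smaller epsilon means more noise."""
    if epsilon <= 0 or sensitivity <= 0:
        raise ValueError("sensitivity and epsilon must be positive")
    return sensitivity / epsilon


def laplace_sample(rng: random.Random, scale: float) -> float:
    """Draw from Laplace(0, scale) by inverse-transform sampling."""
    u = rng.random() - 0.5                    # uniform on (-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_count(records: Iterable[dict], predicate: Callable[[dict], bool],
                  epsilon: float, seed: int = 2022) -> float:
    """Release a count with Laplace noise. A count has sensitivity 1: adding or
    removing one person's record changes the true answer by at most 1."""
    true_count = sum(1 for r in records if predicate(r))
    rng = random.Random(seed)                 # seeded only so the demo repeats
    return true_count + laplace_sample(rng, laplace_scale(1.0, epsilon))


def laplace_pdf(x: float, scale: float) -> float:
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def worst_case_privacy_loss(epsilon: float, sensitivity: float = 1.0) -> float:
    """Max over a grid of outputs of |ln p(out | count=c) - ln p(out | count=c+s)|.
    For the Laplace mechanism this is exactly sensitivity / scale = epsilon."""
    b = laplace_scale(sensitivity, epsilon)
    grid = [i / 4.0 for i in range(-40, 41)]  # outputs relative to count c
    return max(abs(math.log(laplace_pdf(x, b) / laplace_pdf(x - sensitivity, b)))
               for x in grid)
```

With epsilon = 0.5 the noise scale is 2.0 and the worst-case privacy loss evaluates to 0.5, which is the bound an analyst would quote for the release.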

Digital Twins are digital replicas or representations of physical objects, such as a machine or person, or of an intangible system, like a business process, that can be examined, altered and tested without interacting with the real-world original, thereby avoiding negative consequences. The Digital Twin often spans the lifecycle of the object, person or system, is updated from real-time data, and uses simulation, machine learning and reasoning to aid decision-making.

Edge Computing is a distributed computing architecture framework where an organisation’s applications are closer to data sources such as Internet of Things (IoT) devices or local edge servers. The closeness to data at its source can deliver strong business benefits, faster insights, improved response times and better use of bandwidth.

The Metaverse is a unified way for people, data and things to interact in virtual, physical and spatial environments. It is a collection of systems and interfaces combining computer screens, avatars, virtual reality, augmented reality, the Internet of Things, robotics, artificial intelligence and automation. The term originates from science fiction, specifically from Neal Stephenson’s Snow Crash (1992) and the work of William Gibson.

Ransomware is malicious software, or malware, that stops organisations and computer users from accessing their computer files, systems or networks. This is accompanied by a demand for financial ransom payments to restore access to systems, decrypt databases or return data. Ransomware is often introduced to a computer or system when users inadvertently download it by opening email attachments, clicking on advertisements or hyperlinks, or visiting a website that has been deliberately infected with malware. Ransomware attacks can cause significant disruption to IT operations. Critical business information and personal data can be lost. Ransomware attacks can be initiated by state actors and by opportunistic hacktivism. In most cases, ransomware is part of international cybercrime and organised crime.

Zero Trust Architecture and Security uses zero trust principles to plan business, industrial and enterprise infrastructure and workflows. Zero trust architecture is built on the premise “never trust, always verify.” Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical location, presence on the network or asset type. Authentication and authorisation of individuals and devices are discrete functions performed continuously before access to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), working from home, and cloud-based assets that are not located within an enterprise-owned network boundary. Zero Trust Security is a cybersecurity strategy in which information security policy is applied based on context established through least-privileged access controls and strict user authentication. Trust is not assumed. A mature best-of-breed zero trust architecture can create a simpler network infrastructure, better user experience, and improved cyber defence.

PrivacySolved has a well-established track record of advising and leading projects for Consumer Relationship Management (CRM) systems, ecommerce, e-government, CCTV systems, cloud computing, fintech, artificial intelligence data, big data and data analytics. Contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS012022
