Let’s talk about digital identity with Julian Hayes, CEO of Veneto Privacy.

In episode 7, Oscar talks to Julian Hayes about data privacy in the days of Brexit chaos and why a penalty fine shouldn’t be your biggest concern when it comes to GDPR.


“GDPR is 40% security and 60% privacy”

Julian is a highly experienced Data Privacy and Security consultant with more than 18 years working in the telecommunications and IT industry. As Managing Director of Veneto Privacy Services, Julian and his team provide in-depth data protection consultancy services to clients in diverse industries, from telecommunications, consumer goods and educational providers throughout Europe and the United States. Find Julian on LinkedIn or email [email protected].

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

 


[Podcast transcript]

Let’s talk about digital identity. The podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining. Today we will hear about a very important aspect of our digital lives, which is privacy, and for that we have an expert in the topic. So let me introduce you Julian Hayes. He’s an expert in data privacy with more than 20 years of experience, which includes working for telecommunications big players, such as Vodafone and Nokia.

Today he’s the Managing Director of Veneto Privacy Services, a consulting company based in Dublin, Ireland. Hello, Julian.

Julian Hayes: Hello Oscar, thank you for having me.

Oscar: Yeah, it’s a pleasure having you and talking with you Julian and yeah, please tell us a bit more what is – has been your journey until today. You have your own consulting company Veneto.

Julian: Great. It’s a pleasure to talk to you and I know that today’s subject on Brexit, GDPR and digital privacy generally should be an interesting discussion and listening material for your subscribers.

So Veneto Privacy is in business now three years. So prior to its establishment, I was a Data Protection Officer for Vodafone in the UK and in Ireland predominantly. So really I guess I was working in data privacy before it became such an issue of concern in terms of how personal information is obtained and processed. So it’s kind of – it grew – from my own kind of professional experience, it grew from about 2004 and then in 2010 it reached off as a major issue.

So data protection laws have been in place for decades, so it’s not that there was any type of new realisation. But there has been an increased focus I think from 2010 on data privacy and the importance of respecting personal information from a customer perspective.

So yeah, so we’re based in Dublin and we service companies in Europe and the US and we work basically a 24/7 type of operation, working in multiple time zones. Still a small consultancy business and we’re very much specialised in commerce-related personal data processing and GDPR obligations. As we’ve seen, there are many regions within the world that are implementing similar types of data protection law in the style of GDPR which is seen as kind of the best in practice operation.

Oscar: Yeah, very interesting. You have a 24/7 operation it sounds like. Pretty challenging. And tell us a bit the experience you have today with working in Veneto, your own company. What are the main challenges customers you have today have?

Julian: With the anticipation of the 25th of May 2018, there was a huge focus from companies to get compliant with GDPR and I remember often there were customers who would say, “Well, you know, is it just another Y2K? Is it just another type of hype situation?”

But the difference between Y2K and GDPR is that GDPR is actually law – and Y2K was a theory in the world. So I think that’s the major kind of challenge is, you know, preparations for establishing the basics of good e-processing operations, whether you’re a data controller or a data processor.

So that’s really important to be able to nail that down and we spent a lot of time actually clearing up a lot of bad advice. So there were a lot of newcomers to the market from a consultancy perspective that maybe didn’t have the kind of experience or skills to be able to really effectively operate in a concise way to be able to deliver on proper advice for companies as to what the basic steps were to implement the necessary changes to meet the regulation.

So yeah, so I think there was a lot of kind of handholding and reassurance especially when it comes to the establishment of your risk strategy. So if you’re a pharmaceutical business processing medical data or pension business, processing more sensitive data, then the risks are probably different to you than they would for – say if you’re a retainer with CCTV or other kind of not-so-invasive data processing operations.

So there’s kind of a recalibration exercise that you need to go through with customers to say these are the risks you face. Sure, you know, the fines are very punitive and eye-wateringly high. But at the same time, you need to be able to realise what the best necessary steps are for you to kind of meet those basic requirements from a compliance perspective.

Oscar: And have you worked with customers who already got fines or it’s too early for that?

Julian: Well, I’ve worked professionally. So I’ve obviously been working as a data privacy professional internally in organisations and sure, you’re faced with fines. But I think predominantly the biggest risk from a GDPR perspective is the pending investigation or interference from a regulator into your data processing activities which they’re fully entitled to do and people often talk about the two and four percent of your turnover as being the big kind of scare factors in terms of what could go wrong.

But at the same time, if you think about it, there are other powers under data protection law in terms of cease processing order, which basically is a bar on data processing if a regulator thinks that the processing is illegal. So there’s a major case ongoing in Ireland at the moment in relation to the public services card. So that will be similar to the Kela type of operation in Finland.

So there was basically an introduction of an identification card but the Data Protection Commission found that there was no real legal basis on the nature of the data processing and there was in fact kind of scope creep across what the card could be used for from its initial conception.

So they’re the kind of challenges that are faced but I think businesses, big and small, need to take reasonable measures. In Veneto, we’re kind of in the solutions mode. So we have statutory obligations where we provide data protection or services for businesses, which we must meet. But at the same time, if you’re providing then advice to other businesses, you’d need to give real practical solutions as to what basic measures are needed.

I think that’s one of the challenges of GDPR, that it’s not necessarily specified. It talks about security measures, organisational and technical measures. But it doesn’t tell you what kind of grade of security organisational measures are required. So again, there’s a degree of kind of determination from a controller or a processor as to what would be adequate to be able to meet that requirement of GDPR.

Oscar: Yeah, something that I want to ask you because you are very into privacy. You know very well this topic. Something I heard and I read a few times is that people say that privacy is dead. Particularly it makes me cringe. What is your take on this?

Julian: Yeah. So it’s the old “I have nothing to hide” here. I think it’s all the more clear that people don’t necessarily – they might be happy to be signed up for social media services and understand that there’s a degree of sharing between their personal information and the free service. I think that’s OK but you might have nothing to hide but you have everything to lose.

So like if we saw just the other day, so Jack Dorsey in Twitter, he got his Twitter account hacked and that was via his phone number. So everything is fine and hunky-dory as long as nothing is going wrong. But as soon as something happens, then people go, “Well, that’s my private information. That shouldn’t be requested of me and it should be kept safe”.

Even just today, I saw another Facebook incident. One of a multitude where the telephone numbers are freely available on the server that could be accessed via the web. So these are really kind of terrifying scenarios and I’ve worked in data breaches where it might be some information is compromised but it leads to – you might think it’s kind of not too important if your Twitter password is compromised. But there’s a lead-in then and it’s a bridge to other information that can be gleaned from that account, which will then lead to a subsequent major data breach. So it might be a banking fraud. It might be downloading of your passport to make it an illegal passport copy of your information.

So there are serious consequences. So people kind of see privacy as – you know, well, it’s one matter. But privacy and security go hand in hand and they’re self-supporting with each other. So they reinforce each other and I think that if you look at ‘privacy by design’, even just when you’re designing products, is the server secure? Is it safe? So there’s a marriage between privacy and security, which is really important.

Just because data is kept secure, it doesn’t mean that the processing is legal. So if a school asks for a child’s blood type in addition to their registration details for the school year, that data might be stored securely in a military grade type of environment, but its processing in itself may be illegal. So there are serious implications for that.

I think that’s why identity management, especially now in the era of phishing and SIM swap frauds and other type of exploits involving personally identifiable data are really key to managing the customer experiences from a security perspective and that assurance that there is proper validation and verification as to who the user is regardless of the services that they’re using.

Oscar: Yeah. So digital identity and privacy also go hand in hand.

Julian: I think GDPR is probably 40 percent security and 60 percent privacy. So I think if I’m offering any services that are offered throughout the European Union, there needs to be a degree of validation that I can identify myself as a user.

So I’m sure you’ve kind of had it before. So what do you know? I’ve travelled quite a lot for work. I see the kind of grade of customer validation within Germany and Hungary and other countries around there is probably at a higher standard than it would be in some of the more poor nations. Like that enables fraud and it enables customer exploit information to be had.

The problem is, right, so these guys, this is their job. Like they’re pros. If you’re a hacker or an information exploiter, they treat it as a fulltime job and it pays well. So you’re not necessarily dealing with opportunistic types of individuals. They are dedicated professionals who know how to scam and that’s really important.

So I think identity management enables a single type of authentication that this is the user that I’m dealing with. I think it actually goes hand in hand with like some of the ecommerce-driven benefits of GDPR. So as I said, I’m in Germany quite a lot at the moment traveling and the data portability requirement of GDPR to be able to transfer your data from one provider to another.

So you might be moving from bank A to bank B and you can simply download your data and then provide that to the new banks. So you’re not actually providing new information. There’s a transit of information between the two data controllers, which enables your identification and your account creation. So that’s really kind of a beneficial thing as well. It’s an ecommerce-driven requirement of GDPR but it’s also like highly beneficial for customers.

Oscar: You’ve been already discussing several aspects of GDPR and what are the challenges and what are the advantages of that already in practice. GDPR is this general data protection regulation that it’s for the European Union. It affects the European Union and you are based in Ireland and we’ve been talking about contrasting continental Europe. But in the middle is the United Kingdom that’s still in the European Union.

But we have this new phenomenon that we don’t know what’s going to happen but it’s called Brexit. How has all this landscape of privacy been affected by Brexit?

Julian: Yeah, it’s especially an important issue for Ireland. So, you know, having – I’ve worked in the UK and obviously lived at the UK. So very sorry to see our neighbours on the trajectory that they’re on. At the same time, I think it’s kind of ironic. You know, I think that probably one of the best, if not the best supervisory authorities in the EU is the ICO, the Information Commission based in the UK, who are extremely diligent in enforcement and also in consultation with data controllers and data processors as to what their obligations are and like this is dating back I think probably 15, 20 years. This is all prior to GDPR. So I think it’s sorry to see one of our leading European regulators not being a member of the EU any further potentially if and when – or when and if Brexit happens. So that’s a real sad story.

But I think for – front of mind for UK businesses, they’re obviously concerned that essentially UK is going to become a third party country. So a third party country means that you’re not on the list of obviously being a European member. So you’re kind of starting from scratch from – in the context of how adequate your controls are. So that’s a real challenge. Whether you’re a controller or a processor based in the UK, you’re not meeting the same kind of standard or you will need to prove that you will meet the same sort of standard either via an adequacy decision from the European Commission which is difficult to come by and takes many years of negotiation often.

So Japan is the latest country to be recognised but that took years of negotiation that they would meet the same kind of standards. Farther than the Privacy Shield, so it has its challenges in itself in terms of its effectiveness but it is something that was negotiated between the United States and the European Commission of Switzerland to say that these US businesses will meet European standard type of data privacy regime and now the UK is no longer a member of those new member states potentially in the coming months.

So it won’t be able to benefit from having – if there is data processing and transfers happening to the US, then it won’t be able to hold that as a party of the EU to say that it’s a Privacy Shield member. So that’s the key issues.

So there’s probably a flurry of contract lawyers who are rolling out new controls. So there are solutions in place. So whether it’s standard contractual clauses and to be deployed into data processing agreements or binding corporate rules which would be legally binding and then would at least afford some protection.

So you will find that many EU controllers already established these types of agreements with – you know, if they’re trading in China or in Russia or somewhere else. That they would implement these types of contractual controls to be able to meet GDPR requirements for processing in that region.

Oscar: So for businesses that are let’s say in the European Union, in the case that the United Kingdom leaves the European Union, the businesses that do business with the UK, how they will be affected in this case. Just European Union and the UK in the case that they’re out.

Julian: So if controllers – if you’re a business that has let’s say outsourced business processing operations that are supported from the UK and you don’t have the proper contractual controls in place, then basically that processing would become illegal under GDPR. So it’s also important to remember the ICO and the UK government have been steadfast in saying that it will implement GDPR style controls in any case whether they’re in the European Union or not.

The Data Protection Act 2018 is already in place and protects the rights of UK individuals in terms of how their data is processed. So that’s really key. So I think there’s so much kind of cloud movement I guess predominantly, AWS, Amazon and Microsoft pretty much have the cloud business sewn up. So a lot of it is kind of EU, US-based data processing in any case.

But I think from a UK business perspective, if you’re a processor that is based in the UK that is providing services for an EU company, then you need to be able to make sure that the controller has the appropriate contractual clauses in place with you and like it’s kind of a mutual responsibility.

So the controller is in charge of how the data is processed but the processor is still – needs to be able to make sure that they inform the controller that there are adequate protections in place.

So I think that’s really important. So any processing that’s happening in the UK, whether you’re a controller or processor, if you’re offering services in the EU, then you must meet the EU obligations in terms of GDPR.

Again so if you’re looking at big UK-based businesses, so let’s take for example – if you’re a bank, HSBC for example offering services in the EU, you’re a UK-based controller and you will have EU customers across your base. You will need to have a Data Protection Officer and appointed representative for those operations in addition to your UK registration. So that’s really, really, really key.

Oscar: Sounds a bit complicated, yes. Well, let’s move now to the opportunities. What are the opportunities that organisations have today by taking privacy and digital identity seriously?

Julian: Yeah, that’s a good question. So I recently worked on projects outside the EU. Where it is often the case, there’s no data protection law at all. So there’s no kind of a floor in terms of compliance that needs to be dealt with, right?

So what kind of protections and measures need to be implemented if you have no legal obligation to do so? If you think about it from a business processing perspective, right, so it’s a bit like the cease processing order where you’re told to stop processing.

So if you have a service which suffers a major outage from a security – so say you lose it, you lose your entire CRM database, your customer relationship management database, and you can’t market anymore and you can’t build customers. That has much probably larger implications than any type of potential fine.

So if you look at it through the lens of business integrity and resilience in terms of being able to provide services, that’s probably more of a concern than any compliance cycle.

So – and then it’s win-win. So if you’ve got good, secure and data minimisation strategy, then if there is an outage or if there is an issue, at least you know, it has been contained within – the best it can be. So again like security and privacy go hand in hand and sometimes the stick is not always the law. The stick is actually – well, you know, we need to be able to maintain and keep these services operational or else we don’t have a business.

So privacy can just be a spin-off from that. Privacy and security can be a spin-off from that. So I think that’s the major upshot because if you’re a company even heavily dependent on an investment or on some type of funding and you have a major accident. So if you look at British Airways, public knowledge, major issue with their website which was outsourced to a development agency which then brought along the challenges and problems from the information compromise of its customers, one of whom – I was affected.

So that in itself, regardless of any kind of GDPR or other type of data protection regime, the maintenance, security and resilience of the service is kind of key to kind of building customer trust, maintaining your shareholder value, maintaining your integrity as a responsible business when it comes to security and privacy.

Oscar: So the fact that you have to take care of the key business. You mentioned one CRM, customer relationship database in one company and in the second case, you mentioned that the user data was compromised in this case, which is the key business beyond the GDPR fine, etc. So that’s already an incentive for companies to take privacy very seriously.

Julian: Absolutely. If you think of like British Airways, so they’re a multichannel business. So you can – British Airways, they’re not the only airline that obviously suffers from challenges. But they offer services via an app, via a website, via broker agencies, via codeshare agreements with other airlines so they’re multifaceted in terms of their channel and their vector opportunity of attack from a malicious standpoint.

But if you’re say an app provider, so you provide the latest app which is popular. You’ve got the best security, you’ve got the best privacy notice. You’ve got data minimisation. You’ve got the whole thing locked down. You’ve got paying users. Things are looking good.

But then you – as part of your cost strategy, you decide to outsource the app development to a third party development agency in some in the far corner of the world.

You don’t have a data protection agreement with them and they implement a change in the app. So while it might be secure, perhaps they change one of the permissions linked to access camera or GPS information on the device and that’s not reflective of the privacy notice. That’s a privacy failure.

So dealing with it – one customer recently, I said, look, if I was a European-based regulator, I could operate and conduct my investigation from my desktop and I could get a slam dunk fine in terms of an infringement of GDPR without even having to do an investigation or go and visit the premises to do a raid or anything like that.

So especially having the front face of your services, they need to be crystal clear in terms of privacy and security and then you need to maintain your supply chain to make sure that they are providing quality services for you in terms of your expectations of them as a controller and what they deliver as a processor.

So that’s – I think app development is a key feature of that from a risk perspective that when things go wrong and you’re not really in charge of the controls or you’re not doing your privacy and security assurance of the controls from that app developer or that CRM database administrator, then it can land you on the hook for an infringement of privacy regulation.

Oscar: Yeah, agree. That’s another great example. Julian, now we’re towards the end of this conversation with you, could you leave us with a practical tip, some actionable advice that we – anybody can use – not only experts in privacy and identity. Anybody can use to protect their privacy.

Julian: Sure. Like I think from a user perspective, I think I’ve got two points. Like basically from a user perspective, always be careful of what you share. You know, good password management is really key. There’s a lot of data breaches that happen because of poor user password management.

So you might be compromised from one app or one service but you’ve used that password on another service. So – and they will have a go. So they will shop around. They go, “I will try Microsoft or I will try Facebook or I will try Google and see if that’s the same password.”

The other one – I think your primary email. So like I use – obviously mail clients as well. But if I have access to your primary email, it’s the gateway to all your services, right?

So – and this goes back to the identity management piece that if I’m in your Gmail, then I can reset your password for any of the other services that I can search for. I think that’s really, really key.

Then from a controller perspective, so as a business, I think being able to build and record a proper data management register as to what data do we process? Where do we process it? Is there a duplication? Is it costing us extra money to store it further? What savings can we make? That’s kind of the number one. It’s a key requirement to GDPR from personally identifiable data. But it’s also kind of a good insight into your business operations and reduction in duplication or wasted effort in data processing. So I think that’s – again privacy might be the compliance floor. The actual initiative in itself will have beneficial spin-offs in terms of getting a greater understanding of your business.

Oscar: Yeah. Thanks a lot Julian for this very insightful conversation about privacy. Please let us know how we can find you on the internet. What are the best ways to get in touch with you?

Julian: Our website is Veneto Privacy Services. So you can Google it, it will come up straight away. And my email address is [email protected]

Oscar: OK, excellent. Well, thanks a lot Julian and all the best.

Julian: Thank you Oscar.

Thanks for listening. Let’s Talk About Digital Identity is produced by Ubisecure. Be sure to subscribe and visit ubisecure.com/podcast to join the conversation and access the show notes. You can also follow us on Twitter @ubisecure or find us on LinkedIn. Until next time.

[End of transcript]