All I wanted for Christmas was a new Data Protection Regulation, and boy did I get one!

Twas the night (or 2) before Christmas, 

when all through IRM land, 

Information professionals were stirring,

There’s a new law at hand!

But is this law a present for those that have been good or more a present for those on Santa’s naughty list?

So as you’ve no doubt seen by now in a whirlwind turn of events the European Parliament & LIBE Committee have voted on and approved the European Data Protection Regulation text. This will now be the future of Data Protection throughout the EU from the beginning of 2018 onwards (2 years from now pretty much).

Well most of the big talking points over the last few years have survived in one form or another but with some surprises. In this blog post I’ll give you an overview of some of these then over the next few months we’ll start looking at individual areas in subsequent posts and see what this means for us here in the UK.


The Regulation does indeed apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. There is still the requirement to establish a representative within the EU but it means that entities are now directly responsible for compliance with this regulation (and not just their EU based entity) if they are processing in any way EU citizen personal data.


Pseudonymisation, Profiling, Genetic Data, Biometric Data are all specifically defined in the regulation and very much as you would expect. There is however a new definition for health data that now outlines not only that health data is anything relating to the mental or physical health of a person but also any information that can reveal information about their health status. This means that it is very clear that, for example, if a list of email addresses on a mailing list for people who receive HIV treatment is disclosed that is a definite and clear disclosure of health data and not just personal data.


The principles remain but with some changes. Firstly we only have 6 principles now as UK principle 8 is implied under “fair and lawful” and principle 6 is now also covered under the fair, lawful and transparent principle. The principles now state that personal data must be;

1, Processed fairly, lawfully and in a transparent manner. Now as previously discussed this transparent manner now requires controllers to provide more information to the data subject at point of collection but also when any changes to that processing occur as well. For example, if the information is used for a purpose other than that for which it was originally collected (which doesn’t go against other rules of the regulation of course).

2, Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with the original purpose. With some exceptions for further processing for archiving, public interest or research purposes.

3, Adequate, relevant and limited to what is necessary in relation to the purposes. This now brings in the talked about “data minimisation” principle which we have already but not quite as explicit as this new regulation lays out.

4, Accurate & kept up to date. No real changes there this remains the same.

5, Kept in a form that permits identification no longer than is necessary. Again with exceptions for archiving and research purposes.

6, Processed in a way that ensures appropriate security of the personal data. So no major change here except an explicit reference to “integrity and confidentiality” of the personal data.


Where consent is required in order to legitimise the processing (which is limited under the regulation) then the controller must be able to demonstrate clearly that he has clear & unambiguous consent for each purpose that consent is required. 

The regulation now also states that for “Information Services” if information is to be processed on a child of under 16 years of age then consent must be obtained from the parent. The regulation does however allow member state laws to lower this threshold where appropriate but not below the age of 13 years.

Special Categories of Personal Data:

So the “Sensitive Personal Data” as known under the Data Protection Act as a term has now gone and instead been replaced with the term that a few EU countries use which is “special categories”. These are broadly similar to the current list however the definition is now any data “revealing” racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data (processed for the purpose of identifying someone), data concerning health or sex life and sexual orientation.

Data Subjects Rights:

The list of rights that a Data Subject can exercise has been widened (sort of). There are some new things in here but most of this is a reshuffling of existing rights. It’s also worth noting that the controller must also provide clear, transparent and electronic methods of the data subject exercising said rights. The list now includes;

  • Access,
  • Rectification,
  • Erasure,
  • Restriction of processing,
  • Data Portability
  • Right to object (to marketing, profiling, research)
  • Right to object to automated individual decision making (including profiling).
  • Right to lodge a complaint with a supervisory authority

Data Protection by design & Data Protection Impact Assessments:

Data Controllers are expected to include data protection controls at the design stage and can certify that they have such controls via approved certification schemes.

Where a new technology etc is looking to collect personal data that poses potentially high risks to personal data the controller shall, prior to the processing, carry out a Data Protection Impact Assessment. Supervisory Authorities can then also produce lists as to what sort of processing would warrant such an assessment and what ones would not. These assessments, where appropriate, may also need the input from Data Subjects and indeed the supervisory authority.


While notification to a regulator has gone Article 28 now requires controllers to keep a similar record of all purposes, joint controllers, data categories, recipients (can be categories), transfers to third countries, time limits for erasure and a general description of the technical & organisational measures in place protecting this data.


That highly discussed breach notification point has finally come down to 72 hours. So the regulation now outlines that controllers have 72 hours from being made aware of the breach to notify the supervisory authority. You can however notify later providing you have a “reasoned justification”. 

And now the really juicy stuff. Fine amounts. As predicted these are “staggered” so that not all breaches will result in a 20 million Euro fine.

For breaches / non-compliance of the following you can receive a fine of up to 2% of global annual turnover (for undertakings) or 10 million euros. The regulation doesn’t outline automatic fines for single breaches but instead allows supervisory authorities (through their cooperation mechanism) to agree a framework for ‘qualification’ for fine amounts based on the extent of the non-compliance. 

➢ Consent for children’s data (article 8),

➢ Processing not requiring identification (article 10),

➢ Data Protection by Design (article 23),

➢ Joint Controllers (article 24),

➢ Representatives of the controller within the EU (article 25),

➢ Processors (article 26),

➢ Processing under the authority of the controller and processor (article 27),

➢ Records of processing activities (article 28),

➢ Co-operation with the supervisory authority (article 29),

➢ Security of processing (article 30),

➢ Notification of the breach (article 31),

➢ Communication to data subject of the breach (article 32),

➢ Data Protection Impact Assessment (article 33),

➢ Prior consultation (article 34),

➢ Designation of the Data Protection Officer (article 35),

➢ Position of the Data Protection Officer (article 36),

➢ Tasks of the Data Protection Officer (article 37)

➢ Certification (article 39)

For breaches of the following (as well as the above) you can receive a fine of up to 4% of global annual turnover (for undertakings) or 20 million euros.

➢ Principles of Data Protection (article 5),

➢ Lawfulness of processing (article 6),

➢ Conditions for Consent (article 7),

➢ Processing special categories of personal data (article 9),

➢ Rights of the Data Subject (articles 12-20),

➢ Transfer of personal data to third countries (articles 40-44),

➢ Powers of the Supervisory Authority (article 53),

Data Protection Officer:

Good news DPOs we have a future! Our future isn’t as “all powerful” as the first text but it does pretty much cement the Data Protection Officer as a key role within a public body and medium to large private enterprises. Key points are;

• Controllers can have 1 appointed to multiple entities taking into account their structure and size.

• Officer shall have expert knowledge in Data Protection law & practices.

• Can be a staff member or contractor.

• Their contact details must be published to data subjects and the supervisory authority.

• Should be involved in all matters affecting personal data.

• Shall be protected from being dismissed / coerced while performing their duties under the regulation.

• DPOs are to inform staff of the controller of their responsibilities under the regulation & monitor the controller’s compliance with its responsibilities.

International Data Transfers:

So, no major changes here but some key emphasis that is worthy of being aware of. The Commission retains the right to decide on the “adequacy” of third countries and will continue to publish and control the safe list. Standard Model Contract Clauses are also a viable method for transfer and now Binding Corporate Rules are explicitly outlined as a method of transfer too.

Supervisory Authority:

The bulk of the wording here is nothing new. They need to be independent, monitor compliance, and be proactive in producing guidance and standards etc. but there are some subtle changes. The authority has the powers to;

• Order the controller, processor or representatives of either to provide information in relation to its objective.

• Carry out investigations in the form of audits.

• Review certifications.

• Notify of infringements.

• Obtain from the controller / processor access to any personal data in relation to its objective.

• Obtain access to premises including access to equipment (in line with local law).

• Issue warnings, reprimands, orders to comply, order controller to inform a subject of a breach, impose a ban on processing, order a rectification, issue a fine and order a suspension of international data flows.

That’s it for this post but there is a lot more content in the DP regulation and I should imagine a few more discussions and blogs to come looking at specific areas and what this means for the future. As always it will be a practical discussion on what this means in real terms.

All that’s left is to wish you a peaceful and restful festive period and I very much look forward to discussions and working with you as we go into 2016 and ever closer to the regulation being here!




The story of Data Protection & the emperor’s new cloak.

After a twitter talk with the one and only Tim Turner he gave me some inspiration to turn fairy tales into information related tales. Up first, and not quite true to the original but allow some poetic licence, is the story of the emperor’s new cloak.

There was a kingdom, not so far away, where there lived a king who ruled over 28 local villages. This king often traded with passing traders from other villages and encouraged them to visit his villages as he was a wise king that saw the wealth and opportunity that trade could bring. However he was a cautious king and while interested in trade, he still wanted to protect himself and his kingdom.

One of the biggest traders came to him one day and offered him a very special trade. In return for gold and the opportunity to sell more of his wares to the king’s villages he would give the king an amazing cloak that would offer him protection, wonder and be a good omen for all of his people.

So the deal was done and the king proclaimed the trader as a new shop owner and the king’s preferred trader. And in return the trader presented to the king his brand new cloak. But when the king came to look upon the cloak he saw nothing but an empty hanger. The trader assured the king and said it could only be seen by the wisest and noblest of people. And so, in order to not embarrass himself, the king marvelled at the coat and thanked the trader for his efforts.

However when the king greeted his subjects and councilmen with this coat (and not much underneath it) he was laughed at and ridiculed as no one could see his coat. But no matter, he thought, as surely they were not noble or wise therefore they were not important.

But as time went on more and more people commented on the king’s lack of coat and general under dress. Until one day the king spoke with one of his oldest and wisest councilmen, the main keeper of the coin, and he said quite plainly to the king “there is no such coat your majesty”. The king immediately challenged the trader, who said there must be a problem with the coat’s magic therefore he would take it away and fix it and the king will see what a marvellous splendour it is.

Now if you imagine that the king in that story is the EU, his subjects are EU citizens and his councilmen from the villages are the member states of the EU (including their judiciaries) this rings a bell a little bit with the situation we find ourselves in with Safe Harbour.

If you have ever worked with European Data Protection (for example German or Spanish) you’ll know that there has been for some time a growing level of scepticism with the US Safe Harbour framework. This has been for a number of reasons (not just the obvious mass surveillance point).

One of the leading arguments has always been that because Safe Harbour is a certification there is a risk, however unlikely, that the certification can become invalid. Therefore what happens to the processing of that personal data once that certification is removed? (Assuming that is a main reason for legitimate ground of the transfer). Which is a fair point. An essential part of any resilient system is that you always have a contingency plan so why not with a legal system? That’s why many (not all) transfers of German Personal Data (excluding sensitive) would have signed SMCCs as a backup just in case.

Then when you add in all the recent revelations around spying, ineffective monitoring of compliance with Safe Harbour etc. the German (and others) argument against the scheme becomes even stronger. Therefore when I heard the Max Schrems case I predicted that he would succeed and indeed while working with the German DPO a few years ago we predicted (over a beer or 2) that Safe Harbour would also fall one day. If I could see it (someone that always thinks less of what he knows) and so could my German DPO friend while sitting in a beer hall in Cologne then why couldn’t the rest of the world? Or did they?

Is this a case, as the above fairy tale would suggest, that taking on Safe Harbour would actually expose an error on the EU’s part and cause embarrassment? So rather than admit there is some trickery here let’s pretend that the cloak is still there and everyone simply just isn’t worthy enough to see it.

But putting all that to one side for a moment. Do we run a danger of throwing stones in our glass house? Safe Harbour has been “debunked” (to use a better word) because of the level of spying that the US government undertakes and therefore appropriate protections cannot be guaranteed for European Personal Data that the European Directive and subsequent legislation provides. But aren’t member states currently introducing various “privacy risky” pieces of legislation based on the EU’s own Data Retention Directive (as well as their own purposes)? In the UK today there is an announcement about a so-called “watered down” snooper’s charter.

Similar laws are now throughout the EU member states each of them offering varying levels of protection with regards to Data Protection. So are we being a little “do as we say not as we do” here on this issue? Don’t get me wrong, as outlined above, I tend to agree with the conclusions reached in the Schrems case. Mass surveillance and legal powers that overwrite European legal protections is a dodgy place to be storing personal data. But this isn’t shocking news? The Patriot Act alone has been around since 2001 with the “moral justification” that gives for intercepting any suspected terrorist activity. So did we really believe that the US would use such powers on everything else but EU data?

Some of the reactions by certain DP authorities (mainly Germany) have been less than constructive. Yes Safe Harbour is offline right now but that does not mean that each and every Data Controller that was relying on Safe Harbour, and now can’t, is an evil entity that should be pursued for breaking the law. That’s many things but above all impractical. None of the DP authorities have the resources to do that and it sends the completely wrong message to the world about getting them to engage with this proactively, not doing it because they’ve been “told off”.

And on the opposite end of the scale the ICO has said “don’t panic” but as Jon Baines pointed out in his recent blog the ICO has got a Safe Harbour compliance issue of its own and has been less than helpful until now on how he will be resolving it.

Permission Impossible?

I recently took part in a training event for a local council whereby for the last 2 years they have put on an ‘Information Awareness’ week for their staff that involves various training sessions all week revolving around a certain theme. Last year the sessions revolved around the theme of game shows and this year the theme is films.

I was lucky enough to draw ‘Per-mission Impossible’ which would be looking at the subject of consent & permissions in their various forms. I make a point of not naming organisations I work with, but credit for the title of this blog must go to them.

We had some really interesting discussions around what people believe are the current pitfalls and benefits with consent and what people think of the proposed new world of consent as proposed by the European Union (EU).

We started with the current world and looked at the guidance from the ICO. Currently, in the ICO’s Guide to Data Protection it states;

“Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as: …any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

This is primarily aimed at controllers that are looking to use consent as a justification for processing of personal data, especially and more explicitly where that data is sensitive in nature.

Bearing this in mind there is then a conversation to be had around what that actually means in the real world. You know, that world where you have a data subject on the phone or sat in front of you more interested in resolving their query or issue than understanding what is happening with their personal data. Personally for me, I’ve always seen the matter of consents and permissions as a Customer Service area. Yes, there are things that we must do as part of compliance and demonstrate as part of our compliance however the method and delivery should very much be aligned with the customer service standards and processes of the organisation. As the phrase goes “tax doesn’t have to be taxing” well “permissions don’t have to be a mission”. (I know, it was the best I could come up with on short notice).

If you treat the gaining and subsequent management of permissions as a “compliance task” then that mind-set will always see it as a nightmare and a hurdle to overcome. However if you approach it as you would any other aspect of customer service and apply good customer service principles you will get much closer to a compliant permissions model. It also puts you in something of a good position for the future.

Another aspect of the discussion around permissions and consent management also involved the question of how to effectively manage a consent or permission regardless of the channel in which it is being obtained.

Regardless of the channel in which you communicate with the data subject the only effective method for tracking consents / permissions is an electronic database that either forms part of or interacts with your main customer database. But with that comes a series of concerns around ensuring that this system is kept relevant and up to date. For example, in a large organisation where a customer speaks to some random part of the organisation and expresses a preference how do you ensure that the preference is captured and updated accordingly?

These are valuable discussions to be had now because, as I run through below, the requirement to effectively and clearly demonstrate that you are doing the above becomes more important when the EU Data Protection Regulation comes in.

Permissions of the Future: All roads lead to explicit…?

So in my last blog post I gave an update on the General Data Protection Regulation and said that I’d start to focus on individual parts. Well this is the first one and apologies it’s taken me a while.

In the Commission’s proposal for a new General Data Protection Regulation, it proposed that whenever a business relies on consent as a valid ground for processing personal data, that consent should be ‘explicitly’ given. This changes the current position where consent only needs to be ‘explicit’ where a business wants to rely on it as a basis for processing sensitive personal data. Put simply, for processing for marketing purposes for example (which is almost always on the basis of consent) everyone will be required to “opt in” rather than opt out under the current regime (for phone and post at least).

European Commission Regulation Text
CH I ART 4: General Provisions – definitions (8),
CH II ART 6: Principles – lawfulness of processing (a),
CH II ART 7: Principles – Conditions for consent (1-4)

When the draft text made it through the European Parliament the Parliament gave its backing to the new definition of ‘consent’ suggested by the Commission. It too believed that consent needs to be “freely given specific, informed and explicit” and provided “either by a statement or by a clear affirmative action”. And, in contrast to today’s requirements, the burden of demonstrating that the legal standard of ‘consent’ has been achieved would lie with organisations.

European Parliament Regulation Text
CH I ART 4: General Provisions – definitions (8),
CH II ART 6: Principles – lawfulness of processing (a),
CH II ART 7: Principles – Conditions for consent (2)

In contrast, the Council said there was broad support for rules which would require organisations seeking to rely on consent to process personal data to ensure that the consent is “unambiguous”. This seems to back the broad legal standard for consent that exists under current EU data protection laws and not a radical change to explicit consent regardless of context.

European Council Regulation Text Comparison (so far)
CH I ART 4: General Provisions – definitions,
CH II ART 6: Principles – lawfulness of processing (a),
CH II ART 7: Principles – Conditions for consent (1)

This post doesn’t explore the requirements around children’s data however the principle of “informed and explicit” consent is replicated there. That will be the subject of a different post so watch this space.

Which of these texts is likely to survive I hear you ask? Well like most things in the world of politics that is unclear. However if you look at it from a numbers point of view then 2 of the 3 approving bodies favor explicit consent and a requirement to demonstrate when and where that consent was collected. If I was a betting man I’d say that some shift towards explicit consent is going to happen, but how far is anybody’s guess.

More importantly we should be looking at how we currently manage and capture consents today. If this is something that we don’t do (for whatever reason) then it’s time to start looking at how this can be factored into your processes and staff trained so it gets woven into your customer service standards.

And so, the end is near, and now we face, the final curtain… or do we?

In case you missed it over the last week or so it has been confirmed that the European Council have agreed a text of the Draft EU Data Protection Regulation. You would think that would be the final stage but alas no. Instead we now present this version back to the Commission & Parliament for tripartite discussion and agreement. This really is the final stage of the legal process in which the Council, the EU Parliament and the EU Commission will now negotiate on this document to agree a final text that can become law (promise… it really is the last stage).

However, in typical governmental fashion of not being able to do anything smoothly 2 versions were ‘released’. One is the text of the Council of Ministers’ final text agreed on June 15th: Council of Ministers text minus objections from Member States.

The other was a copy of the text of the Council of Ministers’ final text agreed on June 15th including the 649 paragraphs of ‘disagreements’ from the member states (oops): Council of Ministers text plus objections from Member States.

There is still some discussion to be had however and in the comments version the Council acknowledges this. First up, with regards to police processing of personal data the regulation now includes as a purpose for processing “safeguarding against and the prevention of threats to public security”. Which, at face value, seems rather wide and “loose” in its wording. We all know that defining a “threat to public security” can be open to various interpretations therefore this may meet with some stiff opposition.

The Council has also said that there needs to be some discussion around the “lawfulness of processing” under Article 6, recital (40) and Article 19 (1). The Council is looking to approve final wording on legitimacy of processing data that is incompatible with the original purpose for which it was collected. The current proposal looks to allow such processing but as a condition allows the data subject a means to legitimately object. Again, how this will work in the real world is open to interpretation but given that this is a move away from the current Directive’s standards then it will be interesting to see if the Council and Parliament accept that.

The Council also appears to be looking for further discussion on the right to compensation and liability outlined in Article 77 and recitals (112), (113a), (118), (118b). The current proposal clarifies the roles and liabilities for processing that is not compatible with the regulation. Namely it is looking to narrow the extent of liability for a processor or controller where it can be demonstrated that the controller or processor concerned is not fully liable (i.e. it can be clearly demonstrated that it wasn’t their fault). It makes sense but again, how that will go down with the Parliament and Commission will be interesting.

I’ve now had the chance to read through this updated text and in short it smells an awful lot like a beefed up Directive. A lot of the stricter wording that was in the initial draft proposed by the Commission & indeed the Parliament draft has been replaced with general expectations, the finer details of which member state law or local codes of practice are encouraged to work out. Some of the aspects of the regulation even invite member states to write complementary laws so that those sections can be properly enacted within that member state. (I’m sure that’s the purpose of a Directive you know…).

Here’s a quick summary for you;

  • Member states can create their own laws on conditions for processing certain types of data (national ID numbers for example). (Article 9 (5)). This also extends to the conditions for processing HR data which can be defined by local member state work agreements.
  • Member states can decide if fines are to be used on public sector bodies.
  • Article 79a – Fines of up to 250,000 euros or 0.5% of previous year global annual turnover for deliberate or negligent breaches & not responding to SARs.
  • Article 79a – Fines of up to 500,000 euros or 1.0% of previous year global annual turnover for any of the above or;
    • Does not provide information in a timely manner to a data subject
    • Does not provide access or rectify data belonging to the data subject
    • Does not erase personal data belonging to the data subject
    • Processing data in violation of any restrictions on processing outlined in article 17 (Notification obligation regarding rectification, erasure or restriction).
    • Does not communicate any rectification, erasure or restriction requests to 3rd parties
    • Does not provide the data subject with their personal data.
    • Processing of data after an objection to processing has been received and there is no viable reason for legitimate processing.
    • Does not provide data subject with information about the right to object to processing of information for marketing purposes.
    • Does not sufficiently determine responsibilities of joint controllers.
    • Does not maintain sufficient documentation pursuant to Articles 28 (Records of categories of personal data processing activities) & 34 (Prior consultation).
  • Article 79a – Fines of up to 1,000,000 euros or 2.0% of previous year global annual turnover for any of the above or;
    • Processes information without a legal basis for doing so or does not obtain appropriate consent.
    • Does not comply with conditions for automated decision making & profiling.
    • Does not implement measures to demonstrate compliance with articles 22 (Obligations of the controller) and 30 (Security of processing).
    • Does not designate a representative in violation of Article 25 (Representatives of controllers not established in the Union).
    • processes or instructs the processing of personal data in violation of Article 26 (Processor).
    • does not alert on or notify a personal data breach or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 (Notification of a personal data breach to the supervisory authority) and 32 (Communication of a personal data breach to the data subject).
    • does not carry out a data protection impact assessment in violation of Article 33 (Data protection impact assessment) or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2) (Prior consultation).
    • misuses a data protection seal or mark in the meaning of Article 39 (Certification) or does not comply with the conditions and procedures laid down in Articles 38a (Monitoring of approved codes of conduct) and 39a (Certification body and procedure).
    • carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44 (Transfer of Personal Data to third countries or international organisations).
    • does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53 (1b) or does not provide access in violation of Article 53(1) (Powers).
  • Article 38 – Member states can create their own codes of practice and standards for data protection for specific sectors. These need approval by the EU Data Protection Board but can be developed per member per sector.
  • Article 54a – One stop shop concept for regulatory action and complaint handling amongst supervisory authorities remains.
  • Article 12 – Removal of charging for SARs remains.
  • Article 70 – Removal of need to register all processing of personal data remains but instead only high risk processing must be registered (at no charge) and will be published by the supervising authority.
  • Data portability now does not apply to the public sector or any processing for the enactment of a contract. (General Text, paragraph 55)
  • Article 31 – Breach notification to a supervisory authority is now 72 hours or “without undue delay” if longer than that period.

This Regulation is as close to a final version as we are going to get for the moment. As we’ve seen in recent weeks and months the majority of Data Protection regulators and even the EU Commission are saying that elements of the Regulation should start to be implemented from this point onwards (e.g. Netherlands are implementing a general DP breach notification law from next year). Some are even using the principle of the Regulation in the interpretation of current law (the ‘right to be forgotten’ for example).

I intend to do a few more articles over the coming weeks to look in more detail at some of the wording and what this could mean if the Parliament and Commission accept the current draft (which is a realistic possibility).


Not quite privacy; but instead let’s talk about Cyber Security.

So it’s been a while since I’ve posted anything (again) as the day job (and indeed one of the ‘other’ jobs) has been taking up a large chunk of my time. As the DP regulation seems to be on a low heat with nothing really new coming out (other than what we are already aware of) I’ve decided to take a look at the wider world.

Come with me boys and girls as we explore the news stories this week of everything Information / Cyber Security that has occurred in the last week or so. (Privacy will come shortly as they are separate, but that’s a discussion for another day, ideally over a new cold beer).

Cyber Security Regulation:

In the world of Information Security, or what is more commonly referred to as Cyber Security these days, the main area of focus (apart from the usual security mishaps) concerns the EU’s proposed Cyber Security Directive. What was tipped to be the easier piece of legislation between this and the Data Protection Regulation has quickly become just as fraught with political disagreement as the regulation.

After a series of stalls and slow progress the Latvian presidency had committed to starting negotiations on the Directive by the 30th April 2015. But it hasn’t secured a mandate from the respective member states so the talks are currently stalled. The main sticking point (well the biggest at least) comes from Ireland, Sweden and the UK, all of whom just so happen to have large US firms residing in them. They are keen for such firms & internet providers to be scoped out or their requirements scaled back. However countries like France, Germany and Spain disagree (the usual suspects). Given the issues we are having with the DP regulation I strongly suspect that this will remain stalled until the other discussions have made progress. DP, Security & Privacy are big topics for the EU at the moment and as we all know, nothing is ever simple.

Hacks & General:

And now for the juicy stuff. We all have a morbid obsession with other people’s hacking stories, partly in a vain hope that it will never happen to the organisations we work for. Below is a list of the most recent ones and some plans to test for hacking vulnerabilities.

Ryanair falls victim to 4.6m Euro hacking scam via Chinese Bank. (an important lesson in not responding to that spam email).

Train control centre passwords revealed on BBC TV (all publicity is good publicity right?)

Researchers plan to demonstrate a wireless car hack this Summer (I bet that Morris Minor is looking appealing now right?)

Cyber Security is ever becoming an important area of focus. Not only for businesses / entities in general but also for those looking at Privacy and Information Security. Although Privacy is not just about its technical protection, Cyber is quickly becoming just as important (although personally, it’s always been just as important in my eyes). Watch this space for more information in this area and let’s see what issues we can explore together.