KEEP OUT
Reality, regulation and response: a practical guide to information privacy
In association with EY
Simon Hughes, Nick Pickles, Steve Wright, Nicola Hermansson, Sagi Leizerov, Ken Allan, Christopher Graham, Eduardo Ustaran
2 | NEW STATESMAN | 14–20 MARCH 2014
FACTS & FIGURES

[Infographic. "View from the citizen" and "Data good. Data bad.": two-thirds believe the regulator should do more to force organisations to comply with existing privacy rules; 41 per cent say gathering large amounts of personal data causes harm, 29 per cent say it enhances experience; a further figure gives the share concerned about their privacy online. "Global citizen": percentage worried about privacy, by country, for the UK, Germany, Spain, India, Japan and Brazil. "The company view: under cyber attack": 59 per cent say the number of external threats is up in the past 12 months; two-thirds have security professionals at board level; 70 per cent say security policy is owned at the highest level; a further figure gives the share saying mobile has changed exposure to risk. Graphics: Samina Ali. Cover graphic: Shutterstock/design by Leon Parks.]
New Statesman, 7th Floor, John Carpenter House, John Carpenter Street, London EC4Y 0AN. Tel 020 7936 6400. Fax 020 7305 7304. info@newstatesman.co.uk
Subscription inquiries, reprints and syndication rights: Stephen Brasher, sbrasher@newstatesman.co.uk, 0800 731 8496
Supplement Editor: Jon Bernstein. Design & Production: Leon Parks. Graphics: Samina Ali. Commercial Director: Peter Coombs, 020 3096 2268. Account Director: Jugal Lalsodagar, 020 3096 2271
CONTENTS

4 Need to know: The seven-step privacy plan. Jon Bernstein examines the new EU data laws
7 View from Westminster: Protect and thrive. Simon Hughes on false choices
8 Feature: Regulating the new alchemy. Eduardo Ustaran rethinks privacy
11 View from the regulator: Catch them while you can. Christopher Graham on the power of education
11 NS Interview: "These laws go back to 1890". In conversation with Unilever's Steve Wright
13 Citizen's view: The real price of privacy. By Big Brother Watch's director, Nick Pickles
14 Definitions: Jargon-buster. Technologies and terms explained
15 View from EY: Opportunities, yes – but handle with care. Sagi Leizerov and Ken Allan on the spirit of the law

Privacy unbound

"I don't agree with those who say we must choose between being safe and being free," writes the justice and civil liberties minister Simon Hughes on page seven. "If we get it right, we can do both."

To understand the dichotomy between the opportunities handling and processing data present and the threat to individual privacy they pose, the delayed NHS data-sharing scheme for England is difficult to beat. Proponents of care.data, many of them in the health profession, say the database of medical records will lead to new treatments and make the health service more responsive to patient needs. Opponents insist that the promised anonymity remains unproven. For now, the politicians have sided with the second group and – to borrow the popular political vernacular – have kicked the scheme into the long grass.

Fear of unprotected privacy has been fuelled by high-profile commercial data breaches and the mass state surveillance exposed by Edward Snowden. Yet, for most organisations, the day-to-day challenge is more routine than the headlines would suggest. Information privacy involves good practice, risk management, paperwork and assessments.

This supplement, in association with EY, explores the emerging regulatory framework that firms around the world need to understand. Overleaf, seven tenets of the forthcoming EU data protection regulations are explained, and on page eight the privacy lawyer Eduardo Ustaran spells out why the existing approach to privacy is not fit for purpose. The UK's Information Commissioner, Christopher Graham, argues that education is vital to create "informed, confident digital citizens" (page 11), while Nick Pickles, director of the campaign group Big Brother Watch, warns that "mass surveillance has become a business model" (page 13).

Finally, for those new to a subject that combines the complexities of technology with those of the legal profession, there is a jargon-buster on page 14.
First published as a supplement to the New Statesman, 14-20 March 2014. © New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA.
This supplement, and other policy reports, can be downloaded from the NS website at newstatesman.com/page/supplements
NEED TO KNOW

The seven-step privacy plan

From larger fines to more paperwork and the recruitment of a data protection officer, new European data protection laws will soon be making extra demands

By Jon Bernstein

Draft EU data protection regulation. It's a formulation of words more likely to induce ennui than spark enthusiasm. But before these regulations go from draft to law, it is worth taking a moment to understand how they will affect you and your business. Did you know, for example, that the proposed maximum fine for data breaches in future is likely to be 5 per cent of global annual turnover, or €100m, whichever is larger? Or that your organisation may need to employ a highly skilled – and highly salaried – data protection officer?

These new laws – likely to be introduced later this year – mark a significant moment for Europe. They are the first upgrade in the laws governing information privacy since the EU data protection directive of the mid-1990s and, unlike the existing directive, which each member state had to transpose into its own national law, a regulation applies directly and identically in every member state. Indeed, local laws, such as the UK's Data Protection Act 1998, will be no more. The EU data protection regulation is a deliberate attempt to harmonise laws across all 28 member states.

So what do organisations and individuals need to know about the forthcoming laws? Here are seven key tenets.

1. Fines up to 5 per cent of global annual turnover

. . . or up to €100m, whichever is greater. Of all the proposals in the regulation, this is the one likely to alarm business leaders the most – and perhaps convince them that the new laws will have teeth. The original draft, drawn up in 2012, recommended a maximum fine of 2 per cent of global turnover in the event of a data breach. This figure was raised to 5 per cent in 2013 and while the numbers could change again before implementation, there is no doubt that for the first time the sums being discussed will have a substantive impact on all organisations, large as well as small. To date, the highest sanction available to the UK's Information Commissioner is a £500,000 fine, a penalty that has never been applied.

"A lot of the organisations that we talk to think [the current penalties are] not that much," notes Nicola Hermansson, data protection lead at EY. "It's not going to have a material impact on their organisation – so, as a result, they haven't put the effort or the money into understanding and addressing their privacy risk."

Soon every company will need to put in the effort. Unless, of course, these large fines remain an empty threat. After all, local bodies such as the ICO have been reluctant to impose heavy penalties. Hermansson believes, however, that European regulators will be keen to see sanctions imposed, certainly in the early stages, to demonstrate intent.

2. Mandatory data protection officers

Any organisation that processes data on more than 5,000 data subjects during a consecutive 12-month period will be obliged to appoint a data protection officer (DPO). For "5,000 data subjects", read customers. The appointed data protection officer doesn't need to be full-time. He or she could be an existing employee who takes on additional responsibility. Equally, it could be someone brought in on a consultancy basis, provided they can demonstrate independence.

Nonetheless, the appointment of a DPO is likely to add significant cost. This is especially true for small businesses and start-ups with ambitions to attract at least 5,000 customers. "[The DPO] is someone who needs to report to the board level of an organisation," says Hermansson. "And they obviously need to have a salary that reflects that seniority."

The nature of the role as defined by the regulation is going to make it difficult to find someone with the right mix of skills, Hermansson says.

"There's quite a lot of debate about what a data protection officer should look like, what skill-set they should have," she says. "In a lot of organisations data protection tends to live in the legal function. But if you look at the actual role of the data protection officer, it's far more than just understanding the law – it's the implementation of those laws. It means impact assessments, operational changes, training, understanding technology and linkage with information security. And dealing with third parties."
[Photo caption: Finger on the pulse: organisations will have two years after the introduction of the new laws to put them into practice. Photo: Shutterstock/Twobee]
Steve Wright, Unilever's global privacy officer, is perhaps one of the emerging breed, one without a legal background. "You can't just think granularly or legally within a specific company. You've got to have that common framework," Wright says (see page 11 for the full interview).

3. Mandatory breach notification

When the regulations were first drawn up in 2012, they required that any data breach involving the loss of personal data must be reported to a supervisory body (such as the UK's Information Commissioner's Office) within 24 hours. That language was softened last October and the concrete deadline replaced with the following words: "without undue delay".

Why the apparent fudge? Perhaps as a result of effective lobbying or perhaps because imposing a specific deadline can prove counterproductive, leading to confusion when most of the facts remain unclear. "One of the risks of early notification is that if you don't fully understand what's happened, you could end up notifying incorrectly," says Hermansson. "And that could end up having a much more detrimental effect on the individuals because you end up giving them the wrong information."

However, without a specific deadline, surely the regulations will end up being interpreted in a number of different ways across the continent, exactly what the EU was trying to avoid.

"It's one part of the regulations we certainly expect a bit more clarity on," says EY's data protection manager Natasha Warner, formerly a data protection officer at the energy supplier Centrica and the drinks firm Diageo. "Regardless of how this piece of the regulation comes into place," Hermansson adds, "organisations should make sure that if there is a breach, they have the appropriate policies, procedures and training in place so they know what their responsibilities are – and that they can react to it accordingly.

"A lot of this stuff isn't new and should be in place already. But the key change is in the specifics. This regulation is prescriptive where it hasn't been before." Just how prescriptive will become clear only once the rules are formally introduced.

4. Data protection impact assessment

Another area where best practice will become mandatory is in data protection impact assessments – which cover both prevention and cure. These will be obligatory for companies that process data relating to more than 5,000 subjects in a consecutive 12-month period.

These assessments mean paperwork and lots of it. "It's looking at what data is being processed," Warner explains. "Does it cover personal data? Is the data being transferred to anywhere it wasn't being previously? The kind of questions to assess whether the personal data is going to be impacted and to make sure the appropriate controls are in place." Assessments must be carried out every year.

5. Right to erasure

In the original draft, this part of the law was referred to as the "right to be forgotten" until it became apparent how difficult that would prove in reality. "Erasure" might prove equally tricky.

"The idea behind it," Hermansson says, "is to give more rights to individuals to go to an organisation and say: 'You don't need this data on me any more so I'd like you to erase it.'"

There remains an important exception, however. It states that data restriction, not removal, should be the goal where "the particular type of storage technology does not allow for erasure and has been installed before the entry into force of this Regulation". This, Hermansson says, is a pragmatic solution to a complicated problem. "Think of Facebook. Pretty much anyone can access your data on Facebook. If I go to Facebook and say, 'Can you erase all the data you've got on me?' how on a practical level can that happen?"

6. Privacy by design

The objective is to ensure privacy is a key consideration in the early stages of any new project. "The idea here is that whenever you are building a new system or developing a new process, privacy should be built into it from the outset," says Hermansson, who suggests that is not how organisations operate today. "We see this all the time. Someone develops a system, it goes off to the data officer and it turns out nobody has even thought about information privacy up to this point."

This sounds like a sensible goal but how will it play out in terms of a regulation? It seems an aspiration, rather than something concrete you can put down in law. The draft pairs the design duty with a "privacy by default" duty, and it is the latter that Natasha Warner says is targeted at apps. "The standard when you are creating an app (or a website) should be that the highest security settings must be default, no longer an optional extra."

7. Obligations on processors

For the first time, those handling data on another organisation's behalf, not just those controlling the data, will be liable in the event of a data breach or loss. In other words, a third-party company employed by an organisation to process its data may be held responsible and fined.

There are other aspects to the regulations, too, including the introduction of a data protection seal to indicate the application of good data protection practices. Once these are placed into law, companies will have two years to implement them. Of all the proposals, Warner says the requirements around documentation, and especially the impact assessments, will prove the most onerous for large organisations. For others, especially those in smaller organisations that nonetheless process large volumes of customer data, the introduction of a data protection officer is likely to prove the most challenging.

The regulations are yet to be finalised but, Hermansson says, the substance will remain much the same between now and implementation. "There will be a few tweaks before the regulations come into force but the essence is unlikely to change, so a valuable exercise [as an organisation] is to ask where you are today in relation to the regulations and what you need to do to meet them. Identify what are the key risks and what you need to do to address them, and prioritise those actions."

In order to do that, she says, you "really need to understand what personal data you have in your organisation. Typically, personal data can come from lots of different parts of an organisation. It's in lots of different systems: it's probably on people's laptops, it's sent all over the world, it's sent to third parties as well. Most organisations don't know what information they have and where it is. Until they know this, how can they even start to think about protecting it?"
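Hermansson's closing point, that you cannot protect personal data until you know where it is, is the one place in this piece where a practitioner can usefully reach for a tool. The Python script below is an added example, not code from the supplement, from EY or from any of the organisations quoted: it sweeps a set of text sources and reports which of them hold which categories of personal data, the starting point for the inventory she describes. The source names and contents are constructed for the demonstration; the detectors cover e-mail addresses, UK National Insurance numbers and Luhn-valid payment card numbers, and every finding is masked so that the inventory does not itself become another copy of the data.

```python
"""Personal-data discovery sweep (added example; not from the supplement or EY).

Walks a set of text sources and reports which of them contain which kinds of
personal data, so an inventory can be built before any protection work starts.
The sources below are constructed in memory; in practice they would be files
on laptops, database exports and feeds sent to third parties.
"""
import re
from collections import defaultdict

# E-mail addresses.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

# UK National Insurance numbers: two prefix letters (D, F, I, Q, U, V never
# used; O never used as the second letter; BG, GB, KN, NK, NT, TN, ZZ not
# allocated), six digits, optional suffix A-D, with optional spacing.
NINO_RE = re.compile(
    r"\b(?!BG|GB|KN|NK|NT|TN|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]?\b"
)

# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# spaces or dashes. Candidates are confirmed with the Luhn check below, which
# weeds out order references and other long digit runs.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Digit strings in text that look like card numbers and pass Luhn."""
    cards = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return cards


def mask_email(addr: str) -> str:
    local, domain = addr.split("@", 1)
    return local[0] + "***@" + domain


def mask_nino(nino: str) -> str:
    compact = nino.replace(" ", "")
    return compact[:2] + "*" * 6 + compact[8:]


def mask_card(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def sweep(sources: dict) -> dict:
    """Map each source holding personal data to its masked findings by category."""
    report = {}
    for name, text in sources.items():
        found = {}
        emails = [mask_email(e) for e in EMAIL_RE.findall(text)]
        if emails:
            found["email"] = emails
        ninos = [mask_nino(m.group()) for m in NINO_RE.finditer(text)]
        if ninos:
            found["nino"] = ninos
        cards = [mask_card(c) for c in find_cards(text)]
        if cards:
            found["card"] = cards
        if found:
            report[name] = found
    return report


def summarise_by_location(report: dict) -> dict:
    """Collapse the report to the kind of place (laptop, db, thirdparty ...) holding each category."""
    summary = defaultdict(set)
    for name, found in report.items():
        summary[name.split(":", 1)[0]].update(found)
    return {location: sorted(cats) for location, cats in summary.items()}


# Constructed sample sources; names and contents are invented for this example.
SAMPLE_SOURCES = {
    "laptop:finance/expenses.csv":
        "name,email,card\nMary Jane,mary.jane@example.com,4111 1111 1111 1111\n",
    "db:hr_export.txt":
        "Employee AB123456C (temp ref QQ123456C) started 2013-02-01; "
        "payroll ref 1234 5678 9012 3456; contact mjane@example.org",
    "thirdparty:mailer_feed.json":
        '{"to": "news@example.net", "ref": "ORDER-2014-0311"}',
    "share:board_minutes.txt":
        "Security policy is owned at the highest level. No personal data here.",
}

if __name__ == "__main__":
    report = sweep(SAMPLE_SOURCES)
    for source, found in report.items():
        print(source)
        for category, items in found.items():
            print(f"  {category}: {', '.join(items)}")
    print("by location:", summarise_by_location(report))
```

Two design choices matter in practice. The Luhn check is what keeps a sweep like this usable: long digit runs such as the invented payroll reference above look like card numbers to a regular expression but fail the checksum, so they are not reported. And the report stores only masked values, because an inventory that lists full card and National Insurance numbers is itself a high-value target and would have to be protected to the same standard as the systems it describes.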
VIEW FROM WESTMINSTER

Protect and thrive

The trade-off between safety and freedom offers a false choice. If we get new data protection regulations right we can deliver both

By Simon Hughes

There is a big debate going on in Europe at the moment about data protection and the safeguards we need to protect personal data. The government agrees with many of our European partners that the current legislative framework, which dates back to the 1990s, needs to be updated. We want to see data protection legislation that protects the civil liberties of individuals while also allowing for economic growth and innovation.

I am confident that we already have strong safeguards in place to protect people in the UK. The Data Protection Act safeguards the privacy of UK citizens and gives them rights of access to their personal data. I am committed to making sure that the Information Commissioner has the necessary powers and resources to regulate this area and to make sure sensitive and personal data is handled properly and within the law. The right to protect data and seek redress if breached or neglected remains as important today as ever. This challenge only increases in the digital age.

But we cannot simply pull up the drawbridge and forget about the rest of the world. Data crosses borders billions of times a day. We need to have international agreements that protect the privacy of our people while also allowing them to use services and grow businesses which often rely on personal data exchange between countries. As a result, our personal data is used in ways we could barely imagine a decade ago.

As part of this process the UK is currently leading the way in negotiating a meaningful and workable deal for a new European Union data protection framework. We want to bring EU rules in line with the realities of 21st-century commerce.

When the European Commission brought forward proposals for new data protection regulation, British members of the European Parliament, notably Sarah Ludford, the Liberal Democrat MEP, worked hard to improve this legislation. However, the coalition government still thinks more can be done to get the right balance between individual privacy and the free flow of data. The current proposals could end up costing UK business hundreds of millions of pounds and leave it struggling under additional red tape. We must resist overly prescriptive regulation, which increases unnecessary bureaucracy for businesses, the public sector, consumers and data regulators.

The UK is rightly seen as a leader in technology. A great enterprise culture has emerged in places such as Tech City and the Silicon Fen, where firms, large and small, are developing new products that make creative and innovative use of data. Our tech sector should be given every opportunity to thrive. We must not risk the growth of the digital economy by imposing costly rules that would give a competitive advantage to other nations.

Innovative use of data drives economic and social development. For instance, millions of us rely on the ease of connecting and sharing information through social media and online retail in order to trade goods and services. The proposed use of "explicit consent" could frustrate this experience or lead to its trivialisation through routine use – consumers who give consent by default could end up doing so when it really matters. There are also concerns about how the regulation would impact on services in areas such as the insurance industry, where use of accurate personal data leads to fair process. New rules could lead to higher premiums.

The UK information economy contributed £105bn in gross value in 2011, supporting almost 1.3 million jobs. Data analytics and processing are significant growth areas, too. The prescriptive approach set out by the Commission would hit UK business with annual costs of up to £360m. Small and medium-sized enterprises would bear the bulk of these costs.

It is not only UK businesses that are concerned by this. The proposals would also place costly obligations on data controllers. The UK Information Commissioner has called the proposals "a regime that no one will pay for", with the expanded regulation requirements reaching an additional £28m per year. The government's concerns are shared by the House of Commons justice select committee.

It is better we take the time to get this right rather than rush into something that proves unworkable and costly. Some have tried to present the UK as simply obstructing negotiations but this is far from the truth. We are working constructively with other EU member states: many share our concerns and determination to make sure this legislation is workable. Throughout 2014 we will be pressing for regulations that are flexible and help business growth and jobs. The new laws must focus on the principle of accountability and encourage a risk-based approach to data protection, one that does not rely on complex rules imposed from the top.

I do not agree with those who say we must choose between being safe and being free. This has always proved to be a false choice. If we get this regulation right, we can do both.

Simon Hughes is the minister of state for justice and civil liberties
OBSERVATIONS

Regulating the new alchemy

As the pace of technology change leaves lawyers and legislators playing catch-up, it is clear the current rules governing information privacy won't do

By Eduardo Ustaran

The current legal framework dealing with privacy and data protection is no longer fit for purpose. Policymakers and regulators struggle to achieve their aims, while both the private and public sectors are increasingly puzzled by unsuitable and often nonsensical law. This would be tolerable if it was not for the fact that the implications of devising an effective legal framework to regulate the use of personal information are crucial for humanity, our freedoms and our economic well-being. Ignore privacy as a human value and we risk losing a large part of our ability to make choices. Restrict the opportunities presented by what our data says about us and we will seriously threaten our future prosperity. The stakes are that high.

The reason why our present laws are ineffective is that they fail to address the evolution of technology, the realisation of the strategic and commercial value of personal data and the globalisation of data-reliant activities. Until now, there has been a nearly parallel journey with legislators doing their best to catch up with technology. But as technology progresses and the Internet of Things, cloud computing and social media become more pervasive and embedded in our lives, it is increasingly apparent that engineers think and act much faster than lawyers and legislators.

Our daily interaction with technology makes data self-generating and increasingly valuable. When people's data is properly and systematically gathered and studied, it can make a difference between failure and success. It is no coincidence that public authorities and commercial organisations are constantly hunting for data about their citizens and customers. The biggest success stories of the internet age are directly linked to the collection and exploitation of data about users, and the level of success is only growing in direct proportion to the amount of data produced by users. Harvesting and handling data is the new alchemy.

In the face of data globalisation, the regulatory answer is not to retreat to our national trenches and build even more restrictive legal frameworks. The future of privacy will be only as good as our ability to accept the constant evolution of technology, to recognise that personal information is an asset, and to see data globalisation as an unavoidable fact.

Regulating technology

It is beyond doubt that regulating the development and use of technology is like chasing a moving target. It is therefore no surprise that no matter how effective, powerful and sophisticated our policymakers and regulators may be, they face an insurmountable challenge when attempting to apply existing privacy rules to this ever-changing technological revolution, or indeed, to devise new rules. The challenge is for that to take place without stifling the thinking and creativity of those at the forefront of innovation. In fact, the real trick is to do it by encouraging the development of equally ambitious technology that, at the same time, protects information and people's privacy.

The starting point is to recognise the limitations and possible drawbacks of regulating technology. We need to steer away as much as possible from trying to protect our privacy by regulating technology. Instead, we must direct our attention to behaviour that should either be encouraged or prevented – irrespective of the technology in place. In other words, laws should be geared towards achieving certain outcomes, such as incentivising compliance, empowering individuals or preventing harm whilst facilitating progress and technological innovation.

Power to the people

The most effective way of regulating the exploitation of data as an asset is to prove that responsible exploitation brings benefits to which organisations can relate. Policymaking in the privacy sphere should emphasise the business and social benefits – for the private and public sectors, respectively – of achieving the right level of legal compliance. The rest is likely to follow much more easily and all types of organisations – commercial or otherwise – will endeavour to make the right decisions about the data they collect, use and share. The message for policymakers is simple: bring compliance with the law closer to the tangible benefits that motivate decision-makers.

A complementary approach to incentivising compliance would be to require that all users of personal information give back a demonstrable benefit to the individuals to whom the information relates, unless there is a higher interest that should prevail, such as law enforcement or public safety. Compliance with this obligation would involve being able to show that when a commercial entity or public authority collects data from someone, those individuals are getting something back, such as a service of some kind that is of value to them. The law does not need to be prescriptive but simply create an expectation that value derived from personal information will be shared by default and it will be up to those who seek to exploit it to figure out how.

Mutual recognition

Finally, despite the absence of a global privacy legal framework, there is an urgent need to deal with the privacy issues raised by data globalisation. As always, the answer is dialogue – dialogue and a sense of common purpose. Representatives of the Obama administration and the European Commission have already recognised that stronger transatlantic co-operation in the field of data protection would enhance consumer trust and promote the continued growth of the global internet economy and the digital transatlantic common market. In terms of regulating privacy, the two camps could not be further apart style-wise – one stiff and prescriptive, the other distinctively industry-led. However, consensus can and should be reached by creating mutual recognition frameworks that protect privacy.

Much work remains to be done but with the right frame of mind, everything is possible. We must start with the recognition that, despite different approaches, principles-based frameworks can deliver a universal baseline of protection. And it will require perseverance as well as a willingness to create an environment allowing for the mutual recognition of approaches and, ultimately, a global mechanism for protecting personal information.

Eduardo Ustaran is a lawyer based in London and the author of "The Future of Privacy" (DataGuidance, 2013)

[Chart: Emerging technologies and trends. Scatter plot of familiarity with technologies and trends (% of respondents, horizontal axis, 10 to 70) against confidence in capabilities (% of respondents, vertical axis, 0 to 70). Items are labelled as current technologies, around the corner, or on the horizon, and include software applications, web-based applications, smartphones and tablets, social media, cloud service brokerage, digital money, in-memory computing, enterprise application store, BYO cloud, supply chain management, big data, the Internet of Things and cyber havens. Source: Insights on governance, risk and compliance. EY's Global Information Security Survey 2013: Under cyber attack. Graphics: Samina Ali]
OBSERVATIONS
Two large data security breaches either
side of the New Year and thousands of
miles apart – one involving a large re-
tailer, the other a large financial services
company – are illustrative of the privacy
concerns the general public shares and the
challenges organisations face.
In the run-up to Christmas, Target,
the second-largest discount store in the
United States, fell victim to a huge credit
and debit card theft. It affected up to 40
million customers, the retailer admitted,
while a larger group of 70 million custom-
ers also had personal data compromised.
The data had been stolen from shoppers
between the end of November and mid-
December, a particularly busy time in the
retail calendar.
According to Avivah Litan, a security
analyst with Gartner, the Target data
breach provides an excellent example of how identity theft might occur. “Let’s say [the criminals have some details on] Mary Jane,” Litan told the Washington Post. “Now they’ve got her email, her name and her address, and now they have her credit card. So now she’s easier to target.”

A few weeks later, news emerged from Seoul that details from over 100 million South Korean credit cards and bank accounts had been stolen, in the country’s biggest ever breach. A private financial services company that managed the credit cards placed details of 106 million accounts on a portable hard drive. Legal action followed, with 130 victims claiming $100,000 each in compensation.

Stories of human error and poor practice in handling sensitive data are recurring themes when recounting some of the most significant data breaches of the past few years. Error and poor practice are things one might not expect of a technology company, which ought to be more aware than most of the potential risks to digital assets. Yet it turns out that technology companies are far from immune.

Take Sony, or more specifically Sony Computer Entertainment Europe, which was found to be in breach of the UK Data Protection Act and fined £250,000 in January 2013. Its offence? A “serious breach” of its customers’ confidentiality back in 2011 when hackers stole names, email addresses, dates of birth and account passwords from members of the PlayStation Network. Sony, which took issue with the ruling, was also accused of putting customer payment cards at risk. David Smith, a deputy to Christopher Graham at the Information Commissioner’s Office (ICO), told the Daily Telegraph: “If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted, albeit in a determined criminal attack, the security measures in place were simply not good enough.”

Perhaps the biggest breach of all to affect customers of a technology company hit Adobe, the makers of Photoshop and Acrobat Reader, last October. According to the software company, hackers carried out a “sophisticated attack” that compromised customer IDs and encrypted passwords. The company’s security chief went on to tell the press: “We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates and other information relating to customer orders.”
CASE STUDIES
Don’t become a Target
Those who make our laws are not immune from breaking them
By Jon Bernstein
Picture caption: Target practice: data theft hit 40 million clients
In the event, 2.9 million was a vast underestimation. By the end of the month, news outlets were reporting that nearer to 40 million users could have been affected. An Adobe spokesperson told the website Naked Security: “So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and . . . encrypted passwords for approximately 38 million active users.” In an effort to mitigate the impact of the hack, Adobe automatically reset customer passwords and set up a help page on its website.

Those who make our laws are not immune, either. One of the more embarrassing episodes for the last Labour government came when Gordon Brown was forced to apologise after two disks with details of 25 million taxpayers went missing. “I profoundly regret and apologise for the inconvenience and worries that have been caused to millions of families who receive child benefits,” the then prime minister told MPs in November 2007. The data included names, dates of birth, National Insurance numbers and bank and address details. The disks were couriered by a junior Revenue and Customs official to the National Audit Office in London but failed to arrive. The opposition put the potential value of the data – were it to fall into criminal hands – at £1.5bn.

More recently, local and central government has been guilty of similar breaches, even if these cases have not proved quite as high profile. Last year, North-East Lincolnshire Council received a penalty notice from the ICO for losing an encrypted memory stick carrying personal, sensitive data of 286 children. Islington Borough Council in London received a similar notice when private details of 2,000 residents were released online. And Glasgow City Council was fined when two unencrypted laptops went missing; one of them contained the personal information of 20,143 people.

Finally, file this one under “I” for ironic. The Ministry of Justice – with a remit to safeguard human rights and civil liberties – fell foul of the ICO last October. Its offence? Failing to keep personal data secure after spreadsheets containing details of 1,182 prisoners in Cardiff were emailed to three families of inmates. The error occurred in August 2011. An ICO investigation found that two instances of the same error had occurred within the previous month. A fine of £140,000 followed.
VIEW FROM THE REGULATOR
Catch them while you can
By Christopher Graham
We live in an age of information where data, and especially our personal data, is a highly prized commodity. Whether it’s via search engines, social media, loyalty cards, apps, surveys or shopping, we are constantly divulging our private information. Many of us input it without thinking, unaware why, or for what reasons, our details are being taken.

A 2012 study by the Boston Consulting Group projected that the value of Europe’s personal data could grow to €1trn by 2020, 8 per cent of the GDP of the continent’s economy. With such large sums involved it’s obvious why companies such as Google and Facebook are so keen to get access to individuals’ personal data. But this exchange must be secure and trusted, and for that consumers need to be confident and informed. The same study showed that individuals who knew how to protect and manage their privacy were up to 52 per cent more willing to share information than those who didn’t, presumably because they feel in control of the exchange. That is why the Information Commissioner’s Office (ICO) supports initiatives such as midata, which aims to give consumers new powers to ask companies to hand over their personal data so they can make more informed choices on how they spend their money.

When it comes to young people it can be tempting to think they are digitally savvy. While many are technically competent, there are still alarming gaps when it comes to data privacy. Children start using the internet from a very young age but most aren’t aware of how the personal information they upload gets used, or how to make informed decisions about what they share online. They may not, for example, think through the consequences of sharing photographs on social media or what happens when they agree to a mobile app accessing their personal information. Our rapidly changing digital world offers many benefits, but many pitfalls as well, and they have to be navigated carefully.
A 2011 survey by the Office for National Statistics found one in five internet users did not believe their skills were sufficient to protect their personal data. This shows how much more work there is to be done. As such, educating young people about their digital rights, especially around privacy, is critical. It is important that as digital natives, who have grown up using tablets as naturally as magazines, they know how to guard their digital footprint. One way we’re trying to do this is through a series of lesson plans to be taught in schools.

Designed for both primary and secondary education, the lesson plans cover a wide variety of issues. The primary school plans explore what we mean by personal information, and give children the opportunity to discuss and share their own understanding of the subject; they also encourage them to think about what information should be shared and what should be kept private. At secondary school level, the plans familiarise students with their rights and responsibilities relating to data protection and freedom of information, giving them the knowledge and tools to make informed decisions when interacting with companies and organisations from day to day. They also provide guidance to young people about their rights to access personal information from organisations that hold their details, and the right, as citizens, to request information from public authorities.

So far the lesson plans have been downloaded over 4,000 times and there are moves to expand them to cover areas including the commercial and entrepreneurial use of open data – a mandatory requirement of the computing curriculum in England from September 2014. We are also exploring a template project for older students that will help them learn about their information rights while at the same time helping schools to improve on their data protection compliance.

As more and more of our lives move online, confidence in data security becomes not only personally, but economically critical. Privacy and trust are increasingly becoming an area of competition for companies, which can differentiate themselves from their rivals by adopting the right controls and processes. By helping to create informed, confident digital citizens, we can help not only the individuals but the economy as well.

Christopher Graham is the Information Commissioner for the UK

NS INTERVIEW
“These laws go back to 1890”
By Jon Bernstein
Picture caption: Wright: “Privacy is a subject I feel strongly about”

As LinkedIn profiles go, Steve Wright’s is rather unusual. Where most of us would use that opening gambit (aka, the Summary) on the ubiquitous professional social network for a hyped-up sales pitch, Wright’s reads more like a manifesto for information privacy.

The global privacy officer for the Anglo-Dutch consumer goods company Unilever writes: “Privacy is a fundamental human right and essential for making sound legal, risk and policy-based decisions. Many recognise the importance of privacy for freedom, democracy, social welfare, individual well-being and of course – a key ingredient for success in today’s digital political, social and economic world. Many also assert that it is worth protecting at significant cost. Yet, scarcely a day passes without reports of yet another onslaught on our privacy.”

When we meet at Unilever’s imposing London headquarters – built in neoclassical art-deco style in 1929 just before the Wall Street crash – I ask Wright about that entry. “It’s a subject I feel strongly about,” he says. “It’s a passion.

“Anything to do with your job or your role, you’ve got to believe in what you are doing. That, for me, is absolutely imperative, otherwise how can you get other people to buy in to it?”
Privacy, he repeats, is a human right and, for an organisation with over 400 brands that reach two billion people every day (that’s nearly a third of the world’s population), it remains a particular challenge. “We’re talking about laws that were first tested back in 1890 so it’s not something that’s just come along. This is part of the Geneva Convention. You are entitled to your privacy and no one can take it away from you unless you break the laws of the land in which you live.”

Wright, 43, is Unilever’s first global privacy officer. He took on the role in October 2012 after a decade consulting on privacy and security for Siemens, PWC and Deloitte. It’s a complicated role, so I ask him how he explains it to his family and friends. “What I try to say is that I look after data and we try to respect the rights of people.” And the longer definition? First, he says, you need to understand the context. “We are now in a domain globally where everything is on the ether – everything is out there any time, any place, anywhere. That means you’ve got to address privacy in a more holistic way. You can’t just think granularly or legally within a specific company. You’ve got to have that common framework. So the role of a privacy officer is to try to harmonise and standardise on the approaches that we take, irrespective of country.”

One of the first things he did at Unilever was set up a common privacy standard across operating companies in different parts of the world. “I aligned it with 120 different laws, made sure I wasn’t too onerous, that it wasn’t over the top, that it was relevant to the size of our company, the complexity and risks that we face.”

If that sounds like a job for a lawyer, that is because most privacy officers are lawyers. Wright is the exception.

“I think the reason they selected me was twofold. They wanted someone who would be pragmatic in their approach. They didn’t want it just to be some kind of legal, tick-box compliance exercise – they wanted actual change. And second, with my vast experience working with information security and data, they wanted someone who could talk and then understand some of the [information technology] constraints that we have.”

In his answers, Wright hints at some of the well-worn conundrums with which privacy professionals continually have to wrestle. Take a universally agreed definition of information privacy – in Wright’s words, “protecting the privacy that relates to an individual. If I can identify a person from some information then that is regarded as private information.”

Even here problems arise. When privacy crosses geographical boundaries as well as intersects the interests of competing companies and organisations, there needs to be something that binds all these competing concerns. More regulation and legislation, perhaps? “We are not short of legislation in this space,” Wright notes.

So, is that the wrong way to approach things? “No, no. That’s not my point of view. There are over 120 different laws and various regulations around the world on data protection and they all vary. But essentially they have the same principles, which are around protecting information.”

Wright says earlier approaches to privacy and data security were too regulatory-driven – “a bit of a tick-box exercise” – but things began to change with the introduction in 2002 of the Sarbanes-Oxley Act following the Enron security scandal. “We had to pull our socks up,” he says. “The sharing of information is so complex between different countries, we do now need a common platform or framework that we’re all adhering to, rather than these differing strengths.”

One emerging approach to information privacy is known as binding corporate rules (BCR), which are designed to allow multinational companies to transfer data from the European Economic Area to affiliates around the world. It sounds like a perfect fit for Unilever.

However, Wright tells me that the company has yet to sign up because BCR has proven too “compliance-driven”. Instead, “we have got the intergroup transfer arrangement, which is essentially a legally binding agreement that stipulates the privacy and security requirements across all of our operating companies. It’s like binding corporate rules but not as legalistic.”

Wright began his career working in-house as the IT security officer at Capita, reporting into the chief information officer. He moved into consulting, he says, because he wanted the breadth of experience he couldn’t get from a single company with a single set of products and services. “I plunged myself into the world of pain that my customers were experiencing,” he recalls.

“The jump back into industry is great because I’ve got ten years of experience and loads of battle scars I wouldn’t have picked up just in-house. So when I speak to my colleagues about some of the challenges they are having, I think, ‘I did that at a bank and we got round it like this.’”

Today, he manages a team of 12 people dotted around the world. His approach has been to divide Unilever into functions (such as human resources and marketing) and categories (such as personal care products and foods). He says the business functions will share similar issues regardless of location and once lessons have been learned in one location they can be applied elsewhere. “I would prefer people to see me as an enabler rather than a disabler. It’s not just about me saying ‘no’ to people, unless there is a good logical reason and a legitimate legal reason to do so.”

So, what about his own privacy? We know he uses LinkedIn and joins online discussion groups around his specialist subjects. However, he doesn’t use Facebook, because of “the crossover between what I do socially and privately and my work. I think that is too blurry.”

His watchword when it comes to personal privacy is vigilance. “When I say vigilant, I mean vigilant from a professional perspective. We’ve all got several personas. You come into work and you’re professional. At home that’s a different persona. You have a duty of care to protect your personal persona and your professional persona. My advice to anybody is that what you choose to share and who you choose to have access to it is down to you alone. So if you’re willing to tick a box to say you will share information (or you didn’t have time to untick), don’t be surprised if your data is then shared with 30 other partners. Data is valuable.”

And he makes a prediction: “We will have to get to a position in ten to 20 years where we are responsible for our data as individuals and we choose who to share it with. We will become owners of our own central database.”

Jon Bernstein was deputy editor of the New Statesman between 2009 and 2012. He is a freelance editor and writer
THE CITIZEN’S VIEW
The real price of privacy
By Nick Pickles
The digital revolution is a long way from finished, but already the signs of a creaking regulatory framework are visible. Whether it is revelations about government surveillance or the boom in wearable technology, what is becoming clear is that citizens are increasingly powerless in the face of an all-out assault on our privacy.

Parliament could never have imagined the scale of the transformation that digital technology has unleashed. Go back 20 years and ask people how they would feel about carrying a personal tracking device and I expect the answer would be a definitive “no”. Now we all carry them, but they let us make phone calls and browse the web, too.

A critical part of this transformation has seen private companies collecting more data on us than ever before. Mass surveillance is not just the purview of governments – it has become a business model. Equally, no sooner had the first versions of Google Glass gone on sale than various UK police forces announced their officers would start using body-worn cameras, recording their interactions with the public. Government is as data-hungry as ever, from new NHS databases drawn from our GP records to plans for greater police access to our web activity.

So, how do we address these risks to our privacy? Certainly not via technology-specific legislation. The EU’s cookie directive is a recent warning of what happens when you go down that path. Legislative whack-a-mole does little to reassure consumers or promote investment and should be avoided at all costs.

Yet it is equally clear that the law we have does not reflect the modern world, whether that’s surveillance laws written for copper telephone cables being used to tap fibre-optic internet cables carrying millions of people’s communications, or the paltry powers of the Information Commissioner to tame corporate data lust. A £500,000 fine – the highest that the ICO can levy – is hardly going to trouble the sleep of executives who run companies with turnovers that exceed the GDP of some moderate-sized countries.

The legal framework needs to reflect the greater value of information about us, strengthen the rights of citizens to decide what happens to their data and give regulators the powers to deter and prosecute those who step over the line.

Equally, citizens voting with their feet, or their clicks, are fierce regulators. That doesn’t mean regulators should plead helplessness in the face of global corporate behemoths. They need to innovate, too. Recently France’s privacy regulator, the CNIL, ordered Google to publish a notice on its home page, linked to the watchdog’s website, detailing why it had been fined €150,000 for infringing French privacy law. The cynics who asserted consumers didn’t care about privacy were somewhat surprised when so many people clicked on the notice that it crashed the CNIL website. Who knew that if you offered to inform people, they would care?

As the Internet of Things comes to life and wearable technology becomes commonplace, the information being generated about us will increase by an order of magnitude. One person’s ubiquitous computing is another’s ubiquitous surveillance. The danger is that if the current landscape of regulation and consumer power remains constant, a new breed of digital oligarchs will be born, with a few distant firms controlling ever-increasing amounts of information about us.

Worse, we will lock in business models driven by free services and advertising, rather than allowing innovation to flourish alongside greater control over our privacy. The digital marketplace cannot afford to allow competition to be stifled by forcing new businesses to emulate the data-hungry practices of the established players.

That sense of powerlessness is already leading to new technology that tries to act as a barrier between you and those who try to track you, whether government or corporate actors. The Snowden revelations have raised fundamental questions about the internet infrastructure we rely on and the technical community will not sit quietly by and wait for new law.

As the adage goes, if you’re not paying, you’re the product. That is the story of free services but not free people. It’s up to us all to make sure we don’t end up knowing the value of privacy but having no control over our own.
Nick Pickles is director of the campaign group Big Brother Watch
DEFINITIONS
Jargon-buster
Big data
Describes the petabytes of complex, unstructured data that organisations and governments collect internally from their own systems and employees; externally from their customers, suppliers, partners and shareholders; and from technology tools, such as social media, that harvest data from users.

Binding Corporate Rules
A European Union initiative, these are a set of internal guidelines – similar to a code of conduct – which establish policies for multinational organisations to transfer personal information not only within an organisation, but also across international boundaries.

BYOD
Short form for “bring your own device”, a term that describes employees using their personal mobile devices (smartphone, tablet, laptop, etc) at work, for work. This may include having access to protected company networks, and privileged data and applications.

Cloud
Cloud computing most often refers to virtual repositories in which individuals and organisations can store data. Public clouds, the most ubiquitous of the bunch, are available to the general public and are owned by a third party providing cloud computing services. Other cloud models include private, community and hybrid.

Cyber attack
A deliberate, unauthorised breach of a computer system’s or network’s defences by an individual or an organisation intent on viewing or stealing information it is not meant to have.

Cyber havens
Cloud computing service providers and other data hosts operating in countries with lax or non-existent security and privacy regulations.

Data portability
Enables users to move data between various applications and computing environments or among cloud service providers. For consumers, data portability also allows users to co-ordinate personal data across multiple social networking sites.

Data processing
Obtaining, recording or holding data, or conducting any operations on the data.

Data protection officer
Either a full- or part-time role within an organisation. The DPO is primarily responsible for overseeing the creation and management of processes, policies and tools that protect the personal data the organisation collects.

Information asset management
In its simplest form, this refers to the management of an organisation’s information assets – documents, intellectual property, emails, web content, images, video and other relevant digital or physical content.

Information privacy
Information privacy refers to the rights and obligations of individuals and organisations with respect to collection, retention, disclosure and disposal of personal information.

Information security
Information security refers to the protection of data from unauthorised access, modification or removal from an organisation’s computer systems or networks.

Internet of Things
The Internet of Things describes nanotechnology, such as embedded sensors or image recognition technologies, which until recently had been used primarily in security systems, but are now being applied to our day-to-day lives.

Privacy policy
Internal statements for users of personal information which define the handling practices of that personal information.

Privacy notice
Statement that describes how the organisation collects, uses, retains and discloses personal information.

Risk management
This is about identifying, assessing and prioritising the risks that matter most to an organisation, and then managing or mitigating those risks according to an organisation’s appetite for risk.

Safe Harbour
A set of principles the US Department of Commerce developed in consultation with the European Commission to enable US companies operating in the EU to transfer personal information legitimately from the EU to the US.
VIEW FROM EY
Opportunities, yes – but handle with care
A privacy policy that follows an ethical path involves adhering to the spirit, not just the letter, of the law
By Sagi Leizerov and Ken Allan

Consumers have seized the power to dictate what they want, when they want it, whom they talk to, whom they buy from and how much they want to pay. Organisations, eager to please the voracious appetites of these super-consumers, seize any opportunity available – often through an ever-emerging array of new technologies – to communicate, build relationships, gather reams of data and sell their services.

Consumers are also adopting new lifestyles, using their mobile devices to support day-to-day tasks beyond just connecting with friends and communities, browsing and shopping. Personal devices are making their way into the workplace, with significant and growing numbers using their smartphone to help them do their job. Once seen as a trend that could improve efficiencies and deliver cost savings for organisations, it has put organisations at substantial risk of data loss, and introduced a huge number of privacy challenges. Organisations need to maintain the privacy of their information, but if it sits on a mobile device outside their control, how can this be achieved?

The upsides and downsides of this digital revolution are huge. Every time consumers log on, browse the net, post to a social media site, or shop online, they are voluntarily – sometimes involuntarily – giving away bits of information about themselves. Organisations gleefully collect these petabytes of data to provide better services, market themselves and sell more effectively. Yet both consumers and organisations often leave themselves vulnerable to disreputable elements that want this personally identifiable data.

As a general rule, technology is now moving far too quickly for privacy regulators to be able to keep pace. Some regulatory mechanisms remain effective, such as the European Union’s binding corporate rules. More often, however, regulations are outdated almost immediately on release. And then there are some, such as Safe Harbour – the US-EU framework of principles, which has been in place for longer than a decade – that are under review and may be altered.

So, where does that leave organisations? How can they safeguard the privacy of data in this age of technological innovation? The answer in part lies more in governance than regulation, in innovation more than compliance. Organisations need to focus on privacy accountability that follows an ethical path as well as aligning with suggestions from regulators; that adheres to the spirit rather than just the letter of regulation; and that builds the trust of those whose privacy an organisation has pledged to protect, rather than erode that trust by not instilling enough importance in the idea of privacy in the organisation.

The answer also lies in taking action today; organisations need not wait for the regulator to act. New, harsher regulation is coming and in all likelihood the essence of it will not change. The first key steps every organisation could take today are to find out what its biggest privacy challenges are: what personal data it has, where the data is, who has access to it, where this creates risks and what improvements can be put in place.

If new regulations are going to focus on organisations being accountable and providing evidence of compliance, then a documented plan, even if implementation has not yet begun, will demonstrate that the intention is there, and this can also be a powerful asset to take to the boardroom. Focused and effective privacy will require a fundamental change in attitude and behaviour by consumer and organisation alike, in how they view data privacy, and what they are willing to do to protect it.

Sagi Leizerov is executive director, privacy assurance and advisory services, and Ken Allan is information security leader at EY
Are you a business leader?
Seven questions to ask to find out how well-equipped your organisation is to tackle today’s and tomorrow’s privacy issues:

• How mature are your organisation’s privacy measures?
• Is privacy a board-level priority within your organisation?
• What steps do you take to anonymise consumer data and safeguard its privacy?
• Is privacy a consideration when acquiring or installing new technology?
• Does your organisation have privacy governance and operating models?
• Does your privacy programme include documented processes and regular risk assessments?
• Do you monitor and measure the effectiveness of your privacy mechanisms and processes?
SPEED YOUR WAY TO IMPROVING YOUR DATA PRIVACY

In today’s technologically fast-moving world, where regulation is rapidly playing an ever greater role, there is no time to waste in protecting the privacy of your and your customers’ data.

EY believes that every organisation today needs to consider a privacy improvement programme supported by greater data protection monitoring. There are four critical steps:

1. Create an inventory to fully understand what data you process, where it is, and who has access to it
2. Perform a “current state assessment” to identify compliance gaps and assess the risks
3. Develop and implement the privacy improvement programme, prioritised to focus on high-risk gaps and quick wins
4. Conduct on-going monitoring of data protection compliance

To help your organisation take these steps, talk to one of our Privacy or Information Security professionals, or email Ken Allen: KAllen@uk.ey.com
To read our Privacy Trends 2014 report visit: ey.com/privacy2014

© 2014 EYGM Limited. All Rights Reserved. ED0715.
20140317eyinformationsupp

  • 1. KEEPOUTReality, regulation and response: a practical guide to information privacy In association with Simon Hughes, Nick Pickles, Steve Wright, Nicola Hermansson, Sagi Leizerov, Ken Allan, Christopher Graham, Eduardo Ustaran Cover concept 1.indd 1 11/03/2014 11:05:41
  • 2. 2 | NEW STATESMAN | 14–20 MARCH 2014 FACTS & FIGURES View from the citizen* Data good. Data bad.* Global citizen* The company view** (% worried about privacy, by country) 42% 90% 94% 84% 90% Under cyber attack 2/3 believe regulator should do more to force to comply with existing privacy rules 41% 29% say gathering large amounts of personal data causes harm say gathering large amounts of personal data enhances experience are concerned about their privacy online 59% say number of external threats up in past 12 months 2/3 have security professionals at board level UK Germany Spain India Japan Brazil 70% say security policy is owned at the highest level say mobile has changed exposure to risk 79% 45% 0 10 20 30 40 68% GRAPHICS:SAMINAALI 02 facts & figures.indd 4 11/03/2014 11:15:36
  • 3. COVERGRAPHIC:SHUTTERSTOCK/DESIGNBYLEONPARKS New Statesman 7th Floor John Carpenter House John Carpenter Street London EC4Y 0AN Tel 020 7936 6400 Fax 020 7305 7304 info@ newstatesman.co.uk Subscription inquiries, reprints and syndication rights: Stephen Brasher sbrasher@ newstatesman.co.uk 0800 731 8496 Supplement Editor Jon Bernstein Design & Production Leon Parks Graphics Samina Ali Commercial Director Peter Coombs 020 3096 2268 Account Director Jugal Lalsodagar 020 3096 2271 CONTENTS Privacyunbound “I don’t agree with those who say we must choose between being safe and being free,” writes the justice and civil liberties minister Simon Hughes on page seven. “If we get it right, we can do both.” To understand the dichotomy between the opportunities handling and processing data present and the threat to individual privacy they pose, the delayed NHS data-sharing scheme for England is difficult to beat. Proponents of care.data, many of them in the health profession, say the database of medical records will lead to new treatments and make the health service more responsive to patient needs. Opponents insist that the promised anonymity remains unproven. For now, the politicians have sided with the second group and – to borrow the popular political vernacular – have kicked the scheme into the long grass. Fear of unprotected privacy has been fuelled by high-profile commercial data breaches and the mass state surveillance exposed by Edward Snowden. Yet, for most organisations, the day-to- day challenge is more routine than the headlines would suggest. Information privacy involves good practice, risk management, paperwork and assessments. This supplement, in association with EY, explores the emerging regulatory framework that firms around the world need to understand. 
Overleaf, seven 4 Need to know The seven-step privacy plan Jon Bernstein examines the new EU data laws 7 View from Westminster Protect and thrive Simon Hughes on false choices 8 Feature Regulating the new alchemy Eduardo Ustaran rethinks privacy 11 View from the regulator Catch them while you can Christopher Graham on the power of education 11 NS Interview “These laws go back to 1890” In conversation with Unilever’s Steve Wright 13 Citizen’s view The real price of privacy By Big Brother Watch’s director, Nick Pickles 14 Definitions Jargon-buster Technologies and terms explained 15 View from EY Opportunities, yes – but handle with care Sagi Leizerov and Ken Allan on the spirit of the law tenets of the forthcoming EU data protection regulations are explained, and on page eight the privacy lawyer Eduardo Ustaran spells out why the existing approach to privacy is not fit for purpose. The UK’s Information Commissioner, Christopher Graham, argues that education is vital to create “informed, confident digital citizens” (page 11), while Nick Pickles, director of the campaign group Big Brother Watch, warns that “mass surveillance has become a business model” (page 13). Finally, for those new to a subject that combines the complexities of technology with those of the legal profession, there is a jargon-buster on page 14. l 14-20 MARCH 2014 | NEW STATESMAN | 3 The paper in this magazine originates from timber that is sourced from sustainable forests, responsibly managed to strict environmental, social and economic standards. The manufacturing mills have both FSC and PEFC certification and also ISO9001 and ISO14001 accreditation. First published as a supplement to the New Statesman, 14-20 March 2014. © New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA. This supplement, and other policy reports, can be downloaded from the NS website at newstatesman.com/page/supplements 11 134 03 contents+leader.indd 2 11/03/2014 11:09:52
  • 4. 4 | NEW STATESMAN | 14-20 MARCH 2014 NEED TO KNOW D raft EU data protection regulation. It’s a formulation of words more likely to induce ennui than spark enthusiasm. But before these regulations go from draft to law, it is worth taking a moment to understand how they will affect you and your business. Did you know, for example, that the proposed maximum fine for data breaches in future is likely to be 5 per cent of global annual turnover, or €100m, whichever is larger? Or that your organisation may need to employ a highly skilled – and highly sala- ried – data protection officer? Thesenewlaws–likelytobeintroduced later this year – mark a significant moment for Europe. They are the first upgrade in the laws governing information privacy since the EU data protection directive of the mid-1990s and, unlike the existing directive, these new regulations will be binding, and not merely guidance for local legislators. Indeed, local laws, such as the UK’s Data Protection Act 1998, will be no more. The EU data protection regulation is a deliberate attempt to harmonise laws across all 28 member states. So what do organisations and individu- als need to know about the forthcoming laws? Here are seven key tenets. 1. Fines up to 5 per cent of global annual turnover . . . or up to €100m, whichever is greater. Of all the proposals in the regulation, this is the one likely to alarm business leaders the most – and perhaps convince them that the new laws will have teeth. The original draft, drawn up in 2012, recommended a maximum fine of 2 per cent of global turnover in the event of a data breach. This figure was raised to 5 per cent in 2013 and while the numbers could change again before implementa- tion, there is no doubt that for the first time the sums being discussed will have a substantive impact on all organisations, large as well as small. 
To date, the highest sanction available to the UK’s Informa- tion Commissioner is a £500,000 fine, a penalty that has never been applied. “A lot of the organisations that we talk to think [the current penalties are] not that much,” notes Nicola Hermansson, data protection lead at EY. “It’s not going to have a material impact on their organi- sation – so, as a result, they haven’t put the effort or the money into understanding and addressing their privacy risk.” Soon every company will need to put in the effort. Unless, of course, these large fines remain an empty threat. After all, local bodies such as the ICO have been reluctant to impose heavy penalties. Her- mansson believes, however, that Europe- an regulators will be keen to see sanctions imposed, certainly in the early stages, to demonstrate intent. 2. Mandatory data protection officers Any organisation that processes more than 5,000 data subjects during a consecutive 12-month period will be obliged to ap- point a data protection officer (DPO). For “5,000 data subjects”, read custom- ers. The appointed data protection officer doesn’t need to be full-time. He or she could be an existing employee who takes on additional responsibility. Equally, it could be someone brought in on a con- sultancy basis, provided they can demon- strate independence. Nonetheless, the appointment of a DPO is likely to add significant cost. This is especially true for small businesses and start-ups with ambitions to attract at least 5,000 customers. “[The DPO] is some- one who needs to report to the board lev- el of an organisation,” says Hermansson. “And they obviously need to have a salary that reflects that seniority.” The nature of the role as defined by the regulation is going to make it difficult to find someone with the right mix of skills, Hermansson says. “There’s quite a lot of debate about what a data protection officer should look like, what skill-set they should have,” she says. 
“In a lot of organisations data protection tends to live in the legal func- tion. But if you look at the actual role of the data protection officer, it’s far more than just understanding the law – it’s the implementation of those laws. It means impact assessments, operational changes, training, understanding technology and linkage with information security. And dealing with third parties.” From larger fines to more paperwork and the recruitment of a data protection officer, new European data protection laws will soon be making extra demands By Jon Bernstein The seven-step privacy plan t 04-06 Need to know feature.indd 4 11/03/2014 11:11:45
  • 5. 14-20 MARCH 2014 | NEW STATESMAN | 5 SHUTTERSTOCK/TWOBEE Finger on the pulse: organisations will have two years after the introduction of the new laws to put them into practice 04-06 Need to know feature.indd 5 11/03/2014 11:11:45
  • 6. NEED TO KNOW Steve Wright, Unilever’s global pri- vacy officer, is perhaps one of the emerg- ingbreed,onewithoutalegalbackground. “You can’t just think granularly or legally within a specific company. You’ve got to have that common framework,” Wright says (see page 11 for the full interview). 3. Mandatory breach notification When the regulations were first drawn up in 2012, they required that any data breach involving the loss of personal data must be reported to a supervisory body (such as the UK’s Information Commissioner’s Office) within 24 hours. That language was softened last October and the con- crete deadline replaced with the following words: “without undue delay”. Why the apparent fudge? Perhaps as a result of effective lobbying or perhaps because imposing a specific deadline can prove counterproductive, leading to con- fusion when most of the facts remain un- clear. “One of the risks of early notifica- tion is that if you don’t fully understand what’s happened, you could end up no- tifying incorrectly,” says Hermansson. “And that could end up having a much more detrimental effect on the individu- als because you end up giving them the wrong information.” However, without a specific deadline, surely the regulations will end up being interpreted in a number of different ways across the continent, exactly what the EU was trying to avoid. “It’s one part of the regulations we cer- tainly expect a bit more clarity on,” says EY’s data protection manager Natasha Warner, formerly a data protection officer at the energy supplier Centrica and the drinks firm Diageo. “Regardless how this piece of the regulation comes into place,” Hermansson adds, “organisations should make sure that if there is a breach, they have the appropriate policies, procedures and training in place so they know what their responsibilities are – and that they can react to it accordingly. “A lot of this stuff isn’t new and should be in place already. 
But the key change is in the specifics. This regulation is pre- scriptive where it hasn’t been before.” Just how prescriptive will become clear only once the rules are formally introduced. 4. Data protection impact assessment Another area where best practice will become mandatory is in data protection impact assessments – which cover both prevention and cure. These will be ob- ligatory for companies that process data relating to more than 5,000 subjects in a consecutive 12-month period. These assessments mean paperwork and lots of it. “It’s looking at what data is being processed,” Warner explains. “Does it cover personal data? Is the data being transferred to anywhere it wasn’t being previously? The kind of questions to assess whether the personal data is go- ing to be impacted and to make sure the appropriate controls are in place.” Assess- ments must be carried out every year. 5. Right to erasure In the original draft, this part of the law was referred to as the “right to be forgot- ten” until it became apparent how diffi- cult that would prove in reality. “Erasure” might prove equally tricky. “The idea behind it,” Hermansson says, “is to give more rights to individuals to go to an organisation and say: ‘You don’t need this data on me any more so I’d like you to erase it.’” There remains an important exception, however. It states that data restriction, not removal, should be the goal where “the particular type of storage technology does not allow for erasure and has been installed before the entry into force of this Regulation”. This, Hermansson says, is a pragmatic solution to a complicated prob- lem. “Think of Facebook. Pretty much anyone can access your data on Facebook. If I go to Facebook and say, ‘Can you erase all the data you’ve got on me?’ how on a practical level can that happen?” 6. Privacy by design The objective is to ensure privacy is a key consideration in the early stages of any new project. 
“The idea here is that when- ever you are building a new system or de- veloping a new process, privacy should be built into it from the outset,” says Her- mansson, who suggests that is not how organisations operate today. “We see this all the time. Someone develops a system, it goes off to the data officer and it turns out nobody has even thought about infor- mation privacy up to this point.” This sounds like a sensible goal but how will it play out in terms of a regulation? It seems an aspiration, rather than some- thing concrete you can put down in law. Natasha Warner says that it is targeted at apps. “The standard when you are creat- ing an app (or a website) should be that the highest security settings must be de- fault, no longer an optional extra.” 7. Obligation on processes For the first time, those handling data, not just those controlling the data, will be liable in the event of a data breach or loss. In other words, a third-party company employed by an organisation to process its data may be held responsible and fined. There are other aspects to the regulations, too, including the introduction of a data protection seal to indicate the application of good data protection practices. Once these are placed into law, companies will have two years to implement them. Of all the proposals, Warner says the require- ments around documentation, and espe- cially the impact assessments, will prove the most onerous for large organisations. For others, especially those in smaller or- ganisations that nonetheless process large volumes of customer data, the introduc- tion of a data protection officer is likely to prove the most challenging. The regulations are yet to be finalised but, Hermansson says, the substance will remain much the same between now and implementation. 
“There will be a few tweaks before the regulations come into force but the essence is unlikely to change, so a valuable exercise [as an organisation] is to ask where you are today in relation to the regulations and what you need to do to meet them. Identify what are the key risks and what you need to do to address them, and prioritise those actions.” In order to do that, she says, you “really need to understand what personal data you have in your organisation. Typically, personal data can come from lots of dif- ferent parts of an organisation. It’s in lots of different systems: it’s probably on peo- ple’s laptops, it’s sent all over the world, it’s sent to third parties as well. Most or- ganisations don’t know what information they have and where it is. Until they know this, how can they even start to think about protecting it?” l Most organisations don’t know what information they have, or where it is 6 | NEW STATESMAN | 14-20 MARCH 2014 t 04-06 Need to know feature.indd 6 11/03/2014 11:11:46
VIEW FROM WESTMINSTER

Protect and thrive

The trade-off between safety and freedom offers a false choice. If we get new data protection regulations right we can deliver both

By Simon Hughes

There is a big debate going on in Europe at the moment about data protection and the safeguards we need to protect personal data. The government agrees with many of our European partners that the current legislative framework, which dates back to the 1990s, needs to be updated. We want to see data protection legislation that protects the civil liberties of individuals while also allowing for economic growth and innovation.

I am confident that we already have strong safeguards in place to protect people in the UK. The Data Protection Act safeguards the privacy of UK citizens and gives them rights of access to their personal data. I am committed to making sure that the Information Commissioner has the necessary powers and resources to regulate this area and to make sure sensitive and personal data is handled properly and within the law. The right to protect data and seek redress if breached or neglected remains as important today as ever. This challenge only increases in the digital age.

But we cannot simply pull up the drawbridge and forget about the rest of the world. Data crosses borders billions of times a day. We need to have international agreements that protect the privacy of our people while also allowing them to use services and grow businesses which often rely on personal data exchange between countries. As a result, our personal data is used in ways we could barely imagine a decade ago.

As part of this process the UK is currently leading the way in negotiating a meaningful and workable deal for a new European Union data protection framework. We want to bring EU rules in line with the realities of 21st-century commerce. When the European Commission brought forward proposals for new data protection regulation, British members of the European Parliament, notably Sarah Ludford, the Liberal Democrat MEP, worked hard to improve this legislation.

However, the coalition government still thinks more can be done to get the right balance between individual privacy and the free flow of data. The current proposals could end up costing UK business hundreds of millions of pounds and leave it struggling under additional red tape. We must resist overly prescriptive regulation, which increases unnecessary bureaucracy for businesses, the public sector, consumers and data regulators.

The UK is rightly seen as a leader in technology. A great enterprise culture has emerged in places such as Tech City and the Silicon Fen, where firms, large and small, are developing new products that make creative and innovative use of data. Our tech sector should be given every opportunity to thrive. We must not risk the growth of the digital economy by imposing costly rules that would give a competitive advantage to other nations.

Innovative use of data drives economic and social development. For instance, millions of us rely on the ease of connecting and sharing information through social media and online retail in order to trade goods and services. The proposed use of “explicit consent” could frustrate this experience or lead to its trivialisation through routine use – consumers who give consent by default could end up doing so when it really matters. There are also concerns about how the regulation would impact on services in areas such as the insurance industry, where use of accurate personal data leads to fair process. New rules could lead to higher premiums.

The UK information economy contributed £105bn in gross value in 2011, supporting almost 1.3 million jobs. Data analytics and processing are significant growth areas, too. The prescriptive approach set out by the Commission would hit UK business with annual costs of up to £360m. Small and medium-sized enterprises would bear the bulk of these costs. It is not only UK businesses that are concerned by this. The proposals would also place costly obligations on data controllers. The UK Information Commissioner has called the proposals “a regime that no one will pay for”, with the expanded regulation requirements reaching an additional £28m per year. The government’s concerns are shared by the House of Commons justice select committee.

It is better we take the time to get this right rather than rush into something that proves unworkable and costly. Some have tried to present the UK as simply obstructing negotiations but this is far from the truth. We are working constructively with other EU member states: many share our concerns and determination to make sure this legislation is workable.

Throughout 2014 we will be pressing for regulations that are flexible and help business growth and jobs. The new laws must focus on the principle of accountability and encourage a risk-based approach to data protection, one that does not rely on complex rules imposed from the top.

I do not agree with those who say we must choose between being safe and being free. This has always proved to be a false choice. If we get this regulation right, we can do both.

Simon Hughes is the minister of state for justice and civil liberties
OBSERVATIONS

Regulating the new alchemy

As the pace of technology change leaves lawyers and legislators playing catch-up, it is clear the current rules governing information privacy won’t do

By Eduardo Ustaran

The current legal framework dealing with privacy and data protection is no longer fit for purpose. Policymakers and regulators struggle to achieve their aims, while both the private and public sectors are increasingly puzzled by unsuitable and often nonsensical law. This would be tolerable if it was not for the fact that the implications of devising an effective legal framework to regulate the use of personal information are crucial for humanity, our freedoms and our economic well-being. Ignore privacy as a human value and we risk losing a large part of our ability to make choices. Restrict the opportunities presented by what our data says about us and we will seriously threaten our future prosperity. The stakes are that high.

The reason why our present laws are ineffective is that they fail to address the evolution of technology, the realisation of the strategic and commercial value of personal data and the globalisation of data-reliant activities. Until now, there has been a nearly parallel journey with legislators doing their best to catch up with technology. But as technology progresses and the Internet of Things, cloud computing and social media become more pervasive and embedded in our lives, it is increasingly apparent that engineers think and act much faster than lawyers and legislators.

Our daily interaction with technology makes data self-generating and increasingly valuable. When people’s data is properly and systematically gathered and studied, it can make a difference between failure and success. It is no coincidence that public authorities and commercial organisations are constantly hunting for data about their citizens and customers. The biggest success stories of the internet age are directly linked to the collection and exploitation of data about users, and the level of success is only growing in direct proportion to the amount of data produced by users. Harvesting and handling data is the new alchemy.

In the face of data globalisation, the regulatory answer is not to retreat to our national trenches and build even more restrictive legal frameworks. The future of privacy will be only as good as our ability to accept the constant evolution of technology, to recognise that personal information is an asset, and to see data globalisation as an unavoidable fact.

Regulating technology

It is beyond doubt that regulating the development and use of technology is like chasing a moving target. It is therefore no surprise that no matter how effective, powerful and sophisticated our policymakers and regulators may be, they face an insurmountable challenge when attempting to apply existing privacy rules to this ever-changing technological revolution, or indeed, to devise new rules. The challenge is for that to take place without stifling the thinking and creativity of those at the forefront of innovation. In fact, the real trick is to do it by encouraging the development of equally ambitious technology that, at the same time, protects information and people’s privacy.

The starting point is to recognise the limitations and possible drawbacks of regulating technology. We need to steer away as much as possible from trying to protect our privacy by regulating technology. Instead, we must direct our attention to behaviour that should either be encouraged or prevented – irrespective of the technology in place. In other words, laws should be geared towards achieving certain outcomes, such as incentivising compliance, empowering individuals or preventing harm whilst facilitating progress and technological innovation.

Power to the people

The most effective way of regulating the exploitation of data as an asset is to prove that responsible exploitation brings benefits to which organisations can relate. Policymaking in the privacy sphere should emphasise the business and social benefits – for the private and public sectors, respectively – of achieving the right level of legal compliance. The rest is likely to follow much more easily and all types of organisations – commercial or otherwise – will endeavour to make the right decisions about the data they collect, use and share. The message for policymakers is simple: bring compliance with the law closer to the tangible benefits that motivate decision-makers.

A complementary approach to incentivising compliance would be to require that all users of personal information give back a demonstrable benefit to the individuals to whom the information relates, unless there is a higher interest that should prevail, such as law enforcement or public safety. Compliance with this obligation would involve being able to show that when a commercial entity or public authority collects data from someone, those individuals are getting something back, such as a service of some kind that is of value to them. The law does not need to be prescriptive but simply create an expectation that value derived from personal information will be shared by default and it will be up to those who seek to exploit it to figure out how.

Mutual recognition

Finally, despite the absence of a global privacy legal framework, there is an urgent need to deal with the privacy issues raised by data globalisation. As always, the answer is dialogue – dialogue and a sense of common purpose. Representatives of the Obama administration and the European Commission have already recognised that stronger transatlantic co-operation in the field of data protection would enhance consumer trust and promote the continued growth of the global internet economy and the digital transatlantic common market. In terms of regulating privacy, the two camps could not be further apart style-wise – one stiff and prescriptive, the other distinctively industry-led. However, consensus can and should be reached by creating mutual recognition frameworks that protect privacy.

Much work remains to be done but with the right frame of mind, everything is possible. We must start with the recognition that, despite different approaches, principles-based frameworks can deliver a universal baseline of protection. And it will require perseverance as well as a willingness to create an environment allowing for the mutual recognition of approaches and, ultimately, a global mechanism for protecting personal information.

Eduardo Ustaran is a lawyer based in London and the author of “The Future of Privacy” (DataGuidance, 2013)

Chart: Emerging technologies and trends – familiarity with technologies and trends (% of respondents) plotted against confidence in capabilities (% of respondents), grouped as current technologies, around the corner and on the horizon; items plotted include smartphones and tablets, software applications, web-based applications, social media, cloud service brokerage, digital money, in-memory computing, Internet of Things, cyber havens, big data, supply chain management, enterprise application store and BYO cloud. Source: Insights on governance, risk and compliance. EY’s Global Information Security Survey 2013: Under cyber attack
OBSERVATIONS

CASE STUDIES

Don’t become a Target

Those who make our laws are not immune from breaking them

By Jon Bernstein

Two large data security breaches either side of the New Year and thousands of miles apart – one involving a large retailer, the other a large financial services company – are illustrative of the privacy concerns the general public shares and the challenges organisations face.

In the run-up to Christmas, Target, the second-largest discount store in the United States, fell victim to a huge credit and debit card theft. It affected up to 40 million customers, the retailer admitted, while a larger group of 70 million customers also had personal data compromised. The data had been stolen from shoppers between the end of November and mid-December, a particularly busy time in the retail calendar.

According to Avivah Litan, a security analyst with Gartner, the Target data breach provides an excellent example of how identity theft might occur. “Let’s say [the criminals have some details on] Mary Jane,” Litan told the Washington Post. “Now they’ve got her email, her name and her address, and now they have her credit card. So now she’s easier to target.”

A few weeks later, news emerged from Seoul that details from over 100 million South Korean credit cards and bank accounts had been stolen, in the country’s biggest ever breach. A private financial services company that managed the credit cards placed details of 106 million accounts on a portable hard drive. Legal action followed, with 130 victims claiming $100,000 each in compensation.

Stories of human error and poor practice in handling sensitive data are recurring themes when recounting some of the most significant data breaches of the past few years. Error and poor practice are things one might not expect of a technology company, which ought to be more aware than most of the potential risks to digital assets. Yet it turns out that technology companies are far from immune.

Take Sony, or more specifically Sony Computer Entertainment Europe, which was found to be in breach of the UK Data Protection Act and fined £250,000 in January 2013. Its offence? A “serious breach” of its customers’ confidentiality back in 2011 when hackers stole names, email addresses, dates of birth and account passwords from members of the PlayStation Network. Sony, which took issue with the ruling, was also accused of putting customer payment cards at risk. David Smith, a deputy to Christopher Graham at the Information Commissioner’s Office (ICO), told the Daily Telegraph: “If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted, albeit in a determined criminal attack, the security measures in place were simply not good enough.”

Perhaps the biggest breach of all to affect customers of a technology company hit Adobe, the makers of Photoshop and Acrobat Reader, last October. According to the software company, hackers carried out a “sophisticated attack” that compromised customer IDs and encrypted passwords. The company’s security chief went on to tell the press: “We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates and other information relating to customer orders.”

In the event, 2.9 million was a vast underestimation. By the end of the month, news outlets were reporting that nearer to 40 million users could have been affected. An Adobe spokesperson told the website Naked Security: “So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and . . . encrypted passwords for approximately 38 million active users.” In an effort to mitigate the impact of the hack, Adobe automatically reset customer passwords and set up a help page on its website.

Those who make our laws are not immune, either. One of the more embarrassing episodes for the last Labour government came when Gordon Brown was forced to apologise after two disks with details of 25 million taxpayers went missing. “I profoundly regret and apologise for the inconvenience and worries that have been caused to millions of families who receive child benefits,” the then prime minister told MPs in November 2007. The data included names, dates of birth, National Insurance numbers and bank and address details. The disks were couriered by a junior Revenue and Customs official to the National Audit Office in London but failed to arrive. The opposition put the potential value of the data – were it to fall into criminal hands – at £1.5bn.

More recently, local and central government has been guilty of similar breaches, even if these cases have not proved quite as high profile. Last year, North-East Lincolnshire Council received a penalty notice from the ICO for losing an encrypted memory stick carrying personal, sensitive data of 286 children. Islington Borough Council in London received a similar notice when private details of 2,000 residents were released online. And Glasgow City Council was fined when two unencrypted laptops went missing; one of them contained the personal information of 20,143 people.

Finally, file this one under “I” for ironic. The Ministry of Justice – with a remit to safeguard human rights and civil liberties – fell foul of the ICO last October. Its offence? Failing to keep personal data secure after spreadsheets containing details of 1,182 prisoners in Cardiff were emailed to three families of inmates. The error occurred in August 2011. An ICO investigation found that two instances of the same error had occurred within the previous month. A fine of £140,000 followed.

Photo caption: Target practice: data theft hit 40 million clients
VIEW FROM THE REGULATOR

Catch them while you can

By Christopher Graham

We live in an age of information where data, and especially our personal data, is a highly prized commodity. Whether it’s via search engines, social media, loyalty cards, apps, surveys or shopping, we are constantly divulging our private information. Many of us input it without thinking, unaware why, or for what reasons, our details are being taken.

A 2012 study by the Boston Consulting Group projected that the value of Europe’s personal data could grow to €1trn by 2020, 8 per cent of the GDP of the continent’s economy. With such large sums involved it’s obvious why companies such as Google and Facebook are so keen to get access to individuals’ personal data. But this exchange must be secure and trusted, and for that consumers need to be confident and informed. The same study showed that individuals who knew how to protect and manage their privacy were up to 52 per cent more willing to share information than those who didn’t, presumably because they feel in control of the exchange. That is why the Information Commissioner’s Office (ICO) supports initiatives such as midata, which aims to give consumers new powers to ask companies to hand over their personal data so they can make more informed choices on how they spend their money.

When it comes to young people it can be tempting to think they are digitally savvy. While many are technically competent, there are still alarming gaps when it comes to data privacy. Children start using the internet from a very young age but most aren’t aware of how the personal information they upload gets used, or how to make informed decisions about what they share online. They may not, for example, think through the consequences of sharing photographs on social media or what happens when they agree to a mobile app accessing their personal information. Our rapidly changing digital world offers many benefits, but many pitfalls as well, and they have to be navigated carefully.

A 2011 survey by the Office for National Statistics found one in five internet users did not believe their skills were sufficient to protect their personal data. This shows how much more work there is to be done. As such, educating young people about their digital rights, especially around privacy, is critical. It is important that as digital natives, who have grown up using tablets as naturally as magazines, they know how to guard their digital footprint. One way we’re trying to do this is through a series of lesson plans to be taught in schools.

Designed for both primary and secondary education, the lesson plans cover a wide variety of issues. The primary school plans explore what we mean by personal information, and give children the opportunity to discuss and share their own understanding of the subject; they also encourage them to think about what information should be shared and what should be kept private. At secondary school level, the plans familiarise students with their rights and responsibilities relating to data protection and freedom of information, giving them the knowledge and tools to make informed decisions when interacting with companies and organisations from day to day. They also provide guidance to young people about their rights to access personal information from organisations that hold their details, and the right, as citizens, to request information from public authorities.

So far the lesson plans have been downloaded over 4,000 times and there are moves to expand them to cover areas including the commercial and entrepreneurial use of open data – a mandatory requirement of the computing curriculum in England from September 2014. We are also exploring a template project for older students that will help them learn about their information rights while at the same time helping schools to improve on their data protection compliance.

As more and more of our lives move online, confidence in data security becomes not only personally, but economically critical. Privacy and trust are increasingly becoming an area of competition for companies, which can differentiate themselves from their rivals by adopting the right controls and processes. By helping to create informed, confident digital citizens, we can help not only the individuals but the economy as well.

Christopher Graham is the Information Commissioner for the UK

NS INTERVIEW

“These laws go back to 1890”

By Jon Bernstein

Photo caption: Wright: “Privacy is a subject I feel strongly about”

As LinkedIn profiles go, Steve Wright’s is rather unusual. Where most of us would use that opening gambit (aka, the Summary) on the ubiquitous professional social network for a hyped-up sales pitch, Wright’s reads more like a manifesto for information privacy.

The global privacy officer for the Anglo-Dutch consumer goods company Unilever writes: “Privacy is a fundamental human right and essential for making sound legal, risk and policy-based decisions. Many recognise the importance of privacy for freedom, democracy, social welfare, individual well-being and of course – a key ingredient for success in today’s digital political, social and economic world. Many also assert that it is worth protecting at significant cost. Yet, scarcely a day passes without reports of yet another onslaught on our privacy.”

When we meet at Unilever’s imposing London headquarters – built in neoclassical art-deco style in 1929 just before the Wall Street crash – I ask Wright about that entry. “It’s a subject I feel strongly about,” he says. “It’s a passion.

“Anything to do with your job or your role, you’ve got to believe in what you are doing. That, for me, is absolutely imperative, otherwise how can you get other people to buy in to it?”
Privacy, he repeats, is a human right and, for an organisation with over 400 brands that reach two billion people every day (that’s nearly a third of the world’s population), it remains a particular challenge. “We’re talking about laws that were first tested back in 1890 so it’s not something that’s just come along. This is part of the Geneva Convention. You are entitled to your privacy and no one can take it away from you unless you break the laws of the land in which you live.”

Wright, 43, is Unilever’s first global privacy officer. He took on the role in October 2012 after a decade consulting on privacy and security for Siemens, PWC and Deloitte. It’s a complicated role, so I ask him how he explains it to his family and friends. “What I try to say is that I look after data and we try to respect the rights of people.” And the longer definition? First, he says, you need to understand the context. “We are now in a domain globally where everything is on the ether – everything is out there any time, any place, anywhere. That means you’ve got to address privacy in a more holistic way. You can’t just think granularly or legally within a specific company. You’ve got to have that common framework. So the role of a privacy officer is to try to harmonise and standardise on the approaches that we take, irrespective of country.”

One of the first things he did at Unilever was set up a common privacy standard across operating companies in different parts of the world. “I aligned it with 120 different laws, made sure I wasn’t too onerous, that it wasn’t over the top, that it was relevant to the size of our company, the complexity and risks that we face.”

If that sounds like a job for a lawyer, that is because most privacy officers are lawyers. Wright is the exception. “I think the reason they selected me was twofold. They wanted someone who would be pragmatic in their approach. They didn’t want it just to be some kind of legal, tick-box compliance exercise – they wanted actual change. And second, with my vast experience working with information security and data, they wanted someone who could talk and then understand some of the [information technology] constraints that we have.”

In his answers, Wright hints at some of the well-worn conundrums with which privacy professionals continually have to wrestle. Take a universally agreed definition of information privacy – in Wright’s words, “protecting the privacy that relates to an individual. If I can identify a person from some information then that is regarded as private information.”

Even here problems arise. When privacy crosses geographical boundaries as well as intersects the interests of competing companies and organisations, there needs to be something that binds all these competing concerns. More regulation and legislation, perhaps? “We are not short of legislation in this space,” Wright notes.

So, is that the wrong way to approach things? “No, no. That’s not my point of view. There are over 120 different laws and various regulations around the world on data protection and they all vary. But essentially they have the same principles, which are around protecting information.”

Wright says earlier approaches to privacy and data security were too regulatory-driven – “a bit of a tick-box exercise” – but things began to change with the introduction in 2002 of the Sarbanes-Oxley Act following the Enron security scandal. “We had to pull our socks up,” he says. “The sharing of information is so complex between different countries, we do now need a common platform or framework that we’re all adhering to, rather than these differing strengths.”

One emerging approach to information privacy is known as binding corporate rules (BCR), which are designed to allow multinational companies to transfer data from the European Economic Area to affiliates around the world. It sounds like a perfect fit for Unilever.

However, Wright tells me that the company has yet to sign up because BCR has proven too “compliance-driven”. Instead, “we have got the intergroup transfer arrangement, which is essentially a legally binding agreement that stipulates the privacy and security requirements across all of our operating companies. It’s like binding corporate rules but not as legalistic.”

Wright began his career working in-house as the IT security officer at Capita, reporting into the chief information officer. He moved into consulting, he says, because he wanted the breadth of experience he couldn’t get from a single company with a single set of products and services. “I plunged myself into the world of pain that my customers were experiencing,” he recalls.

“The jump back into industry is great because I’ve got ten years of experience and loads of battle scars I wouldn’t have picked up just in-house. So when I speak to my colleagues about some of the challenges they are having, I think, ‘I did that at a bank and we got round it like this.’”

Today, he manages a team of 12 people dotted around the world. His approach has been to divide Unilever into functions (such as human resources and marketing) and categories (such as personal care products and foods). He says the business functions will share similar issues regardless of location and once lessons have been learned in one location they can be applied elsewhere. “I would prefer people to see me as an enabler rather than a disabler. It’s not just about me saying ‘no’ to people, unless there is a good logical reason and a legitimate legal reason to do so.”

So, what about his own privacy? We know he uses LinkedIn and joins online discussion groups around his specialist subjects. However, he doesn’t use Facebook, because of “the crossover between what I do socially and privately and my work. I think that is too blurry.”

His watchword when it comes to personal privacy is vigilance. “When I say vigilant, I mean vigilant from a professional perspective. We’ve all got several personas. You come into work and you’re professional. At home that’s a different persona. You have a duty of care to protect your personal persona and your professional persona. My advice to anybody is that what you choose to share and who you choose to have access to it is down to you alone. So if you’re willing to tick a box to say you will share information (or you didn’t have time to untick), don’t be surprised if your data is then shared with 30 other partners. Data is valuable.”

And he makes a prediction: “We will have to get to a position in ten to 20 years where we are responsible for our data as individuals and we choose who to share it with. We will become owners of our own central database.”

Jon Bernstein was deputy editor of the New Statesman between 2009 and 2012. He is a freelance editor and writer
  • 13. By Nick Pickles THE CITIZEN’S VIEW The real price of privacy The digital revolution is a long way from finished,butalreadythesignsofacreaking regulatory framework are visible. Wheth- er it is revelations about government sur- veillance or the boom in wearable tech- nology, what is becoming clear is that citizens are increasingly powerless in the face of an all-out assault on our privacy. Parliament could never have imagined the scale of the transformation that digi- tal technology has unleashed. Go back 20 years and ask people how they would feel about carrying a personal tracking device and I expect the answer would be a de- finitive “no”. Now we all carry them, but they let us make phone calls and browse the web, too. A critical part of this transformation has seen private companies collecting more data on us than ever before. Mass surveil- lance is not just the purview of govern- ments – it has become a business model. Equally, no sooner had the first versions of Google Glass gone on sale than various UK police forces announced their officers would start using body-worn cameras, recording their interactions with the pub- lic. Government is as data-hungry as ever, from new NHS databases drawn from our GP records to plans for greater police ac- cess to our web activity. So, how do we address these risks to ourprivacy?Certainlynotviatechnology- specific legislation. The EU’s cookie dir- ective is a recent warning of what hap- pens when you go down that path. Legis- lative whack-a-mole does little to reassure consumers or promote investment and should be avoided at all costs. Yetitisequallyclearthatthelawwehave doesnotreflectthemodernworld,wheth- er that’s surveillance laws written for copper telephone cables being used to tap fibre-optic internet cables carrying mil- lions of people’s communications, or the paltry powers of the Information Com- missioner to tame corporate data lust. 
A £500,000 fine – the highest that the ICO can level – is hardly going to trouble the sleep of executives who run companies with turnovers that exceed the GDP of some moderate-sized countries. The legal framework needs to reflect the greater value of information about us, strengthen the rights of citizens to decide what happens to their data and give regu- lators the powers to deter and prosecute those who step over the line. Equally, citizens voting with their feet, or their clicks, are fierce regulators. That doesn’t mean regulators should plead helplessness in the face of global corpo- rate behemoths. They need to innovate, too. Recently France’s privacy regulator, theCNIL,orderedGoogletopublishano- tice on its home page, linked to the watch- dog’s website, detailing why it had been fined €150,000 for infringing French pri- vacy law. The cynics who asserted con- sumers didn’t care about privacy were somewhat surprised when so many peo- ple clicked on the notice that it crashed the CNIL website. Who knew if you offered to inform people, they would care? As the Internet of Things comes to life and wearable technology becomes com- monplace, the information being gener- ated about us will increase by an order of magnitude. One person’s ubiquitous computing is another’s ubiquitous sur- veillance. The danger is that if the current landscape of regulation and consumer power remains constant, a new breed of digital oligarchs will be born, with a few distant firms controlling ever-increasing amounts of information about us. Worse, we will lock in business mod- els driven by free services and advertis- ing, rather than allowing innovation to flourish alongside greater control over our privacy. The digital marketplace can- not afford to allow competition to be sti- fled by forcing new businesses to emulate the data-hungry practices of the estab- lished players. 
That sense of powerlessness is already leading to new technology that tries to act as a barrier between you and those who try to track you, whether government or corporate actors. The Snowden revelations have raised fundamental questions about the internet infrastructure we rely on, and the technical community will not sit quietly by and wait for new law.

As the adage goes, if you're not paying, you're the product. That is the story of free services but not free people. It's up to us all to make sure we don't end up knowing the value of privacy but having no control over our own.

Nick Pickles is director of the campaign group Big Brother Watch
DEFINITIONS
Jargon-buster

Big data
Describes the petabytes of complex, often unstructured data that organisations and governments collect internally from their own systems and employees; externally from their customers, suppliers, partners and shareholders; and from technology tools, such as social media, that harvest data from users.

Binding Corporate Rules
A European Union mechanism: a set of internal, legally binding rules – similar to a code of conduct – approved by data protection authorities, which allow a multinational organisation to transfer personal information between its own entities, including across international boundaries.

BYOD
Short form for "bring your own device", a term that describes employees using their personal mobile devices (smartphone, tablet, laptop, etc) at work, for work. This may include having access to protected company networks and to privileged data and applications.

Cloud
Cloud computing refers to shared, remotely hosted computing and storage resources, most often virtual repositories in which individuals and organisations can store data. Public clouds, the most ubiquitous of the bunch, are available to the general public and are owned by a third party providing cloud computing services. Other cloud models include private, community and hybrid.

Cyber attack
A deliberate, unauthorised attempt to breach a computer system's or network's defences by an individual or an organisation intent on viewing, stealing or altering information it is not meant to have, or on disrupting the system's operation.

Cyber havens
Cloud computing service providers and other data hosts operating in countries with lax or non-existent security and privacy regulations.

Data portability
Enables users to move data between various applications and computing environments or among cloud service providers. For consumers, data portability also allows users to co-ordinate personal data across multiple social networking sites.

Data processing
Obtaining, recording or holding data, or carrying out any operation on it, including organising, altering, retrieving, disclosing or erasing it.
Data protection officer
Either a full- or part-time role within an organisation. The DPO is primarily responsible for overseeing the creation and management of the processes, policies and tools that protect the personal data the organisation collects.

Information asset management
In its simplest form, this refers to the management of an organisation's information assets – documents, intellectual property, emails, web content, images, video and other relevant digital or physical content.

Information privacy
Information privacy refers to the rights and obligations of individuals and organisations with respect to the collection, retention, disclosure and disposal of personal information.

Information security
Information security refers to the protection of data from unauthorised access, modification, destruction or removal from an organisation's computer systems or networks; in other words, preserving its confidentiality, integrity and availability.

Internet of things
The Internet of Things describes everyday objects fitted with embedded sensors, identifiers or network connectivity, and the image recognition and sensing technologies behind them, which until recently had been used primarily in security systems but are now being applied to our day-to-day lives.

Privacy policy
An internal statement, addressed to those within an organisation who use personal information, which defines how that personal information is to be handled.

Privacy notice
A public-facing statement that describes how the organisation collects, uses, retains and discloses personal information.

Risk management
This is about identifying, assessing and prioritising the risks that matter most to an organisation, and then managing or mitigating those risks according to the organisation's appetite for risk.

Safe Harbour
A set of principles the US Department of Commerce developed in consultation with the European Commission, to which US companies self-certify in order to transfer personal information legitimately from the EU to the US.
VIEW FROM EY
Opportunities, yes – but handle with care
By Sagi Leizerov and Ken Allan

Consumers have seized the power to dictate what they want, when they want it, whom they talk to, whom they buy from and how much they want to pay. Organisations, eager to please the voracious appetites of these super-consumers, seize any opportunity available – often through an ever-emerging array of new technologies – to communicate, build relationships, gather reams of data and sell their services.

Consumers are also adopting new lifestyles, using their mobile devices to support day-to-day tasks beyond just connecting with friends and communities, browsing and shopping. Personal devices are making their way into the workplace, with significant and growing numbers using their smartphone to help them do their job. Once seen as a trend that could improve efficiencies and deliver cost savings for organisations, "bring your own device" has put organisations at substantial risk of data loss, and introduced a huge number of privacy challenges. Organisations need to maintain the privacy of their information, but if it sits on a mobile device outside their control, how can this be achieved?

The upsides and downsides of this digital revolution are huge. Every time consumers log on, browse the net, post to a social media site, or shop online, they are voluntarily – sometimes involuntarily – giving away bits of information about themselves. Organisations gleefully collect these petabytes of data to provide better services, market themselves and sell more effectively. Yet both consumers and organisations often leave themselves vulnerable to disreputable elements that want this personally identifiable data.

As a general rule, technology is now moving far too quickly for privacy regulators to be able to keep pace. Some regulatory mechanisms remain effective, such as the European Union's binding corporate rules. More often, however, regulations are outdated almost immediately on release.
And then there are some, such as Safe Harbour – the US-EU framework of principles, which has been in place for longer than a decade – that are under review and may be altered.

So, where does that leave organisations? How can they safeguard the privacy of data in this age of technological innovation? The answer in part lies more in governance than regulation, in innovation more than compliance. Organisations need to focus on privacy accountability that follows an ethical path as well as aligning with suggestions from regulators; that adheres to the spirit rather than just the letter of regulation; and that builds the trust of those whose privacy an organisation has pledged to protect, rather than eroding that trust by failing to give privacy enough importance within the organisation.

The answer also lies in taking action today; organisations need not wait for the regulator to act. New, harsher regulation is coming and in all likelihood the essence of it will not change. The first key steps every organisation could take today are to find out what its biggest privacy challenges are: what personal data it has, where the data is, who has access to it, where this creates risks and what improvements can be put in place.

If new regulations are going to focus on organisations being accountable and providing evidence of compliance, then a documented plan, even if implementation has not yet begun, will demonstrate that the intention is there, and this can also be a powerful asset to take to the boardroom. Focused and effective privacy will require a fundamental change in attitude and behaviour by consumer and organisation alike, in how they view data privacy, and what they are willing to do to protect it.
Sagi Leizerov is executive director, privacy assurance and advisory services, and Ken Allan is information security leader at EY

A privacy policy that follows an ethical path involves adhering to the spirit, not just the letter, of the law

Are you a business leader?
Seven questions to ask to find out how well-equipped your organisation is to tackle today's and tomorrow's privacy issues:

• How mature are your organisation's privacy measures?
• Is privacy a board-level priority within your organisation?
• What steps do you take to anonymise consumer data and safeguard its privacy?
• Is privacy a consideration when acquiring or installing new technology?
• Does your organisation have privacy governance and operating models?
• Does your privacy programme include documented processes and regular risk assessments?
• Do you monitor and measure the effectiveness of your privacy mechanisms and processes?
SPEED YOUR WAY TO IMPROVING YOUR DATA PRIVACY

In today's technologically fast-moving world, where regulation is rapidly playing an ever greater role, there is no time to waste in protecting the privacy of your own and your customers' data. EY believes that every organisation today needs to consider a privacy improvement programme supported by greater data protection monitoring. There are four critical steps:

1. Create an inventory to fully understand what data you process, where it is, and who has access to it
2. Perform a "current state assessment" to identify compliance gaps and assess the risks
3. Develop and implement the privacy improvement programme, prioritised to focus on high-risk gaps and quick wins
4. Conduct ongoing monitoring of data protection compliance

To help your organisation take these steps, talk to one of our Privacy or Information Security professionals, or email Ken Allen: KAllen@uk.ey.com

To read our Privacy Trends 2014 report visit: ey.com/privacy2014

©2014 EYGM Limited. All Rights Reserved. ED0715.