Fight For DPOs With Introduction of GDPR
Technology and employment commentators are predicting that with the already high demand for skilled and talented Data Protection Officers (DPOs), the introduction of GDPR may see businesses having to compete to recruit the right one.
What’s A Data Protection Officer?
A DPO’s role is essentially that of looking after any legal and ethical issues related to handling customer data. They are required to have specialist knowledge in matters relating to data and information privacy and security.
What Is Demand For DPOs Like Now?
According to figures from the Indeed job search site, DPO job listings posted in the UK have increased by no less than 700% over the past 18 months. That’s the equivalent of an increase from 12.7 listings per 1 million in April 2016 to 102.7 listings per 1 million in December.
Triggered An Increase In Training
The huge increase in the demand for DPOs has led to a corresponding increase in the demand for GDPR training, as individuals spot a potentially lucrative career, and companies seek to bring their in-house DPOs up to speed.
Some GDPR training providers have reported selling out of courses for the next six months, as demand for GDPR-Ready training programmes for DPOs has increased by as much as one-third.
Even Bigger Demand With Introduction of GDPR
The International Association of Privacy Professionals (IAPP) estimates that, with the introduction of GDPR in May this year, 28,000 DPOs will be needed in Europe and the U.S., and perhaps as many as 75,000 around the globe.
Why?
GDPR requires that companies must have a DPO to help with tasks such as data audits for compliance with privacy laws, training employees on data privacy, and to be the main point of contact in the company for European regulators.
With its 99 articles, under the guidance of 6 privacy principles, the General Data Protection Regulation (GDPR) is long and complicated, and it requires someone within the business to understand it and how it should be applied in practice. Failure to comply with GDPR, and data breaches resulting from non-compliance, can bring large fines and other potentially disastrous consequences for businesses and organisations, e.g. loss of customers and damage to brand and reputation.
Legal and business commentators are also predicting that companies may only want to deal with suppliers who are GDPR compliant in order to maximise their own compliance and avoid the penalties.
What Does This Mean For Your Business?
For those who are already, or are currently training to be DPOs, the immediate future looks bright in terms of their choice of employment, the massive (and growing) demand for their services, and the bargaining power that this may give them with employers e.g. for their salary.
Businesses that are already trying to get to grips with the complications and costs of complying with GDPR, and who already know that they will need somebody in the DPO’s role, may not have anticipated the extra complication of having to compete with other businesses to get one. With the demand for good DPOs looking likely to continue to outstrip supply, the situation may arise where some businesses attempt to poach DPOs from others.
With X-day already past, and the introduction of GDPR just 3 months away, the clock is now ticking loudly for businesses that may not yet have given any serious thought to the role of DPO, or where to get GDPR training.
Tech Tip – Find Files By Date
If you have produced and stored many files on your computer over time, in multiple folders, it can sometimes be difficult to find the file you need. One way to narrow the search in Windows 10 is to search by date. Here’s how:
1-Choose the folder, drive, or library you want to search.
2-Click in the search box (upper right corner of the File Explorer window).
3-Type the datemodified: operator (it doesn’t matter if there’s a space after the colon), followed by a date / date range.
The date range can be e.g. a single date in any standard date format, a range of dates e.g. 20/1/2018 .. 20/2/2018, a month or year or both, or a relative term e.g. last week, last month. Alternatively:
1-Click in the search box to bring up the Search Tools tab on the ribbon.
2-Click the Date Modified button.
3-Choose one of the available options.
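The same “date modified” search run from PowerShell rather than the File Explorer search box, as an added example that is not part of the original tip; the folder path and the dates are assumed sample values, and the relative-term calls approximate Explorer’s “last week” / “last month” as the previous 7 days / previous month:

```powershell
# Added example (not from the original tip): find files by "date modified"
# from PowerShell. Explorer's "Date modified" column is the LastWriteTime
# property of each file, so that is what we filter on here.
function Find-FilesByDateModified {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [datetime] $From = [datetime]::MinValue,   # earliest modified date to include
        [datetime] $To   = (Get-Date).Date         # latest day to include (whole day)
    )
    $end = $To.Date.AddDays(1)   # make the $To day inclusive
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $From -and $_.LastWriteTime -lt $end } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

# Assumed sample folder; replace with the folder, drive or library to search.
$folder = 'C:\Users\Me\Documents'

# A specific range, equivalent to typing:  datemodified:20/1/2018 .. 20/2/2018
# (ISO yyyy-MM-dd strings are parsed the same way regardless of regional settings)
Find-FilesByDateModified -Path $folder -From '2018-01-20' -To '2018-02-20'

# Relative terms, roughly equivalent to  datemodified:last week  and  datemodified:last month
$today = (Get-Date).Date
Find-FilesByDateModified -Path $folder -From $today.AddDays(-7)
Find-FilesByDateModified -Path $folder -From $today.AddMonths(-1)
```

Unlike the Explorer search box, Get-ChildItem walks the folder tree directly rather than relying on the Windows search index, so it also finds files in locations the index has been configured to skip.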
Tech Tip – Windows 10: Near Share
One helpful feature to look out for in the Windows 10 update this Spring will be ‘Near Share’ whereby nearby Windows 10 devices can share files and URLs with you via Bluetooth.
This feature is similar to Apple’s AirDrop, and it works in the following way:
1-Apps e.g. Photos, Microsoft Edge and File Explorer display a Share icon.
2-Click on the icon to see and choose local devices to share with by Bluetooth.
3-The recipient gets a notification via the Action Centre.
4-Acceptance of the notification by the recipient allows the transfer to take place.
Facebook In Authentication Spamming Row
Facebook is facing criticism for allegedly using sign-ups to two-factor authentication as an opportunity to send spam SMS notifications.
What 2FA?
Facebook has been allowing users to sign up for SMS-based two-factor authentication to mitigate the risk of phishing attempts and to help protect people from having their accounts compromised.
Spam Too
Unfortunately, in addition to receiving the authentication texts / security tokens that they expected, some sign-ups have also reported receiving what are essentially extra spam texts from Facebook with links to other things happening on the social network.
To make matters even worse, any replies to the spam texts e.g. requests to stop the texts, were reported to have been posted onto the user’s Facebook profile page.
Facebook Sorry
After complaints were received, Facebook released a statement saying that it was sorry for any inconvenience caused, and that it was not their intention to send non-security-related SMS notifications to the phone numbers that customers had submitted as part of the two-factor authentication service.
With regard to posting customer replies to the spam texts on their own Facebook profiles, Facebook explained that this was a throwback to a time before the ubiquity of smartphones, when Facebook supported posting to profiles via text message. Facebook admitted, however, that this feature is now less useful, and that it would soon be deprecated.
Bad Publicity In Europe
This incident comes on top of plenty of recent bad publicity in Europe for Facebook. Firstly, after a dispute dating back to 2015 where Facebook fell foul of Verbraucherzentrale Bundesverband (vzbv), or Federation of German Consumer Organisations, a German court has just ruled that Facebook didn’t do enough to alert people to the pre-ticked privacy settings on its mobile app. It also found that eight clauses in Facebook’s terms of service were invalid, including terms that allow Facebook to transmit data to the US and use personal data for commercial purposes.
In a separate long-running spat, this time in Belgium, Facebook lost in a court case with Belgium’s privacy watchdog, the Belgian commission for the protection of privacy (CPP), where it was ruled that Facebook failed to comply with Belgian privacy laws. This time, it was found that Facebook had been using cookies to track people who may or may not have been Facebook users without their consent, and then stored the tracked personal data that it obtained illegally in the first place.
What Does This Mean For Your Business?
As well as highlighting how the behaviour of some big US Internet companies in Europe is being closely monitored (and needs to be), it highlights how data privacy laws and courts differ from country to country.
This story also brings into focus the importance of the imminent introduction of GDPR in May this year, which should go some way to making data privacy and security laws more uniform and consistent across the EU region. Even though the UK won’t be in the EU soon, GDPR will apply initially, and then the Data Protection Bill (DPB) will replace the Data Protection Act 1998, and will essentially transfer the EU’s GDPR into UK law for the future.
On the subject of GDPR, businesses should be reminded that we have now passed what is known as ‘X-Day’ (100 days from GDPR’s introduction), and that businesses and organisations need to quickly adopt an automated, classification-based, policy-driven approach so that they can meet the regulatory demands within the short time frame available.
In relation to the Facebook case of ‘accidental’ spam after sign-ups for the SMS-based two-factor authentication service, this behaviour would contravene GDPR because, under GDPR, the users would have only given consent for the 2FA service, and not for anything else. GDPR may, therefore, make companies think very seriously about what SMS and email messages they send to user groups based on their initial consent. The whole area of consent and GDPR is something that will need more discussion and clarification to help businesses understand the new boundaries for their online marketing.
Facebook Postcards To Combat Election Interference
Following disclosures of how Facebook was used by advertisers who may have been seeking to influence the US election result, Facebook has suggested that in future in the US, those backing candidates with advertising campaigns will receive a ‘snail mail’ postcard sent by Facebook with a verification code.
Ads Mentioning A Candidate
The measure is reported to be only applicable to those who run adverts mentioning a specific candidate, rather than paying to promote a political message e.g. a policy. The verification code sent on the post card can then be used to confirm the advertiser lives in the United States.
Won’t Solve Everything
Facebook’s global director of policy programs, Katie Harbath, has reportedly acknowledged that the postcard idea may not solve all the problems, but that it is the most effective solution the company could come up with for the time being to stop similar illegal activity happening on its platform.
How Bad Was It?
Back in November, Facebook released figures ahead of its Senate hearing showing that Russia-based operatives uploaded 80,000 posts to Facebook in the last 2 years. Taking into account posts published between June 2015 and August 2017, it is believed that 29 million Americans saw the posts directly, and that 26 million American users may have seen, and perhaps been influenced by, liked and shared messages and comments that could have originated in Russia.
Also, US Special Counsel Robert Mueller said recently that no fewer than 13 Russians and three Russian companies are believed to have committed criminal offences by using social media to interfere in the US election.
What Does This Mean For Your Business?
It does seem a little ironic that one of the world’s most famous Internet companies must resort to ‘snail mail’ to solve a major problem, but as the company says, it seems like the only effective option for now. It would also be easy to see how this overt, but fairly limited, option could be gotten around by e.g. determined state-sponsored players.
The bigger picture of the whole election result influence story (i.e. which party / candidate wins) is that it has a big effect on the business environment as well as on society. It is not a surprise that one country could seek to influence events in another, but it is a surprise to some people that tech companies and social media companies are still able to offer such a powerful voice and a channel to all.
The challenge that tech companies such as Facebook and Google (with YouTube) face is that they need to protect the idea that they reject censorship and interference from governments, while still being seen to be acting responsibly and proactively, while also protecting their brands and monetising elements of their business at the same time.
The election revelations have just served to add fuel to the arguments of governments and politicians, both in the US and the UK, that they lack sufficient influence over social media and tech companies, e.g. in the end-to-end encryption debate in the UK, and that they often only come up against lawyers for these companies rather than being able to be seen publicly grilling the owners of these tech giants themselves.
GDPR Extortion Prediction
A report by security company Trend Micro has predicted that, as cyber criminals are now focusing more on maximising financial return, the introduction of GDPR this year could give them potentially lucrative extortion opportunities.
How?
The point that this report is making is that, with the prospect of massive fines under GDPR, e.g. fines of up to €20 million or 4% of global turnover, criminals could extort large sums of money from companies with the threat of a cyber attack that could lead to a data security breach, which could in turn lead to a fine under GDPR. It has been suggested that criminals could first determine the penalty under GDPR that could result from an attack, and then demand a ransom of slightly less than that fine.
What’s Happening?
The recent trends in cyber crime are what have led to this latest chilling prediction. For example, it has become more apparent that cyber criminals are abandoning exploit kits and indiscriminate attacks in favour of more strategic attacks with maximised financial gain. This trend, coupled with the fact that, although the number of reported breaches in 2017 was lower than in 2016, the amount of data compromised by cyber attacks increased, has led security commentators to believe that criminals will seek to exploit GDPR as a money-making weapon.
Predictions Started Last Year
Predictions that the threat of GDPR fines could be exploited by criminals first surfaced in the media last November, when researcher Mikko Hypponen made the point that GDPR fine figures could give cyber criminals using ransomware, or hackers stealing data, a price point at which to set the ransom, because they now know how much money they should be asking for.
Hypponen argued that because the criminals know what data is worth / what covering-up a data breach may be worth to some companies (probably large, well-known ones), these companies may be actually willing to pay anything less than the full amount of the fine to avoid serious damage to their reputation, loss of customers and more.
According to Hypponen, ransoms could, therefore, be set at up to 2% or 3% of the targeted organisation’s global annual turnover. This could equate to millions of dollars in some cases.
Threat Of Reporting Too
As well as the threat of a ransom to avoid a direct, deliberate attack that would result in a fine, security commentators have also suggested that hackers / scammers could steal data with advanced ransomware and then blackmail the victims with the threat of reporting them to the data protection commissioner. This is because ransomware can affect the availability, access, and recovery of personal data.
Other Trends
Other trends uncovered in the recent Trend Micro report include:
- A 32% increase in new ransomware families from 2016 to 2017.
- A doubling of business email compromise (BEC) attempts between the first and second half of 2017.
- Rapidly rising rates of cryptocurrency mining malware (100,000 detections in October).
- A 22% increase from 2016 in BEC attempts to trick company employees into approving money transfers to criminal accounts, mostly targeting the chief financial officer (CFO).
- More attacks on vulnerable internet of things (IoT) devices, with software vulnerabilities also continuing to be targeted (1,009 new flaws discovered and disclosed in 2017).
What Does This Mean For Your Business?
As well as being an opportunity to get the (data) house in order and to enhance competitiveness (GDPR-compliant companies are more likely to want to deal with other compliant companies), the size of the fines and now the potential activities of extortionists are risks for UK businesses in the coming years. Even though these predictions relate to more daring and sophisticated crimes, companies should still make sure that they are at least covered against more basic attempts, e.g. by keeping up to date with software patching and covering all known vulnerabilities.
Ways that companies could protect themselves against hacking / ransomware threats include only giving users access to what they need and taking away admin privileges, backing up all critical files effectively and securely, and testing those backups to make sure that information can be restored in a usable form. Training of staff e.g. chief financial officers (CFOs) or anyone involved in payment, and establishing a clear process for checking and chain of command could reduce the risk of BEC attempts and socially engineered attacks. Businesses would also be wise to make sure that their Business Continuity and Disaster Recovery Plans are kept up to date in the light of emerging threats.
More security commentators are also now warning businesses against the potentially devastating combination of security oversights, increasingly aggressive threats and, perhaps, carelessness in some aspects of cyber and data security.