Categories
Blog

The Importance of Effective Policies and Training in Data Protection: Lessons from a Scottish Hospital Breach

I recently had the chance to visit with Jonathan Armstrong about a data breach case at the health service provider NHS Lanarkshire (Scotland) that unfolded during the COVID-19 pandemic. The breach is a stark reminder of the challenges organizations face in maintaining data protection and compliance, especially where staff reach for consumer communication platforms like WhatsApp. In this blog post we will explore the lessons learned from this incident and discuss practical advice for organizations that want robust data protection measures.

Background

According to the Cordery Compliance Client Alert on the matter, over a two-year period between 2020 and 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group in which at least 533 entries included patient names. Of these, 215 also contained phone numbers, 96 dates of birth and 28 addresses. Fifteen images, 3 videos and 4 screenshots were also shared, including patients’ personal data and clinical information, which is “special category” health data under both EU and UK law. Other data was added to the WhatsApp group in error, and further communications were identified in which the staff in question had used WhatsApp.

WhatsApp was not approved by NHS Lanarkshire for processing patients’ personal data. The staff adopted it apparently without organizational knowledge, as a substitute for conversations that would previously have taken place in the clinical office but no longer did once office attendance was reduced during the COVID-19 pandemic. Because the app was never approved for sharing patient data, no Data Protection Impact Assessment and no risk assessment of the personal data processing involved were ever carried out. NHS Lanarkshire undertook an internal investigation and reported the matter to the ICO.

ICO Holding

The UK ICO determined that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. There were also a number of infringements of the UK GDPR, not least a failure to implement appropriate technical and organizational measures (TOMs) to ensure the security of the personal data involved; as a consequence, personal data was shared by an unauthorized means and an inappropriate disclosure occurred. The ICO also found that the matter had not been reported to it as a personal data breach within the required time (under the UK GDPR, without undue delay and where feasible within 72 hours of becoming aware of it).

Armstrong noted that the ICO recommended that NHS Lanarkshire take action to ensure its compliance with data protection law, including:

  1. Considering implementing a secure clinical image transfer system, as part of NHS Lanarkshire’s exploration regarding the storage of images and videos within a care setting;
  2. Before deploying new apps, consideration of the risks relating to personal data and including the requirement to assess and mitigate these risks in any approval process;
  3. Ensuring that explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed;
  4. Reviewing all organizational policies and procedures relevant to this matter and amending them where appropriate; and,
  5. Ensuring that all staff are aware of their responsibilities to report personal data breaches internally without delay to the relevant team.

Armstrong concluded that “In light of the remedial steps and mitigating factors the ICO issued an official reprimand – a fine has not yet been imposed. The ICO also asked NHS Lanarkshire to provide an update of actions taken within six months of the reprimand being issued.”

Discussion

This case also highlights a challenge that surfaces in internal investigations: the most interesting documents are often not in email. Employees may turn to alternative platforms like WhatsApp, sometimes precisely to avoid leaving a paper trail. It is crucial to understand that these platforms do not provide the privacy and security people expect of them. End-to-end encryption protects messages in transit, but the messages still sit on personal phones and in whatever backups those phones make, outside the organization’s retention and access controls, and anyone in the group can forward or screenshot them.

Platforms like WhatsApp may seem secure, but they are operated by large technology companies (WhatsApp by Meta) that still collect account and traffic metadata, which raises its own privacy concerns. Organizations must adapt to the preferences of digital-native employees who find email restrictive and opt for other communication methods. That adaptation, however, should be done consciously, with policies and procedures in place to protect sensitive information. Armstrong emphasizes the importance of revisiting emergency measures implemented during the pandemic. As remote work continues, organizations must conduct thorough data protection impact assessments to ensure compliance across all the communication platforms and measures actually in use.

As with all types of compliance, setting policies and procedures is just the first step. It is essential to communicate and educate employees on these policies to ensure their understanding and compliance. Annual online training sessions are not enough; organizations should provide engaging training that goes beyond passive learning, backed by ongoing communications to employees. Armstrong also remarked on the ineffectiveness of off-the-shelf online phishing training. Waiting for an incident to occur and then providing training is not enough to stop people clicking on malicious links. Organizations should focus on providing better training before incidents happen, rather than trying to enhance training afterwards.

The next step is monitoring: compliance with policies and procedures should be actively checked, not assumed. Technical solutions are available to help companies track compliance, but it is crucial to involve individuals at all levels of the organization when designing the policies those tools enforce. A balanced approach is also needed, where employees are recognized for their service but also held accountable for policy breaches. The days of relying solely on punishment for enforcement are gone.

The data breach at the Scottish health board serves as a wake-up call for organizations to prioritize data protection and compliance. Communication challenges during internal investigations, the privacy limits of alternative platforms, and the need for effective policies and training are crucial areas to address. By conducting regular data protection impact assessments, providing engaging training, and securing buy-in from employees, organizations can strengthen their defense against data breaches, whether those come from attackers or from well-meaning staff working around the approved tools. Compliance is an ongoing process, and continuous evaluation and improvement are necessary to keep pace with the evolving digital landscape. Finally, stay vigilant and proactive in safeguarding data privacy and protection.

Categories
Blog

Protecting Personal Data in the Banking Industry: Lessons from the Farage Controversy

Today I want to consider a burgeoning imbroglio in the UK involving Nigel Farage. While you might not think of Farage as a candidate for the FCPA Compliance Blog, it turns out that his current banking situation has some very interesting data privacy issues, shedding light on the data protection risks faced by banks and the importance of compliance with GDPR regulations. So in this blog post, we will explore the lessons learned from this incident and provide practical advice for financial institutions to ensure the security and privacy of customer information.

The recent episode surrounding Nigel Farage’s banking situation has sparked concerns about data protection and compliance within the banking industry. Farage, a prominent figure in the Brexit movement, had his account with Coutts, a high-end private bank owned by NatWest, closed and was offered an account with NatWest instead. The stated reason was that he no longer met Coutts’ wealth threshold. Internal documents that Farage obtained through a subject access request showed that his right-wing politics, particularly his leading role in the Brexit campaign, had been a central factor in the decision.

NatWest then compounded its problem with a leak to the BBC, which reported that Farage had been dropped for purely commercial reasons. As the Guardian later reported, NatWest’s CEO, Dame Alison Rose, had been the source of that inaccurate information. All of this raised concerns about a data breach: Coutts had closed the account after lengthy internal discussions about the reputational risk its staff believed his political views posed to the bank, and details of a customer’s affairs had then been passed to a journalist.

Rose apologized to Farage but, as the New York Times reported, “The apology and a promise to review the bank’s policies were not enough to ease the pressure on Ms. Rose. Reports late Tuesday that the government, which has a 39 percent stake in the bank, was ‘significantly concerned’ about Ms. Rose’s leadership seemed to seal her fate. Before dawn, the bank announced her immediate departure.” That was in late July. Peter Flavel, the chief executive of Coutts, was also sent packing.

From a regulatory, data privacy and GDPR standpoint, NatWest is in severe trouble. Not only did the bank breach its own data privacy policies in passing the information to its then CEO, it then released that same information to the BBC. The consequences of non-compliance with the GDPR can be severe, particularly in regulated industries like financial services. Beyond the data protection breach itself, a bank faces internal policy breaches and potential legal action, and an episode like this can bear on its banking license and on the regulator’s fit and proper assessment of its senior managers. Under the UK Data Protection Act 2018, directors and other officers can be held personally liable where an offence by the company is committed with their consent or connivance, which is why top management needs to understand data protection law and the criminal offences it creates.

The controversy surrounding Nigel Farage’s banking situation serves as a wake-up call for the banking industry to prioritize data protection and compliance. Financial institutions cannot afford to overlook these issues, as the consequences in the era of GDPR can be significant. It is crucial to establish proper policies and procedures, provide training and education for top-level management, and ensure a compliance culture is embedded throughout the organization.

There are multiple lessons to be learned from this controversy and several key takeaways that can help banks navigate the complexities of data protection and compliance:

1. Be cautious with written communication: The incident underscores the importance of being mindful of what is written in emails, since a subject access request can expose them. Consider whether a controversial point would be better made by phone, or at least read the email aloud before sending it.

2. Learn from previous compliance issues: NatWest had compliance problems before this one, and this one cost CEO Dame Alison Rose her job. Organizations need to build a compliance culture at every level, including the very top.

3. Allocate resources for subject access requests: The bank’s CFO has provided extra resources to handle subject access requests, as the cost of non-compliance is usually higher than the cost of compliance. It is estimated that responding to a single subject access request can cost a bank a six-figure sum, and the clock is short: under the UK GDPR a request must normally be answered within one month, extendable by up to two further months for complex requests.

4. Scrutinize politically exposed persons and connections to Russia: Financial institutions have an obligation to carefully scrutinize politically exposed persons and individuals with connections to Russian nationals. Balancing customers’ legitimate activities with the bank’s own legal obligations is crucial.

This affair provides valuable insights into the importance of data protection and compliance in the banking industry. The Farage controversy serves as a reminder that the security and privacy of customer information should be paramount for financial institutions. By learning from past incidents, allocating resources for subject access requests, and adhering to GDPR obligations, banks can safeguard their reputation, avoid legal repercussions, and build trust with their customers.

Categories
FCPA Compliance Report

FCPA Compliance Report – Jason Patel on Leveraging and Protecting Data

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this episode, Tom Fox welcomes Jason Patel as they delve into the critical aspects of go-to-market security, market intelligence security, and customer privacy enforcement in today’s digital world.

 They discuss the importance of protecting businesses and customers’ experiences, leveraging data for security and marketing strategies, and ensuring compliance with privacy legislation like GDPR and CCPA. They highlight the services offered by Cheq.ai, a company specializing in go-to-market security, and stress the need for real-time compliance and a transparent approach involving various stakeholders. The conversation also explores the risks of relying solely on vendors for compliance and the impact of opt-in and opt-out strategies in data privacy. Looking ahead, they predict data privacy to be a leading issue, emphasizing the need for clear and explicit internet regulations to protect businesses and consumers.

 Key Highlights

·      Cheq: Go-to-Market Security and Customer Privacy Enforcement

·      Designing GDPR-compliant controls

·      Real-time compliance in data tracking

·      The Impact of Opt-In vs Opt-Out Strategies

·      The Future of Internet Regulations

Resources

Cheq.ai

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Data Driven Compliance

Data Driven Compliance: Jason Patel on Go-to-Market Security, Compliance, and Data Privacy: Safeguarding Business and Customers

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data Driven Compliance podcast, hosted by Tom Fox, which features an in-depth conversation around the uses of data and data analytics in compliance programs. Data-Driven Compliance is back with another exciting episode. The intersection of law, compliance, and data is becoming increasingly important in the world of cross-border transactions and mergers and acquisitions.

In this podcast episode, Tom Fox and Jason Patel delve into the critical aspects of go-to-market security, market intelligence security, and customer privacy enforcement in today’s digital world. They discuss the importance of protecting businesses and customers’ experiences, leveraging data for security and marketing strategies, and ensuring compliance with privacy legislation like GDPR and CCPA. They highlight the services offered by Cheq, a company specializing in go-to-market security, and stress the need for real-time compliance and a transparent approach involving various stakeholders. The conversation also explores the risks of relying solely on vendors for compliance and the impact of opt-in and opt-out strategies on data privacy. Looking ahead, they predict data privacy to be a leading issue, emphasizing the need for clear and explicit internet regulations to protect businesses and consumers.

Key Highlights:

  • Cheq: Go-to-Market Security and Customer Privacy Enforcement
  • Designing GDPR-compliant controls
  • Real-time compliance in data tracking
  • The Impact of Opt-In vs. Opt-Out Strategies
  • The Future of Internet Regulations

 Resources:

Cheq

 Tom Fox 

Connect with me on the following sites:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Life with GDPR

Life With GDPR: Banking’s Data Dilemma – Farage’s Account Closure & the Risks of Data Breach

Tom Fox and Jonathan Armstrong, renowned expert in cyber security, co-host the award-winning Life with GDPR. The recent controversy surrounding Nigel Farage’s banking situation highlights the risks and compliance challenges faced by the banking industry in relation to data protection.

In this episode, Tom and Jonathan discuss the closure of Farage’s bank account with Coutts, a high-end bank owned by NatWest, and the potential data breach that ensued. They discuss the risks of internal emails being exposed through subject access requests (SARs) and emphasize the importance of caution in email communication. The conversation also explores the cost and consequences of non-compliance with GDPR obligations, particularly in relation to SARs. The potential legal implications for banks that violate their own policies or delete data that should be provided in response to a SAR are highlighted. Overall, the episode underscores the need for banks to prioritize data protection, compliance, and proper decision-making in the financial industry.

 Key Takeaways:

·      Nigel Farage’s Banking Controversy

·      Data Protection Risks in Banking

·      The Cost and Consequences of Subject Access Requests

·      Serious concerns about data protection and access to banking

 Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News section. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR compliance, by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Blog

Navigating Go-to-Market Security and Data Privacy

I recently had the opportunity to visit with Jason Patel of Cheq.ai, a global leader in go-to-market security. We explored the importance of protecting businesses and customers, leveraging data for marketing strategies, and complying with privacy regulations like GDPR and CCPA.

Patel believes that one of the top mistakes companies make is underestimating the extent of compliance regulations, such as GDPR, and only making surface-level changes. Compliance is a cross-functional requirement that affects operations, marketing, revenue, and customer engagement. It is crucial for businesses to take full responsibility for data protection instead of relying solely on vendors. Lack of visibility and control over data once it enters someone else’s servers is a genuine concern.

When it comes to safeguarding businesses and customers, Patel argues for a technology layer that sits in the browser and monitors what data is collected and which partners it is shared with. Such a layer enforces both company policy and the end user’s stated preferences on tracking and sharing. The goal is a transparent layer that operates unobtrusively until a change is made or a new partner needs to be introduced.

Real-time compliance is critical due to the speed of data collection and the need to adapt to evolving technologies and practices. Compliance in this area involves understanding and engaging with end users without resorting to invasive tracking methods. It is about respecting user choices and immediately stopping data collection when requested. This not only ensures compliance but also builds trust and loyalty with customers.

I took a deep dive with Patel into the refinement of laws and regulations governing businesses on the internet. As the internet becomes an increasingly integral part of society, regulators are turning their attention to the digital ecosystem. Clarity on data transfer and identification in the ad tech space is essential. Questions are being raised about how vital services on the web should be governed and managed. Striking a balance between trading data for services and avoiding excessive data trading is a key consideration. Monitoring these initiatives is critical for any compliance professional in the data privacy space.

Complying with privacy regulations is one of the key challenges facing digital marketing organizations. The focus is on controls-driven workflows rather than procedural workflows, to maintain efficiency and minimize risk. The gold standard for data privacy protection is GDPR, which shares similarities with other legislation such as the CPRA in terms of data usage, disclosures and consumer rights. Complying with GDPR already covers a significant portion of the requirements of other laws, making it a crucial framework to follow.

Opt-in and opt-out strategies are still debated in the United States. While opt-out is preferable for businesses, an opt-in approach, similar to the GDPR model, is more comfortable for end users. The opt-in approach establishes a good compliance posture and encourages meaningful engagement with users, and it appears to be the standard the rest of the world is moving towards. Technology standards are moving to honor consumer choices before legislation catches up.

I see data privacy as a leading issue in the next few years, up to and including more explicit attention at the Board level. Enforcement actions for privacy regulations are only going to increase. GDPR and CCPA are prime examples of privacy regulations that have been implemented. It is essential for both B2C and B2B businesses to prioritize customer privacy to build trust and maintain a competitive edge. By doing so, such businesses can create a true business differentiator, and compliance professionals can build more trust within their corporate organizations. Even if the US Congress remains unable to pass a national data privacy standard, the EU’s GDPR will continue to be the gold standard for the world and the one companies should aim to comply with going forward.

In this conversation Jason Patel and I explored the world of go-to-market security, market intelligence security, and customer privacy enforcement. We considered the importance of protecting businesses and customers, complying with privacy regulations, and respecting user choices. By focusing on real-time compliance and engaging with end users, a company can navigate the complex landscape of data privacy and security. As data privacy continues to gain prominence, it is crucial for businesses to stay informed, adapt to evolving regulations, and prioritize the privacy rights of their customers.

Categories
Data Driven Compliance

Data Driven Compliance: eCom Surveillance and Cybersecurity Data Management

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data Driven Compliance podcast, hosted by Tom Fox, which features an in-depth conversation around the uses of data and data analytics in compliance programs. Data Driven Compliance is back with another exciting episode. The intersection of law, compliance, and data is becoming increasingly important in the world of cross-border transactions and mergers and acquisitions.

Data has become much more ubiquitous and needs to be incorporated into business processes. AI data cleansing helps to reduce false positives and provides context to alerts generated by the system. AI capabilities are divided into three categories: removing duplicative content, detecting risk, and providing context. AI-powered data cleansing strips out non-human generated content and focuses on what was sent by an individual. This helps to lower false positives in alerts generated by the system.
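To show why stripping machine-generated text lowers false positives, here is an added example that is not code from the podcast guest’s product or any vendor. It uses simple rules in place of the AI model the passage describes: it removes quoted reply chains, signatures, legal disclaimers and system notices, deduplicates the human-written remainder, and only then runs keyword alert rules. The messages, patterns and rules are constructed for the illustration.

```javascript
"use strict";

// Added example; a rule-based stand-in for the AI cleansing step, not any vendor's code.
// The patterns below are illustrative assumptions, not a production ruleset.
const FOOTER_RE = /^(if you are not the intended recipient|this e-?mail .*confidential|please consider the environment)/i;
const SYSTEM_RE = /^(\[system\]|automated message:)/i;
const QUOTE_START_RE = /^(>|On .* wrote:$)/; // start of a quoted reply chain
const SIGNATURE_RE = /^--$/;                 // conventional signature separator

// Keep only the lines the human author typed.
function cleanse(body) {
  const kept = [];
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (QUOTE_START_RE.test(line) || SIGNATURE_RE.test(line)) break; // everything below is not theirs
    if (line === "" || FOOTER_RE.test(line) || SYSTEM_RE.test(line)) continue;
    kept.push(line);
  }
  return kept.join("\n");
}

// Normalize so the same human text captured twice (e.g. from two channels) dedupes.
function fingerprint(text) {
  return text.toLowerCase().replace(/\s+/g, " ").trim();
}

// Constructed alert rules: phrases a surveillance team might flag.
const RULES = [
  { id: "R1", re: /\bdelete this\b/i, desc: "request to destroy a record" },
  { id: "R2", re: /\bkeep this between us\b/i, desc: "concealment language" },
];

function matchRules(text) {
  return RULES.filter((r) => r.re.test(text)).map((r) => r.id);
}

// Pipeline: cleanse -> dedupe -> alert. `cleanseFirst: false` gives the naive baseline.
function surveil(messages, { cleanseFirst = true } = {}) {
  const seen = new Set();
  const alerts = [];
  for (const m of messages) {
    const text = cleanseFirst ? cleanse(m.body) : m.body;
    const fp = fingerprint(text);
    if (seen.has(fp)) continue; // duplicate capture of the same human text
    seen.add(fp);
    const rules = matchRules(text);
    if (rules.length > 0) {
      alerts.push({ id: m.id, from: m.from, rules, context: text.slice(0, 80) });
    }
  }
  return alerts;
}

// Constructed sample: a corporate footer that itself contains the phrase "delete this".
const FOOTER = "If you are not the intended recipient, please delete this email and notify the sender.";
const MESSAGES = [
  { id: "m1", from: "alice", body: `Lunch at noon?\n\n${FOOTER}` },
  { id: "m2", from: "bob", body: `Let's keep this between us, and delete this thread after reading.\n\n${FOOTER}` },
  { id: "m3", from: "alice", body: `Understood.\n\nOn Tue, 11 Jul 2023, bob wrote:\n> Let's keep this between us, and delete this thread after reading.\n\n${FOOTER}` },
  { id: "m4", from: "alice", body: `[System] Message archived from mobile client\nLunch at noon?\n\n${FOOTER}` },
];

// Compare the naive and cleansed pipelines on the same capture.
function compare() {
  return {
    naive: surveil(MESSAGES, { cleanseFirst: false }).map((a) => a.id), // ["m1","m2","m3","m4"]
    cleansed: surveil(MESSAGES).map((a) => a.id),                       // ["m2"]
  };
}
```

Run naively, every message alerts: the disclaimer footer trips the “delete this” rule on its own, and Alice’s one-word reply alerts because it quotes Bob. After cleansing, only Bob’s original message alerts, and Alice’s message re-captured from a second channel collapses into the first copy. That is the mechanism behind the claim that removing non-human content lowers false positives; a model can learn these boundaries more robustly than regular expressions, but the review-queue effect is the same.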

The need for eComms (electronic communications) surveillance is increasing as communication sources become more varied. Slack, Zoom, Teams, Bloomberg chat and ICE Chat are all commonplace now, and companies need to be able to capture data from each of them. Artificial intelligence and machine learning models are being deployed to let a compliance officer focus on what matters and take a risk-based approach. Companies that had been hesitant about the cloud are now moving their data there.

The amount of business conducted by voice over Zoom, Teams and other voice channels has skyrocketed. Regulators have been very clear that firms need to capture and record that voice data, and customers have asked for more and more data sources to be captured, including audio. Compliance teams need systems to manage collaboration, case management and review. Technology allows compliance teams to stop running their own internal processes out of Excel or SharePoint.

The combination of technology and compliance is transforming the industry. Artificial intelligence capabilities have come a long way in the past few years and are already good enough to provide a lot of value to customers. The innovation over the next few years will be on the defensibility front, proving defensibly why something was alerted on and why something else was not. Technology is available to capture every data source that’s out there, and it is essential for compliance teams to leverage this technology to remain compliant and competitive.

 Key Highlights

·      Ecom Surveillance

·      Cybersecurity Data Management

·      AI and Compliance

Resources:

 Tom Fox 

Connect with me on the following sites:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: July 12, 2023 – The US-EU Data Sharing Agreement Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • EU-US agree on data sharing pact. (NYT)
  • EU privacy advocates slam pact.  (BBC)
  • Max Schrems slams back, vows legal challenge.  (Yahoo News)
  • Challenges to data sharing pact likely.  (Reuters)
Categories
FCPA Compliance Report

FCPA Compliance Report – Maria D’Avanzo on Privacy Issues in the US and Beyond

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Join Tom Fox, the host of FCPA Compliance Report, as he speaks with Maria D’Avanzo, Chief Evangelist Officer at Traliant, about privacy issues in the US and around the world. Discover the challenges businesses face because the US has no national privacy law, only a patchwork of state laws led by California. Compare this to the EU, where GDPR has been in force since 2018, and to the similar laws implemented in countries such as Singapore, Australia and Brazil. Learn how GDPR has changed the way businesses handle privacy by making it part of business processes, and why consulting good outside counsel matters, especially for implementing a global privacy policy.

Explore how to handle cybersecurity incidents and disclosure of information, as regulations on this topic are still developing. Hear from Maria on how to address these incidents internally and the importance of an incident response plan. Find out how collaborating with the Chief Information Security Officer is crucial in developing a specific plan for these incidents, including a group effort from various departments.

Hear about instances where organizations share confidential information or data, leading to legal backlash and damage to reputation. This section discusses the Tesla case and suggests a broader conversation about company culture may be necessary to prevent such privacy infringements. Don’t miss out on this insightful podcast and tune in now to get important insights into privacy and cybersecurity from two industry experts!

Key Highlights

·      The Evolution of Privacy Issues Post-GDPR

·      Navigating Privacy Laws and Meeting Legal Standards

·      Cybersecurity Incident Disclosure Decision Making

·      Importance of Cybersecurity Incident Response Plan

·      The Impact of Sharing Sensitive Information

Resources

Maria D’Avanzo on LinkedIn

Traliant

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
From the Editor's Desk

February and March in Compliance Week

Welcome to From the Editor’s Desk, a podcast where co-hosts Tom Fox and Kyle Brasseur, EIC at Compliance Week, unpack some of the top stories which have appeared in Compliance Week over the past month, look at top compliance stories upcoming for the next month, talk some sports and generally try to solve the world’s problems.

In this month’s episode, we look back at top stories in CW from February around the changes in DOJ efforts to encourage corporate cooperation and compliance, and the Treasury Department’s renewed enforcement efforts against banks for violations of OFAC regulations. We preview some of the stories CW will look at in March, including several articles about data privacy in the US and Europe in a CW special issue.

Kyle relates some of the upcoming Compliance Week 2023 Conference highlights from May 15-17 in Washington, DC. Listeners of this podcast will receive a discount of $200 by using code TF200 on the link below.

 We conclude with a look at some of the top sports stories, including a recap of the Super Bowl, the insanity of the NBA trading deadline, and the opening of Spring Training.

 Resources

Compliance Week 2023 information and registration here

Kyle Brasseur on LinkedIn

Compliance Week