The US and China have rarely seen eye-to-eye. But with years of appeasement getting it nowhere fast, the US is now not only talking tough on trade with its biggest rival but also taking steps to harm the business interests of Chinese firms. Here’s my latest for IDG Connect:
This month a deal between Huawei and AT&T to sell its smartphones in the US collapsed after pressure from senators worried about unspecified security concerns. It was a major blow to the world’s third largest device maker and could result in tit-for-tat retaliation by Beijing. In China, Apple announced it would be handing over management of iCloud services to a local government-owned partner — in order to comply with Chinese laws created as a result of escalating tensions and protect its revenue stream in the Middle Kingdom.
These two tech giants are at the center of what could well become a major trade dispute between the world’s pre-eminent superpowers. If it continues to escalate, it could spell disastrous news, not just for IT buyers, but the global economy.
A long time coming
It’s a battle that’s been brewing for years. On the one side, US firms — and technology players in particular — are desperate to access China’s vast market of over one billion internet users. To do so, they’ve been prepared to put up with strict Chinese laws which demand partnering with domestic firms, and technology transfers which can expose IP to the local partner. Along with out-and-out IP theft in the form of cyber espionage — carried out with the blessing or perhaps even backing of the government — this has helped Chinese firms catch up fast in the technology stakes over the past few decades. Censorship of various US platforms — think Twitter, Facebook and Google — also helped to provide a useful vacuum for local players to thrive.
China’s new Cybersecurity Law (CSL) may overlap with GDPR, but could still deliver the opposite effect from the intended one. How will China’s GDPR-like Cybersecurity Law impact business?
Now the US is hitting back. The first big move came when lawmakers effectively banned Huawei and ZTE from touting for telecoms infrastructure contracts in the US, citing national security concerns. Then came the NSA leaks and revelations from the portable USB drives of Edward Snowden, describing how US intelligence had been spying on China for years by intercepting and bugging US-made Cisco routers. That was all Beijing needed to escalate its own policy of prioritising homegrown products and putting yet more roadblocks in the way of US firms.
Huawei rival Cisco was hardest hit, seeing its China market share reportedly plummet over 30%. But some reports suggest that the number of government-approved foreign tech firms in China fell by a third between 2012 and 2014, while those with security-related products fell by two-thirds.
Microsoft has also been singled out, with Windows 8 banned for government use, while Qualcomm was hit with an anti-trust fine of nearly $1bn. Then China introduced a rigorous new Cybersecurity Lawwhich — although seemingly designed to improve baseline security for local organizations — could also provide a legal basis for forcing US firms to hand over source code during national security ‘spot checks’.
This law is the reason Apple has been forced to transfer local iCloud operations to partner Guizhou on the Cloud Big Data (GCBD). It claims to have “strong data privacy and security protections in place” and says that “no backdoors will be created into any of our systems”. But experts are sceptical. Threat intelligence firm Recorded Future previously claimed that the law could give the government “access to vulnerabilities in foreign technologies that they could then exploit in their own intelligence operations.”
That’s not all. By handing over local control of iCloud accounts to a Chinese partner, Apple may be putting at risk the privacy and security of employees of US firms operating in China.
“This latest move by Apple to essentially cede control and operation of its cloud services in China to the Chinese government is part of a larger and disturbing trend by Western technology companies to limit user privacy in exchange for continued access to the Chinese market,” Recorded Future director of strategic threat development, Priscilla Moriuchi, told me.
Hackers could have a head start on researching exploits that US firms have not yet caught wind of. Why does China spot security vulnerabilities quicker than the US?
“Per Apple’s security procedures, GCBD would have access to metadata about Chinese users’ iCloud documents, as well as complete access to any unencrypted @icloud email activity.”
While it’s not clear if this is the case for foreign firms operating in China, the vagueness of the CSL certainly makes it possible.
The big freeze
Now the speculation is that President Trump could escalate what is already a de facto tech Cold War by imposing unilateral sanctions on China in retaliation for claimed IP theft and forced tech transfers. So is a full-blown trade war looming?
China-watcher Bill Bishop is pessimistic of future US-Sino relations. In his popular Sinocism newsletter he had the following:
“I think the forced termination of the Huawei-AT&T deal significantly raises the likelihood that a major US consumer electronics firm with meaningful operations in China will be smacked down at the first sign of a real US-China trade war.
“Beijing assumes the US government is so paranoid about Huawei because it uses US firms to do what it says Beijing does with Huawei, and the Snowden revelations confirmed many of those suspicions. If anything, Beijing has been remarkably tolerant of some US consumer electronics firms given the treatment of Huawei and what we learned from the documents Snowden stole.”
Given the large percentage of US tech firms with manufacturing facilities in China, a trade war would have a catastrophic impact on global supply chains, making parts and products more expensive, reducing choice for IT buyers in the West and devastating parts of the US economy. If the revenue made by large multi-nationals in China were to dry up, jobs would be lost — not only in those firms but all their partners, suppliers and local economies.
Canalys analyst, Jordan De Leon explained just how reliant on foreign suppliers both Chinese and US organisations are.
“In the US Lenovo is the fourth-largest PC vendor and has a massive installed base. It also has key clients in its datacentre business in the US. Similarly, in China, Dell is number two and HP is number four in PCs,” he told me by email.
“In the event of a trade war, though unlikely, these three brands will be impacted. The extreme scenario is if there is legislation that is made to totally ban US-products in China and vice versa, which means businesses in those markets have to comply. China is also an important market for Apple, not to mention the fact that China is a vital manufacturing base for Apple.”
However, Forrester principal analyst, Andrew Bartels, believes strong opposition from big business could be enough to prevent Trump from creating such a scenario.
“A US-China tech war is more likely than US-China trade war, despite Trump’s periodic Tweets, because there are strong institutional forces built around supply chains that would cause big businesses to resist through legal and political action any imposition of trade barriers,” he told me by email.
“The US-China tech war is kind of in an uneasy truce, with the US government tacitly accepting that the Chinese government is favouring its own technology developments and vendors in China, and the Chinese government tacitly accepting that the US is going to put up barriers periodically to Chinese firms buying US companies.”
Ultimately, this dynamic should be enough to temper the policies even of a dogmatic populist like Trump. This is a numbers game, and China has the numbers — both in the size of its domestic market, and the $340bn+ surplus it’s running with the US. Acting tough with Beijing can be a dangerous game to play, and the tech industry is first in the firing line.
It might not have escaped your notice that critical infrastructure (CNI) organisations are increasingly being probed by nation state hackers. Traditionally, IT managers in these environments might have relied on “security-by-obscurity” to get by. But with many now connected to the public internet and running Windows systems, that defence is no longer valid. One of the main challenges appears to be mitigating risk on legacy systems which can no longer be patched.
I’ve been speaking to experts in this area for an upcoming feature and thought I’d share their best practice advice.
CNI under attack
There’s certainly no doubt that CNI firms are coming under attack far more frequently than they used to. Witness the alleged North Korean WannaCry attacks, which hit 34% of NHS Trusts and nearly 600 GP practices, leading to cancellation of an estimated 19,000 operations and appointments. Or arguably more sophisticated attacks – think China and Russia – designed to carry out reconnaissance work on key systems, or even in some cases disrupt power supplies, causing widespread black outs.
Recognising the uptick in threats, the European Commission’s NIS Directive will look to enforce a minimum standard of security across providers of “essential services” in the UK and Europe. However, from what I’ve heard, there are varying levels of awareness about the new law, set to come into force on 9 May 2018.
“Yes, awareness and activity has been on the rise, but generally still behind where it should be I think,” KPMG cybersecurity practice partner, Martijn Verbree, told me. “Many organisations haven’t realised to what extend this applies to them and the impact.”
So how exactly do CNI firms keep legacy, unpatchable, systems secure — appeasing regulators in the process? Most experts I spoke to pointed to SCADA and ICS systems as exposing organisations to most risk. Interestingly, air-gapping isn’t necessarily going to work, according to Michail Maniatakos, assistant professor at the NYU Tandon School of Engineering.
“Given the rapid increase in the numbers of mobile computation devices, air-gapping has proven to be an illusion as individuals enter air-gapped locations using their laptops, smartphones, smartwatches etc. There are documented cases of USB drives breaching the air-gap, ie Stuxnet,” he told me by email.
“The most appealing option is layered security, and the assumption that every layer can be breached. The advantage of this method is that even if a layer is breached, the window of opportunity for the attacker will be limited to go through all the layers of security — similar to the security offered by multi-factor authentication. Needless to say, this approach needs also advanced intrusion detection capabilities as well, in order to quickly understand whether an adversary is in your control network.”
BeyondTrust VP of technology, Morey Haber, explained that layered security should include ACLs and port filtering, which would have protected against threats such as WannaCry and Bad Rabbit.
“If networks are properly zoned, malware or ransomware that leverages exploits can’t attack additional assets if the ports and IP ranges are blocked against lateral movement from adjacent resources or untrusted zones,” he told me. “This mitigates the threat temporarily while patches are being deployed but is good practice to block an infection in the first place.”
Another key technology to consider is continuous network monitoring, baselining normal behaviour and then alerting when suspicious activity is spotted.
“This includes looking for command and control using DNS or communications obscure IP addresses or unapproved resources via lateral movement,” continued Haber. “It is not enough to monitor TCP/IP traffic alone but also all the supporting services from NTP or DNS that can be used in a modern attack. Deviations in these patterns may allude to a growing or persistent threat.”
He also recommended removing all admin rights — citing a Microsoft estimate from last year that 84% of vulnerabilities can be mitigated by doing exactly this. Risk exposure can be further minimised by turning off all unnecessary services, ports, and features, he added.
Advanced security controls are also vital, such as network and web firewalls, IDS/IPS.
“While these may be integrated technologies, when was the last time they were upgrade to the latest firmware, pen test for best practice rules, or planned for replacement due to end of life?” said Haber.
“While every security professional would agree the perimeter has dissolved due to the cloud and Internet, local area network resources still need to be protected. Using the latest technology and verifying your devices are not obsolete is key to defend against attacks and stopping modern threats like ransomware.”
In addition, there’s always the option of paying for extended support — a deal the NHS had with Microsoft until 2015, for example. This might be expensive, but with some firms like FedEx and Maersk claiming NotPetya cost them hundreds of millions of dollars, it might not be such a bad investment.
Last week, the Irish High Court made a judgement on transatlantic data flows that could have far reaching implications for US tech firms and point the way towards economic disaster for the UK.
Yes, it might not have received much coverage at the time, but the court’s decision was a biggie.
It asked the European Union Court of Justice (CJEU) to scrutinise the mechanism by which Facebook and many other firms transfer data: standard contractual clauses (SCCs).
Why? Because Austrian law student Max Schrems is still not happy that his personal data could theoretically be snooped on by the US authorities whilst residing in Facebook datacentres over there. His previous battle with Facebook over this issue led to the collapse of the Safe Harbour agreement between the EU and US.
Its replacement, Privacy Shield, is the other main legal mechanism – aside from SCCs – that govern data transfers outside the US.
“In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that,” Schrems said in a written statement following the court’s decision. “As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”
Emily Taylor, CEO of Oxford Innovation Labs and Chatham House associate fellow, took time out to discuss the issue with me.
“The reference to the CJEU is no surprise, and the fact that the US government applied to be joined as party shows how high the stakes are on all sides – for governments, for big data platforms like Facebook, and for individuals,” she told me.
“The case shows that the Snowden revelations continue to reverberate on both sides of the Atlantic. The CJEU has taken a consistently hard line against mass data collection and retention, and increasingly relies on the EU Charter of Fundamental Rights. The Charter allows for ‘more extensive protection’ of fundamental rights such as privacy, compared with the more familiar European Convention.”
That spells some uncertain times ahead for Silicon Valley, especially with Privacy Shield also facing an uncertain future.
That’s not all though. The case tells us much about what may happen to post-Brexit Britain.
Our digital economy is worth around £160bn and responsible for over 1.5m jobs, by some estimates. That makes it a vital part of the economy, and means unhindered data transfers with the EU – our biggest trading partner and the largest trading bloc in the world – are absolutely essential.
So how do we square the EU’s requirements around strong privacy protections for citizens, with the round hole of the UK’s brand spanking new Investigatory Powers Act? Also known as the Snoopers’ Charter, the new law has given the UK authorities probably more power than any country on earth – save for China and North Korea – to snoop on their own citizens.
“It is difficult to see how the UK’s mass data collection requirements under the Investigatory Powers Act could satisfy the EU Charter and this could have a severe impact on EU-UK data flows, potentially damaging UK business interests post-Brexit,” Taylor concluded.
That should be getting people in all sorts of high places very nervous indeed.
Donald Trump made some questionable remarks this week that have rightly caused an almighty backlash. But one thing he did that may have more support, is sign an executive memorandum which will most likely lead to a lengthy investigation into alleged widespread Chinese theft of US IP. This is a big deal in Silicon Valley and something that has irked US business in general for years.
The question is, will this latest strategy actually result in any concrete changes on the Chinese side? As you can see from this new IDG Connect piece, I’m not convinced.
Years of theft
There are few things Democrats and Republicans agree on, but one is that China has had things far too long its own way when it comes to trade. The US trade deficit between the countries grew to $310 billion last year, helped by the growing dominance of Chinese businesses. Many of these have been able to accelerate their growth and maturation thanks to IP either stolen by hackers from US counterparts or take via forced joint ventures and tech transfers. Many of them are selling back into the US or their huge domestic market, undercutting American rivals.
Chinese firms don’t have the same restrictions around forced JVs and tech transfers to enter the US market. In fact, the likes of Baidu even have Silicon Valley R&D centres where they’re able to recruit some of the brightest locals, while government-backed VC firms have been funding start-ups to continue the seemingly relentless one-way IP transfer.
There are, of course, more nuances to the dynamic, but you get the point.
So, will this investigation get us anywhere? After all, it will empower the President to take unilateral action including sanctions and trade embargoes. Well, on the one hand, little gain can be made from stopping Chinese IP hackers, as they have stopped outright theft ever since a landmark Obama-Xi deal in 2015, according to FireEye Chief Intelligence Strategist, Christopher Porter.
“If anything, discontinuing straightforward theft of intellectual property for strictly commercial purposes has freed up Chinese actors to focus more on these other targets than ever before, so the risk to companies before and after the Xi Agreement depends heavily on what industry that company is in and what sort of customer data they collect,” he told me via email.
That’s not to say the Chinese aren’t still active in cyberspace, but it’s less around IP theft, which is the focus of this investigation, Porter added.
“We have seen an increase in cyber threat activity that could be Chinese groups collecting competitive business intelligence on US firms selling their products and services globally—several companies that were targets of proposed M&A activity from would-be Chinese parent companies were also victims of Chinese cyber threat activity within the previous year, suggesting that they may have been targeted as part of the M&A process to give the Chinese company a leg-up in negotiations,” he explained.
Which leaves us with JVs and tech transfers, which have provided Chinese companies with vital “know-how” and “know-why” over the years. To my mind, if there’s any area where the US can and should focus its diplomatic and negotiating efforts, it’s here. However, as reports in the past have highlighted, it took China years to construct a gargantuan, highly sophisticated tech transfer apparatus, and it won’t be looking to bin that anytime soon, especially with the Party’s ambitious Made in China 2025 strategy now in full swing.
Neither side will want to become embroiled in a trade war. The US has too many companies which count China as a major market – it’s Apple’s largest outside the US, for example – and Chinese firms are doing very well selling into the US, as that huge trade deficit highlights.
In the end, my suspicion is that this is just another bit of Trump tough talk which will actually produce very little.
“This long-awaited intervention should also probably be viewed in the larger picture of the way the Trump administration operates: in terms of ‘carrot and stick diplomacy’,” Trend Micro European Cyber Security Strategist, Simon Edwards, told me.
“It is also well documented that the US administration is trying to use trade deals to get action on the situation in North Korea; and perhaps this is more of a stick to be used with the accompanying ‘carrot’ of a greater trade deals?”
Time will tell, but it’s unlikely that US tech companies operating in China, and their global customers, will be any better off after this latest test.
We all know that skills shortages in IT, and information security in particular, are endemic. Globally, the industry is expected to need 1.8 million more workers by 2022, according to the Center for Cyber Safety and Education and (ISC)². One sure fire way to reduce this imposingly large total would be to encourage more women into the industry.
With that in mind, a new report, Women in Cybersecurity, makes for fascinating reading.
The report was compiled by Caroline Wong, VP at pen testing firm Cobalt, on the back of interviews with hundreds of female IT security practitioners in the US, UK, Singapore, Australia and elsewhere.
“Recent press coverage on the topic has a tendency to focus on the negative – under-representation, unfair pay, and challenges in the workplace,” she told me.
“These aspects are true, however I know there’s a story that’s just as true, and that’s how many women in the field are thriving. I personally know so many women – and now I have the data to back it up – that love their jobs, feel deeply satisfied by the work they’re doing, and are tremendously successful.”
One of the key takeaways from the report is the need for employers to prioritise diversity in their hiring. Often firms narrow their options too far by failing to consider candidates from other backgrounds. According to Wong, it’s critical that hiring managers are engaged in the process and thoughtful about what skills are needed for particular roles. In fact, over half of those women she spoke to had no IT or computer science background when entering the industry – but instead had experience in areas as diverse as compliance, psychology, internal audit, entrepreneurship, sales, and even art.
“I was pleasantly surprised by the seniority and diversity of the women who responded to the survey. The topic of women in cybersecurity has received more press in the past few years than ever before, and I think it’s possible for readers to assume that women working in this field is something new – it’s not,” concluded Wong.
“Some 36% of respondents have been working in the field for 10 or more years, while 53% have been working in the field for more than five years.”
So, listen up hiring managers. Try thinking outside the box when you’re next looking for candidates. The cybersecurity industry desperately needs fresh blood, and women make up a paltry 11% of the workforce globally at present. This needs to change – and fast.
I realise it’s been a while since I posted something up here, so here’s an article I wrote recently for Top10VPN’s new Privacy Central site:
The UK has been unlucky enough to know terrorism for quite some time. Many will remember the IRA campaigns of the 1970s and ’80s. This was an era before smartphones and the internet, yet the Irish paramilitary group continued to wage a successful campaign of terror on the mainland.
It continued to recruit members and organise itself to good effect. Politicians of the modern era, led by Theresa May and various members of her government, would do well to remember this when they launch into yet another assault on Facebook, Google, and the technology platforms that are alleged to provide a “safe haven” for Islamic terrorists today.
Now she is calling for greater regulation of cyberspace, something the independent reviewer of terrorism legislation has openly criticised. Along with increasing moves across Europe and the world to undermine end-to-end encryption in our technology products, these are dangerously misguided policies which would make us all less safe, less secure and certainly less free.
Our “Sliding Doors” moment
Every time a terror attack hits, the government continues its war of words not simply against the perpetrators, but against the tech companies who are alleged to have provided a “safe haven” for them. After all, such rhetoric plays well with the right-wing print media, and large parts of the party.
“Safe haven” has become something of a mantra for the prime minister, alongside her other favorite; “strong and stable”. She argues that terrorists are hiding behind encrypted communications on platforms like Facebook’s WhatsApp and Apple’s iMessage, and are using social media platforms like YouTube to recruit members and distribute propaganda.
“We cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet, and the big companies that provide internet-based services, provide,” May said after the London Bridge attacks. “We need to work with allied democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorism planning.”
Part of the regulation May wants to bring in could include fining tech companies that don’t take down terrorist propaganda quickly enough. Max Hill QC, independent reviewer of terror legislation, has rightly questioned this hard-line approach.
“I struggle to see how it would help if our parliament were to criminalize tech company bosses who ‘don’t do enough’. How do we measure ‘enough’? What is the appropriate sanction?” he said in a speech reported by The Times.
“We do not live in China, where the internet simply goes dark for millions when government so decides. Our democratic society cannot be treated that way.”
China is an interesting parallel to draw, because in many ways it offers a glimpse into an alternative future for the UK and Europe; one in which government has total control over the internet, where freedom of speech is suppressed and privacy is a luxury no individual can claim to have.
The problem is that no one sees authoritarianism coming, because it happens slowly, drip by drip. Regulating cyberspace would begin a slow slide into the kind of dystopic future we currently know only from sci-fi films. As Margaret Atwood’s heroine Offred says in her acclaimed novel The Handmaid’s Tale: “Nothing changes instantaneously: in a gradually heating bathtub you’d be boiled to death before you knew it.”
In many ways, we sit today at a Sliding Doors moment in history. Which future would you prefer?
The problem with backdoors
End-to-end encryption in platforms like WhatsApp and on our smartphones and tablets is something Western governments are increasingly keen to undermine, as part of this clamp down. It doesn’t seem to matter that this technology keeps the communications of consumers and countless businesses safe from the prying eyes of nation states and cybercriminals – it’s also been singled out as providing, you guessed it, a “safe space” for terrorists.
The Snoopers’ Charter already includes provisions for the government to force tech providers to effectively create backdoors in their products and services, breaking the encryption that keeps our comms secure. In fact, the government is trying to sneak through these provisionswithout adequate scrutiny or debate. They were leaked to the Open Rights Group and can be found here.
It remains to be seen whether the British government could actually make this happen. An outright ban is unworkable and the affected tech companies are based almost entirely in the US. But the signs aren’t good. Even the European Commission is being strong-armed into taking a stance against encryption by politicians keen to look tough on terror in a bid to appease voters and right-wing newspaper editors. Let’s hope MEPs stand up to such calls.
The problems with undermining encryption in this way are several-fold. It would give the state far too much power to pry into our personal lives, something the UK authorities can already do thanks to the Investigatory Powers Act (IPA), which has granted the government the most sweeping surveillance powers of any Western democracy. It would also embolden countries with poor human rights records to do the same.
Remember, encryption doesn’t just keep terrorist communications “safe” from our intelligence services, it protects journalists, human rights activists and many others in hostile states like those in the Middle East.
More importantly, it protects the communications of all those businesses we bank with, shop with, and give our medical and financial records to. The government can’t have its cake and eat it: recommending businesses secure their services with encryption on the one hand, but then undermining the very foundations on which our economy is built with the other.
Once a provider has been ordered to create a “backdoor” in their product or service, the countdown will begin to that code going public.
Even the NSA and CIA can’t keep hold of their secrets: attackers have managed to steal and release top secret hacking tools developed by both. In the case of the former this led to the recent global ransomware epidemic dubbed “WannaCry”.
Why should we set such a dangerous precedent, putting our data and privacy at risk, while the real criminals simply migrate to platforms not covered by the backdoor program?
“For years, cryptologists and national security experts have been warning against weakening encryption,” Apple boss Tim Cook has said in the past. “Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”
In short, we need more police officers, constructive relationships with social media companies, and smarter ways of investigating terror suspects. Dragnet surveillance, encryption backdoors and more internet regulation is the quickest way to undermine all those democratic freedoms we hold so dear – and send us hurtling towards that dystopic authoritarian future.
Europe’s new data protection laws might have been over a decade in the making but it would take about as long again to read every piece of advice that’s since been produced on how to comply. In search of some simple answers to a typically complex piece of European legislation, I asked a few legal experts on their thoughts.
With 13 months to go before the compliance deadline, organisations across the country will be scrabbling to ensure they’re not one of the unlucky ones caught out in the months following 25 May.
Start with the Data
Most experts I spoke to were in agreement that firms need to start by mapping their data – after all, you’ve got to know where it is and what you do with it first before working out how to keep it safe.
“For those that are compliant with existing laws, GDPR is going to be an evolution. For the others, it’s going to be a deep, radical change. In general, I think that every organisation should be working on assessing their current practices in light of GDPR,” Forrester analyst Enza Iannopollo told me.
“My advice is, regardless of the kind of support an organisation chooses, it must put together a team of internal people – hopefully the privacy team – and make sure that that team leads the work. Compliance with GDPR is not a one-off effort, but an ongoing process that has to be ingrained in firms’ business model,” she said.
Change the culture
That cultural change might be the hardest thing for organisations to achieve, although a good start is hiring a Data Protection Officer (DPO) – one of the key requirements of the GDPR. Another is the privacy impact assessment, which PwC’s US privacy lead, Jay Cline, recommends as a key stage once you’ve completed a data inventory.
“Data protection impact assessments (DPIAs) are the eyes and ears of the privacy office throughout the company,” he told me by email. “DPIAs are how chief privacy officers enlist the help of the whole company to keep their privacy controls current with all the change going on in the company.”
For Alexandra Leonidou, Senior Associate at Foot Anstey, there’ll be a key role for non-IT functions inside the organisation.
“Who needs to know about the GDPR? Who are the key stakeholders? This isn’t just something for IT, information security teams or data officers. Boards should be aware of the risks, and HR teams need to think about employee data. Getting GDPR compliance right will be critical for marketing and communications teams’ activity,” she told me.
“You will need to engage key stakeholders and implement measures that leave you with an acceptable level of commercial risk.”
Leonidou was also keen to stress the need for independence in the DPO role.
“Guidance from Europe suggests that this role is likely to be incompatible with certain existing C-suite executives,” she explained. “The awareness-raising that follows on from the allocation of accountability will be an ongoing process.”
For those still in the dark, some useful free resources include the Article 29 Working Party and our very own Information Commissioner’s Office. It’s also expected that even post-May 25, the regulators will give firms a little bedding in time before they start going after some high profile offenders.