
Security Governance and Data Privacy Consultancy Services Home

Based in the North East, we provide highly experienced governance consultancy services for financial services firms who need support with their security compliance programmes.
We cover most major standards such as ISO 27x, PCI-DSS and GDPR, and can provide Data Protection Officer and Information Security Officer role-based support on a flexible contract basis.

Contact Us

Our Services

Data Protection Officer

Information Security Officer

Featured Posts


What is GDPR & Data Privacy?


Whether you’re new to GDPR or you’ve been working with data privacy for a while, it’s important to understand the basics of what it is and why it’s needed in the first place. The basic question for many people is, “what is GDPR, and why does it matter?”

As this term is the number one searched term related to data privacy on Google, I thought this relatively short primer may help clear things up.

GDPR Primer

GDPR, the General Data Protection Regulation, came into effect in May 2018 as the successor to the Data Protection Directive of 1995. The intention of the regulation was to create one set of rules for all EU member states to follow when protecting personal data.

The regulation is mandatory, as opposed to the data protection act, which was a voluntary code of conduct, and it identifies three main parties in the data protection chain: the data controller, the data processor and the data subject (an individual person), which I’ll explain shortly.

Why did GDPR come into being?

At a simple level, the rules came into place as a result of the age of big data and the internet, and of revelations about how our personal data was being abused and monetised by ad-tech, data brokers, tech giants and others.

It’s widely believed that Edward Snowden’s revelations about US government mass surveillance programmes, which targeted US citizens but also inadvertently swept in EU citizens, triggered alarm bells in Europe and pushed the issue of data protection to the fore.
Another major case was Max Schrems vs Facebook Ireland in 2013, an action which Schrems won.
The issue at hand was Facebook’s failure to get his consent to transfer his personal data to the US for further processing. This of course had larger ramifications for all EU citizens’ data and how it was automatically transferred outside the EU without their knowledge or proper supervision.

More >>

Data Privacy Trends


Over the last number of years, we’ve witnessed a surge in regulatory activity on a global scale. Last year saw an incredible average of 220 regulatory change alerts per day in the financial sector alone, a tenfold increase over ten years.

We of course saw GDPR implemented in 2018, but this has spurred a raft of follow-up legislation internationally at the country and state level. In my previous article, What is GDPR?, I mentioned developments with the Data Protection Acts of 2018 in Ireland and the UK.

These changes are essentially refinements, and in some cases dilutions, of the GDPR rules. But what about the US? Well, in 2019 alone, 5 US states implemented new or updated data privacy laws, whilst in 2020 California implemented sweeping changes with its CCPA regulation (see the related article “What is CCPA?”), and New York enacted its data privacy updates with the SHIELD Act, which strongly focuses on data safeguards, expands the definition of private (personal) information and strengthens its breach notification rules in instances where HIPAA or Gramm-Leach-Bliley doesn’t take precedence.

Developments on international transfers have also been to the fore in 2020, with the ruling on the invalidity of the EU-US Privacy Shield (see the related article “Privacy Shield is struck down”) muddying the waters for US companies doing business in the EU. It’s safe to say that each regulation has its own nuances, further complicated by the fact that many companies operate under multi-jurisdictional data privacy rules which are often subject to conflicting interpretation.

Perhaps one of the more interesting trends in compliance is the rise of AI and its underlying technologies. I refer back to my article on the CCPA regulation and its section on Innovation Automation, where I highlight 3 companies and their approaches to specific data privacy challenges.

It’s apparent that regulated firms globally have been overwhelmed by the burden of regulation, and they need automation and skilled resources such as legal compliance help, privacy practitioners (such as myself) and regtech solutions integrators to address the challenges.
Fines and reputational damage are too costly not to get it right any more, as the regulators seek to make examples as never before.

What is CCPA?


The California Consumer Privacy Act, or AB 375, came into effect in January 2020. Building on pre-existing privacy laws such as CalOPPA and the Shine the Light law, CCPA was perhaps a logical step by the California state legislature in response to mega breaches of the Equifax (147m records) variety and the reckless behaviour of Facebook in the Cambridge Analytica scandal.

So what’s in the CCPA regulations?
Applicability: It applies to any qualifying business, in any country, that has customers or employees based in California. Qualifying businesses are those with annual gross revenues in excess of $25 million, or that trade data on more than 50,000 consumers annually, or that derive 50% or more of their annual revenue from selling personal information.

Sanctions: California consumers may invoke the new law, and enforcement actions may include a $2,500 penalty per record for an unintentional violation and a $7,500 penalty for an intentional violation. (If Cambridge Analytica happened today, that would be 50 million multiplied by $7,500, or 375 with nine zeros.)
At a lower level, the act allows a “private right of action” for California residents, permitting claims of $100 to $750 per incident whether or not actual harm is proven. This law is tied to the recently updated California Data Breach Notification Law, AB 1130, which defines the data in scope, including driver’s licence, social security number, email address and account numbers, as well as medical, health and biometric information.
More >>

GDPR | CCPA – 10 Steps to Designing the Right Data Protection Program


In a recent report by DLA Piper, data breach notifications topped 160,000 and fines reached 114 million Euro ($126m) since GDPR rules came into effect in the EU in May 2018. The largest fine was recorded in France, 50m Euro against Google for GDPR violations.

In the UK, the latest Information Commissioner’s Office report shows that GDPR fines have tripled in the space of a year on the back of the BA and Marriott rulings, while in the US the California Consumer Privacy Act (CCPA) and New York SHIELD Act have just been enacted in 2020 and will certainly see data security perp walks of sorts very shortly, if data breach history teaches us anything.
Well, let me start by saying I’m sorry to be alarmist, but it’s my job in security to be the squeaky wheel sometimes. So in this article I hope to set you in the right direction if you have more than a passing interest in privacy by design (PbD) and data protection regulations, in particular how EU and US registered businesses in a post-Privacy Shield era can better prepare for GDPR and CCPA using a 10 point plan. The plan has been designed more toward medium to large regulated firms, given that budget constraints for security controls like IAM, and the ability or requirement to hire a data protection officer, may be beyond the reach of smaller firms.

In order to prime you for these steps, may I recommend that you have a glance at the GDPR FAQs from the EU Commission press office, the CCPA guidance from the Office of the Attorney General in California, and the New York SHIELD Act text from the NY Senate, which is useful at a high level.

More >>

RECENT POSTS



Security and Privacy Links to Follow in 2021 !

Are you looking for ideas for top privacy and security links to follow in 2021? Here are a few of my suggestions for practitioners to stay on top of trends, reports and regulatory alerts, based on personal research for articles I wrote in 2020.

Who is the SVR-RF and has Putin won the Cold War?

Corporate espionage has seen a marked increase in sophistication and involvement by hired hackers and nation states on a global scale. In this article we discuss boardroom espionage methods, motivations and the law in the US and Europe.

Data Privacy Consulting Services by Paul Rogers

Need a Data Privacy Expert?

Are you looking for a highly experienced, qualified data privacy consultant on flexible contract terms? If so, click below to find out more about our consulting services.

Testimonial

“We worked with Paul at Data-Privacy.io to gain authentication for our Compliance and Internet security policies. Paul has all round experience across a range of verticals and brings his knowledge and understanding of this critically important area to the benefit of our business. We are very happy with the project undertaken and the results will have lasting impact on our business. We look forward to working closely with them on other projects and are delighted to recommend him to other companies.”

Our Privacy Policy


Data protection and privacy are of the utmost importance to us, which is why we take great care with how we use personally identifiable data. Click on the link below to read about our policy and its alignment to GDPR and the data protection acts.
The General Data Protection Regulation (GDPR), enacted in May 2018, includes a series of data protection rights which you should be aware of while using our site and services. These rights are captured in principles or articles which, for the purposes of our policy, constitute data subject rights. You can find our Data Privacy policy on our Privacy Policy page.