Is the Cloud the silver lining for GDPR compliance?

According to a report by cloud-access security broker, Netskope, the average company is using 608 cloud apps in their day to day business, but organisations typically underestimate this figure by around 90 per cent. Netskope go on to pose a valid question: how can cloud-consuming organisations ever hope to comply with the GDPR if they don’t know 90 per cent of the apps they are using?

As 25 May 2018 looms (D-day for compliance with the General Data Protection Regulation), many businesses are well underway with the development and implementation of their compliance regimes.

The starting point for compliance is the same as for non-cloud based data: audit, audit, audit. You need to know what apps you are using, what personal data you hold or process, what you are doing with it and why. Cloud-based apps commonly used by businesses include Facebook, Gmail, Twitter, LinkedIn and Outlook 365.

Another important consideration from a cloud perspective is where cloud apps are processing or storing data. Establish where your app vendor is hosting your data (this is not always the same location as the app vendor’s headquarters) and consider what the implications of this could be.

Check what terms you have in place with your cloud providers and review these to ensure that you are comfortable they comply with the requirements of the GDPR, including the security measures the cloud provider takes in relation to personal data. If you’re not confident that the terms are sufficient, consider whether to re-negotiate the terms to ensure compliance or switch provider.

There are steps you can take internally to limit risk: consider what personal data you really need to hold and process in order to function as a business. If you don’t need certain personal data, then continuing to hold it simply exposes your business to an avoidable risk. Having a process of regularly reviewing the data you have and erase anything that you can no longer need is a step in the right direction for GDPR compliance.

Personal data stored or processed in the cloud should be treated no differently than any other personal data, so take care to incorporate the audit and management of cloud-based data into your GDPR compliance regime.

Contact Us

RegTech: a new way to manage risk

“RegTech” is a term that is fast becoming a buzzword. Fusing together “regulation” and “technology” it represents the latest generation of technology aimed at helping businesses comply with regulatory requirements, particularly within the financial services sector (the FinTech sector).

The increasing digitalisation and automation within business (particularly in the FinTech sector) has the potential for businesses to expose themselves to increased risks such as data breaches, hacking, money laundering and fraud. Couple this with an increasing amount of regulation designed to combat some of the risks posed by such events (e.g. General Data Protection Regulation and Markets in Financial Instrument Directive II (MiFID)). RegTech offers a new generation of compliance solutions, designed to make it easier to comply with these regulatory requirements.

So how is RegTech different from previous solutions?

• Agility: with more reliance on cloud-based delivery, RegTech can react and adapt quickly to changes in the regulatory environment. This gives RegTech solutions a significant advantage over legacy systems where updates can take months to implement.

• Big data: many RegTech tools can utilise existing “big data” datasets and machine learning to reduce risk, e.g. by carrying out real-time risk-analysis to recognise suspicious transactions that are indicative of fraud or money laundering.

• Cost and scaleability: solutions deployed through the cloud are more easily scaleable and cost can be better linked to actual usage. Customers can also exercise more flexible control over data (e.g. access and sharing) than under non-cloud based systems.

A key consideration for RegTech solution providers and their customers will be the allocation of risk under the contracts. Customers will be keen to ensure that if they suffer loss as a result of a failure in regulatory compliance then they will be able to recover as much as possible from the RegTech provider. Meanwhile RegTech providers may be unwilling or unable to withstand exposure to this potential liability. Commonly the standard position adopted by software providers that their software/solution simply a tool to assist with compliance, not that the tool/solution guarantees/assumes responsibility for non-compliance is being adopted and therefore the risk still rests firmly with the customer. The exact balance of how risk and liability will be shared:

• is a matter of negotiation for each contract;
• will depend on the solution/tool being provided; and
• will depend on the bargaining power of the parties.

The road to a world of digitalisation and automation looks set to continue for the foreseeable future and it seems likely that increasing cyber-crime and regulation designed to protect consumers (and their data) will go hand in hand with this. Demand for compliance solutions and tools is only likely to increase and RegTech will become an established sector in its own right that we will all need to be familiar with.

Contact Us

Predictions then and now – where are we in 2018?

This time last year we made a number of “tech” predictions for the year ahead. In the year that saw President Trump’s inauguration, the UK take its first step towards leaving the EU with the triggering of Article 50 and the Great British Bake off move to Channel 4, we take a look back at tech in 2017 and consider whether our predictions were far off the mark.

Our predictions centred around Big Data and in particular Cloud offerings, Artificial Intelligence and Digital Products. We wondered if some of our predictions were more akin to the story lines of sci-fi movies; however, it soon became evident that technology that was once the preserve of an active imagination is now becoming an everyday reality. For example, consider whether a year or two ago it would have been conceivable that you would have a voice enabled smart speaker “personal assistant” named Alexa in your home? Now, according to a recent report from Juniper Research, 55% of US households will have an Alexa installed in their home by 2022. Our tongue in check question, “What’s next…driverless cars??” edged ever closer to becoming a reality.

Recap on our top 5 predictions for 2017

1. High profile cyber-attacks

Unfortunately, 2017 picked up where 2016 left off with some extremely sophisticated and crippling cyber-attacks. However, even we couldn’t have anticipated the scale of the global cyber-attack that used hacking tools widely believed to have been developed by the US National Secuirty Agency to introduce ransomware known as “Wanna Cry” to systems, which severely impacted the NHS’ infrastructure and affected more than 300,000 computers in 150 countries. And the NHS attack wasn’t the end of it; 2017 saw cyber-attack after cyber-attack and we firmly believe that this is a trend that will continue into 2018 and beyond.

2. The Information Commissioner will continue to flex its muscles

The ICO did indeed continue to flex its muscles as we saw a succession of penalties levied throughout the year. We stand by our prediction that the ICO will take an even tougher stance on businesses failing to comply with their obligations in respect of privacy and data protection once the General Data Protection Regulation (GDPR) comes into effect later in 2018.

Already, we have seen a record fine issued by the ICO not even 2 weeks into the new year. Carphone Warehouse was fined £400,000 for a breach of data protection as the company failed to protect customer data collected by its website. Outdated word press software was used which had vulnerabilities compromising the security of customer data. Carphone Warehouse was also penalised for not taking adequate measures in relation to data security. The ICO continues to recommend businesses take a layered approach to data security.

3. Migration to the Cloud

Given the perception that the Cloud is a safer environment than traditional data centers, we anticipated businesses would look to the Cloud for costs savings and efficiencies. Research undertaken by the Cloud Industry Forum during the course of last year has these figures at 88% which is an 83% increase from when the research was first carried out in 2010. Their findings also noted that businesses are adopting a hybrid approach to the Cloud. The main concern with the Cloud still remains around data privacy. Will 2018 see the first sustained and successful cyber-attack on Cloud providers?

4. Business Continuity and Disaster Recovery (BC&DR)

“BC&DR” and “disaster recovery plan” did not become the buzz words of 2017. However, cyber-attack and cyber-security were, not least due to the sheer number of high profile cyber-attacks, WannaCry, Uber and Equifax to name a few.

We predict that this year’s buzz word will be “blockchain”. Blockchain is a digital ledger in which transactions made in bitcoin or other “cryptocurrencies” are recorded publicly. Again, there are similar issues here to cyber- attack. 58bn yen (£380m) was taken from Coincheck, the bitcoin exchange, earlier this month. This is believed to be the largest cryptocurrency theft to date.

5. The changing legal landscape

Although to date the law has not kept pace with modern technology, 2018 will see the implementation of legislation aimed at aligning the law with modern day technologies with the implementation of the GDPR and the ePrivacy Regulation. Watch this space for more guidance and practical advice as to the implications of the legislation for businesses. The ICO has not yet finalised all of its practice notes and may not do so before the new legislation comes into effect. However, business will be expected to be demonstrably compliant when the legislation takes effect on 25 May 2018. Given the ICO has been on a recruitment drive, increasing the number of enforcement officers, we anticipate the ICO will hit the ground running in terms of its enforcement regime against businesses found to be non-compliant with the new legislation.

Our predictions for 2018

• Emergence of Blockchain platforms offerings as an alternative to traditional cloud platforms.
• Software developers to come under greater scrutiny from customers looking for software security guarantees and reassurances.
• Artificial intelligence and machine learning to become mainstream and the norm in business operations. What next, conversations with bot call handlers? In some industries, this has already arrived!

Whatever 2018 brings, it’s more than likely that this time next year we will continue to be in awe of the inconceivable places that technology continues to take us. Watch this space…

Contact Us

Meet Our Specialists

Home-grown or recruited from national, regional or City firms. Our specialists are experts in their fields and respected by their peers.

Mohammed Akeel Latif

Mohammed Akeel Latif

Akeel is a Partner and Head of the Corporate Commercial department at Myerson

Andrew Brown

Andrew Brown

Andrew is a Partner in our Corporate Commercial department

Carla Murray

Carla Murray

Carla is a Partner in our Corporate Commercial department

Scott Sands

Scott Sands

Scott is a Partner in our Corporate and Commercial department

Share our latest news update