On 3 October 2023, the UK Information Commissioner’s Office held its annual Data Protection Practitioner’s Conference 2023 (DPPC 2023). This year its focus was on cybersecurity, a topic that concerns organisations across the board. Here are the takeaways from the DPPC 2023 (the event sessions are available here).
- Cyber security risks remain significant, the most common being phishing attacks. Generative AI is a new factor in the threat landscape, capable of making phishing attacks more convincing and therefore more effective.
- Cyber incidents are caused by poor cyber defences and can be mitigated by taking security measures. Data minimisation, together with knowing where data is held and what the files contain, can be critical for quick and efficient recovery from an incident.
- Asked which security frameworks or standards should be used (e.g., NIST), the ICO responded that a number of recently introduced laws require certain security measures to be adopted. Any framework can serve as a baseline, as long as the focus is on security as an outcome rather than on compliance for its own sake.
- Supply chains were also covered. When using third-party services, you need to conduct due diligence and issue security questionnaires, and have specialist security teams, rather than procurement teams, review the responses and the supplier’s standard terms. The NCSC has published useful guidelines on supply chain management.
Designing for Safety
The ICO introduced the concept of designing for safety, i.e., protecting vulnerable users against abusers. The ICO discussed several use cases where abuse scenarios are possible within an interpersonal relationship (current/former partners, parents/children, colleagues, etc.):
- Devices should be transparent about options that might have consequences for users’ privacy: location being visible, surveillance capabilities, use of the device by other users, etc.
- Interconnected devices should prevent secret surveillance and invasion of privacy, and should allow physical override of device controls.
- Where joint bank accounts are used, both account holders should have the same authority over the use of funds, to prevent a power imbalance that might allow one person to control the other.
- Surveillance devices should make it clear that surveillance is on and put safeguards in place to protect non-consenting adults.
- Devices that show location should be private by default and allow location to be turned off. Location should be off when the person is logged off the device.
The ICO recommended steps to integrate safety into devices:
- Research similar products
- Define the abuser archetypes and what they want
- Brainstorm about different things not covered by the research
- Find solutions to mitigate the harms
- Test the solutions and continue to improve them
Innovation Advice Service
The ICO reminded us of its Innovation Advice Service, through which it advises organisations pursuing innovation on how the data protection rules apply to their plans, within 10-15 working days.
Guidelines the ICO is working on
The ICO reminded us of its existing guidelines available online and announced plans for two new pieces of guidance: the meaning of vexatious requests, as part of the Subject Access Request guidelines, and how to conduct Transfer Risk Assessments for transfers of personal data to third countries, to accompany its existing TRA tool.