Friday, June 27, 2014

DPO Stories #3 - 007

ONCE UPON A TIME...

The department responsible for answering third-party requests for information on bank customers receives a letter from the national secret service. It has no instructions on how to handle such requests, so it forwards the question to the data protection officer.


The data protection officer (DPO) looks at the letter and scratches his head. The letter is not signed, and it does not indicate the basis on which the request is made beyond a general reference to the law establishing the secret service, which was recently amended to give the service new powers. The letter does, however, name a contact person and give his contact details.

The DPO called the secret service on its public number, confirmed via both a local police department and the service's own public website. There, by merely quoting the case number on the letter, the DPO asked to speak to the handling officer. Once put through to the very contact person named in the letter, the DPO could connect the dots. He then openly explained his problem with a letter like that: it would be quite easy for a fraudster to send such a letter in order to obtain information.

The secret service took the bank's reaction seriously. A meeting was set up to discuss what procedure would give the bank sufficient comfort to answer requests. The agreed solution included two-channel verification of each request, letters that have to be signed (by people on an agreed list), a clear indication of the actual article on which the secret service bases its request, etc.

COMMENT

There are some lessons in this story:

- Always remain sceptical towards requests for information.
  • The department responsible for answering third-party requests made the right call in questioning whether this "non-standard" request could be answered at all.
  • Invoking authority is a frequently used social engineering technique. People are in awe of authority and tend to drop their guard. Being "healthily and respectfully critical" towards anyone invoking authority is therefore usually a good call.
- Investigate via independent sources.
  • Do not investigate using the contact information in the request. That would be the easy way, but it is also what fraudsters expect you to do. They can then control your investigation by answering your questions... themselves.
  • Here the DPO obviously had to end up at the secret service, but the way to get there was via a channel not under the control of the initial sender. Reaching the named contact through that independent channel is what actually confirmed the case number.
- Set up procedures that give you comfort in terms of authentication, if possible together with the person/body that needs to be authenticated.
  • You may be surprised that even public bodies are prepared to enter into a discussion on how to set up the process.
  • You cannot always ask every potential person/body to be authenticated, but talking to a (set of) "test case" person(s) can help you set up a procedure that actually works, rather than one that fails because it is too complicated, has too high a threshold, etc.

THE POWER OF STORIES

(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviourists and marketers have taken a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some things obscure, and that any resemblance to a name or situation you may know is likely to be coincidental. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? If so, please do.

Do you have experience with secret service requests?

Thursday, June 26, 2014

DPO Wharfs #1: Retention

Data retention is often a tough wharf to work on, as in most cases quite a number of regulations apply at the same time.

I tried to make a high-level overview presentation just to wrap my head around the big ideas. I posted it on Slideshare.

This is more or less the main slide. After that I go into some more detail per "force".


Please, comment to improve. Thanks.

Wednesday, June 25, 2014

Periodic Awareness Tip #8 - Posters etc.


MATERIALS



Sometimes it is good to confront staff regularly, even if only subconsciously, with data protection triggers.

Around 2005 Barclays developed a large-scale data protection awareness programme with a marketing agency under the theme "Think Privacy": wall posters, standards, wobblers for the computer monitors, pins, messages in the toilets, ... the whole works.

It was presented at the 2008 ENG seminar on Strategic Data Protection and Privacy. The programme got the CEO's buy-in because the CEO had to sign off, under personal liability, that Barclays was data protection compliant. From there on they could create, implement, support and control an action plan broken down into manageable business segments.

Barclays put a lot of money into that awareness campaign. To recover some of that investment, they looked for others to reuse the materials for a fee. And so the Think Privacy community was born. If you join, you can reuse their efforts.

But the programme often does not have to be that heavy. The same can be implemented as a smaller, lighter campaign, as long as it fits the organisation. Overdoing it can even be counterproductive.

And by the way, all that effort is still no guarantee. Barclays had some individual cases published, e.g. of an employee accessing customer data without a need to know, in 2012 and in 2013. In February 2014 Barclays was confronted with a(nother) big data breach, which was reported in quite a few media outlets (e.g. the Daily Mail, Reuters, the Guardian). But they can argue that they have made data protection awareness a priority in their organisation.

REPEATED SERIES INTRO

Raising awareness amongst your company's staff is key, as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness is also not a one-off thing. You have to keep hitting the same nail. Preferably, though, you try a different angle every time, as information overload and boredom set in quite rapidly. So let me periodically, and in no particular order, share some awareness-raising materials. Let's aim for once per week and see where we get.

CALL TO ACTION

Please do comment on these posts: is this useful? What have you used in your organisation to engage colleagues? How do you measure success? etc.

Monday, June 23, 2014

BELGIUM / FLANDERS - Specific regulation for DPO in government bodies

In Belgium / Flanders there is a very particular regulation on the Data Protection Officer (the actual title is closer to "security consultant") for bodies that take part in the exchange of information within the Flemish government.

I made a slide deck on that (in Dutch) and published it on Slideshare.

The presentation is basically cut up into 3 chapters:
  1. When does a DPO have to be appointed?
  2. What does the DPO have to do (based on the legislation)?
  3. What is the position of the DPO?

Friday, June 20, 2014

DPO Stories #2 - Burdens of a Farmer


ONCE UPON A TIME...

A local branch manager of a bank calls the DPO, in a bit of a panic. He has received a letter from a customer in which the customer threatens to divulge information that was lying openly on the branch manager's desk, so that the bank would be labelled as not protecting its customers' data as it should. His ransom: granting his loan request to buy a tractor.

OK, this is strange. Let us back the story up a bit.

WHO?
The main character is a 67-year-old farmer. Farmers are hard workers. Some cannot stop working at the "normal" retirement age: some do not want to stop, others have not built up a retirement fund and so have to keep working to maintain an income. In any case, this farmer was not ready to stop and applied for a loan to buy a new tractor... five times. The bank had declined those applications every time, mainly because, amongst other things due to his age, the farmer was not considered creditworthy. The farmer had actually escalated his application to the bank's centralised credit department, but that department had rerouted the request to the local branch office, because that was the procedure for loan applications up to a certain amount. So the farmer was... frustrated. He had made a new appointment with the branch manager.

The branch manager ran a local bank branch with only a handful of staff. So he was no "manager-manager", but actually did quite a lot of the day-to-day work in the office. That included handling most of the loan applications above a certain amount, such as mortgages and bigger commercial loans.

THE MEETING
The farmer had been, for a big part of his life, a good customer of the bank. So the branch manager agreed to meet the farmer once again. He squeezed him in after another meeting, just before closing the branch.

The farmer came to the meeting prepared. He had the reply from the central credit department and a new calculation of how he planned to pay back the tractor. He also came early. So after seeing out the couple that had come for their mortgage, the branch manager did not get time to prepare for the new meeting. He let the farmer in immediately. The discussion could begin.

After a while the branch manager agreed to look at the new proposal, without making promises, however, as the prior applications had really been looked at in depth and, after this talk, he did not expect anything significantly different. But OK, he would make a copy of the farmer's proposal and look at it the next day.

The branch manager left the office to make the copy, returned a few moments later and handed the copy to the farmer. Here the story gets a bit blurred. Either the couple's mortgage application was lying on the branch manager's desk and the farmer took it; or that information was still on the copier and the branch manager accidentally bundled it with the farmer's copy and handed it to him.
In any case, the farmer now had a more or less complete financial overview of the couple, residents of the same (small) town. And he decided to (ab)use that position by putting pressure on the branch manager. In a small town like theirs the rumour would spread really fast and might harm the bank's business for quite some time.

THE REACTION
The branch manager chose not to try to solve this on his own, but used a help line: he called the data protection officer to help look for a solution. Together with a member of the bank's litigation team, they decided to write the farmer a letter describing the situation, stating that his action was inappropriate, disrespectful and contrary to the law, and giving him a chance to rectify it by returning the information and signing a declaration that he had not taken copies.

THE OUTCOME
The farmer immediately returned the information and signed the declaration. He did not, however, get his loan. His creditworthiness had not changed.

COMMENT

I like this story because it shows a number of things:

- losing data is more common than you would think:
  • it does not per se require a "bad" bad guy; the farmer was a very ordinary person
  • it does not require big mistakes by staff: having some papers on your desk or on the copier after a meeting while in a hurry, who is not guilty of that sometimes?
  • it does not require high-tech hacking; it can be as simple as information on paper in an office
- seek help immediately:
  • covering up, or handling it by yourself, is a natural reflex, BUT...
  • following that reflex can and often does lead to more problems; in this case, going along with the "blackmail" would have led to a breach of the bank's credit adjudication policy, so it would have been discovered; providing the loan himself was impossible for the branch manager; calling the farmer's bluff might have blown up in the branch manager's face; etc. Quite a lot of movies build on that combination of covering up and how it turns bad.
  • overcoming that reflex opens up (more) possibilities for finding a solution (faster)
  • when help is sought immediately, the team looking at the problem has more options to tackle the issue and only has to deal with a limited, not yet accumulated set of issues. Options generally diminish and issues generally accumulate as time passes.
- data protection officers are solution seekers, or at least should be:
  • lawyers, risk managers, compliance officers, (senior and middle) managers, etc. are often seen as people playing the blame game. And unfortunately that is quite often true. BUT...
  • good ones do not play the blame game but look for solutions. It is one of the principles a data protection officer should live up to.


CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? If so, please do.

Do you know movies where covering up turns bad?

Thursday, June 19, 2014

DP Theory LVL2: Parties - Enter Some More


In the "one slide" section we indicated three main characters on the stage: the data subject, the controller and the processor.
In subsequent posts we will drill down further and:
- revisit the three main characters;
- add two concepts from the EU Data Protection Directive (EU DPD):
  • the recipient, and
  • the third party;
- add two concepts not found in the EU DPD itself but in the standard contractual clauses for international transfers:
  • the data exporter, and
  • the data importer;
- show and give some insight into the complexity of the interplay between all these players.

Wednesday, June 18, 2014

Periodic Awareness Tip #7 - Animations

VIDEO-ANIMATIONS


Sometimes you come across computer animations on security. Some of them are good, others need some tweaking. I personally appreciate the one above because, despite the limits of the animation, it has a pretty strong script and pushes the boundaries on language a bit, which makes it stick. And indeed that remains key: get the message right; the channel is secondary.

You can also try to work one out yourself. There is a lot of free(mium) or open-source animation software to give it a try with.


CALL TO ACTION

Please do comment on these posts: is this useful? What have you used in your organisation to engage colleagues? How do you measure success? etc.

Tuesday, June 17, 2014

DP Theory LVL2: Scope - Elements


In the one-slide version we limited the reference to the scope of the EU Data Protection Directive (EU DPD) to "processing personal data". Let us dig a little deeper.
The scope of legislation is in most cases approached from different perspectives:
- what product or activity is in scope?
  • in the jargon: "ratione materiae"
  • for EU data protection legislation: focused on "processing personal data", with a few carve-outs (art. 3)
- what is the territorial reach?
  • in the jargon: "ratione loci"
  • for EU data protection legislation: a connecting factor with the EU is required (art. 4: the controller's establishment in a Member State, or the use of equipment on EU territory)
- who is in scope?
  • in the jargon: "ratione personae"
  • less relevant for EU data protection legislation, as in principle every controller is in scope
We'll discuss each of these angles separately.

Wednesday, June 11, 2014

Periodic Awareness Tip #6 - Fun

INSERT FUN

Awareness training has to be periodic so that it sticks and remains top-of-mind, or somewhere in that region. It is absolutely wrong to keep launching the same message. Surprising the audience with a different approach, from serious to light-hearted and fun, sometimes even cautiously over the top if that works for your company, will get more people on board than repeating the same message over and over again.

A few examples:


Well-placed self-deprecation and humour are often appreciated. They do not, as is often feared, have to be to the detriment of your reputation. On the contrary.


A longer example is the "hypnotic" yearly training in these two videos:





CALL TO ACTION

Please do comment on these posts: is this useful? What have you used in your organisation to engage colleagues? How do you measure success? etc.

Tuesday, June 3, 2014

Periodic Awareness Tip #5 - Training w Training


VIDEO


This is a longer video, which probably makes it inappropriate to use in the corporation in its entirety. You can't have all staff spend about 25 minutes on it; the CFO might hang you. You also can't have your audience watch it during a training session: their attention will be right out the door. What you can do is have them watch it before they come to the training, or on the bus/plane if you have them bussed or flown in, etc. Or you can offer it as "further reading" for those who are more interested.

By the way, this video shows how data protection authorities (in this case the UK Information Commissioner's Office) can be a partner in delivering material to support your organisation.