Episode 1 transcript: Understanding Europe's privacy future - The GDPR

Ian Todd: Hello and welcome to the new realities of cyber security podcast. My name is Ian Todd, I’m a data privacy and cyber security consultant here at PwC.

In this podcast series we’ll explore the new realities of cyber security, discussing the various underlying challenges that our clients face, or will face in the future.

We’ll spend time each week talking to experts in their field who understand the ever evolving world of threats.

Today I’m joined by Jane Wainwright, Director of Privacy and Data Protection at PwC, who will discuss the upcoming General Data Protection Regulation, the largest data protection regulatory change seen in a generation.

Jane has a diverse and decorated history and today we’ll cover everything from her career in the army and her time securing the London Olympics, to her role as Director of PwC’s rapidly growing privacy team.

So Jane, thanks for joining us on the podcast, I think this is a really topical area right now for cyber security, I know with Brexit and the upcoming changes to the data protection laws, people are really interested in privacy and cyber security so, I guess to start with a little bit of your background, an introduction from yourself would be interesting, I know you’ve done a lot of stuff with the army in the past and some stuff with the Olympics that’s fascinating, so a little bit of an introduction would be lovely.

Jane Wainwright: Yeah, thank you Ian, so I’m a Director in the Privacy and Data Protection team, so I sit in our Risk Assurance business, but I work very, very closely with colleagues in Consulting and in Legal Services as well so the team is made up of many, many skills and expertise and I’ve been doing data protection I guess for the last two and a half years in the firm but you know, as you described my career has been very different in the past. So I started in the military in 1996, many, many years ago and I joined the Intelligence Corps, so I was British Army Intelligence for 12 years and I served most of that time in Northern Ireland, so my role there was primarily around counter intelligence and I guess I finished in the military around 2008, where I was looking at the insider threat to the Armed Forces, so had somebody joined the military with the intent of doing something bad, or was somebody in there that had been persuaded in some way or changed their mind to do something and it does happen, it happens all over the place. You know you’ll see in the press as well that, people in business do bad things, now it doesn’t mean they always had that intention, but something can change that makes them do something bad, so it’s not exclusive just to the commercial world, it does happen, you know, in the public sector as well.

So I left in 2008 and I went to the defence contractor Raytheon, so we were the prime in the eBorders project and that was about the digitisation of the UK border, so we’d won that project from the Home Office and I was responsible for the security aspects of that programme. So looking at how the design of the eBorders environment was going to be kept secure, now eBorders itself whilst it does continue on, it isn’t in the same way that it had been built back in the early 2000s because contractors have changed in and out, but I suppose the premise of it still exists, in that borders needed to be tighter in security. So that was about the biometrics and it was really born because the Prime Minister at the time couldn’t answer the question as to how many illegal immigrants we have in the United Kingdom, so that’s why they designed this idea of eBorders so you could count in and count out people coming and going and it was to allow legitimate travel, but to prevent people from coming in that had a different agenda, whether it works or not is a different question - but you know the principle is still there.

But I was there for a couple of years, then I was offered the opportunity to go and work for London 2012, so in 2009 I was asked to join LOCOG and the OCOG itself stands for the Organising Committee and the L just for interest comes from the fact that it was in London, so Rio just was ROCOG, that’s how it works.

So I joined LOCOG in 2009 as the Head of Corporate Security, so I was responsible again for the insider threat to the games. So a workforce of 200,000 plus people, had somebody joined the workforce with a hidden agenda, to have done something during the games. I had information security as well. I had data protection, so looking at all the information relating to every single ticket holder, people who bought a teddy, a mascot you know, whatever it may be and I had intellectual property protection as well, so Wenlock and Mandeville you may remember fondly or not which were the mascots, so I looked after the intellectual property around the protection of the image of the mascots as well, because that’s quite a big deal for a business and if you think about some of our clients that protect information, what assets mean a lot to them, you might be surprised to hear in fact that the images of mascots mean a lot to an Olympic games because it’s part of their brand. So I was with those guys up until 2012, I had the best professional experience of my life apart from PwC of course but it was fantastic and I learnt a lot and you know, trying to stage an Olympic games in a decade that we’re in, in a city like London, is incredibly complex, so you know, it’s a learning experience that I will never have again, so I feel very fortunate that I had that.

I then moved out to NBC Universal, the film media group, so I was the Director of Security there for the European operations and again it was pretty creative so I looked at content protection but because we had a wing of our business that was about news, I had to support operations in hostile environments as well, so journalists going into places like Syria and the Middle East and I also looked at the security of the operation for NBC so that could be everything from film crews doing red carpets in Leicester Square again to things like dropping off journalists in the middle of a war zone.

But then I moved on to PwC, so I’ve been with the firm now, I think it will be actually four years in April, so started out in cyber security because of my broad security background but moving into privacy as I described earlier but I have done a number of things since I’ve been in the firm around the security spectrum, so you know I’ve given physical security advice as well as personal security and other areas so yeah, that’s where I am today.

Ian: Fascinating I guess, what underpins that entire journey is data and the security around data, like you say maybe intellectual property, it might be personal data and I guess that fits quite nicely into obviously where you are now and the first question for me is to ask you how things have kind of progressed or changed over the last five years from a data protection point of view and what the challenges are for organisations, I mean how have things changed over the last five years?

Jane: So I guess, I mean I suppose you’ll find the same story when you ask people just about cyber as well, is it has become less of a single responsibility, where I suppose if you think about data protection as a subject, it’s the lawyers or if it’s cyber security, it’s the IT people and I think what I’ve seen is that there has been this advance in the way people think about the subject matter, in that everybody needs to understand about it, not just in a commercial sense but also personally at home, you know so you’ll find there’s adverts on TV now about how to protect yourselves and your data, where years ago that probably would’ve been lock your doors and your windows right, because it’s about protecting your property from burglars, where now in a digital age you know the same principle applies it’s just people relate to it more and it affects more people than it ever did and I think it is just about you know, the upsurge in how technology has moved you know, what happens in a space of a year has taken decades and decades to get to but now exponentially you know it changes in a matter of weeks and months and I think that’s probably what’s you know, increased the level of risk that we see, not helped or helped in some cases by media stories as well but you know, the prevalence of data and the sharing of it, you know that kind of digital economy. 
If you want to buy services and goods online, quite often there’s a trade-off between you buying something and giving them the data but of course there’s consequences to that, quite often they can be positive if a business is able to do something good with that data like profiling for example, you may find that the products and services you then get as a result of changing that data with them or sorry handing it over, allow them to give you a better service but equally for some people they find that intrusive and then if that business does get breached in some way, you know you feel invaded in some way so I think there is a trade-off but it definitely, definitely has changed and I think it’s only going to get worse.

Ian: That feeds into I guess my next question really is what are the big challenges for organisations? Obviously we’ve touched upon the complexity of the amount of data that’s there but what other big challenges are we seeing at the moment?

Jane: I guess, so for some and I think it’s a very sector specific answer, for some it is very much about the protection of it and for others it might be about liberating and using it to their advantage, so you know, you’ll hear the phrase quite often, big data. Big data can be used in many different ways, so if you think of you know, pharma or life sciences for example, you know they’re trying to use data that’s been collected over years and years to perhaps find the magic cure for something that they’ve struggled with, in fact the answer’s always been there, they just haven’t been able to use data in the way, you know modern technology allows them to, but then if you look at it from a retail perspective, you’ve got those guys there that are hoovering up data because they want to do the profiling that I described earlier and package it up and sell it on as well that you see with some sectors like you know, insurance for example so in financial services there’s the selling of data which is seen as quite prolific there. Now it’s not to say it’s against the law to do that but the way data is used is actually very, very different.

Ian: So a big aspect of privacy that I’m reading more and more about is this idea of privacy by design, I believe it was one of our colleagues over in Canada, some of the guys over there have been talking about this. Is this a solution, this privacy by design, I know there’s not one solution to everything, but is this something that organisations should be thinking more about and I guess maybe explaining what privacy by design is would be helpful as well for listeners.

Jane: Yeah, so I guess the concept, or PbD as it’s also known, is about, when you start something new, how do you make sure that privacy or data protection is reflected in the blueprint of it, if your initiative touches on personal data in some way. So rather than retrofitting it in later on, which happens quite a lot, it’s important that you build it in and again you know, this is a fairly oldish concept that we’ve seen, you know security by design, particularly in the physical world, is not new. So if you think about designing an airport for example, you know you may not feel it all the time but security has been built in everywhere, even things that look like benign bollards are in fact probably hostile vehicle mitigation, which means that a car’s not going to get through that, but you wouldn’t understand that when you see it. I think privacy by design has got the same concept, is that it may not scream privacy at you but it’s been designed with privacy in mind and I think that helps particularly from a client perspective, it helps them to get themselves out of hot water later on because a lot of the risk that we see is legacy risk and it’s because it wasn’t considered at, you know the very inception of whatever initiative it is that we’re going to describe. So if you can start as you mean to go on and build privacy in from the outset, it’s a lot easier to manage risk and stop yourself getting in trouble or you know, being non-compliant if you like, than it is when you’re trying to look backwards and dig yourself out of a hole.

Ian: And do organisations understand that, I mean do you see organisations saying, yeah this is the best way, do this I guess, start-ups and younger companies will probably be more willing to do privacy by design just by the nature of their business as it’s growing they can get privacy right in there, I mean do we see a lot of organisations adopting this right now?

Jane: I would say not really because it’s quite complex where you have organisations that have a lot of initiatives going on at the same time, particularly very data centric organisations. You need the discipline and rigour to get privacy by design in from the very outset. Now given what we’re describing is, whilst data protection and privacy is not a new concept, its prevalence in the economy is becoming, is more of a new concept and therefore, expecting that level of maturity is perhaps slightly unfair but I think it is understood now more so because of the new regulation that’s coming through Europe and the benefits of doing it and I think it’s not to say that clients or you know in particular businesses that I’ve been alongside, disagree with the concept, it’s how do you make that live and breathe in practice when quite often you’ll have a data protection officer and then you’ll have maybe 60 or 70 initiatives in a business, how do you get the discipline in to, you know to get these people to do that from the beginning, it’s quite hard in fact.

Ian: So I mean we’re quite fortunate to actually catch you in London today and you’ve been travelling everywhere all over the world, so how does the picture of privacy look where you’ve been travelling, because I know you’ve been over to Asia, you’ve been over to North America, how do we compare from the European perspective and what’s the feeling from other parts of the world about privacy?

Jane: So it’s interesting that there is a perception that we are very preoccupied with privacy in Europe, you know and I’ve had direct questions, you know just as you’ve referred to my travels in Asia, by clients in Japan over why the Europeans are so hell bent on making sure that their rights are observed and you know in the States what you’ve got there is a very litigious environment there as well so it’s not to say that they don’t consider it but they, you know they know what their rights are if something goes wrong. So I think right across the globe you’ve got this almost, this agnostic definition of what privacy may or may not be to people because what it means to you or me is different, you know to people who are listening to this as well. Yeah you would argue that most people would like to have the right to a private life, you know unless you’re in the public eye then obviously there’s a trade-off there but most of the time I think you know, people do want to have their privacy observed but if you look at behaviours online, some people are more willing to give data away than others for example and what you expect in return from that is different as well. So some people are quite happy to post pictures of their family online, you know it’s not an issue for them and others are really not. So I think in that respect it is you know, I’m sure there is a way to describe us as, as a continent or even, you know how Asia looks at it different from Europeans different from the Americans but I think even within there, you’re going to get mixes and it is about perception.

Ian: So the big question, I guess there are two points to this question but first of all how is the GDPR, the General Data Protection Regulation that we’re going to see in May 2018, how is this going to affect the privacy landscape, I mean obviously from a legal compliance perspective it’s huge, but everything else, I mean how big an impact do you see this being?

Jane: So I guess for the, so the General Data Protection Regulation is the new kind of one stop shop law coming out of Europe which governs the management of personal data and that’s related to the 500 million citizens of Europe, so if you are a business that is touching data relating to Europeans, yet you’re in the States, you’re still governed by the GDPR. So it’s about the protection of the information and rights of the citizens of Europe.

Ian: It really is a global, globally it will impact organisations everywhere?

Jane: Yeah, if you do touch citizens in Europe then, you know you definitely, you know you come into scope of the regulation. I guess, you know what we had before that was a disparate amount of laws and regulations that came out of Europe that basically said to European countries, here it is but you can kind of do what you want with it. So in the United Kingdom we have a Data Protection Act and the challenge we had across Europe is that many different countries thought about data protection in different ways, so there’s an imbalance in some places and perhaps an over-protection in others, you know as it was perceived. So now what this does is it just regulates all of Europe in the same way and I guess, you know it’s been in the making for many, many years, that was actually born in the UK, so it was the UK Information Commissioner at the time that suggested that this was a good thing to do. So businesses have been aware of it and it’s been evolving over time, so there’s been many iterations but it comes into full effect in May 2018. So businesses have been given a fairly shortish window to move into what the GDPR is asking them to do and you know there are very interesting stories to be told across the economy where some that, have just put their head in the sand and said well, we’ll see what happens, is it a bit Y2K? and we see other clients that have been you know really getting themselves geared up for it and prepared for it and we’ve also seen others that have been trying but perhaps have not been doing the right thing or not been approaching it in the right way. So it’s a bit of a mixed bag but fundamentally what it’s trying to do is, you know put the power back in the hands of the citizen, so you know the changes there really are allowing the citizen to take more control of their data.
It allows more powers for the regulator, so fines have increased from, if we think of the UK for example, the maximum fine that the regulator can give at the moment, and the regulator here is the Information Commissioner, is £500,000 which is you know, fairly small fry compared to the new fines as of 2018 which is €20m or 4% of worldwide group turnover. Compulsory rights to audit – so the regulators will now have those compulsory rights. Mandatory breach notification – so if you breach now you have to tell the regulator and you also have to tell the citizen if it’s deemed bad enough.

Ian: I think that particularly is a really interesting point. I think that gets overlooked quite often, correct me if I’m wrong, but I think it’s 72 hours.

Jane: 72 hours yeah

Ian: That people have, so – and I don’t know how many organisations are comfortable with being able to diagnose a breach and then relay out that information, like I say to the Commissioner’s Office or to the people who, not their employees sorry, their customers – I think that’s a really difficult thing for organisations to do and that kind of feeds into this idea about the DPO – the Data Protection Officer – how they’re going to be having more responsibility with the GDPR and this will be part of their remit I suppose, but I don’t know how many are actually ready for this.

Jane: I mean I think you know, there’s been a number of public breaches over the last couple of years that have been heavily criticised for not coming out quicker than what they did – and one of them in particular you know, came out within say 40 odd hours or so and was criticised for that, so if you think they were actually under the bar for the GDPR, yet they still got criticised and I think anything that touches on consumers, or the general public – it’s very hard to get it right when it comes to response. Now you’re given a 72 hour notice, I think that’s interesting on paper, in black and white in the regulation – but how that translates into practice and how a business actually responds on the day I think is the thing that’s most important. So we would always say to clients, you know you should really rehearse yourselves in these scenarios, because they’re becoming ever more prevalent and we see it on the news all the time and there’s no excuse really, if you know, if you had a CEO in front of a Select Committee – perhaps a decade ago they wouldn’t have been able to lean on any other examples in the economy of where this had happened and therefore what the expectations were, but now there’s plenty of them, where I’m sure they’d get grilled to say ‘well you heard about so and so and you saw that happen and why did you not learn from that?’ so I think the excuses are wearing thinner and thinner and even though you’ve got 72 hours – how you react in those 72 hours I think is one of the most important things.

Ian: Absolutely and I think even before a breach even occurs, we’ve seen this in organisations we’ve worked for, or worked with, where there’s an expectation that you should have been doing stuff a year ago, 2 years ago, 3 years ago – just in case a breach happens and we’ve seen where these breaches have occurred and there’s just not really any controls there, there’s no security in place and I think even with the GDPR on the horizon, I do worry for a lot of organisations that just aren’t prepared internally for any of this. They don’t know where the data is, they don’t know what their retention policies are, they don’t know what the controls are around this data and all of this will really boil over I think from May 2018 onwards.

Jane: Yeah and I think you know it’s about understanding your journey between now and then and I think it’s very important for businesses when they take custody of data to do the right thing by it and its consumers, or the data subject – not because the law requires them to and of course that is a big player in all of this, but because ethically it is the right thing to do, if you have got data related to people it is your charge to take care of it.

Ian: Yeah

Jane: So whilst there may seem a lot to be done, I think what we advise businesses on is: what is the right thing to do that gives you the greatest benefit, to protect that information - whether it be from security or you know, for some sectors accuracy is a very important thing, so if you think about healthcare for example – you certainly don’t want to tell a patient that they’ve got cancer when they haven’t - and that has happened because of inaccurate data – so again that is a data protection issue, so you know, the message there is data protection isn’t just about security, it’s about how long you keep data for, it’s about how accurate is it and why have you got it in the first place and how are you using it. I think that’s been a misconception around data protection quite a lot and I speak to CEOs – just last week I was with a FTSE 100 board retailer and when you ask the question around what does data protection actually mean to you? Quite often you get ‘all about security, the security of data’ you know they can be forgiven for that, because that’s pretty much how they’ve been told, but of course, we know, we understand that it’s far broader than that and I think that’s what businesses need to understand is you may secure it, but there are other things that you could be doing with it that can still prove or result in harm.

Ian: Yeah absolutely. So I know we’ve touched on different areas that we at PwC are trying to help our clients and help organisations, so what are the main offerings that we have right now, and I know we’ve talked about the RAT, we’ve talked about some Boot Camps, but what else are we doing? What are the big things that we’re offering out to clients?

Jane: So I’ve described the fact that there’s a small amount of time left and what we believe is that there isn’t enough time to do all that is needed and that’s for all clients, right across the economy and that’s not just here in the UK, because the UK team that I mentioned earlier, is actually the global centre of excellence for GDPR so we have team members that have been out, as mentioned in Japan recently, had one of our senior managers come back from Australia, we’ve been out in the States as well, so it touches on many businesses across the globe and what we’re doing is trying to help them to figure out what’s the right thing to be doing now, in preparation for May 2018 and quite often what we’re seeing is purposeless activity as we described it – so people are doing stuff just burning away at doing stuff, so we’re trying to encourage them to put a stop on that and just have a little think about what does data protection actually mean to their business? Where are their biggest risk areas and what are they worried about the most? And once you get them to start to think like that it’s easier to then put investment into areas that really do need it, because between now and then you would almost need an army of people and more time than the day gives us to get yourselves compliant with GDPR.
So it’s about fixing the stuff that matters most and that’s in the interests of the business and of the end consumer or the data subject if you like and we do that through a process that considers their vision and strategy for data protection for the GDPR, we want to make sure that clients understand that because with every good project it should have a vision arguably, because otherwise you don’t know if you’ve got there or not and then we look at the risk elements associated with their current state and then we try to help them to figure out – ok in which order should we now start to tackle this and then hopefully get them to a state where they can do BAU and start to fight smaller fires as they get further down the road. You know I described the team earlier, we’re a mix of barristers, solicitors, risk professionals, cyber security professionals, data professionals and I think when you put all those people together in a room and you give them something like the General Data Protection Regulation, you know what has ultimately come out of that is excellent when it comes to a solution and a well thought through solution that isn’t just about a tick box exercise for compliance sake.

Ian: Yeah absolutely and I know you’ve touched upon this, but it covers all sectors ….

Jane: Absolutely yeah

Ian: ….all sizes of businesses, geographical location, everything, so this is a really all-encompassing change to the regulations isn’t it? And like you say we are fortunate here that we’ve got great lawyers, great cyber professionals, great data professionals, so we can offer a whole wide range of different things for clients which is really helpful.

Jane: Yeah

Ian: So I mean that was great, I think we could do this podcast 5 more times and have more information coming out, so I really appreciate your time today, I think it’s been really helpful for people who are wanting to know more about the GDPR, more about what PwC do and a bit of cyber in the middle there as well.

Jane: Thank you

Ian: So thank you for joining us, I think that was a really great introduction to the GDPR and some of the huge challenges organisations face up until May 2018.

Next week I’ll be joined by Charlie McMurdie discussing the future of cyber security law.

In the meantime we’d love to get your comments, suggestions and questions, so contact me directly on Twitter @iantodd86 or email me at ian.todd@pwc.com and please remember to subscribe to the series so that you won’t miss any future episodes.

I look forward to hearing from you.
