5. Data Compliance News - The CFO Update - Autumn 2020 with Stuart Davenport

Oct 06, 2020 | 43 min | Ep. 5

Episode description

Join Hannah Munro, as she interviews Stuart Davenport from The Compliance Consultancy, as they talk about the latest updates in data compliance. They cover the implications and key strategies that you and your team need to be aware of.

This episode also covers:

  • Data Hacking at Blackbaud
  • Updates to the privacy shield legislation
  • GDPR implications for those working from home
  • Managing Remote workers in foreign countries – what impact does that have on data compliance and what do you need to be careful of?

Contact Stuart:
LinkedIn
The Compliance Consultancy

Free On-Demand Webinars mentioned in the podcast
Become a Data-Driven CFO: Making Better Finance Decisions
Planning & Budgeting in a Volatile Environment



Transcript

Ad 1

Welcome to CFO 4.0, the future of finance. The CFO role is changing rapidly, moving from cost controller to strategic visionary. And with every change comes opportunity. We are here to help you take advantage of this transition to win at work, drive your career forwards and lead with confidence.

Join Hannah Munro, Managing Director of ITAS, a financial transformation consultancy, as she interviews key experts to give you real-world advice and guidance on how to transform your processes, people, and data. Welcome to CFO 4.0, the future of finance.

Ad 2

Did you know that 70% of CFOs still make decisions based on gut feeling rather than actual data? Join Hannah Munro, your host of CFO 4.0, for an online presentation where she discusses what you need to truly become a data-driven finance leader.

This session will not only talk about the why, but will also identify how you can automate your financial operations and get meaningful data to drive your business forwards. Check out the link in the show notes.

Hannah Munro

So hello everybody and welcome to this episode of CFO 4.0. Today we're talking about everything data, privacy and security. So with me on the podcast today, I have Stuart from the Compliance Consultancy. So Stuart's been doing this for a very long time. He's got various different qualifications that are lovely and long to name in security and privacy.

He works with businesses from all different sectors, including those governed by the Financial Services Authority and specialises in e-commerce, the IT sector and education. Now, and I love this. He's given some great facts about him as an individual. So obsessed with golf, handicap of seven, which you're obviously very proud of, Stuart.

And you've mentioned that you've had a rescue dog that was on carpool karaoke. How on earth did your rescue dog end up on carpool karaoke?

Stuart Davenport

Well, I'm fortunate to be friends with somebody in the public eye who will remain unnamed. But there was a particular picture that was taken of him in my front room, which also instantly appeared on Graham Norton's show. James Corden produced this picture out of the in the car when he was recording the programme. So, yeah, Herb is significantly more famous than I am.

Hannah Munro

That's a real claim to fame. And you've always had a long interest, longstanding interest in privacy, haven't you? Because you had a bit of a detective moment back in the day. Do you want to just tell us a little bit more about how you managed to trap some dodgy email dealers?

Stuart Davenport

Yeah, so... At the time I was working for an ISP, so it was told that it was quite easy for me to buy my own domain. So I bought my own domain and set up what's called a catch-all email account. Whatever appears before the at sign still comes into my inbox regardless.

So that basically means that if I was on Tesco's website and they were asking me what my email address was, I'd write Tesco at. If I was on Starbucks, I would write Starbucks at, et cetera.

And it basically meant that if ever I got emails from an organisation that wasn't represented by the name before the at sign, then I knew that that company had either sold or lost my data.

And, you know, in truth, the reality was it was mainly to avoid spam so that I could just put a rule in Outlook and make sure all those emails were directed to the delete folder.

Hannah Munro

And what, can I ask, what do you do with the ones that were doing the dodgy dealing or selling your data on? Did you actually manage to get them to stop or get them to remove you from lists?

Stuart Davenport

Well, I didn't need to because the... because I was just able to delete the emails automatically. So once I created the rule, I never saw the emails again. There have been a few occasions of me still getting emails now from organisations.

And according to GDPR, I do have the ability or the right to follow those up in court, but it's not something that I've got around to as of yet.

Hannah Munro

So yeah, talking about obviously GDPR, which has been sort of a buzzword hasn't it, for the last couple of years. So tell us about sort of where things are at at the moment in terms of data compliance. Are there any sort of recent developments or changes that we need to know about?

Stuart Davenport

Certainly. I mean, the most notable, I mean, if anyone's happened to have seen the news over the last 24 hours, they'll have seen that Facebook is threatening to withdraw itself completely from Europe, which I'm sure nobody believes. But it all comes on the back of what is termed as the Schrems 2 pandemic judgment, which is a judgment within the EU courts, which basically invalidates what's called the privacy shield, which is the mechanism for transferring data to the US specifically.

The history of this, this is actually known as the Schrems 2 case, because prior to the Privacy Shield, there was something called Safe Harbour, and that was invalidated thanks to the same gentleman, Max Schrems, who is an Austrian lawyer and privacy activist, who went to court to question whether or not the EU data privacy rights were being upheld within the US.

Now, the implications to the latest judgment actually stretch beyond the US, but the principle being is that the first case came around because of the Ed Snowden revelations, insofar as the fact that the US government was caught snooping into Facebook and Gmail and such like, and therefore Privacy Shield was brought in, which in theory had independent effective oversight, which meant that they had to have what is effectively a third party to oversee to ensure that US companies were applying the relevant data protection rights.

However, because of the surveillance laws in the US, which are specifically the Foreign Intelligence Surveillance Act 702, as it's known, again, the EU court has established that EU data subjects' privacy rights cannot be kind of be respected with the current US law.

And essentially it means that if a company in America was relying on the Privacy Shield, then they are currently processing data illegally because the Privacy Shield has been made invalid.

Hannah Munro

So for those that don't quite understand what the privacy shield is, can you just sort of explain that to our listeners?

Stuart Davenport

Yeah, so I mean, essentially, if you want to transfer data outside of the EU, there are a number of different mechanisms for doing that. The first one is adequacy. And that's essentially where the EU identifies the privacy law of the third country, as it would be, as being of a standard similar to GDPR and that would provide an adequate level of protection to EU data subjects. So adequacy is another conversation because it's something that the UK is likely to try or want to rely on after Brexit. And we can come back to that later if you want.

But essentially, what was negotiated with the US because obviously there's a huge amount of data that passes from the EU. So we're talking as well as the Facebooks and the Googles of this world, it includes the likes of Sage, Microsoft less so because they are trying to move a lot of their data to the EU, but the likes of Dropbox and such like as well.

So massive amounts of personal data is transferred across to the US. And what they wanted to do was to put in place an easy mechanism for US companies and EU companies to be able to use so that that transfer was made legal.

Hannah Munro

So that's the mechanism that's now, from what I'm gathering, is actually now defunct. And there's a new mechanism or a new way of approaching sending data across the ocean, as it were, to the US. So if people want to be compliant, which I'm assuming a lot of listeners do, how do they need to approach that?

Stuart Davenport

It's a very interesting question. And there's a lot of discussion within my sector about how people might do that. But essentially, so where the privacy shield can't be used, there are essentially two other options to look or potentially three, I suppose. But the two main ones, one is standard contract clauses and the other is binding corporate rules.

And both are very similar in terms of how they work. They are standard contract terms that you put into an agreement with the company, the processor in the third country. And essentially they provide the protection to data subject rights that we've discussed before.

However, the court case also suggested, and it's yet to be confirmed by the EU courts, but certainly has been confirmed by various data protection authorities across the EU that both standard contract clauses and binding corporate rules aren't effective where there are surveillance laws in the third country.

And obviously, we're talking about the US here, but it's exactly the same if you're looking to transfer data to another country that has, shall we say, oppressive surveillance laws, which suggests that they are also invalid on the basis of that.

The only other real option would be to use derogations, which talk about getting consent from the user and such like, but they can't be used, they must only be used as an occasional nature and a case-by-case basis, and certainly they can't be used where you're looking at bulk.

So as it stands at the moment, it's very difficult to put a specific case for any data transfer from the EU to the US or any other third country where you're relying on either the Privacy Shield, standard contract clauses or BCRs (binding corporate rules).

So there has been some advice put out by some data protection authorities and each country has at least one of those. So ours here is the ICO. The advice given both by the European Data Protection Board and the ICO is essentially to risk assess, to identify what real risk there is to the data subjects' rights and the data that's being transferred across.

So to do a risk assessment and what they're talking about is adding supplementary measures in order to create the adequate level of protection. However, what they haven't done as yet is identify what those supplementary measures are. I think at the moment, most data protection authorities are fair. They were not expecting this, so there was no real preparation for it.

And certainly most data protection authorities are not likely to come down very hard on you, because there is in theory, but not written, an allowance for companies to be able to adapt. But the reality at the moment is that any transfer of data to the US is probably invalid and illegal.

Hannah Munro

So, and when we're talking about any transfer,

Stuart Davenport

Um.

Hannah Munro

Does that cover any kind of data in any shape or form out of interest?

Stuart Davenport

Well, it needs to be personal data or personal data is all that's relevant. So in terms of data that can identify an individual.

Hannah Munro

And can you just, because this is something that I know there's been a lot of debate about, and I like to think we've all talked a lot about GDPR, but can you just define what it means by data? So in a finance team or a business, what kind of data, if you had somebody's business email, would that class as personal data?

Stuart Davenport

Yeah, anything that identifies you. So ironically, a name on its own, so Hannah Munro doesn't identify you because there's probably more than one Hannah Munro in the world. However, as soon as you say Hannah Munro at and where you work, that almost certainly identifies you and couldn't be with reference to anybody else.

So any piece of data that identifies an individual is considered personal data. So yes, business email addresses do. The areas where that wouldn't be relevant would be where it's a mail at or a home at and that sort of thing are obviously within a business contact is unlikely to identify you.

But you've also got to take into consideration the possibility of sole traders as well, where there's only one person at the end of that email address. But essentially business email addresses should be considered personal data.

Hannah Munro

And in terms of the piece of this, and just to clarify my understanding on this, is that this is only for data that is stored outside of EU data centres, isn't it? So if it sits on a server within the EU block, then it's classed as you wouldn't have an issue.

If it's just the data that's been emailed across, so a spreadsheet that might be sent to a colleague in the US, for instance, would that be a breach?

Stuart Davenport

Yeah, it could be. And it's also worth considering that if you're using a US company, there's sort of a grey area at the moment as to whether data stored by a US company in or on EU servers, for instance, would still be applicable with regard to the surveillance of that particular company.

So the actual remedies for this are, firstly, does FISA, which is the Foreign Intelligence Surveillance Act, does the company that's processing the data, are they covered by FISA?

And as I understand it, although I'm absolutely not an expert on US surveillance law, it doesn't necessarily cover every single company. Secondly, can you get away with not transferring it to that third party? So is the transfer necessary? Can you shut down the transfer without affecting business? Is there an alternative company you could use? And finally, could you obtain assurance that the data is out of reach of the US surveillance, US government, from that third party? And it's your responsibility to ensure that any assurances you're given are valid.

Hannah Munro

Yeah, true. So this is really interesting, isn't it? Because if you think a lot of people and big groups of companies might share servers, they might have their finance system on the US server, for instance, or be sharing the US database for whatever reason.

So technically, if they are storing and individual contacts emails where they are a UK-based company and they are using, say, the head office that's in the US using their servers to store their financial systems data, that technically would be a breach. Correct. Yeah, unless it's interesting.

So I'm going to be honest and say that's not something that I think a lot of people are aware of. And how recently did this development happen?

Stuart Davenport

So the actual case was in July and in the period since that there's been obviously a lot of opinion pieces and advice and guidance offered by the likes of the EDPB, the ICO and various different data protection authorities across Europe.

So there are potentially other solutions. So if, for instance, the data was encrypted on the US servers and the key to that encryption was held in the EU by the EU company or the UK company, for instance, then that may be a supplementary measure that's considered acceptable.

And depending on the data, it may be possible to anonymise it or to use other techniques, and pseudonymisation is one which is recommended from within the privacy sector. The principle of pseudonymization is where, let's say, you had a spreadsheet with your names down column one or column A and the variety of other information across the spreadsheet.

If you remove the name and replaced it with a number and then put that name and that number in a different spreadsheet, and you then held those in two separate places with different passwords etc., and obviously very securely, then in theory, again, it's a type of encryption, if you like, which would mean that the information was therefore anonymized or effectively anonymized.

Hannah Munro

Fantastic. So yeah, there's obviously a lot into this.

So I think we'll go at the end, we'll go through and we'll make sure that we put a link to your website and your contact information and your LinkedIn profile in the show notes, because I can imagine this being, especially with the fact that it's only July, it being a big challenge for a lot of companies, especially where they've got an international element to what they do. It's going to, yeah, huge. So this will obviously be a big one for your industry at the moment and it's going to have a big impact on a lot of businesses in various different sectors. And any other recent developments that are giving you some interesting conversations?

Stuart Davenport

Yeah, so again, speaking with colleagues from the industries, I confess I haven't had a client that's had problems with this, but a company by the name of Blackbaud had a serious breach. The breach happened in February, but they didn't discover it till May, which is a concern in itself. And then the users or their clients were only notified in July.

And there's a lot of problems with that. So the obvious apparent failures, and obviously we're not party to the specific details, but the apparent failures would suggest that any breach you should inform the Data Protection Authority within 72 hours. So clearly that didn't happen.

Whether the data was encrypted or encrypted to a high enough degree, it would be a question that would need to be asked. It seems strange that they didn't have some form of monitoring on their network that would either identify this. There are systems called intrusion detection systems, which are designed to do just this.

And so a company of Blackbaud's size would be something you'd expect to have a budget that would include that sort of thing. It didn't really end there, unfortunately, because what actually happened was that the criminals that hacked in stole a large subset of data and then essentially asked for a ransom from Blackbaud.

There are various opinions on whether criminals should be paid in this instance. However, they did pay them. The consequences of paying them is that they demonstrate that they've got a willingness to pay, so they're going to be more attractive to criminals than potentially other companies. It may encourage other attacks of a similar nature.

Probably most importantly, it funds the particular criminals to launch attacks on the next people. So there's definitely a question attached to whether or not they should be paid or not.

They justified paying them on the basis that saying that they believed that data stolen had been deleted and apparently used quite an interesting justification for this on the basis that they said that the criminals have a reputation to consider.

Hannah Munro

Yeah, one of criminality, perhaps.

Stuart Davenport

Well, exactly. So that was definitely an interesting side to this. But, you know, as I understand it, the victims in this are mostly non-profits. So in the UK, that includes the National Trust, many tens of universities, as I say, non-profits such as Sue Ryder, as well.

There was over 125 companies affected, some of which were obviously US-based, including Boy Scouts America. So it's had a very serious implication.

And obviously, where you're talking about a number of those organizations, you're talking about children's data as well, so it's a definite concern. And there was a similar event a couple of years ago, a company called Chegg who had their data stolen, and some of that data is now appearing on the dark web. So the fact that none of the Blackbaud data has yet appeared on the dark web is a question of wait and see, because at the end of the day, if you're a criminal and you've got data which is worth an awful lot of money, then you're probably going to be quite happy to cash in on it more than once.

Hannah Munro

And so I guess that that comes down a lot, doesn't it, to the security of the organisation. If you are going for cloud solutions, making sure you ask the right questions. So what questions should you be asking of a solution provider if they're going to be controlled, obviously hosting your solution around this to try and stop this from happening?

Stuart Davenport

So the first thing to consider really is that specifically with cloud, and I should say right up front is that I'm not, I wouldn't class myself as a data security expert in terms of the IT element of it. What we're taught is very much to utilize the expertise of IT data security professionals, experts, in terms of they're going to be the most familiar with best practice and most recent sort of techniques that have been brought in. However, as I'm aware, with most cloud providers there's nothing to stop you putting your own encryption software into the environment. So that would be one thing that I would say with regard to that.

But in respect of when you're looking at suppliers, ideally you should really have an outsourcing policy and an element of due diligence. Certainly at the moment I'd be inclined to probably try and find UK-based cloud service providers, of which there are plenty, for the obvious reasons around what we talked about before with Schrems 2.

And certainly when you're dealing with UK companies, then ISO 27001 would be a key consideration and obviously understanding what commitment they've made to GDPR.

So the first step is have a look on the website, and if the website either doesn't have a privacy notice or the privacy notice is short or looks like it's been copied and pasted, then that would be red flags right up.

If you did get through that stage, then you're really looking at getting an understanding, as I say, of exactly what commitment they've got to GDPR. And within GDPR, where you utilise a third party or a processor, as they're known, you have the right to audit them.

And if your data is of a sufficient sensitivity, then that's certainly a route that I'd consider going down.

Hannah Munro

Yeah, great. You know, all great questions. And I think certainly the Blackbaud story will prompt a few more questions, I think, when people are talking about cloud and, you know, publicly available cloud. So interesting stuff.

Ad 3

Month-end close is one of the most time-consuming and stressful processes for financial teams. 74% of mid-sized organisations take over a week and between two and five staff members to complete their close.

Join us, the ITAS team, for our on-demand webinar where we look at key findings from a close-the-book survey conducted with 762 participants across a range of industries and platforms. Learn how Brian Goldrick from Vera Whole Health shortened his close by 60%, increased team efficiencies by 25%, and 10 best practices that you can take to reduce your close.

Visit www.itissolutions.co.uk and go to our events page or click on the link in the show notes to sign up now.

Hannah Munro

So we talked a lot about managing data across borders. Have you got any sort of thoughts or recommendations for those that have remote workers in foreign countries, for those that are employed by the company and perhaps are in a different location outside of the EU, probably in this case?

Stuart Davenport

Yeah, I mean, in terms of sort of remote workers, if you think about the remote worker principle, it actually is very similar to the fact that a number of people are now working from home and it's largely around the area of security and such like.

So whether they're at home or in the other side of the world, you want to make sure that the transfer of data is secure, whether that be via a VPN or via utilizing a telecom solution such as MPLS, which is a private network, which would certainly be useful. And, you know, there are additional security options as well, such as DNS filtering.

Where possible, you want to minimize local storage.

So if you're able to have the access is essentially done utilizing a central database, so the data never lives on the device of the remote worker. Obviously encryption and pseudonymization where possible, access control and utilizing two-factor authentication, and a remote access policy obviously is crucial. There are still companies who are accepting their staff use their own devices for access to company data. It's not great, but if the financial reasons for that or whatever, then fair enough. But the company has to have a bring your own device policy as well in order to cover those areas to make sure.

There's a lot, obviously, of concern around somebody doing work at home on a PC that their wife then uses to do her shopping on, and the daughter then uses to go off and look at Disney and such like, and their teenage son does goodness only knows what on. And there's obviously massive concerns around that.

So there are technical solutions which enable companies to control the areas of the device that are used for business, but regardless, but certainly in terms of device management you need to be encrypting the hard drive, making sure that patching is automatically done, malware etc protections.

Hannah Munro

I guess it's becoming more prevalent and more problematic during lockdown, you know, and you never know, we might have another one on the way, but where they are sending documents here, there and everywhere? Because it's not just digital data, is it? So if you've got a document with an email address on, would that be counted under personal data out of interest?

Stuart Davenport

Yeah. So, you know, obviously in an office, you'd want to have a clear desk policy, and obviously it's incredibly difficult to monitor for home workers and such like.

I do hear of certain companies who are utilising cameras to keep an eye on their staff, and that inherently has problems as well, because if you're not telling employees that you're doing that by way of an employee privacy notice then you couldn't use that footage for anything, even if you saw them doing something that was, you know, against the principles of the business. So there are lots of potential hurdles and problems that home working has caused, and also you've got to consider that remote workers are more at risk of sort of spear phishing attacks and that sort of thing.

Hannah Munro

So what's spear phishing? That's an interesting name for an attack.

Stuart Davenport

Okay, so phishing is the principle where you get an email saying, please click here and the hacker is hoping you'll click through and either it goes to your bank, a page purporting to be your homepage or your sign-in page of your bank and such like. Spear phishing is when it's targeted at an individual, and certainly the typical examples would be where an attack comes in because somebody is working, it's an email from the MD or the FD, and these are very well known, saying please pay this person so and so and here's their bank details and please do it immediately, and sort of works on the principle of fear that the MD is insisting that this payment is made in the next 10 minutes so somebody doesn't have the chance to query it.

Obviously if somebody's working from home as opposed to an office it's much more difficult to query those sort of things, because quite often staff probably don't want to bother their MDs and FDs and CFOs etc. So there are more, certainly there's a lot more in terms of cyber attacks that are happening now, and any home worker is going to be, potentially has an issue with regard to, you know, how well their Wi-Fi is locked down and the router that they're using, whether they've changed the standard default password on it, which can make hacking incredibly easy if somebody knows what they're doing.

Hannah Munro

Yeah, and you forget sometimes, don't you, about the basics. And I think, you know, as the COVID piece continues, because I think we're stuck with it for a while now, that's going to become more and more important because it's going to be a continued working from home. And those criminals are going to take advantage of it in terms of, yeah.

Stuart Davenport

Absolutely. And the other thing to think about with COVID is also, I mean, hopefully the companies will have utilised a business continuity policy in the event that staff can't get into the office.

But those documents, those policies should also be updated for the principles of local lockdowns and the principle that also even if we do have a return to the office at some stage, it's not impossible to have an outbreak within an office. And business continuity policies and plans should be updated to that effect as well.

Hannah Munro

Yeah, I think we're all going to have a COVID section in our business continuity plans for the future. Yeah, so isn't it interesting, actually? And that's a whole different podcast, the concept of business continuity. I think it's really brought to life.

I was on a call this morning, and we were joking about what happens if somebody gets hit by a bus and this happens. And actually, when you think about it, we've got probably more likelihood of catching COVID than we have of being hit by a bus at the moment. I think that's pretty safe.

Maybe that should be the new phrase: what if somebody goes down with COVID? So, depressing thought, hey.

Stuart Davenport

Yeah, yeah, well, absolutely. The other thing to consider, by the way, with regard to remote workers, and this is specifically around remote workers in foreign countries and far seas and such like, is that you're processing employee data. So you need to make sure that all the relevant changes are made in terms of the employee privacy notice, and make sure that you're able to respect the rights of the data subjects, who are in this case the employees. Think about the cross-border transfers; we obviously talked about that with standard contract clauses and such like. And then you've obviously got issues, so GDPR provides a legal basis for processing data, which is relevant to an employment context.

But obviously with all these individuals, they'll be in countries with their own employment law as well.

So you'll need to make sure that those things are covered and that those employees are also familiar with, it's the same principle around outsourcing that we talked about before with cloud suppliers, make sure that they're trained so they understand the principles of what to do in a breach, and essentially to respect GDPR and understand it in that way.

It really depends on whether they've come from an EU base or they've been employed from abroad.

Hannah Munro

And it is interesting to be fair and you can see how much you know, how much is involved in maintaining data compliance from a company just by listening to this conversation and having this talk with you. So and traditionally, in a lot of cases, the finance director is the one that's taking responsibility for a lot of this.

So whose role in your experience do you think it should be within the organisation?

Stuart Davenport

I mean, as is the case with 99% of questions about data protection, the answer is it depends. But the thing to remember, I think, so the first thing is, does the company actually need to appoint a data protection officer? Not every company does. So public authorities do.

Any company whose core activities consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale. And a lot of these are undefined, so to speak. But examples of the large scale could be a telecommunications company. And in fact, some of the types of companies are defined by...

So what is now the European Data Protection Board used to be called the Article 29 Working Committee.

And they specified certain types of companies that do require DPOs, such as telecommunications, pharmacists; obviously it's relevant to the type of data that you're processing. And the third type is processing a large scale of special category data, and that's typically around the discriminatory types of data, so political, racial, religious, philosophical, but also includes genetic and biometric data and health data, which is crucial because most HR applications will include health data. So you've also got to make sure that you've got the legal basis right and, equally as importantly, make sure the security of that data is prioritized.

Hannah Munro

Brilliant. And I'm going to be very honest to say, Stuart, I've learned a huge amount about data compliance. I did not expect to learn. So thank you so much for joining us today. And do you have any sort of top tips for anyone working, you know, finance directors, CFOs around data compliance you'd like to share?

Stuart Davenport

The main thing for me is that with all of my clients, I'm always shocked at how open their social media accounts are and also of their families. Social media is an area that criminals will need to utilize as much as possible.

So if you or your spouse or your children have sort of geotagged or mentioned that you've been to a restaurant or the dog's in the vet and such like, that sort of information is music to the ears of criminals, because this is where spear phishing comes in. If you say that you've been to, you know, if they can go onto your open Facebook account, for instance, and see that you've been for a meal at a particular restaurant, then it's very easy for them to spoof an email to make it look like it's come from the restaurant itself and say, thanks for coming last Tuesday. I hope you enjoyed the meal. Please click this link for a free bottle of wine next time you come.

And it's actually quite difficult to spot unless you know what you're looking for. So closing, just put all the relevant privacy features onto your social media so that they're all locked down and people you don't want to have access to it anyway can't see it.

Hannah Munro

That's brilliant. And so thank you so much, Stuart. So if somebody wants to get hold of you, they'd like some advice on data compliance or any of the topics that we covered in today's podcast, what's the best way to get hold of you?

Stuart Davenport

Certainly via the website, which is The Compliance Consultancy, at Stuart Davenport on LinkedIn. They're probably the easiest two. Obviously there's an email address and contact details on my website.

Hannah Munro

Fabulous. And we'll, for those that are listening that are interested, we'll also pop those links into the show notes as well. So people could just click and have a look. So thank you so much, Stuart. You have been, it's been really informative and you've been fantastic. So thank you for joining us.

And I hope you'll be back to talk to some more data compliance soon.

Stuart Davenport

Fantastic. Thank you very much indeed.

Hannah Munro

Thanks, Stuart.

Stuart Davenport

Bye-bye.

Hannah Munro

Thanks for listening. And I hope you enjoyed this episode. I actually have a favour to ask. Reviews and shares are incredibly important to the success of any podcast. If you could spare a minute to share this episode on your social network or leave us a comment to tell us what you liked, I would really appreciate it.

Feel free to tell me what topics interest you most. I would really love to hear your feedback. Don't forget to check out our latest CFO 4.0 webinar on budgeting and planning in a volatile environment. Click the link in the show notes or visit www.itassolutions.co.uk and click on our events page for more info and great content.

And if you want to reach out at any point, tell us what you liked, tell us what we can do better, then feel free. Just email us at cfopodcast.itassolutions.co.uk. Thank you and speak soon.

Transcript source: Provided by creator in RSS feed