The deadline to comply with GDPR has finally arrived, and after the years of debate over terminology and European parliament wrangling, the new data protection regulation has become the law.
Infosecurity was recently invited to attend a press briefing at City, University of London, where some of the PhD students are doing their research around data protection and data privacy. Two of those students, Paul Pedley and Cher Devey, were present at the press briefing.
Pedley is a PhD student whose research topic asks “What is the impact of digital technologies on librarians’ ability to protect the privacy of their users?” while Devey’s research touches on personal data breach incident response, privacy harm and breach notifications under the GDPR.
At the press briefing, a number of subjects were discussed in relation to data protection, from portability of data to the sharing of data, and how “GDPR will become a gold standard for protecting business” while the agreement was made among participants that GDPR was intended to protect the common man.
The theme of the right of individuals carried throughout evening, specifically regarding portability of data, and what the rights of Europeans are if they leave the continent.
Devey’s focus was on the reluctance of organizations to disclose data breach incidents and reminded her audience that the GDPR will hold organizations accountable with fines and penalties. She said: “Organizations will be called upon to be transparent and respect the rights of individuals to know about breaches.”
"For a researcher it is a minefield and a goldfield, which very few UK universities are tapping into."
Devey’s particular area of focus was of interest, and Infosecurity met her a few days later one on one to discuss some of the finer points of her studies.
Devey said she had been attracted to City for its visualization research within the Computer Science department, and the reputable Cass Business School. She did a post-graduate diploma in International Commercial Arbitration (with Queen Mary College, London) and became interested in e-discovery.
While this was nothing to do with data protection, a subject she also studied as part of an LLM course with Queen Mary College was on the struggle on gaining evidence that further sparked her interests in data protection and privacy.
She said: “I joined City back in October 2013 in the Computer Science department, and my research has evolved over the past four years. My initial research examined cyber risks, supply chain relationships and cyber insurance. However, due to departmental changes and the replacement of supervisors, my topics also changed.”
Devey explained that she focused on personal data incident response, as while there are researchers focusing on security protection, there were too few researchers on data incident response and privacy harm assessment.
She said: “I am familiar with communication issues in organizations, and responding to a data incident requires a crisis response approach.” In particular, her research was funded by City for three years, originally part funded by Cass and now she is close to finishing her thesis.
As part of her research, Devey has built a prototype dashboard which she explained was to aid companies to prepare for compliance and do data breach assessments for breach notifications. “How do you do a privacy harm assessment in a crisis? In IT security, investigators use triage for gathering information and evidence, but my focus is triage for privacy harm assessment during data incident response,” she said. “So I hope my research will have practical applications besides contributing research knowledge.”
“Portability, ‘right to be forgotten’ and breach notification or breach reporting are challenges for organizations. However, when there is a data breach that is the one thing that people – and usually more than one - need to know about as soon as possible or without undue delay. That makes breach notification a big challenge for unprepared organizations” she said.
She said that people are not used to looking at the impact on the person and are looking at devices, or the harm to organizations, but for a data breach it has to be the first step in an investigation. So, the dashboard allows a triage of the data to identify the likely harm to individuals, and it contains a matrix to do scoring which is based on how the compromised data is likely to affects individuals.
“GDPR doesn’t use the word ‘human rights’, but GDPR tries to bring in human rights, and that is the major change from current legislation as it is all to do with data privacy of the individual,” she said.
“GDPR has re-ignited and united these two complex subjects: human rights and data privacy. For a researcher it is a minefield and a goldfield, which very few UK universities are tapping into. From my experience in industry we tend to work in silos, similarly in academia where multidisciplinary and/or transdisciplinary research are not common especially in PhD research. There are many issues which will require a wide spectrum of understanding.”
Devey acknowledged that her dashboard has commercial value, but there is “still a lot to do” as there is no single spectrum view that works for everyone when it comes to privacy harm.
In terms of the future, she said she will go back to work in industry. “I am interested in helping individuals: I feel somehow access to justice doesn’t exist. It is all very well with the law saying - ‘yes you have a right to know - and can claim compensation or sue a company,’ but it is expensive and very few lawyers are experienced or willing to deal with an individual even though ‘distress’ is a recognized non-pecuniary loss.”