Governance, Risk and Compliance Archives - Information Age https://www.information-age.com/topics/governance-risk-and-compliance/ Insight and Analysis for the CTO

Five steps to build a business case for data and analytics governance https://www.information-age.com/five-steps-to-build-business-case-for-data-and-analytics-governance-123501244/ Wed, 25 Jan 2023 09:45:00 +0000 By Saul Judah on Information Age - Insight and Analysis for the CTO

Here are five steps for data leaders to take towards building a strong business use case for data and analytics governance.
Good governance is critical to business success. However, organisations are often let down by their business practices, and a key culprit is poor (or no) data and analytics (D&A) governance.

Organisations that are successful in D&A governance have a data-driven culture. They actively engage and influence their stakeholders, promote data sharing, break down silos and evangelise data literacy. Gartner’s Seventh Annual CDO Survey found that chief data officers (CDOs) who link D&A to prioritised and quantified business outcomes and metrics are more successful than their peers. There are five key steps to achieve this.

1. Identify unachievable business outcomes due to poor D&A governance

First, present business leaders with a problem statement that they can recognise and own. The organisational business strategy should be used as a primary source to understand the goals and direction the organisation expects to take, the market drivers and the regulatory landscape. Following this, engage with key business leaders to find out where D&A is working well, and where it is not, and focus on the business implications of poor D&A governance.

Next, obtain internal audit reports that show the audit observations, audit points and risks that have been raised in the enterprise and assess these in relation to the governance of D&A – within and across business areas – and their cost.

Before proceeding, present the high-level findings to key business leaders and ensure the problem statement is expressed in the right business language, is aligned with business priorities, and that the underlying assumptions are valid and understood.

2. Connect business performance with information value through metrics

The causal relationship between poor data and analytics and poor business performance must be highlighted if a compelling business case for governance is to be made.

Initially, look to identify the business processes and process owners that are critical in addressing the problem statement. These will often span multiple business areas, so look to focus on key processes rather than on lines of business. This will help break down the silos that have led to the insular and disconnected governance of data and analytics.

Determine the most impactful key performance indicators (KPIs) and key risk indicators (KRIs) for business success, and then identify the specific data and analytics assets that are used in the KPIs and KRIs. These assets are the ones that must fall within the scope of the data and analytics governance proposal.

3. Outline the scope and footprint for governance through people, process and technology

A key characteristic of highly successful D&A governance initiatives is their ability to effectively define and manage scope. Be clear on what is in scope and what is out of scope for governance while identifying the key stakeholders needed in the D&A governance steering group. Also highlight the need for a governance footprint within the business areas, so that decision-making and decision-execution are properly aligned through roles such as the information steward.

Then create and evaluate all potential models for delivering the key business outcomes of D&A governance, analysing the benefits, costs, risks and assumptions of each option, and use knowledge and experience of how the organisation works to select the best one.

Finally, assess the likelihood of success of the proposed governance solution by testing it with the key business stakeholders, who will need to share their initial insights and give final approval on the proposal.


4. Define the approach, deliverables, time scales and outcomes

To define the approach, use the statement of governance scope to segment the delivery of business outcomes into manageable phases. For each of these planned deployments, identify the business value that will be delivered, to whom it will be delivered and the specific business impact on the organisation.

Select the adaptive D&A governance approach as the governance deployment model, recognising that the application landscape is complex and contains multiple platforms. Identify the deliverables produced through the phases of governance and their specific contribution to business value improvement. Connect these deliverables to data-driven business decisions, improvement in organisational behaviour and the ability to drive new business value.

5. Complete the financials for the proposal

Ultimately, a clear set of financials that numerically demonstrates the value of the governance proposal and the financial implications of not proceeding is crucial, and this will take time and effort. Assess the governance proposal in terms of the total cost of ownership (TCO) and develop the return on investment (ROI) model based on a spread of possible outcomes.

Before presenting the final business case to senior business stakeholders, review the storyline, logic and evidence for the governance business case. Include a “do nothing” as one scenario and project the financial implications of this option. Engage supportive business stakeholders to help find the holes in the proposal before it is presented to the formal decision-making board and be prepared to update the business case based on actuals, new data and new issues raised by the review team.

Saul Judah is vice-president analyst at Gartner.

CSRD and how it applies to UK tech firms https://www.information-age.com/csrd-and-how-it-applies-to-uk-tech-firms-123500971/ Thu, 22 Dec 2022 14:02:34 +0000 By Ayelet Elstein on Information Age - Insight and Analysis for the CTO

The clock is ticking on European CSRD legislation - is your IT department ready?

The EU has strong ambitions to reach its goal of net-zero greenhouse gas emissions by 2050, and to reach it, accountability needs to increase. New legislation in the form of CSRD will affect not only organisations headquartered in the EU but any business with operations in the European Union, as well as UK tech suppliers and vendors that sell to organisations expected to be CSRD compliant. The potential impact for UK and global technology companies is huge.

What is CSRD?

CSRD, or the Corporate Sustainability Reporting Directive, is EU legislation which requires companies to report on the impact their activities have on the environment and society, and on how sustainability issues affect the business itself. The directive has been adopted, but the detailed European Sustainability Reporting Standards (ESRS) that define what must be reported are still being finalised, and the reporting requirements start to apply from financial year 2024.

What we know for certain is that companies are going to need to provide significantly more detail when reporting on their companies’ environmental impact, and companies which fail to provide accurate and detailed records will be subject to audits and fines.

The EU adopted this initiative because it aligns with the commitment it made under the European Green Deal. This deal recognises that climate change and environmental degradation are negatively impacting our world and seeks to hold businesses to a higher standard. Part of overcoming these challenges will include turning the EU into a more resource-efficient and environmentally conscious economy, which includes a commitment to net-zero greenhouse gas emissions by 2050 and a reduction of at least 55 per cent by 2030 compared with 1990 levels.

Holding businesses to account

CSRD recognises that businesses in various sectors make a significant contribution to environmental degradation and waste. And it’s time those companies are held to account. In the past, much of the conversation around sustainability has been focused on consumers, but to create real change and improvement, the EU believes the largest contributors need to be accountable.

On top of compelling companies to reduce their emissions, the CSRD will help investors, consumers, and stakeholders evaluate aspects of how companies are run, outside of financial performance. This will enable consumers and investors to advocate for green practices with their wallets, further encouraging companies to prioritise a sustainable approach to their business practices.

What is the aim of CSRD?

The overall aim of CSRD is to make larger companies report on sustainability in a consistent, comparable and auditable way, so that their sustainability strategies and progress against targets such as the EU's 2030 goals can be evidenced rather than merely asserted. The issue is that, for some companies, this is the first time they are seriously considering and discussing sustainable practices.

There are many questions the leaders of these companies are only just beginning to ask such as:

  • Where does our carbon footprint start?
  • Does it start with fossil fuels?
  • What is the journey across the supply chain like for our products?

These questions will help inform the pursuit of sustainability.

How to get ready for CSRD

#1 – Collect as much information as possible

Companies should begin their efforts by collecting as much data and information as possible on their environmental impact, from every level of their infrastructure. This will help them understand where they really are in terms of sustainability and the steps they need to take to move forward.

#2 – Set realistic net-zero targets

In addition to data collection, companies should set realistic net-zero targets. A robust data collection plan can include cloud-based software integrated into back-end systems to analyse how their technology contributes to energy use and waste, so that progress against those targets can be evidenced by 2030. Gathering end-user metrics across your entire tech landscape (hardware and software measurements) is essential for organisations to measure and report on their carbon footprint.

For example, how many hours per day is your laptop running? Even if it is in sleep mode (and therefore consuming less energy), it is still using energy. It might seem like a minor thing to measure the energy from a sleeping device, but every little bit adds up, and when you think about major enterprises, we’re talking about energy waste across tens of thousands of employees. This level of detail is incredibly important for companies that want to achieve true sustainability, limit energy consumption, and positively contribute to the planet—which is the big-picture aim of CSRD.

Does CSRD apply to tech firms in the UK?

The driving principles of CSRD certainly apply to tech firms in the UK, and CSRD regulations have implications for any tech firm that serves businesses within the EU.

The short answer is yes, CSRD applies to tech firms in the UK, but there are certain qualifications.

All companies listed on an EU regulated market (including listed SMEs, but excluding micro-undertakings) must comply with CSRD, as must non-EU companies that generate a net turnover of more than €150 million in the EU and have at least one EU subsidiary or branch. Additionally, large undertakings (including parent undertakings of large groups) that exceed two of the three following criteria during two consecutive financial years must comply:

  • €20 million balance sheet total
  • €40 million net turnover
  • Average number of 250 employees

The biggest takeaway for tech firms in the UK should be that these regulations will surely set the precedent for sustainability across the world, and they will likely be expanded upon. Tech waste is a large-scale issue, but even smaller-scale organisations could be asked for data in 2030. Research indicates that the UK is on track to become one of the biggest global contributors to tech waste, a startling finding that makes CSRD initiatives all the more pressing for businesses. This same research states that the UK produced a total of 1.6 million tonnes of e-waste in 2019 and was set to surpass Norway as a global leader in tech waste by 2023.

This is only the beginning. We can expect more elaborate and detailed regulations, increased requirements for reporting, and initiatives for tracking and monitoring sustainability metrics to increase exponentially. The faster your company can adopt and adapt, the better.

Beyond the detailed insights that will allow organisations to make easy adjustments to their energy use — such as telling employees to shut off their devices at the end of the day – tech companies need to think about the lifecycle of each device and how a lack of insight into that lifecycle can lead to hardware waste.

Comprehensive monitoring solutions that thoroughly analyse every area of a business’s hardware and software to accurately assess how devices are performing will help companies upgrade and replace equipment based on need rather than having a standard schedule for computer upgrades. This will ensure that computers, phones, monitors, and more are being used as long as they are functioning efficiently, rather than being needlessly tossed for new equipment.

Leveraging metrics per end-user device will help you correctly assess your carbon footprint through correct usage and accurate lifecycle planning.

Monitoring solutions push green IT initiatives forward through the identification of opportunities to reduce energy consumption, reduce waste, optimise hardware purchases based on performance through lifecycle management, differentiate your footprint across personas and device types, and educate your entire business on the importance of these sustainable technological practices. 

There are numerous benefits companies will gain from implementing these sustainability practices now, and not waiting until more requirements or regulations are applied. First and foremost, once the initial lift of implementation is addressed, it sets the business up for success in managing sustainability initiatives for the years to come. As organisations grow, they will be set up to track, measure, and understand the overall consumption and sustainability of the entire company because IT monitoring is already built into everyday business processes.

When does CSRD come into force?

CSRD enforcement is imminent. The directive has been adopted and its reporting requirements are phased in from financial year 2024: companies already subject to the Non-Financial Reporting Directive must apply the new rules to financial years starting on or after 1 January 2024, publishing their first reports in 2025, with other large companies and listed SMEs following in later waves. This is a swift timeline, and the most critical problem that companies are facing is a lack of awareness about CSRD as a whole. This unawareness is costly: non-compliance will result in fines, and the financial penalty will be significant. To be in a position to report on financial year 2024, companies must start now. Metrics must be measured now so that the first reports are robust, accurate and clear.

What happens if I don’t comply with CSRD?

The most straightforward cost, of course, is the fines companies will face if they fail to comply, but the cost of not complying goes beyond fines.

In the B2B space, if you, as a vendor, cannot provide assurance of compliance, you will lose out on clients. Your customers will vet potential vendors through the lens of CSRD and choose to work with companies that can demonstrate strong sustainability performance. Because CSRD reporting covers a company's value chain, your sustainability data feeds into your customers' own reports, so gaps or inaccuracies on your side become a reporting risk for them. The best method for retaining your clients is protecting their reputation and wallet by making sure you have your ducks in a row.

B2C is not exempt from this. Consumers are becoming more aware of the impact of their purchases on the environment. They will choose not to engage with brands that neglect sustainability initiatives. They hold power, and they understand that their purchasing power can determine how companies invest in climate change initiatives.

Even further, compliance with CSRD and an overall prioritisation of sustainability affects brand image. Companies run the risk of losing out on employees, clients, and public respect if they do not take sustainability seriously. The time to act is now. The method for success? Cloud-based software that can provide highly detailed information on energy usage, device performance, and more to help inform your sustainability strategy and make sure that you’re able to prove the results of your efforts. 

Ayelet Elstein is VP EMEA at Lakeside Software

How the Digital Markets Act will challenge big tech anti-competition https://www.information-age.com/how-the-digital-markets-act-will-challenge-big-tech-anti-competition-123500627/ Thu, 03 Nov 2022 13:06:33 +0000 By Clare Walsh on Information Age - Insight and Analysis for the CTO

The new Digital Markets Act in Europe is set to challenge the dominance and anti-competition practices of big tech monopolies.

The build once, sell-to-everyone business model of tech companies has left power and wealth concentrated in the hands of a tiny group of big tech companies over the last few decades. New anti-trust legislation in Europe, the Digital Markets Act, may well bring those companies back under legal control and revolutionise how we shop and work online in the coming years.

Dirty practices of big tech companies

Big tech companies have developed some very dirty habits over the years. Take for example, those online clips you see of influencers who have ‘found amazing Amazon dupes’. It won’t have taken much time and effort to locate them. Amazon is the parent business to hundreds of small companies that manufacture products under different brand names. Its business model is simple: use Amazon sales data to identify best-selling products, commission a clone, undercut the original prices, place the Amazon clone at the coveted top end of search returns, and offer free Prime next day delivery as a final incentive. It effectively steals all the business from companies that believe they have a client relationship with Amazon but, at some point, became their direct competitors. Anti-counterfeit laws have had little to no impact on this shady practice over the years.

It’s not just Amazon using its power to make more money. Google and Apple may appear fierce rivals in the iPhone and Android market. They are not. Google pays Apple a share of its search advertising revenue to ensure that it remains the default search engine behind the Safari logo. The arrangement dates back to the iPhone’s launch in 2007, and has helped Google control around 90-95 per cent of all search queries in the US. To put that in perspective, competition regulators have traditionally treated a 25 per cent share of a specific market as the threshold for scrutiny. These large tech companies have become too big to care, but that may be about to change across Europe.


Who is impacted by the Digital Markets Act?

The Digital Markets Act aims to reverse these practices. It entered into force on 1 November 2022 and applies from 2 May 2023; once the European Commission designates a company as a gatekeeper, that company has six months to comply. It has largely gone unnoticed in business circles, partly because only a handful of gatekeeper companies need to directly adapt to comply, but we all stand to benefit.

At the time of writing, the companies widely expected to match the definition of a ‘gatekeeper’ are the big five tech giants: Apple, Meta (Facebook), Alphabet (Google), Amazon and Microsoft. There are social disadvantages that come with refusing the services of these companies, but very soon we will be able to shop, use online services and share information with smaller rivals with few negative consequences.

For a start, Amazon’s use of 3rd party data to commission clones will become illegal practice across Europe overnight, giving greater protection to small- to medium-sized businesses. Messaging apps will be forced to operate like email and allow external companies to link in. We rarely question that we can send an email from Outlook to users with a Yahoo or Gmail address and things will render fine. That is because email developed before big tech leaders got greedy and built closed loop systems. Messaging services and social media came afterwards. The new interoperability clauses in the Digital Markets Act mean that advantage will disappear and small competitors can viably allow users to send messages from a rival messenger service to, say, Facebook’s Messenger.

The rules on uninstall rights perhaps provide the greatest protections, though. There are certain apps on your phone that you cannot uninstall, and phone manufacturers retain tight control over their app stores. This allows them to refuse any business that they do not like, citing ‘technical incompatibility’ issues. For example, in early 2019 Apple briefly revoked Google’s enterprise developer certificate over a policy dispute, which disabled Google’s internal iOS apps for its own employees until the certificate was restored.

This gives them a dangerous level of control. Swedish-owned Spotify could, for example, be blocked from phones and put out of business at any moment under the current laws. The App Stores also allow phone giants to force users through their payments system, where they charge premium fees. The Digital Markets Act will allow users to delete the default app and use a rival, fairer, and cheaper provider if they wish.

Possible impact of Digital Markets Act

So, will it rein in these tech giants? The companies affected are inevitably bringing their considerable resources to bear to fight these laws, despite them passing the European Parliament. The tide may finally be turning on big tech, though. The punishments for breaches will be brutal: fines of up to 10 per cent of worldwide annual turnover for a first offence and 20 per cent for repeated violations.

When GDPR was introduced, it seemed ineffective at first. Industry bodies such as the Interactive Advertising Bureau (IAB) Europe carried on with consent mechanisms that collected data before valid consent was obtained. It was a gamble that backfired earlier this year, when the Belgian data protection authority ruled that IAB Europe’s Transparency and Consent Framework breached GDPR, a decision with potentially existential consequences for the framework and the body behind it. Europe means to take back control of its economy, and these companies may not be too big to operate above the rule of law after all.

Around the world, there are similar plans. The Competition and Markets Authority (CMA) is looking into similar changes in the UK, and anti-gatekeeper bills have been slowly making their way through the US Congress with bipartisan support.

Much of the success of the Digital Markets Act will depend on the public recognising the benefits and making the decision to switch providers. We have seen similar laws on interoperable data rights in banking in the UK, introduced in 2018. The major banks still dominate the UK markets, but the law created an environment ripe for innovation and several new companies are now thriving. These new protections create tremendous opportunities for small companies to innovate and compete in the coming months.

Clare Walsh is director – education at the Institute of Analytics

Why cyber security strategy must be more than a regulatory tick-box exercise https://www.information-age.com/why-cyber-security-strategy-must-be-more-than-regulatory-tick-box-exercise-20247/ Mon, 03 Oct 2022 09:59:01 +0000 By Editor's Choice on Information Age - Insight and Analysis for the CTO

Martin Riley, director of managed security services at Bridewell Consulting, discusses the problem of using compliance and regulation as a driver for cyber security strategy.

Today, cyber security is a top five board issue — and not just for organisations operating in heavily regulated industries. The consequences of a cyber attack now stretch beyond disruption and revenue loss. Reputational damage, falling share prices and the potential for hefty fines due to regulatory breaches are a very real threat. And depending on the severity of a breach, a CEO’s position could even become untenable.

With the risks clear, many business leaders are looking to the industry for support, using regulation as a guide for best practice. However, while regulations such as the Network and Information Systems (NIS) Directive and the General Data Protection Regulation (GDPR) no doubt play a part in strengthening cyber security posture, too many organisations make the mistake of using them as a driver for cyber security strategy. Not only can this lead to huge amounts of investment in measures and controls that don’t always drive wider tangible benefit to the business, but it can also encourage a short-sighted approach focused on box-ticking.

Business leaders’ main responsibility is driving cyber security strategy from the top down, and a short-term tactical approach will not fit the bill. To stay cyber resilient in today’s landscape, organisations need to shift the emphasis from prevention alone to detection, containment and response, underpinned by the right services, such as Managed Detection and Response (MDR), and by regularly validating that recovery actually works.


Defining objectives

To drive real improvements in cyber security, business leaders need to consider whether their pursuit of compliance is being guided by the right intentions. While meeting regulations is a necessity, inconsistencies in enforcement across different regulatory bodies, and interpretation in guidance from different organisations, make the use of regulation as a driver for security improvements an unreliable benchmark.

Instead, leaders need to define their own cyber security objectives and transformation required to reach their business goals and adopt a strategy of continuous improvement through intelligence and automation. To achieve this, they need to access external expertise to help define the baseline of where their security strategy sits today and identify the scope of the opportunity.

Shifting away from a compliance culture

Assuming that a security certificate on its own will provide an adequate level of cyber integrity is also a risky move. A compliance culture can foster a mindset of reactivity rather than proactivity; where security teams only invest time and effort when renewing their certifications. And if the focus is just to ensure the ink is dry on certifications, employees are less prone to feeling accountable or responsible for upholding security best practice.

The focus should not be on simply adding more and more controls but implementing the right ones and using them effectively to understand and mitigate risk. This can be achieved by adopting a MDR strategy that goes beyond the bare bones of simple regulatory compliance, and is tuned to allow organisations to remain primed against emerging threats.


The role of MDR

MDR is a 24-hour cyber security service that combines modern security technology with human analysis, artificial intelligence and automation to rapidly detect, analyse, investigate and actively respond to threats, rather than simply generating alerts. And with the right solution in place, organisations can bring together existing investments in preventative security to reduce detection to minutes.

An MDR solution also allows businesses to develop a reference security architecture that covers on-premises and legacy systems, SaaS solutions and cloud-based infrastructure and applications. It also helps security teams to protect against and respond effectively to emerging security and identity threats, while reducing the dwell time of any breaches.

The best forms of MDR utilise Extended Detection and Response (XDR) technologies, which allow detection and response across endpoint, network, web and email, cloud and, importantly, identity, along with a service wrap that goes above and beyond the capabilities of the technology. This means all users, assets and data remain protected, regardless of where the attack comes from.

Similarly, by opting for a solution that leverages existing investments in Microsoft 365 licensing, organisations can consolidate security suppliers and reduce security technology budgets, whilst increasing security coverage and visibility. Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solutions such as Microsoft Sentinel can also dramatically improve the efficiency of implementing an early warning system.

Look beyond technology

While technology plays a critical role in an effective cyber security strategy, it alone does not provide the solution. Business leaders must also consider the organisation’s processes and people. If organisations don’t have the right processes or people in place to manage new technologies, it can be easy to revert to old habits.

Many organisations opt for a hybrid Security Operations Centre (SOC) to underpin their MDR strategy, combining the skills of in-house engineers and cyber security teams with those of a managed security service provider (MSSP) in a single facility. MSSPs fill the gaps in defences while upskilling in-house teams to stay on top of changing threats and technologies. This approach can also free in-house staff to drive projects and internal improvements while the MSSP takes the lead on high-value incidents.

>See also: How to boost internal cyber security training

Staying one step ahead

If the goal is to improve cyber security whilst meeting your organisational goals, then regulations will only ever go so far in tackling the issue. Attacks will continue to plague all sectors and proper detection, response and remediation will be what makes the difference between those that make the news and those that don’t.

To improve cyber resilience, organisations need to implement a well-considered strategy centred around MDR. One that not only adheres to regulatory requirements but also improves an organisation’s overall security posture. This will lift organisations beyond the basic need to remain compliant with emerging regulations and instead transform them to better battle emerging cyber threats.

Often, this will entail an entire rethink of technology, processes and people. Crucially, however, the transformation itself is never the end goal. Making sure the organisation has the right processes and people in place to manage the new technologies beyond project completion is critical. For businesses that lack their own dedicated and highly trained security response team, managed security services in conjunction with automation are a compelling proposition.

Written by Martin Riley, director of managed security services at Bridewell Consulting

Related:

What Liz Truss’s cabinet can learn from the EU Cyber Resilience Act proposal — Jeff Watkins, CPTO of xDesign, discusses what UK government legislation under Liz Truss’s cabinet can take from the EU Cyber Resilience Act proposal.

A guide to IT governance, risk and compliance — Information Age presents your complete business guide to IT governance, risk and compliance.

The post Why cyber security strategy must be more than a regulatory tick-box exercise appeared first on Information Age.

How businesses can prepare for the Data Protection and Digital Information Bill https://www.information-age.com/how-businesses-can-prepare-for-data-protection-digital-information-bill-20213/ Thu, 22 Sep 2022 07:22:23 +0000 https://s42137.p1364.sites.pressdns.com/how-businesses-can-prepare-for-data-protection-digital-information-bill-20213/ By Editor's Choice on Information Age - Insight and Analysis for the CTO


With the Data Protection and Digital Information Bill currently being reviewed in Parliament, Netwrix vice-president of research and development Michael Paye explains how businesses can amply prepare.

Parliament is considering a Data Protection and Digital Information Bill designed to update and simplify the UK’s data protection framework. In particular, the bill includes several changes to data and user tracking requirements for UK organisations.

UK businesses must now review their current internal data and security practices, to comply with the legislation or risk substantial reputational and financial consequences. They should keep in mind that as they are updating their controls and processes, they will be more vulnerable to cyber threats, since significant changes can expose or create weaknesses that attackers can exploit.

This article details several steps that organisations can take to ensure a smooth transition in meeting the new standards imposed by the bill.

Clearly define compliance roles

First, it is vital to assess the job roles associated with compliance throughout the organisation, including legal, IT, security and other business teams. The goal is to ensure that the responsibilities of each role are clearly defined and that they align with the criteria specified in the bill. This step will help the organisation implement a consistent and complete approach to new data processes across the business.

Prioritise changes to data processing and management

Although an organisation's current data management practices may be in compliance with GDPR standards, they may not satisfy the requirements of the new UK bill. Accordingly, organisations need to identify which data processing and management workflows are likely to be affected by the new regulation, and key stakeholders and senior-level management will need to prioritise the adjustments to those processes.

Reviewing these processes offers an additional benefit, since it presents an opportunity to identify and mitigate any inefficiencies or vulnerabilities in them. A data discovery and classification solution can help organisations identify regulated data and ensure it is handled and secured appropriately.

Assess and revise compliance practices

Third, organisations should assess whether their existing compliance practices meet the new requirements. They should view this as a chance to assess their cyber security status and mitigate any gaps to improve security as well as compliance. After all, the risks of a data breach extend far beyond fines for compliance failures — a successful cyber attack or data breach can result in customer distrust; penalties from contractors and partners; revenue losses; payouts to threat actors, and much more.

Prepare for questions from customers

Finally, businesses should also be prepared for customer queries about what to expect from the bill, and whether and how it will affect the organisation’s services. Consider establishing an official statement concerning the coming legislation as soon as possible, and making it available to both internal employees and customers. Doing so will help ensure consistent messaging and communication across the business.

Conclusion

Enactment of the proposed Data Protection and Digital Information Bill should not be seen as a hindrance for UK organisations, but as a chance for them to improve the management and security of their critical data. By complying with the requirements of this bill, businesses can improve their data processes, get a faster return on investment (ROI) for a data discovery and classification solution, and help leadership make more informed long-term technology decisions.

Written by Michael Paye, vice-president of research and development at Netwrix

Related:

A guide to IT governance, risk and compliance — Information Age presents your complete business guide to IT governance, risk and compliance.

Tech leader profile: how the CMA uses data to protect us — The CMA is the consumer champion when it comes to digital. Yet its work also extends to tech business mergers, investigating algorithms and, increasingly, how Web 3.0 will affect all of us.

Why a data privacy officer should be your company’s next hire https://www.information-age.com/why-data-privacy-officer-should-be-your-companys-next-hire-124/ Tue, 13 Sep 2022 08:30:00 +0000 https://s42137.p1364.sites.pressdns.com/why-data-privacy-officer-should-be-your-companys-next-hire-124/ By Editor's Choice on Information Age - Insight and Analysis for the CTO


In the same way that the financial crisis created a more financially astute public, data security breaches, privacy stories and scandals are making people more aware of their data privacy rights – and more concerned about how companies and the government use their data.

Data breaches affect all organisations. Those that have been hit by major breaches in the last five years range from tech corporations such as Facebook (April 2019) and Alibaba (November 2019), to hotel chain Marriott International (September 2018) and airlines British Airways (September 2018) and EasyJet (May 2020).

But data breaches are more widespread than many realise. Indeed, organisations that think they have not had a breach may not be looking in the right place.

>See also: Brave new world: Will the Internet of Things be a privacy nightmare or consumer paradise?

Data is often described as the oil of the 21st century, with personal data about people being central to many business processes, and to new technologies that drive the way we work and live in the modern information age.

At the same time, organisations are facing increasing challenges and legal obstacles when using personal data, with complex legal rules that also vary from one country to another.

Boards of directors, CEOs and general counsel have started to realise that data breaches and irresponsible uses of data can jeopardise customer trust, destroy reputations, affect their share price, lead to fines and even result in senior executives losing their jobs.

What does a data privacy officer do?

It would be a mistake to assume that the role of a data privacy officer (DPO) is limited to data security.

While the detailed responsibilities of a DPO will vary from one company to another, the key focus of a DPO is to oversee data privacy compliance and manage data protection risk for the organisation.

This is not just about legal compliance with data privacy laws and breach prevention. A DPO can actually help companies assess new business opportunities that utilise data assets.

Typically, the DPO's responsibilities will revolve around ensuring the company complies with data privacy laws, uses data protection as a business enabler, addresses data privacy requirements early on in new technologies, and manages the reputational risk that can arise from data protection mistakes.

Why is the DPO role so important?

As companies search for new ways to understand their customers, manage their businesses and monetise their data assets, a DPO can play a central role to help realise these opportunities, including the safeguarding of existing data assets and enhancing and protecting corporate reputation. Unfortunately, the reverse is also true, and failure to focus on data privacy issues and allocate resources can have catastrophic consequences.

Why do businesses need a DPO?

The DPO’s tools of the trade generally fall into three buckets: policies and processes; people; and technology. Policies are the rule book; they describe the company’s approach to data protection, and set out the guidelines and rules that staff are expected to follow. Processes include specific tools that help the company, and the DPO, to identify and calibrate privacy risk.

People are key in implementing the company’s data privacy rule book. Training and awareness-raising are essential to implementing a privacy programme and building a corporate privacy culture.

>See also: The digital age is killing privacy – but does anybody actually care?

Staff need to know what the baseline legal requirements are, what the company’s approach is, and why the company thinks data protection is important. The DPO plays a key role in raising awareness and rolling out training.

Technology refers to systems and automated controls. The DPO needs to work with companies’ IT and information security functions to ensure that systems operate in a privacy-compliant way, and that data security is ensured.

Sourced from Bridget Treacy, partner at Hunton & Williams

Related:

Data encryption: what can enterprises learn from consumer tech? — Siamak Nazari, CEO of Nebulon, discusses the data encryption lessons that enterprises can learn from consumer tech.

High-tech legislation through self-regulation — Denas Grybauskas, head of legal at Oxylabs, discusses the important role that self-regulation can play in high-tech legislation.

The role of organisational culture in data privacy and transparency https://www.information-age.com/role-organisational-culture-data-privacy-transparency-15756/ Mon, 12 Sep 2022 07:45:00 +0000 https://s42137.p1364.sites.pressdns.com/role-organisational-culture-data-privacy-transparency-15756/ By Editor's Choice on Information Age - Insight and Analysis for the CTO

Rachel Aldighieri, MD of the Data & Marketing Association, discusses the need to target organisational culture when addressing data privacy and transparency.


In an era of mass personalisation and technological innovation, organisations increasingly need to make consideration of the way they use consumer data a part of their organisational culture.

Since the GDPR’s inception back in May 2018, there have been some encouraging findings (as I have discussed before) indicating that consumers are increasingly willing to share their data in exchange for personalised services and improved experiences. In addition, marketers are more confident about their reputation in the eyes of consumers.

However, there is still a long way to go to improve consumer trust in marketing and highlight how data can be used as a force for good. Recent Adobe research reveals that over 75 per cent of UK consumers are concerned about how companies use their data.

What’s more, an ICO report found that when consumers were asked if they trust brands with their data, little over a quarter (28 per cent) agreed. This proportion must be much larger if businesses are to truly thrive in the digital age.

With technologies such as machine learning having a transformative impact on business, there is little doubt that, as they continue to evolve, the data sets they rely on will be key to a competitive advantage.

>See also: What does data utopia look like? – Now, more than ever, the issue of data and how it's controlled is at the forefront of the national agenda, as large-scale data breaches hit the headlines on a near weekly basis – the likes of Marriott, BA and Equifax to name a few.

As we navigate through the data revolution, there is a growing requirement for businesses to not only reassure consumers that they have the infrastructure in place to protect their data, but also consider the ethical implications of the decisions they make with people’s data.

We must stop playing ‘catch up’ with technology

The Data & Marketing Association (DMA), as well as many other organisations, have found that responsible and innovative data use can build consumer trust, promote sustainable relationships and a willingness to share insights – creating better opportunities for both the business and the customer.

Transparency and governance over customer data use have become business-critical issues and if organisations are to increase digital users’ engagement and support, in order to continue benefiting from free-flowing access to customer data, regulation must stop being treated as a last resort measure.

'Data hoarding', substandard data protection protocols and overly complex data privacy and cookie notices could start to alienate consumers if we don't get to the root of the problem and change organisational culture.

Issues around the value of data and ownership continue to come under immense scrutiny, and so transparency over how data is handled and safeguards protecting privacy are integral factors in ensuring ‘data-savvy’ consumers agree to share this data with organisations.

SMBs are not fully aware of their GDPR obligations – but many consumers are

Something that has come to light, is that transparency does not necessarily mean clarity.

The GDPR has led to increased scrutiny of data privacy statements and cookies, although it is clear that many businesses and users do not understand what this means for them.

>See also: How have companies adapted to the GDPR? – Mark Thompson, global privacy lead at KPMG, discusses how companies of various sizes have adapted to the GDPR.

According to a consumer privacy survey conducted by Cisco, 83 per cent of ‘privacy actives’ read privacy policies (‘privacy actives’ comprise 32 per cent of the total respondents). These are defined as users who care about their personal data, they care about the data of other members of society, and they want more control over how their data is being used. Of this group, 80 per cent also said they are willing to act to protect it.

Based on the survey, privacy actives tend to be younger, more affluent, and shop more online — a segment of the population that is especially attractive to most companies.

Among these respondents, nearly half (48 per cent) indicated they had already switched companies or providers because of their data policies or data sharing practices.

The survey also found that the average UK consumer also demonstrates the highest awareness of the GDPR out of all the countries surveyed.

The notion of consent isn't without its complications. Typical privacy policies stating, "By using this site, you agree to our updated Privacy Policy and Terms of Use," can be unclear to the average reader. A detailed privacy policy or terms of use page may be well-intentioned, but deciphering it all is extremely time-consuming and often confusing.

Rather alarmingly, 38 per cent of small to medium-sized businesses (SMBs) believe that the GDPR does not apply to customer data they may come into contact with, according to DMA’s ‘SMBs and GDPR’ data.

In addition, a near-fifth of SMBs (18 per cent) feel the impact of the GDPR has been negative, which is around four times the number seen in previous research of the entire data and marketing industry, including large organisations and multinationals.

The issue that many businesses and governments are having is that technology moves at a much more unpredictable and rapid rate than any legislature can. This is having a significant impact on many businesses, especially those who do not have the time, finance and resources to become experts in this field.

There are also ongoing questions surrounding the level of transparency organisations must display to consumers – without overburdening them with information, that still needs to be addressed.

We also must ensure a balance is struck for information sharing to make it effective and productive for consumers and businesses.

Consumers must have clarity when it comes to organisations communicating why data is needed, where it is being used and what this is telling the business about their personal preferences.

Building a responsible, innovative and effective data culture

Create a new belief system within your organisation and sustainable future for your business by promoting responsible, innovative marketing as a driver for growth.

Place value on the individual, whether that be a customer or an employee. We can go some way to achieving this by humanising the way we process and manage data.

Machine learning, artificial intelligence (AI) and algorithms are not perfect. To this end, it is essential that humans and machines work together, utilising our respective strengths.

>See also: Fighting AI bias and where it comes from – Cognizant's Poornima Ramaswamy considers fighting AI bias. "We must teach AI to reject bias," she says.

For example, modern diagnostic processes for breast cancer incorporate a hybrid concept. Diagnostic systems will help narrow down ‘at risk’ tissue for human consultants to then focus their attention.

In addition, when these new technologies are driven by inaccurate data insights and incorrect user profiling techniques, it could lead to the customer losing out on opportunities or even infringing on their consumer rights.

If we elevate the human component of information sharing, we can help change peoples’ perceptions of data. Data managed by humans for humans, aided by machine intelligence.

Taking this one step further, we should start promoting data as a force for good, governed by principles, ethics and a framework that places the customer at its core.

What can we do to achieve this?

To keep pace with technology and the proliferation of data, organisations can use an ethical framework as guidance of how they should interact with their customers, going above and beyond the demands of the GDPR and any future legislation.

There are multiple codes of conduct already available, including the DMA Code, the Advertising Association's Supplier Code of Conduct, and the ICO's upcoming Direct Marketing code of practice.

Privacy by design advocates call for privacy to be considered across all business practices. This concept is an example of embedding data values into organisational culture – for example, by taking human values into account from a strategy’s inception, all the way through to implementation.

>See also: Successful human-machine collaboration needs a collaborative culture – Stuart Templeton, head of UK at Slack, advocates a collaborative culture in the workplace when it comes to human-machine collaboration.

A great number of organisations, think tanks and policy forums are joining the DMA in shaping the legislative conversation, too. Within parliament itself, all-party parliamentary groups (APPGs) and parliamentary committees will play a crucial role in getting the right stakeholders into a room to work towards this end.

The APPG on Data Analytics, chaired by Daniel Zeichner MP, discusses, among other things, what data and tech means to the data and marketing industry, and wider society. Similarly, the DCMS Committee looks to take on one of the largest tasks in the digital age – defining what is and isn’t a ‘harm’ in the online space.

Government must work alongside the data and marketing industry, as well as leading tech organisations such as Google, Amazon, Facebook and Apple, to ensure the value of data is universal, not subject to an individual company's policies.

This will help build on the principles of the GDPR and ensure that transparency doesn’t become a burden – we need to give clarity to consumers when we communicate with them.

We must become more people-centric and change organisational culture, as an industry, to build consumer trust and strive for better business outcomes.

Organisations that rely on technology to innovate or wait for legislation to dictate their business practices, could lose that competitive edge that comes with a proactive, customer-driven approach: privacy by design – building better outcomes for your business, and most importantly, your customers.

Written by Rachel Aldighieri, managing director of the Data & Marketing Association (DMA)

Related:

A guide to IT governance, risk and compliance — Information Age presents your complete business guide to IT governance, risk and compliance.

Tech leader profile: how the CMA uses data to protect us — The CMA is the consumer champion when it comes to digital. Yet its work also extends to tech business mergers, investigating algorithms and, increasingly, how Web 3.0 will affect all of us.

Full confidence in anti-money laundering procedures yet to be reached https://www.information-age.com/full-confidence-in-anti-money-laundering-procedures-yet-to-be-reached-20167/ Tue, 06 Sep 2022 08:00:00 +0000 https://s42137.p1364.sites.pressdns.com/full-confidence-in-anti-money-laundering-procedures-yet-to-be-reached-20167/ By Aaron Hurst on Information Age - Insight and Analysis for the CTO


First AML research has found that over half (57 per cent) of UK financial services professionals are only 'somewhat confident' in their anti-money laundering procedures.

The survey conducted by anti-money laundering experts First AML found that 52 per cent of respondents cited an instance of money laundering in the last year, with 23 per cent identifying more than one case.

Though anti-money laundering is moving up the company agenda at almost three quarters (73 per cent) of financial services companies, an array of external risks are proving challenging in the sector, namely:

  • the crisis in Ukraine and people trafficking (64 per cent);
  • the increased focus on customer transparency and ethical customer onboarding (62 per cent);
  • the increased risk of fines (51 per cent).

Many financial services companies were also found to be facing process and compliance challenges.

The top two anti-money laundering weaknesses were identified as document collection for individuals and companies — such as passports and share registers (27 per cent), and staff training on the latest requirements (29 per cent).

Intensifying the battle against money laundering is the expected recession, concerns around which are leading to almost a quarter (23 per cent) of respondents considering cutting AML compliance budgets.

When asked for their reasons to take AML compliance seriously, the growth of unethical business practices was cited the most (32 per cent) followed by abhorrent crimes (e.g. people or drug trafficking, arms dealing, and terrorism funding), at 26 per cent.

“Robust document collection processes and being up to date with the latest anti-money laundering regulations are essential for compliance in this area. So it’s shocking that AML budgets are being cut,” said Simon Luke, UK country manager at First AML.

“Without the right processes in place, companies are not only at risk of fines, but also of letting dirty money pass through their organisations.

“Although financial services companies need to protect margins and ensure that they are maximising returns for investors, it’s surprising that this comes at the expense of doing the right thing.

“When respondents were asked their biggest challenges around working in the financial services sector, ‘keeping up with regulations’ was the highest at 61 per cent. Businesses are under a lot of pressure, but cutting anti-money laundering budgets isn’t the answer.”

200 financial services professionals across the UK were surveyed by First AML for its study.

Related:

Bank IT compliance: how financial services can stay compliant with regulations — Exploring strategies that can help organisations stay on the right side of the law, meeting regulations and industry-adopted standards.

Using AI to fight money laundering — Martin Rehak, founder and CEO of Resistant AI, discusses how artificial intelligence (AI) can lend itself towards the fight against money laundering.

Tech leader profile: how the CMA uses data to protect us https://www.information-age.com/tech-leader-profile-how-the-cma-uses-data-to-protect-us-19957/ Fri, 10 Jun 2022 11:25:22 +0000 https://s42137.p1364.sites.pressdns.com/tech-leader-profile-how-the-cma-uses-data-to-protect-us-19957/ By Tim Adler on Information Age - Insight and Analysis for the CTO


Most consumers are unaware of how they are being manipulated when they buy things online, whether that’s skewed results on search or opaque pricing. The CMA is the consumer champion when it comes to digital. Yet its work also extends to tech business mergers, investigating algorithms and, increasingly, how Web 3.0 will affect all of us.

Stefan Hunt joined the Competition and Markets Authority (CMA) as chief data and technology insight officer back in 2018 to better understand the impact that data, machine learning and other algorithms have on markets and people.

His DaTA team of nearly 50 data scientists and engineers help the competition and consumer regulator decide when tech firms are treating digital customers unfairly. It’s not an organisation without teeth: last October Facebook was fined £51m for breaching an order imposed by the CMA during its investigation into Facebook’s purchase of Giphy.

Information Age sat down with Stefan to better understand how the CMA uses data when investigating market distortion, whether that is skewed search results, whether a planned merger such as the one between chip designer ARM and Nvidia (subsequently called off) would actually hurt the market, or the manipulation of consumers through digital advertising and pricing.

What is the role of the CMA chief data officer? And why was the data team set up back in 2018?

Our CEO and the executive team appreciated how firms had a much better grip on technology than the CMA did. This was an area we needed to improve.

Our first area of expertise is dealing with consumer challenges in digital markets. Right now we’re dealing with Google on their Google privacy sandbox, which is how they’re getting rid of third-party cookies. Another one is our fake and misleading online reviews case. Or maybe it might be a merger case.

Ultimately, there are going to be a bunch of remedies or undertakings that are going to get quite specific and quite technical. At the start of a case, it's just trying to understand how firms operate internally. It's really useful to have people with a data and technology background to know what questions to ask. And that just enables the CMA to deal better with challenges in markets.

So these are all dealing with challenges in markets. Oftentimes, firms may or may not want us to get involved, but we think there’s a problem in the market. And we think we need to solve that problem.

So your north star is the consumer and how the consumer is impacted?

Yes. Now that can often be through competition.

Could you describe the different functions of the CMA’s DaTA unit?

There are actually five things that the team does.

The first thing we do is provide expert data and technology advice for different cases. So we mentioned the Google privacy sandbox and fake and misleading online reviews. Another really good example is the Meta/Giphy merger, where we’ve decided that there’s a number of really important ways that the market could be harmed. And that was a case where one of our talented data scientists got involved. And he really tried to understand how Giphy deals with data and how Meta could use that data. The second thing that we do is data acquisition and data science. So we’re dealing with sort of getting in big data, handling it and doing analysis on it.

Another good example is the digital advertising market study we published in July 2020. In order to really understand what was going on in search, we got one week of all Google searches in the UK and one week’s worth of all searches on Bing, which is the second biggest search engine in the UK. And then we were able to match across Google and Bing and understand the kind of data advantages that Google had. And that was some really important cutting-edge analysis.

But the CMA wouldn’t have been able to do that without our data team. We’re also building any data we’re using repeatedly into data pipelines, so that we can actually do things more efficiently there. We’re doing some scraping as well. So that makes sure that we’re just really informed as an agency.

The third thing that we do is data-driven tool development. That’s in our internal digital transformation bucket. We built what we call our evidence submission portal for firms, for when it comes to a merger case, where sometimes we might have to get millions of documents. For instance, in the ARM/Nvidia merger case, we took in seven million documents. And we built something that automatically accepts those documents, checks they are all in the right format and that they haven’t been submitted incorrectly, and if they have, it rejects them. It used to take four days in a merger case just to upload documents. We’ve got that down to one day.

The fourth thing is behavioural science. Our mobile ecosystems and digital advertising market studies used it a lot. But we also did a whole load of work on auto renewals and subscription traps, really understanding how inflation was being presented to consumers.

Our fifth and last thing is research horizon scanning and case pipeline development. We did a lot of work about algorithms for the Digital Regulation Cooperation Forum (DRCF). We also did an algorithms paper in January last year. And we just came out with a bunch of work on online choice architecture.

Those are the five things that we do.

How does this affect business? We’re building our capability in cases to really help the CMA better understand firms and asking more probing questions. We’re building up our capability to just be informed through data.

In terms of business sectors under most scrutiny, sustainability is an issue, as has been the cost of living crisis.

What are the areas or issues that the CMA is most concerned about when it comes to data and digital? Is it privacy or is it data misuse?

One of the concerns for firms of all sizes – from larger firms through to smaller firms as well – are things that firms may be doing intentionally or otherwise, maybe leading consumers to make choices which aren’t in the consumers’ best interests. So that’s something where we’re thinking quite a bit about at the moment, especially in the context of the cost of living crisis. We’re looking at drip pricing. Anything we can do that will decrease what consumers are having to spend at the moment is obviously going to be a positive.

And I mentioned online choice architecture work, which is obviously digitally focused, sometimes at small firms.

We certainly have a watching brief on algorithms and ticket pricing algorithms and firms’ uses of algorithms. We pay quite a bit of attention to that. If we see things that we are sufficiently concerned about, we will take it forward.

You investigate data from big tech firms such as Google and Meta. Basically, you’re asking to poke around the crown jewels. How responsive or helpful are they or do they say, that’s none of your business?

We have quite strong information gathering powers. So they can’t just say no. Meta got a £50 million fine from us when they refused to do a bunch of things. Firms vary a lot in their strategies for regulatory engagement.

What challenges does Web 3.0 hold from a consumer champion point of view?

It’s not the case that Web 3.0 is just allowing everything to be completely decentralised.

One of the issues is with smart contracts and that only the parties to the contract actually see details of the contract, which could enhance cartels. The perception is that Web 3.0 is all about decentralisation but in fact centralisation tends to go in different areas. Let’s say, you’ve got a digital wallet. You’re almost certainly not going to be someone who holds a primary copy of the distributed ledger. You’re going to have your own digital wallet that needs to be protected. There’s a bunch of firms that provide that to you. But those firms that offer that digital wallet protection are quite concentrated.

Tech is so fast moving and changes so quickly. As a watchdog, aren’t you always playing catch up?

We are very focused on being very pro innovation. Large firms that buy up smaller companies may actually stifle innovation, which is going to be bad for consumers.

Or when it comes to mergers, we ask what is the effect on innovation if we allow two firms to merge? As an agency, we can get involved in markets we can make innovation better. Not through innovating ourselves, but by making sure market structures exist.

Our mission ultimately is about making things work better for UK citizens and that’s a really motivating thing.

Do you think that consumers are aware of how their digital experience, whether it’s search or what they buy, can be manipulated?

No. Vague awareness, but not when it comes to the individual purchasing decisions they make when buying online. Look, I’ve spent years understanding behavioural psychology, both professionally and in detail over the past 10 years, plus I’ve been thinking about it more broadly for the past 25 years, and even I’m not fully aware of how I’m being manipulated online. Yes, people have a vague awareness, which contributes to a lack of trust in markets and a sense that firms push and pull the rug out from under them. That’s why we’re doing online choice architecture work. Our work is partly to help consumers have more faith in markets.

What’s the one thing the CMA would like to get across to CTOs, maybe not the Facebooks or Googles, but the next level down, the unicorns or the soonicorns?

We would really welcome engaging with you to the extent that we can in cases going forward.


The post Tech leader profile: how the CMA uses data to protect us appeared first on Information Age.

High-tech legislation through self-regulation https://www.information-age.com/high-tech-legislation-through-self-regulation-19931/ Tue, 31 May 2022 13:17:05 +0000 https://s42137.p1364.sites.pressdns.com/high-tech-legislation-through-self-regulation-19931/ By Editor's Choice on Information Age - Insight and Analysis for the CTO

Denas Grybauskas, head of legal at Oxylabs, discusses the important role that self-regulation can play in high-tech legislation.


A quick glance over our technological, scientific, and productive history over the past few decades shows a trend towards increasing specialisation. Getting into an area and becoming a true expert in it takes considerably more time than it did several decades or centuries ago.

Business, while progressing slower towards the same trend, is still experiencing something similar. Explaining in-depth technical concepts with sufficient detail and nuance to a layman is becoming more troublesome. Machine learning is one such example – frequently used, but scarcely understood by people outside the technical world.

Unfortunately, legislators cannot be experts in every field, but there seems to be an implicit request that they be so. After all, how can we enact fair and just laws or even principles without a proper understanding of the topics at hand?

The challenge of technological progress

Practical applications of technological progress usually encompass several distinct things into one. Web scraping, for example, is reliant on a multitude of advancements in computing, starting from the obvious ones such as internet connection speeds and ending with slightly less evident ones such as proxies.

Fortunately, current iterations of web scraping are still relatively uncomplicated and can be, with some effort, explained to laymen. It is advancing at a restless pace, though, as machine learning and artificial intelligence solutions begin to be included in the process.

My issue isn’t that things are getting more complicated over time. My issue is that our ability to explain those things isn’t getting much better at the same time. As a result, technology is slowly “running away” from laymen. Some of those laymen are legislators.

A simple solution to the problem might seem apparent: have legislators seek counsel from experts and advisors for anything complicated. Legislators sometimes do this both at EU and US institutions. I celebrate such an approach, but by (partly) solving our current issue, it still raises a few questions.

One of them should be a question of the identity of the experts. There is certainly a risk that they might be representing only the positions and ideals of the largest corporations, which can sometimes resemble large bureaucracies.

The other issue, which I have already touched on and will continue expanding upon, is timeliness. Each consultation, meeting, and explanation takes time and money, slowing down an already, presumably, sluggish process even further.

Explaining complex topics and drafting suitable legislation takes time. For example, the famous EU General Data Protection Regulation (GDPR) took over four years to be adopted from the moment the first preparatory texts were proposed by the European Commission. It’s a process that cannot be rushed, as the livelihood of uncountably many people depends on it. One piece of legislation can influence our understanding of justice for decades to come.

Slow and steady

I don’t contest the necessity of having experts on hand. In fact, I think quite the opposite – it’s one of the most important features of the legislative process in the current year.

In Lithuania, numerous institutions take advice from businesses, CEOs, and experts. Such a process results in better — that is, less oppressive and more accurate — laws. We can’t deny, though, that it does slow down an already sluggish process. However, as long as the institutions truly listen to the advice of the said people that actually sit at the front lines of innovation, the slowness might be justified.

But the train of progress chugs on regardless. Naturally, new industries develop with technologies previously unseen, and these can get quite large before any legislation is enacted. I think you may know better than me about how much technology changed in, say, the last four years. In the end, a “lag” becomes apparent as businesses rush forwards while the law attempts to catch up.

Our industry is the perfect example of such an occurrence. No direct legislation on web scraping has been published. We can closely follow case law, but what are the judges to do?

In industries where no direct legislation exists, judges have to rely on a multitude of secondary factors, putting additional strain on them. In some cases, they might be left only with the general principles of law.

In web scraping, data protection laws, e.g. GDPR, became the go-to area for related cases. Many of them have been decided on the basis of these regulations and rightfully so. But scraping is much more than just data protection.

Case law, mostly from the US, has in turn been used as one of the fundamental parts that have directed the way for our current understanding of the legal intricacies of web scraping. Although, regretfully, that direction isn’t set in stone.

Yet, using such indirect laws and practices to regulate an industry, even with the best intentions, can lead to unsatisfying outcomes. A majority of the publicly accessible data is being held by specific companies, particularly social media websites.

Social media companies and other data giants will do everything in their power to protect the data they hold. Unfortunately, they might sometimes go too far when protecting personal data. Instead of truly empowering users with the ability to control their data, they sometimes might overuse data protection laws to keep it all for themselves.

Self-regulation

It would be fair, I think, to assume that most businesses will pursue what is in their best interests as long as it’s legal. There are more cases like web scraping, where industries, at least in part, exist outside of regulation (not necessarily against it) and rely on the goodwill of businesses.

Self-regulation, then, is the temporary solution to these issues while businesses wait for legislation to catch up. There have been remarkably successful cases of self-regulation such as the American Bar Association and The International Council for Ad Self-Regulation (ICAS).

High-tech industries, however, have not only the perfect opportunity for such an approach, but some benefits as well. A lot of developments in these sectors, web scraping included, can be used for the public good. They, however, are rarely used by the public, by governments, or by journalists due to the lack of regulation.

Companies, engaging in self-regulation, show goodwill towards the rest of the world. Actions like this show willingness to share the beneficial side of high-level technology while restricting possible misuse. Those who are interested in fairness in the proxy and web scraping industry should stay tuned to further action.

Written by Denas Grybauskas, head of legal at Oxylabs

The best IT compliance tools for your business https://www.information-age.com/best-it-compliance-tools-for-your-business-19883/ Tue, 24 May 2022 15:05:00 +0000 https://s42137.p1364.sites.pressdns.com/best-it-compliance-tools-for-your-business-19883/ By Antony Savvas on Information Age - Insight and Analysis for the CTO

Antony Savvas looks at some of the best IT compliance tools and methods that are suitable for all types of business.


Payments

Any organisation that takes debit or credit card payments from customers is responsible for safeguarding the sensitive data. “The reason being is that firms that process card payments are considered ‘in scope’ to comply with the PCI DSS [Payment Card Industry Data Security Standard], regardless of the size of the organisation or the volume of transactions processed,” says Geoff Forsyth, chief information security officer at PCI Pal, a secure payments systems specialist.

There is a lot of risk in an organisation’s contact centre, as call recordings, for instance, might be legally required to meet financial rules, but may contain payment card data which creates a security vulnerability.

A PCI-compliant solution is therefore essential. Customers should instead provide card data via their telephone keypad, which produces audio tones – Dual Tone Multi Frequency (DTMF). These are collected and suppressed prior to entering the contact centre, meaning no one in the organisation will hear or see the payment information, which is captured anonymously.

While the call is still recorded for compliance purposes, the card data itself is not recorded, meaning there’s no payment data to steal, even if a malicious perpetrator manages to break into the network. Instead, the information is passed to the payment provider for processing and no sensitive data is stored in the organisation’s IT environment.
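To make the DTMF suppression flow concrete, here is an added simulation (not PCI Pal's product and not code from the article): keypad tones are diverted to a hypothetical payment-provider tokenisation stub and replaced in the call recording with a marker, so the recording never holds a card number. The call events, the Luhn pre-check and the provider stub are all constructed for the example.

```python
# Added illustration of DTMF suppression for a PCI DSS-scoped contact centre.
# Everything here is constructed for the example; the payment provider API is
# a hypothetical stand-in, not any real vendor's interface.
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str     # "speech" (anything audible to the agent) or "dtmf" (a keypad tone)
    payload: str  # transcript text for speech; the key pressed for dtmf


def luhn_valid(pan: str) -> bool:
    """Luhn check so a mistyped card number is rejected before tokenisation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def payment_provider_tokenise(pan: str) -> str:
    """Hypothetical stand-in for the payment provider's tokenisation API.

    Only the token ever flows back into the contact centre, so a compromise of
    the centre's systems or recordings yields nothing chargeable.
    """
    return "tok_" + hashlib.sha256(pan.encode()).hexdigest()[:12]


def process_call(events):
    """Suppress DTMF before it reaches the recording; forward digits to the provider.

    Returns (recording_lines, result). result is None if no valid card number was
    submitted, otherwise a dict holding only the token and the last four digits.
    """
    recording = []
    digits = []
    result = None
    for ev in events:
        if ev.kind == "speech":
            recording.append(ev.payload)
        elif ev.kind == "dtmf" and ev.payload.isdigit():
            digits.append(ev.payload)           # captured, deliberately not recorded
        elif ev.kind == "dtmf" and ev.payload == "*":
            digits = []                         # customer cleared the entry
            recording.append("[DTMF ENTRY CLEARED]")
        elif ev.kind == "dtmf" and ev.payload == "#":
            pan, digits = "".join(digits), []   # terminator: submit what was keyed
            if 13 <= len(pan) <= 19 and luhn_valid(pan):
                result = {"token": payment_provider_tokenise(pan), "last4": pan[-4:]}
                recording.append(f"[CARD NUMBER SUPPRESSED; token {result['token']}]")
            else:
                recording.append("[CARD NUMBER SUPPRESSED; invalid entry rejected]")
    return recording, result


def contains_pan(text: str) -> bool:
    """Scope check: a recording must contain no 13-19 digit run."""
    return re.search(r"\d{13,19}", text) is not None


# Constructed sample call using the well-known Visa test number 4111111111111111
# (a test value, not a real card).
SAMPLE_CALL = [
    Event("speech", "Agent: please key in your card number, then press hash."),
    *[Event("dtmf", d) for d in "4111111111111111"],
    Event("dtmf", "#"),
    Event("speech", "Agent: thank you, the payment has gone through."),
]

if __name__ == "__main__":
    lines, outcome = process_call(SAMPLE_CALL)
    print("\n".join(lines))
    print("agent sees:", outcome)
```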


GRC

In order to stay compliant, the key is to have effective communication across business lines and to keep appropriate documentation of your security and financial controls. It is best to find the most stringent standards applicable to your industry and begin to take steps to comply with those standards. That way, if new standards come into play, whether through expansion or acquisition, for instance, you are geared to comply with new requirements.

It is equally as important to have some sort of methodology for auditing and verifying that you have all the necessary controls in place.

“The only way to manage any sort of compliance program at scale is to leverage a governance, risk and compliance (GRC) tool, and I suggest IT compliance teams look for a tool that works well for their business, and not just buy features for the sake of having them,” says Lecio De Paula, VP for data protection at security awareness training firm KnowBe4. “Complexity is the enemy of scale, so it is important to look for simple tools that meet your exact business needs.”

GDPR

The General Data Protection Regulation (GDPR) drove strict data compliance regulations for businesses to follow, with various tools now available to help firms comply.

Richard Mabey, co-founder of business contract automation firm Juro, picked two key ones.

Egnyte provides GDPR compliance by locating and securing the personally identifiable information of EU residents stored on-premise or in the cloud.

“And TrustArc enables organisations to plan and implement GDPR compliance,” says Mabey. “Key GDPR capabilities include monitoring, regulator-ready reporting, communicating compliance and demonstrating records of processing.”

Know your customer

“Know your customer [KYC] is the cornerstone of compliance, as it enables organisations to improve their ability to monitor transactions and investigate fraud or credit risk, and must be a key focus from the get-go,” says Delphine Masquelier, KYC solution manager at Quantexa, a data analytics company which provides solutions to the finance industry.

“The problem is that in many organisations too much of this is done in silos, leading to an abundance of incomprehensible data.”

To enable a more intelligent way of staying compliant and driving effective and efficient KYC processes, while staying in tight control of finances, businesses must use contextual methods of collecting and making sense of data.

Contextual decision intelligence (CDI) technology tackles how real risk often hides within indirect connections, and transactional behaviour with other entities and organisations in the network.


Process, technology and people

“With emerging unknown cyber threats posing a significant risk to operational resilience, companies should focus on three key areas in order to reduce risk, deliver an uninterrupted service to customers and stay compliant with regulations,” says Pete Bowers, COO at managed security services provider NormCyber.

“Firstly, a combination of process certifications and best practices can prevent around 80 per cent of cyber attacks,” Bowers says.

Widely-used security certifications include ISO27001 and the UK National Cyber Security Centre’s two comprehensive certifications, Cyber Essentials and Cyber Essentials Plus, which focus on five key controls: firewalls, secure configuration, user access, malware protection and patch management.

“Secondly, investment in technology is key to minimising risk and increasing resilience, but simply investing in tools that feed security operation centres [SOCs] will not be enough without the capacity and skills required to manage these technologies,” says Bowers. If you can’t afford to operate a SOC, an alternative is to use an external one managed by experts.

Lastly, all technologies and processes are only as effective as the people who use them, says Bowers. In a 2021 UK government survey, it was revealed that of the businesses that had experienced a data breach, 83 per cent said it was due to a phishing attack.

With cyber criminals clearly preying on human error, it’s important that organisations regularly carry out cyber security awareness training and simulated phishing attempts among staff and track the effectiveness of their security controls.

ZTNA

Various zero trust network access (ZTNA) systems proactively make sure users only get access to the applications and parts of the network they actually need to do their jobs. So if malware does leak into the network, its damage can be restricted and better controlled.

ZTNA technology is primed to locate, manage and quarantine threats like ransomware, curtailing widespread damage to firms’ networks, servers and databases.

A zero trust approach assumes that every IT user, gadget and data packet on the network is a potential threat, and essentially interrogates them all before allowing them to pass through the network with the right credentials.

Through automation, orchestration and machine learning, ZTNA technology easily allows companies to provide user access tied to “micro-segmentation” – parts of the network, apps and databases portioned off to specific users. Such segmentation enables organisations to restrict lateral access through their networks, reduce the attack surface shown to attackers, and effectively quarantine threats like ransomware.

By doing this, firms can protect data in other parts of the network, and they will have more time to mitigate the malware that has already breached their systems.

By being able to demonstrate the efforts they have made to prevent or reduce the effect of data breaches through using ZTNA, organisations can help avoid large data breach fines.

Bank IT compliance: how financial services can stay compliant with regulations https://www.information-age.com/bank-it-compliance-how-financial-services-can-stay-compliant-with-regulations-19885/ Tue, 24 May 2022 14:58:26 +0000 https://s42137.p1364.sites.pressdns.com/bank-it-compliance-how-financial-services-can-stay-compliant-with-regulations-19885/ By Antony Savvas on Information Age - Insight and Analysis for the CTO

Financial services compliance is a big area. Antony Savvas looks at strategies that can help organisations stay on the right side of the law, meeting regulations and industry-adopted standards.


Payments

Prajit Nanu, CEO of B2B payments platform Nium, says it’s in everybody’s interest that payment transactions are as frictionless as possible, but many commonly used payment systems carry unnecessary layers of complexity, including when ensuring regulations and compliance.

He says automation can help to resolve lags arising from risk and compliance checks, which can be a time-consuming and labour-intensive process, particularly for those dealing with cross region, cross country checks. An automated payment platform appropriately integrated with other business software can perform these checks much more seamlessly.

Nanu says: “Digital tools, such as individualised transaction profiles, coupled with the output of machine learning processes, will be able to offer real-time solutions which significantly reduce the time required for risk and compliance checks, while still allowing effective identity verification and fraud detection checks.”


Standardisation

Leo Labeis, CEO at coding platform REGnosys, says: “Regulatory reporting has long been a challenge for financial institutions, as the sector has historically struggled with standardisation, meaning firms are often forced to contend with fragmented and ambiguous reporting requirements across jurisdictions – adding cost and risk.

“The delay to the rewrite of the US Commodity Futures Trading Commission [CFTC] from May to December 2022, itself following the delayed technical standards publication, illustrates just how much work is involved for firms to comply.”

Crucially, however, the new CFTC Rewrite deadline allows time for financial institutions to review their regulatory reporting practices and adopt more efficient processes to data management. Technology-driven initiatives, such as ISDA’s (International Swaps and Derivatives Association) Digital Regulatory Reporting (DRR), will play a central role in this transition, offering firms the chance to build an open source, standardised and machine-executable interpretation of the rules.

DRR should streamline post-trade operations and help firms adapt to upcoming regulatory deadlines.

Embedded

“Successful compliance must be embedded into sales and service processes, and this starts with a mindset that’s trained into your staff and ends with both automated and manual compliance checks, that protect the customer, the bank and support staff,” says Steve Morgan, global banking business lead at Pegasystems. “To embed compliance into any process, such as onboarding/KYC [know your customer], lending or transaction monitoring, requires technology that can, for example, run simple online checks for identification for account opening or tap into large volumes of data for fraud or sanctions checking.”

It also needs to be able to send any exceptions to someone for a human touch to intervene, providing them with all the relevant information to easily resolve and track. When regulations change, then processes need to adapt, and again technology plus training enablement should be easily adjusted.

“Not adapting fast and easy to regulatory change is where banks can slip up, drop into manual interventions and inadvertent non-compliant behaviours,” adds Morgan.

To keep pace with regulatory change easily, banks should be leaning into low-code workflow automation with predictive and adaptive models, so that compliance is easily integrated.

As-a-service

A “regulation as-a-service” approach will become the new normal, to the “relief” of banks and financial institutions, as they will no longer need to deal with managing software implementation, says Pedro Porfirio, global head of treasury and capital markets at financial software provider Finastra.

Currently, many banking and treasury management systems, and the regulatory reporting solutions that sit alongside them, are working as independent data silos, making it difficult to consolidate data. APIs and data lakes, on the other hand, provide a single access point to multiple sources of data, providing visibility front-to-back to reduce risk and ensure compliance, through real-time reporting.

Porfirio says financial institutions will share all relevant data securely through the cloud with selected ecosystem partners, for processing in “full compliance” with regulations across all relevant jurisdictions.

Know your customer, anti-money laundering (AML) and sanction-screening requirements are all examples of services that can be provided in this way, he says, as well as “risk as-a-service” type offerings for handling the necessary risk calculations in relation to the industry’s Fundamental Review of the Trading Book (FRTB).

“Enhanced data management lies at the heart of regulation as-a-service. The use of artificial intelligence and machine learning, supported by cloud and digitalisation, will connect to this readily available data, and will be key in ensuring compliance, helping to spot suspicious behaviour, potential fraud or other areas of risk,” Porfirio says.

Secure storage

“Banks need to be very careful about the types of cloud solutions they choose to adopt, and one way to stay compliant is to adopt private cloud storage solutions that are deployed entirely within the organisation firewall, and enable firms to comply with data residency requirements,” says Aron Brand, CTO of data storage firm CTERA. “Cloud solutions should also be required to use at-rest data encryption, and must integrate with the bank’s existing security infrastructure, including key management solutions utilising the KMIP protocol.”

In addition to data residency and encryption, banks need to consider other security factors when choosing a private cloud storage solution. It must provide granular controls over who has access to what data, and the auditing and logging capabilities should be comprehensive. Some modern storage solutions also offer AI-assisted, behaviour-based alerting that can detect threats before damage is done, and data classification tools that detect sensitive and regulated data, eliminating excessive data access.

Automation

“Intelligent automation [IA] has become vital not only for future competitiveness and differentiation in financial services, but also for maintaining compliance,” says Brian Halpin, SVP at AI software firm Blue Prism, and the former head of automation at HSBC. “By automating compliance processes, which typically include time-sensitive and intricate tasks, you can limit costly human error and also free up crucial staff time to be used on more fulfilling roles.”

Halpin says automation technologies support digital ecosystems that can “re-shape” how financial services are discovered, assessed, purchased and delivered. He cites one example. One of Europe’s oldest and largest banks, serving more than 10 million customers in multiple countries, realised major gains in service quality, speed-to-market and customer experience from its IA deployments.

More than 300 acquisitions had led to a complicated operating environment with no core banking system. IA enabled the bank to manage operations across legacy estates, using a combination of APIs and software bots to bridge systems and alleviate problems. The bank reckons it has achieved a 150 per cent improvement in overall efficiency from its automation and expects additional gains from process improvements in 2022.

Customer vulnerability

Organisations providing financial services to consumers are required by law to have a special protocol for identifying and interacting with vulnerable customers. Failure to do so can result in substantial penalties as well as reputational loss.

Darren Rushworth is president of NICE International, the international division of the UK National Institute for Health and Care Excellence. He says: “What’s startling is how many of us are classified as vulnerable. The Financial Conduct Authority classifies 27.7 million adults – 53 per cent of the UK population – as having some vulnerability, including poor health, low financial resilience and low capability. And just because someone is not deemed vulnerable today, it doesn’t mean they may not be tomorrow.”

Contact centres rely on their agents to identify vulnerable customers based on training. But it is difficult to pick up the subtle clues of vulnerability, because many consumers are not willing to admit, or are even unaware, that they classify as vulnerable.

Artificial intelligence, when correctly implemented in a financial services provider’s contact centre, can interpret consumer behaviour and consistently and accurately identify vulnerable customers during interactions, without manual effort. Machine learning identifies behavioural patterns in the data that would be inaccessible to humans.

“This results in organisations being able to comply with FCA regulations and deliver exceptional customer care,” says Rushworth.

Related:

How the regulation of big tech can affect your business — The UK’s pending Online Safety Bill and the EU’s Digital Services Act are designed for the regulation of big tech, but there is the issue of legal but harmful and unintended consequences that can affect your business.

How financial services companies are gaining value from cloud adoption — Ben Walker, partner and founder at Airwalk Reply, and Matt Mould, partner at Storm Reply, spoke to Information Age about how financial service organisations are gaining value from cloud adoption.

The role of data analytics in Fintech — This article will explore the role of data analytics in Fintech operations, as the disruptive innovation space continues to grow.

The post Bank IT compliance: how financial services can stay compliant with regulations appeared first on Information Age.

IT risk management best practices for organisations https://www.information-age.com/it-risk-management-best-practices-for-organisations-19889/ Tue, 24 May 2022 14:57:37 +0000 https://s42137.p1364.sites.pressdns.com/it-risk-management-best-practices-for-organisations-19889/ By Editor's Choice on Information Age - Insight and Analysis for the CTO

Dan Matthews identifies the IT risk management best practices that CTOs must implement to keep the organisation properly protected.


IT risk comes in many forms, from the generic to the specific, known and unknown. It is present in internal operations and in the ambitions of malign forces acting beyond national borders. With so much to consider, how can you manage IT risk without impinging on operational efficiency?

First, decision-makers must accept that IT risk is business risk, requiring a holistic strategy, and should not be left to tech departments to sort out, according to Tarquin Folliss, director of corporate affairs at Reliance acsn.

“Organisations fail to mitigate IT risk when they consider it in isolation and view it as a purely technical issue. IT departments are not security experts, yet many organisations hold their IT departments responsible for IT security.”


When we talk about risk, what we really mean is each organisation’s unique set of vulnerabilities. These loopholes are monitored, generically and specifically, by bad actors who would exploit them for financial or political gain, or occasionally just for clout.

The first step, then, is to understand centres of risk within your organisation. These evolve with tech advances and behavioural change, for example with the transition to hybrid working brought on by the Covid-19 pandemic.

“This has presented new challenges with expanded networks beyond the traditional office environment: no physical barriers or access controls, reduced VPN effectiveness, more endpoints and a greater attack surface to monitor,” says Folliss.

“Remote working distorts an IT security team’s ability to manage and control the network and introduces new threats and vulnerabilities – and thus new risk.”

So your analysis can’t be a one-off; rather, it must be a continuous, rigorous and honest programme of testing and assessment that gets to the heart of an organisation’s DNA, says Pascal Geenens, director of threat intelligence at Radware.

“This involves having people think like an attacker and test existing security controls against known vulnerabilities and attacks,” he says. “Given the dynamic nature of the infrastructure and the continuously changing threat landscape, a one-off red teaming or pen-testing exercise is not adequate. It should be a practice that is continuous, integrated in the existing controls, closely measured and reported on by management.”

This should be accompanied by organisation-wide cultural change that emphasises everyone’s role in maintaining integrity. Corporate-level spotlighting of data privacy and security, supported by non-tech executives at the top of the business, reduces the risk of head-slapping mistakes.

“Fostering a cyber security culture can present a stronger front against IT risks than any single policy or procedure, and will outlast individual turnover and isolated incidents,” says Erfan Shadabi, cyber security expert at comforte AG.

“Organisations can and should create a cyber security culture by weaving it through procedures and practices, engaging employees on the shared risk and the shared rewards and maintaining an active internal conversation.”

Incorporating software

Another pillar in the construction of a robust security set-up is incorporating software that protects against viruses, spyware and ransomware. This could be as simple as selecting operating systems with security built in, or restricting devices so that they can only run software from an approved enterprise app catalogue.

Here, your mission is complicated by personal or dual-use devices, particularly in hybrid or home-working scenarios, in which case anti-virus software may become part of your plans. In either case, evaluating your risk surface and covering weaknesses is a must.

“Not only do security tools significantly increase our resilience against cyber threats, they also free up our security teams to focus on the equally critical organisational dimension of compliant data processing,” says Scott Richardson, chief security officer at Crayon Group.

Zero days

But, even with the most rigorous controls, no organisation is invulnerable to digital threats, and a comprehensive security strategy must include protocols for what to do when a breach occurs.

So-called “zero days” – flaws that the IT team discovers only after the fact – are common, and bad actors are always looking for weak points to exploit before they are patched. This gives criminals a window of opportunity to freeze infrastructure for blackmail and extortion.

According to Geenens, organisations must respond to this unpleasant reality by rehearsing attacks through simulation, ensuring you can act efficiently and adequately in the event of a real breach.

He adds: “Visibility, in terms of logging and tracing, will allow an organisation to assess the damage and what or who was impacted by the breach. It will also allow an organisation to have greater confidence that all sources and compromised devices were remediated, and no further risk is lingering inside.

“In the case of ransomware attacks, having a good test recovery plan is a minimal requirement. Even in the case of paying off the attackers, parts of the servers and data might not be recoverable. You should not trust in the reversibility of the malicious actors’ actions.”

How to prevent a cyber event

Risk is something businesses – like individuals – must accept and live with.

Folliss believes that, in the absence of total security, organisations should focus on becoming resilient, with an emphasis on discovery, awareness, planning and preparation.

“Events or incidents, by their nature, occur outside an organisation’s control, in the physical world as well as cyber space,” he explains.

“But a cyber event has a velocity and scope far greater than a physical event. How rapidly and effectively an organisation responds to a cyber event is critical to minimising the impact. That only comes through preparation.”

He recommends organisations tick off the basic steps outlined by the National Cyber Security Centre (NCSC). These are seemingly obvious, but Folliss says he’s surprised how many organisations don’t adhere to them:

  • Have a robust password management policy in place and enforce it.
  • Manage patches efficiently.
  • Back up your data, preferably ‘air-gapped’ from your network.
  • Manage access and, where practical, initiate multi-factor authentication.
  • Plan for an incident, test it and practise it.

To this list, Geenens adds visibility through logging, measurability of security controls, and incorporating automation, where possible, to keep up with the continuously evolving threat landscape.

By keeping these points ticked off, you can prevent your organisation from becoming the sort of low-hanging fruit all criminals love to exploit – and thereby shield your business from the worst the cyber underworld will throw at it.

Written by Dan Matthews, freelance business journalist

Related:

Bank IT compliance: how financial services can stay compliant with regulations — Financial services compliance is a big area. Antony Savvas looks at strategies that can help organisations stay on the right side of the law, meeting regulations and industry-adopted standards.

Considering security risks from third parties in the supply chain — Simon Eyre, chief information security officer at Drawbridge, discusses how organisations can mitigate security risks brought by third parties in the supply chain.

Operational resilience is much more than cyber security — Adrian Overall, CEO of CloudStratex, discusses the facets of operational resilience that organisations need to take into account.

The post IT risk management best practices for organisations appeared first on Information Age.

How the regulation of big tech can affect your business https://www.information-age.com/how-regulation-of-big-tech-can-affect-your-business-19903/ Tue, 24 May 2022 14:57:20 +0000 https://s42137.p1364.sites.pressdns.com/how-regulation-of-big-tech-can-affect-your-business-19903/ By Michael Baxter on Information Age - Insight and Analysis for the CTO

The UK’s pending Online Safety Bill and the EU’s pending Digital Services Act are designed for the regulation of big tech, but there is the issue of legal but harmful and unintended consequences that can affect your business.


“Civil servants do their best to consider all implications, but there is always something they haven’t thought about,” Sue Turner OBE, AI and data governance and ethics specialist, told me.

“The fear is that companies will proactively over-censor themselves for fear of being censored by the regulator,” Jacquie Hughes, media policy and regulatory specialist, said.

The issue relates to two pieces of pending regulation, the Online Safety Bill (originally called the Online Harms Bill) in the UK and the Digital Services Act in the EU. The two bills will have repercussions for businesses and business owners who might consider that their business is as far removed from big tech as you can get.

Furthermore, as has been the case with GDPR, the impact of these two pieces of pending legislation will reach far beyond the continent of Europe. GDPR has been followed by a spate of regulations worldwide, such as the California Consumer Privacy Act (CCPA), the pending Personal Data Protection Bill in India, and the LGPD in Brazil.

When GDPR came out, many specialists in the area argued it was primarily aimed at the regulation of big tech, but its impact on businesses, small and large, is there for all to see.


Legal but harmful

The most controversial area of the Online Safety Bill is ‘legal but harmful’. The Bill requires companies to take on a duty of care for online content, and failing to meet the requirements could result in heavy fines for companies, or even criminal prosecution for their managers. But it creates ambiguity: companies will be required to monitor and, if necessary, censor content that is legal but deemed harmful.

“Legal but harmful is the battleground. It’s why the joint committee which put forward recommendations for amending the Bill suggested getting rid of it and just sticking to clearly defined ‘illegal’ harms,” Hughes said.

“It leaves too much ambiguity and too much to judgement by individual companies,” she added.

Turner opined that the Bill might “put people off being creative.” She explained by giving the example of a company that was keen to interact with its community, encouraged more diverse views, and wanted discussion from which it could learn. In short, it wanted to do the things that most regulators, shareholders and the public would approve of.

But the company became concerned that it might fall foul of the Online Safety Bill.

“There is the issue of legal but harmful. So how do you set up your guard rails?” asked Turner. She said: “This company is running away from it.

“And that is worrying as we want companies to have more diverse views.”

Why legal but harmful

This raises the question of precisely why the government is promoting ‘legal but harmful’, and that brings in the thorny area of risk.

Clause 59 of the Bill is telling; it refers to “risk assessment duties for content that is legal but harmful.”

In other words, companies are being asked to apply a risk approach to their online safety, but this is riddled with ambiguity.

Hughes explained: “The government was keen to keep it in because it wanted to deal with the whole plethora of so-called harms.”

She warns that companies will remove content in advance rather than risk a fine afterwards.

She said: “Ofcom will have to consider lots of things such as volume of complaints, degree of harm, measures the company took to mitigate the harm whether they had good compliance measures, etcetera in place. But it’s not ideal. It is huge ambiguity.”

She added, somewhat pithily: “Judging psychological harm is just a minefield.”

Two levels

The core issue here is another law, not a law defined by an Act of Parliament or Congress, but rather something more akin to a law of human nature or maybe of nature — the law of unintended consequences.

Regulators are trying to do the right thing; the Internet is becoming dangerous, but practice and theory are often quite different.

Turner warns of two levels of effect.

  • Actual regulation stopping you from doing something you might otherwise have done.
  • Opportunities lost; you might have thought of a creative use of AI, for example, a new way of running your business, but you don’t in case of what might happen.

She said: “There are a lot of good things with the Online Safety Bill, but medium-sized companies or non-specialists may lack core skills and might struggle to comply.”

So, lack of technical skills, at a time of well-publicised labour shortages, might be a key constraint, especially in the digital economy. Furthermore, these technical skills are not lacking in the big techs.

Regulation might be designed with big tech corporations in mind, but it might be the big techs with in-house expertise who can better manage regulations and understand and quantify the risk.

What’s next

But the pending bills on online safety and digital services might be just the beginning.

Turner speculates that we might see regulations requiring the auditing of AI algorithmic systems, an area the UK government is already considering.

She said: “We have all got used to being audited on our financial position; it is second nature, but we may have to do this on how we use technology in our business; not just internally, but with suppliers.”

These are precisely the areas that big techs are better equipped to deal with.

The bite

Hughes warned that the Online Harms Bill “bites on every business using the Internet – and adds regulation to the space where it didn’t exist before. It makes every company responsible for the risks its service represents and makes lots of new activities unlawful.”

The Joint Committee on the Online Harms Bill says: “We recommend the Bill is restructured. It should set out its core objectives clearly at the beginning.”

Hughes said: “The government has deviated from the recommendations by still including ‘legal but harmful’ in the Bill.” The joint committee recommends removing that.

“Many companies have already taken pre-emptive action in advance of this Bill.

“Remember, it’s part of a package of regulations of businesses using the Internet that didn’t exist before, including setting up the digital marketing unit at the CMA, the children’s code, and all the ‘stuff’ coming out of Europe.

“Any business will no longer be able to use the Internet without consideration of these regulations.

“It’s trying to bring the online world in line with the offline world.”

Related:

Bank IT compliance: how financial services can stay compliant with regulations — Exploring strategies that can help organisations stay on the right side of the law, meeting regulations and industry-adopted standards.

Global AI regulation? Possibly, and it’s starting in the EU — Lori Witzel, director of research for analytics and data management at TIBCO Software, explores the possible impact of the proposed EU legislation for AI on businesses.

What regulation means for digital interoperability — Following the recent introduction of the EU Digital Markets Act, Dominic Wellington, director of market intelligence at MongoDB, considers what regulation means for interoperability.

The post How the regulation of big tech can affect your business appeared first on Information Age.
