GDPR (EU data protection) from an HR perspective

The GDPR will replace the mixed blend of 28 different EU Member States’ laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonisation throughout the EU. Its main objectives are threefold:

1. The GDPR increases the rights for individuals.
2. It strengthens the obligations for companies.
3. The GDPR dramatically increases fines in case of non-compliance, up to €20m (£17m) – or up to 4% of total worldwide annual turnover.

What important changes should be on your HR team’s radar?

1. Consent – Under GDPR an employee’s consent remains a legitimate basis for processing his or her personal data. However, such consent must be “freely given, specific, informed and unambiguous” and clearly “distinguishable”. Further, it is important that the employee is able to withdraw their consent as easily as they gave it in the first place. In light of the clear stipulations around the form that the employee’s consent must take, it is highly unlikely that blanket data protection consent clauses in contracts of employment and policies will suffice.

2. Subject Access Requests – The right of employees to request information about the personal data processed by the employer remains broadly the same. However, under GDPR the starting position will be that the employer must respond to a request without undue delay. The current 40 days will be replaced by 30 days. The £10 fee some companies levy for making the request will be abolished.

3. New (and enhanced) Rights – GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will be armed with a suite of so-called “delete it, freeze it, correct it” rights which are aimed at giving them more control (in certain circumstances) over how their personal data is processed.

4. Data Breach Notification – In the UK employers must notify personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. The term ‘personal data breach’ covers a plethora of common workplace mistakes such as a laptop or file left on a train or an e-mail sent to an incorrect address. It is important to remind employees that even apparently minor incidents must be reported internally if data has been lost or compromised.

5. Routine CRB Checks – Enhanced DBS checks will still be permitted; however, if employers adopt a routine policy of conducting DBS checks on all employees regardless of role, and whether or not there is an English legal requirement to that effect, this may be unlawful under the GDPR. Although standard and enhanced DBS (Disclosure and Barring Service) checks will still be permitted under GDPR, employers (as it currently stands) will not be able to conduct routine basic DBS checks on all employees (unless their role requires them to be security cleared).

GDPR has already started to appear in the CJEU’s (Court of Justice of the European Union) soft case law (AG Opinion in Manni)

The recent judgment of the CJEU in Case C-398/15 Manni (9 March 2017) brings a couple of significant points to EU data protection case law:

• The court clarifies that an individual seeking to limit the access to his/her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his/her company ceased to exist;
• The court clarifies that the individual has the right to object to the processing of that data, based on his/her particular circumstances and on justified grounds.

Organisations should be checking that all their HR staff are fully engaged on GDPR to ensure there is a comprehensive grasp of the responsibilities and actions required ahead of implementation. How ready is your HR department? Let us know.

Bot technology offers a new era in seamless business support

Conversational apps and services, such as Apple’s Siri and Microsoft’s Cortana, have managed to find a way into people’s everyday lives as a way of finding answers to questions quickly.

These conversational apps, also called ‘Bots’, are a form of Artificial Intelligence (AI). They are not limited to just answering questions, but can, using ‘natural conversation’, enable users to interact with services (be it ordering a pizza without looking at a traditional menu, or providing technical support for an employee’s PC issue).

Bots can be interacted with by either voice or text and can come in the form of a website, an app, or an integration into existing services such as Skype for Business, Facebook Messenger, Cortana, Microsoft Teams and more. Bots can be accessed via a wide range of devices, from smartphones to laptops and even devices without screens.

So why should businesses consider developing their own Bots?

The advantages of Bots to a business should be obvious: without the need for a dedicated and extensive support desk to handle queries for your own website, app or service, you could bake Bot support directly into that website, app or service. This way users would have access to the same support tools using natural conversation, without leaving the screen that requires assistance.

Bots can work well on their own, but they work even better with the help of humans when they hit the limit of their coded knowledge. Bots are primarily programme driven and are inevitably only as good as the humans who design and code them. The Bot experience is intended to be seamless to the user, even if the Bot’s script has reached its end and it needs to hand over to a service desk for guidance. The user talking to the Bot simply enjoys a single, continuous conversation without seeing any hand-offs.

The disadvantage in the early days of Bot technology lay in the creation effort: building a coding system from scratch to handle conversational queries and integrate across known and widely used services was a monumental task. The good news, however, is that a lot of this work has now been done and is being made available as a foundation for consumers to build their own Bots. Microsoft is currently taking the lead in this area with its own Bot Framework, currently in preview.

Bots are no longer reserved for the technical giants of the world. With the tools to create Bots having been developed and distributed, Bots are now accessible across a wide array of devices and services. We will soon see a lot more Bots out in the wild from a wide variety of businesses and tech hobbyists. This influx of Bots could impact the technical landscape in a similar way to mobile Apps when their tools became readily available – like the original arrival of Apps in 2008 for Apple with the iPhone 3G. So those who can build a strong brand early on will see stronger success as the platform evolves over time – and Bots could become a regular feature of the service desk toolkit for IT Managed Service Providers in future.

Lots to shout about at Microsoft’s Autumn NY Windows 10 event

This week Microsoft held its Windows 10 device event, showcasing its latest and greatest for both consumers and enterprise.

• The event kicked off with their entertainment platform Xbox, with Windows 10 coming to Xbox One later this year. It brings an improved user experience, better performance and the ability to run the previous generation of software, which has been the most requested feature since launch.

• Next was a new HoloLens demo: the presenter used a new hand-held controller whilst wearing the device and battled augmented reality robots live on stage. Visually this was very impressive for an untethered device (i.e. not connected to a PC). After this the development kit was announced for Q1 2016 with a price tag of $3000.

• The focus then turned to fitness with the unveiling of Microsoft Band 2. The new band features a sleeker design with a curved screen and a new barometer which measures elevation for more accurate “caloric burn” readings.

• Multiple Microsoft phone announcements followed with the Lumia 550, 950 and 950XL. The two 950s were the real attention grabbers and feature high performance with liquid cooling and twin antennas for greater connectivity. Continuum was also shown: connecting a Windows 10 phone to a keyboard, screen and mouse through a dock to use it as a PC. USB memory sticks and hard drives can also be used, and in this mode the interface looks and feels like any other PC, while at the same time the phone can still be used as a phone.

• From phones to tablets, Surface was next. The Surface Pro 4 was announced with a larger screen, without increasing the size of the device, thanks to smaller bezels. The new Surface is also thinner, more powerful and has better battery life. Also included is a more advanced stylus with a 1-year battery and a new, improved but still optional keyboard with a bigger trackpad, separated keys and a fingerprint scanner. These new accessories can also be used with last year’s Surface Pro 3.

• Next Microsoft borrowed Apple’s “one more thing…” to announce an entirely new product called the Surface Book. This device is a premium laptop whose screen you can also detach to use as a tablet. The base also contains additional computing and graphics processing, adding up to 2x the performance of a MacBook Pro.

All in all, Microsoft announced a lot this week in New York and won the attention and rare applause of a sceptical industry audience. Microsoft is now selling a very compelling ecosystem of not just software and services but also hardware tailored to both. It has a tremendous battle ahead with its rivals, but it has certainly put its best foot forward to bring genuine intrigue and excitement, which was arguably lacking from many recent tech events by Microsoft, Google and Apple.

Blackberry announces privacy focused Android phone

BlackBerry’s much-rumoured Android venture has finally become official with the announcement of the company’s first Google-powered smartphone, called the Priv, due to be released later this year.

Priv stands for privacy, which has been the cornerstone of BlackBerry’s business over the last 20 years.

Both the phone and the strategic announcement of a non-BlackBerry OS phone came in a simple press release from the company after many rumours and substantial leaks showing much of the device. The announcement also confirmed that BlackBerry is not yet cancelling development of its own BlackBerry OS but will be developing both Android and BlackBerry OS handsets in the future, to give consumers the choice of which they prefer.

The dual development approach, however, may not be a long-term strategy. It is very possible that this time next year, if their Android phones are more successful than their own-developed counterparts, BlackBerry could announce plans to drop their own OS in favour of putting additional development resources into their Android security layer, which will be their unique selling point going forward.

Many have been calling doom and gloom for the Canadian company, and it’s easy to see why with BlackBerry currently holding less than 1% of the smartphone market. However, with the Priv and future business- and security-focused smartphones, they could start to carve back a market from both corporate users and smartphone fans who still long for the days of durable, long-lasting-battery phones with a physical keyboard, but who don’t want to compromise with an unsupported OS that won’t run the many applications the modern mobile user would want to use.

BlackBerry going Android could actually provide a breath of fresh air among smartphone slabs that mostly all look and act the same today.

Microsoft gives founder of Acompli the reins to Outlook

In December 2014 Microsoft acquired mobile software developer Acompli, which had developed very popular and critically acclaimed email clients for iOS and Android, for $200 million. Shortly after the purchase Microsoft rebranded these to “Outlook”, keeping the functionality and compatibility with other mail providers that critics originally praised.

The rebranded Outlook app has also seen critical success under Microsoft, and Microsoft’s own Windows 10 mobile app, currently in development, shows signs of its inspiration.

Microsoft announced this week that Javier Soltero, the founder of Acompli, has been officially put in charge of Outlook on all platforms, including the web, smartphones, tablets and, most importantly, PCs.

Before Microsoft purchased Acompli, Javier was used to a team of fewer than 75, so being put in charge of one of Microsoft’s most used applications must be a daunting task.

With the great critical praise and innovative design shown thus far, Javier-led versions of Outlook in the future are definitely ones to watch. We are likely to see mobile-only features such as the focused inbox make the jump to desktops, and we are likely to see new innovations that only make sense with the larger screen real estate on the PC.

As interesting as this is for the future of Outlook, it is just as interesting for Microsoft itself: Microsoft is showing that it recognises great, unique talent, even from outside the company until recently, and is letting it lead large and established products that may otherwise face complacency. Of course, any leadership shift introduces new risks, but taking the opportunity is crucial to growing in a hugely competitive field.

Google’s “ne m’oublie pas” hit by Europe’s desist and delist world ruling as “right to be forgotten” issue rumbles on

France’s privacy regulator, the CNIL, has rejected Google’s request that the “right to be forgotten” ruling on its websites should remain restricted to European domain names, rather than applying to all Google websites worldwide.

The decision requires Google to close a loophole that enabled searchers to defeat a judgment by the Court of Justice of the European Union (CJEU) last year, whereby Google removed results from more localised sites such as google.fr, google.co.uk etc., but continued to display disputed links on google.com. The French regulator stated that Google’s various domain names were just “different paths to the same processing operation”, making it easy for users to circumvent the block.

As we widely reported in our blogs in May 2014, the CJEU recognised the right to be forgotten, allowing people to ask search engines not to display certain links, if they so request, following a search on their name.

Based on the original Spanish ruling, the upshot from the Spanish court was not to erase the original searches, but to make them far harder to find. The desire and drive for data privacy was duly thrown into conflict with the arguments for freedom of speech and public interest.

It’s essentially one of the inevitabilities for society when citizens have access to such an incredibly powerful search tool at their fingertips, which today’s younger generation greedily take for granted. It’s only a generation ago, in the pre-Google days before 1998, that people would have had to resort to books and library articles, combing paper archives to get the information they wanted. We now move at such lightning pace with technology that we must always be mindful of some of the downsides of this technology and fully maintain our corporate responsibilities surrounding data privacy, or pay the heavy penalties.

For a business, a privacy breach might prompt a penalty of up to 5% of its global profits; however, in the EU regulatory ring, there seems to be little weight behind the CNIL’s particular sword. After four months, the French national threat is limited to “discussing appointing someone to report to its sanctions committee with a view of obtaining a ruling on this matter”.

With 500 million EU citizens, there is a mess of different legal regimes, making it hard for European businesses to know what to work towards. This is what the new EU Data Protection Regulation hopes to cure, if the EU stakeholders can agree on the text. It would certainly be a stimulant to Google if it knew it had one European privacy regulator to deal with and 5% of its turnover at stake if it broke the rules. It seems a long way off, but organisations should consider data security and data protection as amongst their highest priorities looking ahead.

IBM launches Cloud Security Enforcer to counter risks from BYOD

The BYOD trend remains as strong as ever according to IBM’s recent security study. Their research returned feedback indicating that over 30% of Fortune 1000 employees share and upload corporate data on third-party cloud apps, despite increasing awareness over the last few years of the risks of ‘shadow IT’.

The stubbornness and secrecy of Senate politician and presidential candidate Hillary Clinton in running dual public and private communications systems has certainly thrown the spotlight on cloud security risks, which affect the public sector as much as the private sector. This has been a trigger for IBM to launch their new Cloud Security Enforcer (“CSE”). Added to this, 25% of those surveyed log in to cloud apps using a corporate log-in and password.

IBM’s new corporate protection offering, hosted on IBM Cloud, aims to counter this by combining cloud identity management (“Identity-as-a-Service”) with the ability to discover any outside apps employees are using (including those on their mobile devices) to make access more secure.

1. CSE enables detection of unauthorised cloud app usage, followed by secure configuration of the apps as well as managing, viewing and directing how employees can use them.

2. CSE can determine and enforce which data owned by an organisation can or cannot be shared by employees via specific third-party cloud apps.

3. Security-focused connectors can connect employees to third-party cloud apps, including automatically assigned sophisticated passwords to help alleviate security breaches caused by human error.

4. Finally, CSE employs IBM’s global X-Force Exchange threat intelligence network to protect against employee-induced and cloud-based threats by analysing real-time threat data. This involves scans of the internet and analysis of more than 20 billion global security events daily as a safeguard.

With connectors into Box’s cloud-based content management and collaboration platform, Microsoft Office 365, Google Apps, Salesforce.com and other popular enterprise software, IBM’s broad view on securing and managing the wilder risks from cloud to business should resonate in the marketplace. As yet the price point for Cloud Security Enforcer has not been published, but it certainly indicates intelligent packaging for enterprise organisations. As long as users retain the freedom to use their personal devices without interference from their organisations and, equally, the enterprise has the ability to securely ringfence company data, then the two can sit comfortably side by side and it’s a good package.