How Solopreneurs and Startups can Prevent Data Breaches
Cybersavvy solopreneurs know that they are responsible for any issues related to cybersecurity and data protection concerning their business. Digital nomads, who travel frequently, need to be particularly cautious about preventing data breaches that result from a lost or stolen device. Beyond prevention, however, there is also the tone you set for your business. As the head of cybersecurity in your business, you play a key role in developing a brand image that meets a standard of privacy users would choose over your competitors.
For makers and startups in general, it is vital to reflect this in their brand, since makers and startups who seek funding need to be able to demonstrate to investors that they meet the necessary cybersecurity and privacy standards.
Unfortunately, the topics of cybersecurity and data protection are anything but straightforward and easy to comprehend. The legal details on privacy, especially when it comes to the General Data Protection Regulation (GDPR), are written in legal jargon that is difficult to understand. This creates an environment where solopreneurs and makers are constantly concerned about not meeting these regulations and getting into legal trouble.
So how can solopreneurs and makers ensure that both their own data and their clients’ data are safe and secure?
Introducing: The Cybersavviness Checklist
Today, solopreneurs and makers face an increasing number of challenges in ensuring the safety of their business, including a shortage of resources, even though the safety requirements are almost equal to those of a larger enterprise. As a Data Protection Officer, I have first-hand experience with the complexity of the compliance landscape and specifically the requirements of the GDPR, which concerns any business that processes the personal data of European citizens, irrespective of where the business is located. My education as a cyberanthropologist has also made me aware of the behaviour of both makers and users in cyberspace and how it poses a threat not only to themselves, but to their networks and users as well.
While working on the ebook Your Cyberpower: How to Safeguard Your Remote Business I had the opportunity to join the Vienna Makers Group moderated by Sebastien Vercammen. There we came up with the idea of generating a checklist as people, and business owners in particular, love checklists. They greatly assist with time management, can simplify complex tasks, instill discipline and good habits, are an efficient way to complete repetitive tasks, and help reduce anxiety. The ten checkpoints of the checklist we are building cover some essential aspects of cybersecurity and privacy, discussed in more depth in the book.
Drawing on my background in anthropology, we applied best-practice ethnographic research methods to the making of digital products in order to develop a checklist that guards clients against these threats. In other words, we took traditional field research methods such as interviews, semi-structured interviews, focus groups and participant observation and translated them to the digital space, mixing small and big data in the form of surveys, landing pages, online interviews and analytics.
First, we set up a landing page to gauge interest in addition to sending a survey to our early adopters to understand the needs of makers and solopreneurs as well as their level of expertise of the subject matter. Our initial findings were that our audience is particularly interested in learning more about how they can improve their data protection, cybersecurity and on-the-road safety.
We then drafted a few checkpoints and conducted semi-structured interviews to verify our initial findings from the survey and to confirm that the checklist was effective. After conducting a few interviews with early adopters, we found that users want an action plan to follow up on the key learnings, so we are including a three-day action plan (one hands-on action per day) with links to the best solutions, so that they can immediately start making their business cybersavvy.
This is the full package that we are aiming to deliver to clients:
Taking Those First Steps Towards Compliance and Safety
After seeing many makers and solopreneurs hit a stumbling block with regards to their cybersecurity, my goal was to raise awareness for the potential risks and threats posed to these businesses, including data breaches. I also wanted to provide a simple and easy head start for these business owners to become more cybersavvy and take those first steps towards compliance. As users become increasingly conscious about how their data is handled and investors demand makers and startups demonstrate compliance, becoming cybersavvy will become a winning strategy for these startups and entrepreneurs.
Want to sign up to receive a free checklist for your business? Sign up to add your name to our waiting list today!
Get the ebook: Your Cyberpower. How to Safeguard Your Remote Business.
Towards the end of 2018, the Marriott hotel chain announced it had been hit by a data breach that affected 500 million people and included the passport numbers of several million of them. The fear was that criminals could easily use customers’ personal data, which included Social Security numbers, to open fraudulent accounts and access customers’ bank accounts.
Although most data breaches aren’t of the magnitude of the Marriott breach, many smaller breaches happen with regular frequency, which is why you as a digital nomad or solopreneur must be prepared. So how can you best protect your business against a data breach, no matter what its size?
Cybersecurity and Privacy: The Two Critical Components of Cybercapacity
First, you and your team must understand the two critical components of cybercapacity: cybersecurity and privacy. Think of cybersecurity as putting bars across a window to add security (but not necessarily privacy), whereas data protection is more like putting in a window to ensure privacy (but not necessarily protection). After you and your team properly examine the different aspects of cybercapacity and what they mean to you, you’ll be able to plan a cybersecurity strategy and fit it in with your business continuity and compliance measures.
Now, armed with your new cybersecurity strategy for your business, picture the following scenario: you as a digital nomad have just spent a day in a new location. You’ve taken a well-deserved day off, relaxing in a fantastic beach spot. In the evening you come back from a networking event to discover with horror that you can’t find your laptop. It was either lost or stolen, and as such, you’re looking at the strong possibility of a data breach affecting your users’ data as well.
Are you prepared for what to do in the event your laptop is lost or stolen? Better yet, do you know how to set up your business to defend against data breaches and other cybercrimes before they even occur?
“What I most appreciated about ‘Your Cyberpower: How to Safeguard Your Remote Business’ was its clarity, simplicity, and pragmatism. I have known for some time now that I need to do more to safeguard my business. With this ebook I get a sense of where to start and how to carry on, step by step.”
Phoebe, solopreneur, currently based in Vienna, Austria
Sign up to receive our ebook “Your Cyberpower: How to Safeguard Your Remote Business” and you’ll learn:
We’ve already delivered the ebook via email to those early adopters who completed our questionnaire. The public version of the ebook will be available to everyone in April.
Want to be alerted as to when the ebook is available? Sign up here to get on our waiting list today.
Many thanks to those who have completed the survey and who have signed up to receive the Cyberconnecting ebook How to safeguard your remote business. Based on your feedback requests there will be an additional resource, with information below.
The ebook How to safeguard your remote business is a hands-on guide to cybersavviness tailored to nomad or solopreneur needs. It:
From the 100 survey responses we have received so far, we have learnt the following:
Cybersecurity and privacy matters
A significant group of you feels up-to-date with protecting your devices and digital services (44%); some of you have implemented a few measures but are struggling to understand the ever-changing threat landscape (28%); and the other 28% feel overwhelmed and would find a starter kit helpful.
The majority of you (48%) are uncertain what privacy and compliance entail and would find hands-on advice helpful. 33% of you have started implementing some measures, but found the whole thing confusing. Only 19% seem to be fully compliant.
People also inquired into the possibility of working with checklists in order to ensure that they are on track with data protection and cybersecurity. Based on this feedback we are developing a set of checklists for your convenience. We are also working on including personalised action reports, which will provide you with hands-on guidance to keep your business safe and to help you build a trusting relationship with your clients.
In line with your feedback, the first checklist focuses on working remotely, covering the most essential data protection and cybersecurity points for when you are on the road, kept easy and simple.
In addition, we are sourcing solutions and services in order to help you keep safe when working remotely and to meet clients’ expectations with regard to data protection and cybersecurity.
We will incorporate all the learning from the checklist into the ebook, now due out by April 2019.
We really appreciate having you on board. If you want to be alerted as to when the ebook is available, sign up here: Get on the waiting list
As you may have already experienced, nomads and solopreneurs wear many hats. As opposed to an employed worker, responsible for just one task or function, the exciting part of your work is that you are in charge of a number of roles, which allow you to shape the business with your own individual style. These might include tasks such as: developing your offering and running the operations, hiring expert help, feeding the marketing channels, setting up the necessary IT infrastructure, securing the finance, and finally, safeguarding your business.
Safeguarding your business – security and privacy – is one of the most challenging aspects for many nomads and solopreneurs. And to be perfectly blunt, for many of you the prospect of dealing with cybersecurity is so boring it presents you with a direct path to Yawnville.
Your Role as the Head of Cybersecurity in Your Business
As you start to learn more about how to safeguard your business, you keep hearing about web attacks and data breaches. Although you’re aware that these attacks might very well affect your business eventually, you’re also sure that you can be successful in safeguarding your business. The problem is you’re not exactly sure where to start. You’re aware that you have to adhere to certain cybersecurity and privacy standards; however, you don’t know what exactly applies to your specific circumstances and what you have to do. The ever-changing threat landscape and the complexity of privacy regulations are simply overwhelming.
Ultimately, you are liable for making your business compliant with the most recent industry standards. To succeed in your role of head of cybersecurity, you’ll need to ask yourself a few questions to gauge how fluent you are in compliance.
Understandably, for many of you this gives you a free trip to Yawnville.
Nevertheless, it is essential for you to be able to answer these questions, not only to safeguard your business from cyberattacks and avoid paying fines for failing to meet compliance, but also to build a trusting relationship with your users and clients.
The Solution for Nomads and Solopreneurs
At this point, you may be asking yourself how you can go about becoming successful in your role as head of cybersecurity in your business. To answer any concerns you have, I’ve written an ebook that will soon be published covering the most important topics on cybersecurity, privacy, and indemnity.
The content is specifically tailored for the needs of nomads and solopreneurs, with guidelines on necessary actions for owners of a landing page, a website, email lists for marketing activities, or anyone who runs a platform or uses a content management system. The ebook simply helps you free time to focus on what you do best.
There is still time to include your personal feedback in the ebook. Simply take the survey below (10 questions, max. 6 min., open until November 19) and your responses will be considered for the final content of the book. By completing the survey, you can sign up for the free version of the ebook, which will be available by the end of the year.
Keep in mind that the solopreneurs who are not just compliant, but have truly embedded cybersecurity and privacy in their daily business culture, are the ones who win the business.
If you are like a lot of digital nomads and globally oriented solopreneurs out there, you may be surprised to learn how few hours you actually manage to concentrate on focused tasks at work. An analysis of 225 million hours of work time found that knowledge workers (writers, developers, designers or managers), from students to software developers to larger organisations, are actually productive for only 12.5 hours a week. That’s almost 28 hours of non-productive time! Unfortunately, there is a huge gap between the number of hours workers believe they are productive and the hours they actually are. And even though these statistics refer to all types of workers, it should be noted that nomads and solopreneurs don’t spend nearly as much time in meetings as their employee counterparts, but do spend a significant amount of time on administrative and organisational tasks.
What are the challenges both digital nomads and solopreneurs face when trying to maximise their work productivity, and more importantly, what are some best practices they can employ to make the most out of their workday? This post will offer a few suggestions.
Overcoming the Optimism Bias
Most people are overly optimistic when deciding how many tasks they can complete in a day. They neglect to take into consideration the amount of planning, communication and distraction that are part and parcel of any task. Psychologists have coined the term Planning Fallacy for this thinking, which affects every type of planning from vacations to real estate projects. Programmers in particular have a similar law, Hofstadter’s law, which states that people have great difficulty accurately estimating the amount of time it takes to finish complex tasks.
There are a few ways to overcome this optimism bias. First, digital nomads and solopreneurs must take tasks and break them down into smaller tasks, estimating how much time each smaller task will take. For example, if your goal for the week is to finish writing an ebook about digital personalisation in ecommerce for a client that will be 5,000 words, you should consider first how long research and the completion of an outline will take. To make your work even more productive, have a plan in place for when there is a distraction or a setback. For instance, if the research for your ebook takes twice as long as you thought, you’ll need to eliminate a meeting discussing the project. Researchers have found that having a plan in place for completing projects ahead of time discourages procrastination and inspires them to get started as soon as possible.
Eliminate Distractions and Put a System in Place
Beyond being too optimistic, many workers don’t maximise their work hours. Emails, phone calls, text messages, and chats with co-workers are only a few of the many distractions digital nomads and solopreneurs will face on any given day. It can take a lot of concentration and willpower to fully eliminate these distractions and focus on the task at hand.
In response to this dilemma many workers face, the Pomodoro Technique was developed as a time management method in which the worker focuses for a full, uninterrupted 25 minutes on a single task. Any thoughts of future or additional tasks are written down quickly on a piece of paper, allowing the worker to continue with the task at hand. After the Pomodoro session is completed, the worker takes a break; after four sessions a longer break is encouraged. The exercise can increase the time spent focused on tasks, allowing you to complete more during each Pomodoro and to estimate more accurately how long future tasks will take.
Here are a few additional tips for maximising productivity:
Measuring Productivity to Achieve and Surpass Your Goal
If you want to increase your work productivity, start tracking how you organise your week digitally or on paper. Do this for 3-4 weeks; the result will be a real eye-opener. From the time that you have tracked, decide what tasks you would need to accomplish in order to be productive in those 12.5 hours of actual productive work hours. Make sure you are realistic about what you can achieve in that timeframe, scheduling time for tasks such as networking, travel time, administrative duties, and of course taking care of your overall well-being.
Once you have reviewed your goals, start tracking again and do your best to achieve them. And when you do, be sure to celebrate your success!
Note: This is Part 2 of a 3-part series about the opportunities and challenges digital nomads have in the Future of Work.
As a nomad you want to develop a workplace culture that is conducive to cybersecurity and privacy – in short, you are responsible for establishing your nomad cybercapacity.
But what is nomad cybercapacity and why is it important to your business? As a nomad or remote worker, how will you ensure that your data and your clients’ data are secure as you work on platforms and tools managed in the cloud? And what are some behaviours that you can start to put into practice to improve your cybercapacity while at the same time strengthening your brand and digital identity?
We’ll delve into the answers to these questions in this post.
Secure your Brand with a Data and Privacy Strategy
In cybersecurity the human is the weakest link. Being aware of this fact, you’ll need to do everything you can to demonstrate digital competence as a nomad, which includes fostering inclusive customer relationships as well as reducing any outside risk.
That’s why it’s imperative that you develop strategies for managing personal online information and keeping it secure from online risks such as identity thieves. You’ll also want to develop enough cyber self-awareness to become resilient to attacks or data breaches. Remember that at the end of the day, your nomadic digital identity is dependent on you, your interactions, and your brand. This includes how your data and privacy strategies function with regards to customers as well as your day-to-day behaviour.
Bear in mind that an enterprise’s ultimate cybercapacity entails the following components:
A Digital Nomad's First Steps to Essential Cybercapacity
Obviously, you’re not a big enterprise, so you don’t face the challenge of shifting the mindset of an entire organisation. But as a brand of one, you are responsible for every single interaction between you and your clients, so you should be extra cautious about your online behaviour in your remote work as you travel through airports and hotels throughout the world. Here are a few tips to get you started:
Note: This is Part 1 of a 3-part series about the opportunities and challenges digital nomads have in the Future of Work.
For digital nomads, identity is not tied to a particular country, language, company or set of experiences. If your business is mobile and you are traveling across the globe, what, then, is your nomadic digital identity based on? How is it different from brand identity that traditional businesses use? Most importantly, how can you leverage your nomadic digital identity in the future of work?
Evolving from a Personality-based to Identity-based Approach
Many organisations use personality assessments to recognise, hire and motivate their workforce. Developed in the latter half of the 20th century, this personality-based approach is believed to be closely linked to an individual’s expected professional performance. Personalities are based on psychological and cognitive factors and regarded as permanent.
But what if, as we believe, identity not only describes who we are, but is constantly in motion? As a construct, it is made up of both non-changeable aspects and elements that develop as time goes on. Developed at the beginning of the digital era, the identity-based approach stems from the idea that people shape an organisation, and that an individual’s identity is developed through social interaction and interpersonal relationships with other members of the organisation.
Key differences in the concepts of personality tools and identity creation:
A Digital Nomadic Brand of One
As a digital nomad, you are ultimately responsible for defining your identity and brand.
Unconstrained by management or the personality-based assessments of the human resources department, you control your digital nomadic identity. How then, can you shape and influence it to work in your favour?
Your nomadic digital identity is dependent on a number of factors:
As an individual with a multi-faceted identity, you might have an identity as a painter as well as a very solid foundation in and high appreciation of mathematics. While you would choose to emphasise your creative side at an art gallery, you’d emphasise your mathematical identity in conversations with anyone at an exhibit about meteorology and geophysics. That might very well shape your future clients and portfolio.
A significant advantage of this identity-based approach is its ability to recognise the individual’s entire self. As the highest level of Maslow’s hierarchy of needs, this type of self-actualisation would stimulate higher motivation in any worker and lead to greater productivity.
Focusing on Identity for the Future of Work
Digital nomads are expected to increase to 1 billion by 2035. As a digital nomad, the success of your business lies in your ability to focus, fine-tune and establish your unique nomadic brand.
Most importantly, with a strong, clear digital nomadic identity, you’ll be better prepared to tap into the ever-increasing market opportunities available in the newly transformed world of work, in addition to winning new clients and retaining them. Building on this introduction to the identity creation concept, we will give deeper explanations in the upcoming articles, for you to
Meanwhile, our next blog post will focus on the amount of cybercapacity essential for digital nomads to work remotely.
By Priya E. Abraham
Note: This is a 3-part series about the opportunities and challenges digital nomads have in the Future of Work. This post is an introduction.
When I first saw Deloitte’s Millennial Survey for 2017 about millennials’ struggle for job security and flexibility, I thought about how much the job market has changed since the dawn of the Internet Revolution. As an early adopter of digital technology, I received my first email address in the early 90s at university. I needed approval from the head of the department – which was tricky as this senior professor didn’t really understand what an email address was. Only a year later, I had my own domain and a mobile phone, albeit that brick-size mobile phone was a far cry from the slender sleek ones we see today on the market.
As digital technology evolves, so too do traditional business models. These business models are, in many cases, even failing, leaving digital nomads (workers who are mobile because of their ability to work online) the opportunity to reap the rewards.
These opportunities aren’t limited to full-time digital nomads either. Thanks to greater internet access and speed, co-working spaces, and a host of other tools available, traditional employees are able to enjoy a higher degree of flexibility in their working arrangement than ever before. Of millennials who are traditional full-time employees, 39% report having a highly flexible working environment, according to Deloitte. It might seem counter-intuitive, but this highly flexible working environment has been shown to be the key to greater productivity.
Although employees might feel that greater flexibility could lead to reduced performance, studies have shown that the opposite is true: Employees with greater flexibility have more accountability, which in turn leads them to being offered even more opportunities. In exchange for receiving more flexibility of their hours, employees tend to have more company loyalty: 45% said they were less likely to leave the organisation in the next two to five years. Last but perhaps most important, these employees reported better job performance due to higher levels of well-being, health and happiness (possibly due to higher levels of self-awareness and as a result of having more time to sleep and exercise).
[Figure: Over 2/3 of millennials (both traditional and freelance) report a flexible working environment. Source: Deloitte Millennial Survey 2017]
One of the biggest changes in the workforce in the last 10 years, according to Deloitte, is the acceleration of automation in many industries. Many roles such as receptionists, mail carriers, data entry, and tellers, for example, have already seen a significant decrease in the workforce due to their highly mechanical nature as well as the ability to automate these roles. As a result, employment in these sectors has decreased in general as well as in the alternative workforce. Freelancers and digital nomads in the alternative workforce, or gig economy, are more likely to be in specific industries in which they can continue to improve on their talents and specialise, namely, the arts, maintenance and construction. In addition, alternative workers can also be found in administrative roles, professional services, manufacturing, and project management.
While 40% of workers see automation as a threat to their jobs, others feel that it provides increased opportunities for creativity and learning new skills. Those with a more optimistic outlook even see automation as a way of gaining more influence within an organisation rather than less. Many even see automation as a way to increase productivity, economic growth, and create more jobs on the way to doing so.
There’s no doubt that the new gig economy is reshaping employee loyalty and commitment to organisations, which in turn is reshaping business models. But it’s also reshaping traditionally entrenched societal models. Pieter Thiels, a digital nomad expert and startup entrepreneur, estimates that there will be 1 billion digital nomads by 2035. That’s one in every 8 people. He predicts that with the growth of digital nomads, there will be a big decline in marriage, home ownership, and ownership of almost any possessions besides a laptop and a good travel bag.
As more and more workers contemplate the digital nomadic lifestyle, there are serious questions the digital nomad must ask:
These are the challenges we will address in our digital nomad series in the months ahead.
According to global IT consulting services company Avanade, organisations will increasingly move from on-premises to cloud over the next three years. Infrastructure as a Service (IaaS) will increase from its current rate of 14% of all enterprise cloud solutions to 30% while Platform as a Service (PaaS) will increase from 8% to 25%. At this point, migration to the cloud is so popular that Amazon's cloud business is now the fifth-largest business software provider in the world.
But for enterprises and organisations in highly regulated industries such as banking, the benefits and cost savings, combined with the immense pressure from the industry to jump on the cloud bandwagon, are outweighed by the security challenges involved in migrating their customers’ private data to the cloud.
In my opinion, however, another less-talked-about but much greater challenge exists: mindset. Organisations migrating to the cloud have a tendency to focus on the technical side with complete disregard for the culture of the organisation.
The Dark Side of the Cloud
Let's take a step back and review the traditional advantages of migration to the cloud: easy access to updates, scalability, significant reduction in time and cost, automatic downloads, and process optimisation. Not to mention the consequences involved if enterprises choose to remain 'on premise': higher cost, lack of agility, and being perceived as lacking innovation.
Then there’s the double-edged sword: in highly regulated industries, customers don’t trust organisations which move their data to the cloud. At the same time, agile customers demand fast and innovative services and don’t care if their data sits in the cloud or not.
How can the migration to the cloud satisfy both types of customer?
To answer this question, I would first pose another: what do we mean when we talk about the importance of the culture of an organisation? From my experience working with enterprises and startups, I would describe it as the human factor, a dynamic process created and recreated by interactions amongst and between employees and leaders and, specifically, the trust between the different parties. Migrating to the cloud involves trust not only in the interfaces between data and employees, but also between all of the employees within an organisation.
For example, the challenges related to trust in the journey to the cloud might include:
Beyond the listed challenges, neglecting the necessary organisational transformation by not taking into consideration the mindset of the employees and management can cause massive delays, which in turn, result in an increase in cost and a huge risk to the reputation of the decision-makers.
Ensuring a Successful Journey with Change Enablement
How do you ensure your organisation's successful journey to the cloud? The answer lies in change enablement, which essentially, is enabling your enterprise, its employees and management, to adapt their work behaviour in order to adopt new ways of working.
Many bank employees have privately lamented to me: "But we aren't allowed to migrate to the cloud." The reason for this is a lack of change enablement within the organisation, which starts well before introducing new technology to your enterprise. Change enablement continuously assists your organisation by defining more efficient ways of working and by proving the value the migration will bring to your team.
For instance, if an organisation wanted to encourage the adoption of a new cloud service, it might first communicate the purpose and benefits of the cloud service to its employees and management through internal project marketing. It might then pursue training and further education with the people development team and only then develop an external communication strategy with the assistance of its marketing team. On the technical side, it would develop a Proof of Concept (PoC) which would outline the advantages of the migration to the technical team and gain buy-in from decision-makers.
To ensure success in adoption of any new cloud project, decision-makers must be organised and communicate their needs effectively with their team. Here is a quick preparation list for decision-makers to keep in mind when collaborating with the change specialist:
You can read more about how change management was an essential part of the journey to the cloud at Amazon Web Services.
Understanding the Impact of Cloudification on Processes
Remember that at the end of the day, the technical IT project is merely the vehicle of your digitalisation journey. Before delving into the technical details needed to pursue the migration, you should develop a Proof of Concept (PoC). PoCs are typically implemented in one business unit or in one geographic region to illustrate the advantages of the journey in a low-risk way, to learn from the experience, and to gain the necessary buy-in from decision-makers as well as disseminate the message across the organisation.
Think of it as a way to harvest the low-hanging fruit after the implementation of the project.
Here are two examples of PoCs:
Migration of documents and records management
The documents and records management landscape currently has multiple on-site implementations because of high latency, limited bandwidth and scaling issues. As a result, cross-company information sharing and communication are limited, and data synchronisation and application integration are problematic. The goal of the migration is to reduce the number of on-site implementations (in other words, to "go server-less") and to improve business continuity through hosting across geographies. The PoC would illustrate how this is accomplished by leveraging the Microsoft Azure cloud platform and its services.
Migration of the CRM database
A strategic business unit of a bank wants to improve customer relationship management through better customer care, in order to increase customer retention and improve performance. The PoC includes the research, examination, selection and implementation of a database solution. The selected cloud must comply with the requirements of the regulatory body for the financial services industry.
The PoC should document the impact on current processes and tools, describe the interfaces between IT functions and the impact on operations, governance and sourcing, and define the billing and cost distribution model. Providers must also present documentation that meets the industry standards. In contrast, most providers' platform-driven business models only offer high-level, hyperlinked pieces of information on compliance, whereas the decision-makers in enterprise legal departments need the full detail before giving a thumbs-up to migrate to the cloud. In the highly regulated financial services industry (FSI), for example, this fragmented presentation of much-needed legal details is insufficient.
Cybersecurity + Privacy = Cybercapacity
Chief Information Security Officers, or CISOs, have often disclosed to me that many employees are unaware whether the software they use is hosted in the cloud or on premise. That is a concern that spans both cybersecurity and privacy.
Although cybersecurity does interface, integrate and eventually overlap with other areas, it is important to understand that these blurred lines often lead to misunderstandings and end up reducing the attention cybersecurity requires. For example, the heightened attention around the GDPR coming into effect at the time of this writing coincides with people working on becoming GDPR-compliant, and organisations often attribute the cybersecurity control of multi-factor authentication to the GDPR. We must keep in mind that cybersecurity is not the same as data protection, which is more concerned with privacy and how data is being used.
Migrating to the cloud requires that enterprises build capabilities to mitigate cyberrisk caused by human behaviour, as well as reduce the opportunities for cybercriminals to exploit human weaknesses. Raised awareness of our own behaviour, and of good cybersecurity and privacy practice, should be an integral element of the workplace culture.
This includes a change in mindset on cybersecurity and on privacy – in essence the development of your organisation’s cybercapacity. You’ll need to analyse the skill gap, develop an employee training plan to meet this gap, and identify relevant skills for becoming cybercapable.
Transforming into a Cybercapable Organisation
Transformation of the workplace culture is vital for a successful journey to the cloud. It all starts with change enablement and empowering your employees to adopt new ways of working. Gaining buy-in from decision-makers through internal communications and a PoC is key. When your organisation is successful in empowering change in the culture, you’ll be able to enjoy the many benefits of cloud migration while minimising – if not fully eliminating – its dark side.
Image: Pixabay CC0 Creative Commons by Atlantios
Learn from a tech startup the steps you need to take to protect your customers’ privacy and your brand reputation. Understand how you, too, can exceed customer expectations beyond the tick-box compliance.
Any organisation required to implement General Data Protection Regulation (GDPR) is presented with a number of duties and obligations they must fulfil for compliance.
Here are the selected key duties:
For practical relevance, I share hands-on experience from Leftshift One, a tech start-up specialising in the development and implementation of digital assistants. I had the distinct pleasure of working with Leftshift One on implementing the GDPR measures, and in this post I share some of the insights I gained through an interview with them.
Leftshift One's technology, like other technologies on the Gartner Hype Cycle for Emerging Technologies 2017, enjoys unprecedented popularity, particularly in customer engagement (first-level customer support). This is especially true when the use cases can be monetised, the quality of the language recognition is high, and the user experience is positive.
Leftshift One’s unique approach features a rule-based language model for speech recognition, which allows them to operate in their own ecosystem (on premise or in a private cloud). Most impressively, they managed to develop this for the German language, whose syntax is much more complex than that of English.
To gain more insight about the company and its approach to GDPR compliance, I asked Leftshift One for their insights.
Priya: What is Leftshift One's primary focus?
Leftshift One: Our primary focus is on linguistic dependency analysis; machine learning is secondary. I would add that we also focus on the business value for the client or use case. For example, a digital tourism assistant should not be used for processing pizza orders. Our Generic Artificial Intelligence Application (G.A.I.A.) can be employed instead on the internal system of the customer, i.e. on-premise, to create digital assistants. These digital assistants are customisable to meet the specific needs of the customer.
The advantage of G.A.I.A. lies not only in savings of energy and resources, but also in the software, or the Smart Digital Ecosystem. At Leftshift One, we refrain from using external service providers such as Google, Microsoft, Facebook, etc. (i.e. NLP, NLG or Build-a-Bot service providers). As a result, we can guarantee data security even in a private cloud operation. This combination of data security and our own NLP service (what we call ATLAS) allows us to offer the customer an on-premise solution, which by default is GDPR-compliant.
Priya: Obviously, this is a great starting point to leverage Article 25, data protection by design and by default, as the startup simply does not rely on the use of big data.
Leftshift One: Yes, exactly.
Ensuring Data Protection by Design and Default
Priya: Let's talk about privacy by design, the guiding principle of the GDPR. Data privacy for individuals should be the default action and should be designed into all organisational and technology processes from the ground up.
How have Leftshift One implemented Data protection by design and default?
Leftshift One: We were already preoccupied with this topic before development of the solution. The principles of the GDPR are not new; they have too often been ignored. We knew that a GDPR-compliant solution was urgently needed in this area for the European market. That's why we decided to provide our customers with a solution that complies with these principles. Our clients are both software integrators who create digital assistants for their clients as well as customers who need a digital assistant directly from us.
Since the machine-learning approach requires a lot of data (what many refer to as big data) to deliver a high-quality result, we are now working on finding an alternative solution. We knew there had to be a solution that did not need endless amounts of customer data. By combining our machine learning approach with an artificial neural network and linguistic dependency analysis, we were able to achieve high-quality results for our clients and customers. This smart approach to technology is cost and energy efficient, affordable and customisable.
In addition, we encrypt any communication between assistant and customer or save data encrypted, without exception. The data is used exclusively by the algorithms - we ourselves have no knowledge of the content.
Since we have committed ourselves to data protection even before the development of our software solution, we are pursuing the concept of Data Protection by Design and Default.
Providing for the Security of Personal Data
Priya: Arguably, the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, especially since it applies to all companies processing the personal data of data subjects residing in the Union, regardless of whether the company is located in the European Union. For this reason, it is essential that organisations understand the concept of personal data. If you collect, store, or use any of the following: name, address, localisation, online identifier, health information, income, or cultural information, then you have to abide by the rules.
The GDPR requires you to maintain records of the type of data you hold, where it came from and with whom you share it, all of which requires documentation.
How do Leftshift One provide for the security of personal data?
Leftshift One: Again, we chose the Data Protection by Design and by Default approach. As we already mentioned, we encrypt our data and have no knowledge of its content. Only the algorithm of our Cognitive Language Understanding Service, ATLAS, knows the content. However, a categorisation of the collected data must be made and documented. The Cognitive Language Understanding Service, ATLAS, processes the text even after the conversion of Speech2Text and categorises it automatically.
The integration code shows which data is processed and to which category it belongs. This means that we automatically know with each conversation what data is processed without knowing the content.
Of course, this is only possible if you both rely on a rule-based translation concept and make this connection.
Guarding the Rights of EU Customers
Priya: The GDPR enhances the rights of data subjects in the EU. The GDPR includes individual rights: to be informed; to have the right of access; to have the right to rectification; to have the right to erasure; to have the right to restrict processing; to have the right to data portability; the right to object; and the right not to be subject to automated decision-making, including profiling.
This means that your EU customers have the right to request access to and erasure of their information. In addition, you need to provide them with easier access to personal data, with clear and easily understandable information on processing. Making this information available gives your customers insight into how their information is used.
You will have to report data breaches to regulatory authorities within 72 hours, and in high-risk scenarios, to follow this reporting by notifying the individuals whose data may have been compromised. All data must have appropriate technical and procedural measures to ensure a level of security appropriate to the risk that it carries.
The conditions for consent have been strengthened. Under the GDPR the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Consent has strict requirements, including the fact that it can be withdrawn at any time.
How do Leftshift One guard the rights of EU customers?
Leftshift One: We need to differentiate between two types of personal data. The ATLAS service stores the data in an encrypted form and after each conversation the personal data of the session are deleted or are deemed irrelevant, i.e. the result of the digital assistant. Data is discarded or not stored. We do not store personal data in the system. Leftshift One are not interested in the data since we do not need it for processing.
Certain business cases, however, may require encrypted personal data to be stored. Let's take recommendation marketing, for example. In this case, the digital assistant asks the end user for permission.
Here's an example: The customer orders a pizza. ATLAS only translates the instructions. ATLAS now informs the service provider, who organises the order of the pizza (i.e. the customer's request). The service provider himself has the personal data to initiate an order. John Doe, with his place of residence, credit card information, etc., is not necessary for the service fulfilment in the ecosystem.
However, if there is an explicit need to store personal data in order to automatically make recommendations, for example, the data will be stored in an encrypted form after the end user has given their consent. This personal data stored can be requested, corrected or deleted by the end user. Storing data, encrypting it and ensuring it is accessible requires a lot of effort but we do it because we value data security.
For both partners and customers who use our digital ecosystem, we rely on an established partner or expert for knowledge management, process management and CRM: Atlassian Confluence and Jira. Our solution is GDPR-ready by default and in compliance with the standards.
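The retention rules described in this answer (conversation data discarded at the end of a session, personal data kept only under explicit consent for a named purpose, and the end user able to request, correct or delete it) can be stated precisely in code. What follows is an added example written for this post, not Leftshift One's code or ATLAS: the field names, categories, subject identifier and pizza-order values are constructed, and the encryption at rest mentioned in the interview is deliberately left out so the example stays focused on what is kept, under which purpose, and how the subject's rights act on it. It also keeps a record of processing that lists categories only, which is the "we know what data is processed without knowing the content" property from the earlier answer.

```python
"""Added example, not Leftshift One's code: a minimal model of the session-
scoped data handling described in the interview. Field names, categories
and the sample conversation values are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Category each field belongs to, as the integration code would declare it.
# Constructed mapping; a real deployment derives this from the integration schema.
FIELD_CATEGORY: Dict[str, str] = {
    "name": "identity",
    "address": "identity",
    "card_number": "payment",
    "pizza": "order_content",  # not personal data
}
PERSONAL_CATEGORIES: Set[str] = {"identity", "payment"}


@dataclass
class Session:
    session_id: str
    fields: Dict[str, str] = field(default_factory=dict)


class AssistantStore:
    """Holds conversation data only for the session's lifetime; personal data
    survives the session solely under an explicit, purpose-bound consent."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        # subject_id -> purpose -> field -> value (retained under consent only)
        self._retained: Dict[str, Dict[str, Dict[str, str]]] = {}
        # Record of processing: categories only, never content.
        self.processing_record: List[Dict[str, object]] = []

    def start_session(self, session_id: str) -> None:
        self._sessions[session_id] = Session(session_id)

    def record(self, session_id: str, name: str, value: str) -> None:
        if name not in FIELD_CATEGORY:
            raise ValueError(f"field {name!r} has no declared category")
        self._sessions[session_id].fields[name] = value

    def end_session(self, session_id: str, subject_id: Optional[str] = None,
                    consent_purpose: Optional[str] = None) -> Set[str]:
        """Closes the session and returns the categories that were processed.
        Personal fields are retained only if a subject AND a purpose were given."""
        session = self._sessions.pop(session_id)
        categories = {FIELD_CATEGORY[f] for f in session.fields}
        self.processing_record.append({"session": session_id,
                                       "categories": sorted(categories),
                                       "retained_for": consent_purpose})
        if subject_id is not None and consent_purpose is not None:
            personal = {f: v for f, v in session.fields.items()
                        if FIELD_CATEGORY[f] in PERSONAL_CATEGORIES}
            self._retained.setdefault(subject_id, {})[consent_purpose] = personal
        return categories  # session.fields is dropped here; nothing else kept the values

    # Data-subject rights: access, rectification, erasure, withdrawal of consent.
    def access(self, subject_id: str) -> Dict[str, Dict[str, str]]:
        return {p: dict(v) for p, v in self._retained.get(subject_id, {}).items()}

    def rectify(self, subject_id: str, field_name: str, new_value: str) -> int:
        """Corrects a field under every purpose it was retained for; returns count."""
        count = 0
        for per_purpose in self._retained.get(subject_id, {}).values():
            if field_name in per_purpose:
                per_purpose[field_name] = new_value
                count += 1
        return count

    def withdraw_consent(self, subject_id: str, purpose: str) -> bool:
        """Withdrawing is one call, as easy as giving consent was."""
        purposes = self._retained.get(subject_id, {})
        removed = purposes.pop(purpose, None) is not None
        if not purposes:
            self._retained.pop(subject_id, None)
        return removed

    def erase(self, subject_id: str) -> bool:
        return self._retained.pop(subject_id, None) is not None


def demo() -> dict:
    """Runs the pizza-order scenario twice: without consent (nothing retained)
    and with consent for recommendations (retained, then rectified and withdrawn)."""
    store = AssistantStore()
    store.start_session("s1")
    store.record("s1", "name", "John Doe")          # constructed sample values
    store.record("s1", "address", "1 Example Street")
    store.record("s1", "pizza", "margherita")
    cats_no_consent = store.end_session("s1")       # no consent given
    retained_no_consent = store.access("john")      # -> {}

    store.start_session("s2")
    store.record("s2", "name", "John Doe")
    store.record("s2", "card_number", "4111-0000-0000-0000")
    store.record("s2", "pizza", "quattro formaggi")
    cats_consent = store.end_session("s2", subject_id="john", consent_purpose="recommendations")
    retained_with_consent = store.access("john")
    store.rectify("john", "name", "Jon Doe")
    rectified = store.access("john")["recommendations"]["name"]
    withdrawn = store.withdraw_consent("john", "recommendations")
    return {
        "categories_no_consent": sorted(cats_no_consent),
        "retained_no_consent": retained_no_consent,
        "categories_consent": sorted(cats_consent),
        "retained_fields": sorted(retained_with_consent["recommendations"]),
        "rectified_name": rectified,
        "withdrawn": withdrawn,
        "after_withdrawal": store.access("john"),
        "record_has_content": any("John" in str(r) for r in store.processing_record),
    }
```

The design point is that the only path by which a personal value outlives `end_session` is the branch guarded by both a subject identifier and a named purpose; everything else is dropped with the session object, and the processing record can be handed to a regulator without exposing any content.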
Demonstrating Compliance and Accountability
Priya: As entrepreneurs, you should expect regulators to potentially exercise their powers to access data and premises. You should also be able to demonstrate compliance with the GDPR principles relating to personal data. Mechanisms to assist with providing this proof include carrying out Data Protection Impact Assessments (DPIAs) and adhering to codes of conduct.
As explained earlier, the GDPR makes privacy by design and default an express legal requirement. It makes DPIAs (formerly known as Privacy Impact Assessment or PIAs) mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
How do Leftshift One demonstrate accountability and compliance?
Leftshift One: The HG3 startup hub, where Leftshift One is located, includes diverse experts from the tax, business consulting, legal and other industries. This startup hub has been Leftshift One's partner since its inception and also supports the company in matters of data protection.
In addition to data protection checklists, we have implemented another form of proof already in the development process. These are user stories, which contain not only the description of the functionality but also acceptance criteria, test cases or non-functional criteria. We now have an area for specifying data protection criteria for each user story. These criteria are reviewed twice in total.
The first review will take place as part of the "Definition of Ready (DoR) Review" before a user story is implemented. This is when the development team examines whether it can be implemented in compliance with data protection or what is necessary to ensure data privacy compliance during implementation.
The second review will be done as part of the "Definition of Done (DoD) Review" after the functionality has already been implemented. It ensures compliance with data protection requirements.
As a result, the risks related to the GDPR have already been identified and mitigated during the development phase.
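The two-stage review described in this answer (data-protection criteria checked at Definition of Ready before implementation and again at Definition of Done afterwards) lends itself to an automated gate that a build pipeline can run over the backlog. The following is an added example, not Leftshift One's tooling: the user-story fields (`data_protection`, `acceptance_criteria`, `test_cases`, `dor_review`, `dod_review`) and the three sample stories are constructed for illustration, and the checks encode the rules stated in the interview together with the GDPR points raised earlier on this page (a named legal basis, withdrawal of consent as easy as giving it, erasure on request, encryption of retained personal data).

```python
"""Added example, not Leftshift One's code: a Definition-of-Ready /
Definition-of-Done gate for the data-protection section of user stories.
Story structure and sample stories are constructed for this example."""
from typing import Dict, List

REQUIRED_DP_FIELDS = ("personal_data", "purpose", "legal_basis", "retention")
ALLOWED_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}


def dor_findings(story: Dict) -> List[str]:
    """Checks a story before implementation (Definition of Ready review)."""
    findings: List[str] = []
    dp = story.get("data_protection")
    if dp is None:
        return ["no data_protection section"]
    for f in REQUIRED_DP_FIELDS:
        if f not in dp:
            findings.append(f"missing data_protection.{f}")
    if dp.get("personal_data"):
        if dp.get("legal_basis") not in ALLOWED_BASES:
            findings.append("legal_basis must name a GDPR Art. 6 basis")
        criteria_text = " ".join(story.get("acceptance_criteria", [])).lower()
        if dp.get("legal_basis") == "consent" and "withdraw consent" not in criteria_text:
            findings.append("consent-based processing needs an acceptance criterion for withdrawing consent")
        if dp.get("retention") != "session" and not dp.get("encrypted_at_rest", False):
            findings.append("personal data retained beyond the session must be encrypted at rest")
    if dp.get("dor_review", {}).get("result") != "pass":
        findings.append("no passed DoR review recorded")
    return findings


def dod_findings(story: Dict) -> List[str]:
    """Checks a story after implementation (Definition of Done review)."""
    findings = dor_findings(story)  # unresolved DoR defects still block "done"
    dp = story.get("data_protection") or {}
    tests = story.get("test_cases", [])
    tested = {t.get("covers") for t in tests if t.get("passed")}
    for crit in dp.get("criteria", []):
        if crit not in tested:
            findings.append(f"data-protection criterion {crit!r} has no passing test case")
    if dp.get("personal_data") and dp.get("retention") != "session" and "erasure" not in tested:
        findings.append("retained personal data needs a passing erasure test")
    if dp.get("dod_review", {}).get("result") != "pass":
        findings.append("no passed DoD review recorded")
    return findings


def gate(stories: List[Dict]) -> Dict[str, List[str]]:
    """Returns findings per story id; the stage is chosen from the story status."""
    report: Dict[str, List[str]] = {}
    for s in stories:
        check = dod_findings if s.get("status") == "done" else dor_findings
        report[s["id"]] = check(s)
    return report


# Constructed sample backlog.
SAMPLE_STORIES: List[Dict] = [
    {   # ready for implementation, fully specified
        "id": "US-1", "status": "ready",
        "acceptance_criteria": ["User can place a pizza order by voice"],
        "data_protection": {"personal_data": ["name", "address"], "purpose": "order fulfilment",
                            "legal_basis": "contract", "retention": "session",
                            "criteria": ["session data discarded at end of conversation"],
                            "dor_review": {"reviewer": "dev team", "result": "pass"}},
    },
    {   # marked done, but consent withdrawal is unspecified and erasure untested
        "id": "US-2", "status": "done",
        "acceptance_criteria": ["User receives pizza recommendations"],
        "data_protection": {"personal_data": ["name", "order history"], "purpose": "recommendations",
                            "legal_basis": "consent", "retention": "12 months",
                            "encrypted_at_rest": True,
                            "criteria": ["profile encrypted at rest"],
                            "dor_review": {"result": "pass"}, "dod_review": {"result": "pass"}},
        "test_cases": [{"name": "profile stored encrypted",
                        "covers": "profile encrypted at rest", "passed": True}],
    },
    {   # no data-protection section at all
        "id": "US-3", "status": "ready",
        "acceptance_criteria": ["Show opening hours"],
    },
]

if __name__ == "__main__":
    for story_id, findings in gate(SAMPLE_STORIES).items():
        print(story_id, "OK" if not findings else findings)
```

Run against the sample backlog, US-1 passes its DoR gate, US-3 is blocked for having no data-protection section, and US-2, although both reviews are recorded as passed, is still held back by the DoD gate for the missing consent-withdrawal criterion and the missing erasure test; this is the kind of gap a human review can miss and a mechanical check does not.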
Success Factors at a Glance
Leftshift One successfully leverage a holistic approach to creating a culture of privacy that goes far beyond the compliance requirements that many companies pursue. This approach is embedded in a network of specialists essential to the creation and establishment of a culture of privacy. Together, we have developed an innovative, GDPR-compliant technology and have applied continuous feedback loops along the entire value chain, beyond agile software development. In addition, Leftshift One have voluntarily appointed a Data Protection Officer to represent them on privacy issues.
Leftshift One have seized the golden opportunity to build valuable and trust-based relationships with their clients through increased privacy, during this challenging growth phase.
Digital transformation advisor | Privacy expert | Cyber anthropologist | Author