| Home | About | Insights | 0
  • Your Shopping cart is empty.

Martin de Bruin

Profile page

About martindebruin

  • Email: martin.debruin@deslyon.com
  • Nice Name: martindebruin
  • Website:
  • Registered On :2018-11-14 12:18:41
  • Logged in as: martindebruin

martindebruin Posts

des lyon blog vendor contracts

With the recent ruling by the Courts of Justice for the European Union (CJEU) that website operators who install Facebook “Like” buttons means that Facebook are a joint controller with the website operator*, this post looks more closely at the contractual relationship between website operators and 3rd party technology solutions that collect personal information from an operator’s website, with a few tips for both brands and 3rd parties so as to help foster a trustworthy (and compliant) user experience.


For those still wondering why this ruling is so important, if you – the website operator (such as an e-commerce brand/retailer, or a publisher/news site) – have a Facebook “Like” button on your website (for example either on a news story or a product page) and a user clicks on that “Like” button, then that user’s personal information is being sent to Facebook who then have control of that user’s personal information and can determine what happens with that user’s information (such as inform that user’s friends via their news feed that the user clicked “Like” on a product or news content). There is also the capability of Facebook collecting all of that user’s “Like” activity in order to create a profile of him/her and then serve targeted ads or content (and possibly sell that users profile to other advertisers who are looking for a similar profile to serve their ads to). All of this is possible from what seems like an innocent act of appreciation for a product or news story that was published on the website operator site (the e-commerce brand/publisher/news site) who (as soon as the user interacts with any tracking or plugin) has no control as to what happens with that users information.


The CJEU ruling is also significant in that it doesn’t just apply to Facebook. The website operator is ultimately accountable for any Advertising /Marketing technology tracking and/or social media plug-in that is deployed on its website (that collects personal information) that collects personal information – either on its own right (such as IP address) or if overlaid with other data (for example “click reference/id”+”source”+”device id”+”location”+”products viewed”+”other websites visited” + “order ID”) on an electronic device (such as desktop, mobile/handheld or any other form of device) through:

  • Sponsored Search Engine (Pay Per Click) listings
  • Content Ads (for example – like those “Sponsored Links” that you often see on news/media sites)
  • Product Listings Adverts on Search Engine Shopping channels and comparison shopping engines/sites
  • Affiliate Marketing & influencer (blogger) marketing ads and text links
  • Social Media sharing
  • Display advertising
  • Behavioural Targeting & Re-targeting adverts


Using an advertising agency doesn’t shield you from responsibility

Even if a website operator outsources their marketing/advertising activity to an agency, and allows that agency complete free reign in how they achieve commercial & marketing objectives, it is the responsibility of the website operator to know what information has been collected about a user from those marketing channels, and what subsequent processing takes place with that users information so as to inform the user of who that website operator is working with that collects data.


How can website operators ensure they’re working towards compliance? 

Before commencing the relationship with any 3rd party vendor, whether that be for marketing/advertising technology solutions/social plugins or agency management for marketing strategy & activity, there needs to be a written agreement in place that defines the boundaries and where responsibility begins and ends in accordance with Article 26 (Joint Controllers) of the official GDPR text, and include the rights of the website operator within these agreements. The agreement (also known as a “controller:controller” agreement) needs to include the contact details of the joint controller, purposes of the joint controllers’ processing, categories of data being processed, details of where that data will be transferred to (if outside of the EEA – and safeguards being applied), how long that data will be kept for, and a description of the technical & organisational measures taken by that joint controller.


What else does the website operator need to do?

The website operator also needs to fully inform users in accordance with the lawfulness, fairness and transparency principle (as per Article 5) of the tracking/social media plugins on their site that will collect their data if they interact with (click on or “Like”) them. The website operator will need to list exactly what data is collected, the purposes for which it collected and processed, and include the contact details of the social media/3rd party tracking/plugin provider/agency for any queries or to obtain access to their information (as per the users’ rights to information, access, rectification, erasure, restrict use, or not to be subject to automated decision making such as profiling, the right to object, or to have their moved/ported to another provider/competitor as stated in Articles 12-22).


The website operator will have to obtain a lawful basis for the advertising/marketing technology provider and/or agency collecting and processing that data also have to obtain explicit, unambiguous, freely given and informed Consent from the user in order for the website operator and joint controller to collect and process that information. Legitimate Interest will not suffice as a Legitimate Interest Assessment proves quite clearly that the benefit to the user is outweighed by the commercial interests of the website operator.


Ignoring these requirements when it comes to Joint Controller or Controller:Processor agreements could leave the website operator completely exposed to the maximum financial penalty or possibly be faced with a stop order (which could be even worse than the fine for most organisations). It is vital that those 3rd party contracts are reviewed and updated to reflect Data Protection Laws and Regulations. 


Of course – if the 3rd party is acting only on the strict instruction of the website operator then that would be a “Controller:Processor” relationship and that requires a differently worded agreement but still requires the processor to have adequate security measures, policies and processes in place to protect user data if it of a personal nature.


For further information and guidance on 3rd party Contracts (Controller:Controller, Controller:Proessor, and Processor:Processor), email info@deslyon.com today.


(*ref: http://curia.europa.eu/juris/document/document.jsf;jsessionid=A06E0AB5DBF21253C4907DDCE5A5DDDB?text=&docid=216555&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=7104636)



Photo: https://pixabay.com/es/photos/cadena-articulada-apretón-de-manos-2853046/ 

deslyon blog post travel tips

It’s that time of year when people are packing those flip flops and shorts to enjoy their summer holidays or simply take time out of the office.


If you’re going abroad – depending on where you go – there are data protection laws that you have to comply with when collecting or processing (i.e. accessing) personal data that is used in a commercial capacity (i.e. customer, employee or business partner emails for example). You don’t know who is monitoring the internet access in the location that you are in. If you’re taking paper documents with you then how do you know who has access to your hotel room? What controls are in place to prevent access to personal information that is on a portable device that you’ve left in your hotel room whilst you were out on the beach?


If you’re checking emails and need to respond to one that cannot wait until you return or is labelled “urgent”, and you’re using free wifi access, then this poses a significant risk as these networks can be particularly vulnerable.


Even if you’re not checking emails and you use your device for work and personal use, and you happen to be browsing websites when a pop-up appears on your screen (and you don’t recognise the language but feel compelled to click the green button or tick the box) this could lead to malware being installed that could lay dormant for days or weeks and then when you’re back home could activate the malware so that it now affects your home network or even the company network and possibly grant unrestricted access to the hacker.


Techniques such as “Phishing” are becoming increasingly common and even more sophisticated, so if you’re asked by customs or a government official to hand over your device for examination, it is likely that they will require access to the device and its contents before they approve your entry to their country.


So, what can you do to prevent a situation from occurring that might lead to a compromise of personal data whilst you’re on the beach supping that 6th/7th/8th(maybe you’ve lost count) Pina Colada?  Here’s a few tips to help you get started:


  1. The obvious advice is don’t take work devices with you if you don’t need to.
  2. If you do have to take the device, make sure that any information relating to work or personal data of employees, customers, business partners is removed from the device (you can uninstall work applications and email accounts and re-install when you return).
  3. Do not open files or attachments from people you don’t know and do not click on links in emails from unknown senders.
  4. If you have to have personal information and records that include personal information on your device whilst on holiday, make sure you complete a full backup and leave it somewhere safe (in the office perhaps?) before your leave, in case the data is lost during your vacation.
  5. Depending on the level of sophistication of your IT infrastructure, you may want to run your device in a virtual environment whilst you’re on holiday, as that will ensure that any issues or viruses are contained within the virtual environment.
  6. A password management policy should already be in place within your organisation but if it isn’t then it is worth changing your passwords for when you’re on holiday, and changing them back when you return (or even better – change to new unused password).
  7. If you don’t need to have your Bluetooth or wi-fi on, then turn it off!


Martin de Bruin, CEO suggests that you do not leave your device unattended at any time:

“Whilst the lure of another cocktail as you’re sat by the pool or sea running on ice-cubes and are in urgent need of a refill might seem appealing, keep your device with you! Also, if you lose your device or if it’s stolen you will need to report it immediately to your employer and company Data Protection Officer, stating exactly which customers’ information was accessible on the device and/or employees or business partners personal data as well. It may require a notification to the Information Commissioner’s Office or even to the users whose data has been affected.”

For further information or advice on how to creating and implementing appropriate policies around information security and data protection or device management for your organisation, contact info@deslyon.com today.

blog post etc fine facebook $5bn (FFS!)

In a week that has seen more “intents” than a field in Glastonbury, the latest and greatest fine to-date was just announced as the US Federal Trade Commission approved a $5bn fine to Facebook as a result of the 2018 Cambridge Analytica scandal (source: https://www.cnbc.com/2019/07/12/ftc-fines-facebook-5-billion-for-privacy-lapses.html)


The Facebook–Cambridge Analytica data scandal was a major political scandal in early 2018 when it was revealed that Cambridge Analytica had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes. The method used was via an application under the guise of a “personality quiz” called “thisisyourdigitallife”, and data was collected not only from users who took part in the quiz, but also from friends of those users – all without the consent of either the user nor of course their friends. It is alleged that around 87milion users were affected by the scandal.


The FTC began probing Facebook in March 2018 following reports that political consulting firm Cambridge Analytica had accessed the data of 87 million Facebook users. The agency was concerned that Facebook had violated the terms of a 2011 agreement, where Facebook agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public (source: https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep). The settlement required Facebook to give users very clear notifications when their data was being shared with third parties.


The settlement will now be reviewed by the Department of Justice (reports say), but the message being sent out by both the US and UK regulators (the latter intending to issue a £183.3m and £99m fine to British Airways and Marriott International Inc respectively) is that infringement of data subjects privacy (or by being in breach of data protection laws), will be treated with the utmost severity in terms of punishment for ignorance and systematic abuse of peoples’ personal information or by neglecting information security principles around Confidentiality, Integrity & Availability of personal data.


Of course, in addition to this, the UK Information Commissioner’s Office is also looking into the digital advertising industry – in particular behavioural advertising, retargeting and Real-Time-Bidding Auctions (of which big tech firms have a significant commercial interest in) so it is highly likely that this will not be the last time we see familiar faces and household names in the news for being in breach of Data Protection Regulations & Privacy laws for not obtaining users’ consent.


There will also likely be cases brought to the attention of regulators where companies fail to implement the appropriate technical and organisational measures, such as having an appropriate information security policy or not deploying the required training for their staff.


Martin de Bruin, CEO of Deslyon says:


This week we’re starting to see the consequences of failure to comply with Data Protection laws and Privacy regulations. Companies feel that they can take a laissez-faire approach when it comes to their obligations whilst we have constantly disagreed with their consensus. Now it is clear to see that doing nothing or skipping over data protection/privacy obligations is no longer an option.


News outlets report that Facebook declined to comment, however, if you are looking for guidance and advice on how to comply with Data Protection regulations and privacy laws for your organisation, contact info@deslyon.com.



Image source: https://www.flickr.com/photos/stockcatalog/26406050097/in/album-72157695350251185/

blog 2 out of 3 hotel websites leak data

With the recent announcement the UK Commissioner’s Office is intending to issue a fine of more than £99 million to Marriott Hotels group, a recent study by Symantec* shows some of the serious consequences that can result from unauthorised access, such as unauthorised cancellations, and access to personally identifiable information including name, postal address and passport numbers.


The study involved testing multiple websites, including more than 1,500 hotels in 54 countries, and found that 67% of these sites are inadvertently leaking booking reference codes to 3rdparty sites such as advertisers and analytics companies (even though all of the sites had a “privacy policy” but none of them mentioned this behaviour explicitly.


Types of personal information leaked included data such as:

  • Full name
  • Email address
  • Postal address
  • Mobile phone number
  • Last 4 digits of credit card, card type and expiration date
  • Passport Number


It is suggested that the cause of these leaks could stem from confirmation emails sent to the customer, which includes a link to the booking, allowing the user to go straight to their reservation without having to login.


Martin de Bruin, CEO of Deslyon comments:

“Whilst this is incredibly distressing, it isn’t really a surprise. What if the customer entered the wrong email address, and the booking confirmation was sent to someone else? The can of worms that could have been opened if the email address was shared by a couple!”


The study goes on to state that this information – which can be passed through the email confirmation link by the browser – can also be visible to unauthorised 3rdparties well-known social networks, advertisement and search engines, and all it takes is a rogue employee to use the information collected for their own nefarious purposes for a major incident to occur, which could affect the rights and freedoms of that individual.


It is worth remembering Recital 30 of the EU GDPR which states that ‘Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them’.


“Accountability is the underlying principle under the EU GDPR yet still thousands of companies still seem to think that they avoid their obligations when it comes to privacy and Data Protection, whilst we continue to vehemently be of a different opinion. Companies who do not demonstrate compliance by taking the appropriate technical & organisational measures will be subject to fines and sanctions similar to what we’ve seen in the last 48hours.  Prevention really is better than trying to find a cure after you’ve suffered a breach.” Martin concludes.


If you are looking for guidance and advice on how you can take steps towards data protection compliance and privacy regulations, contact info@deslyon.com today.


(*source: https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data)

Photo by Krys Amon on Unsplash

blog post boardroom clip wings

The intention to fine a record amount to British Airways (as reported by the ICO* on Monday 9thJuly 2019) may have come as a shock to quite a few. However, these levels of fines and other significant penalties may start to become more familiar as more companies become exposed in their negligence of protecting personal information.


The 2018 Cyber Governance Health Check** report into the top FTSE 350 companies released by HM Government in March 2019 revealed some interesting findings, which should cause concern for boardrooms across all businesses that collect and process personal data – whether its customers, employees, or business partners/suppliers. The key findings from the report show that:


  • Less than two thirds (60%) of the FTSE 350 list of companies report that their appetite for risk (the extent and type of risk the business is willing to take) is agreed and written down. Therefore, for more than a third (40%) of businesses, there is a risk that not all staff members share the same vision as the board regarding the level and type of risk that they are willing to take.
  • 77% of FTSE 350 businesses do not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.


The report also states that only around 1 in 5 boards of FTSE 350 businesses have undertaken a crisis simulation on cyber risk in the last 12 months, which – when you take into consideration that in 2017, 70% of large companies (and 74% of SME’s) reported that they had suffered a cyber breach*** this suggests that we’ll see a lot more exposure of cyber weaknesses in what are perceived to be credible brands and organisations who lead the public to believe that they deliver exemplar business practice.

Martin De Bruin, CEO at Deslyon suggests a few tips to help boardrooms start and navigate their way through their privacy strategy:

“First and foremost, the Board (including the CEO) has to decide on the company’s mission when it comes to Data Protection & Privacy. Then they can develop their strategy in accordance with the mission and form the team to steer the strategy. The framework should be based on the organisation’s needs as there isn’t really a one-size-fits-all. More often than not, the biggest risk in any organisation comes from internal, so it is vital that training & awareness is steered by the top. Communication is essential if all employees are expected to follow the company’s lead.”

If the words of Elizabeth Denham, UK Information Commissioner didn’t read loud and clear before, then maybe the following quote from her will make boardrooms across the country take notice:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage, or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”


To discuss your compliance requirements or to understand your obligations when it comes to privacy and Data Protection, email info@deslyon.com without delay.

(*source: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-ico-announces-intention-to-fine-british-airways/)

(**source: https://www.gov.uk/government/publications/cyber-governance-health-check-2018) 

(***source: (https://www.export.gov/article?id=United-Kingdom-Cyber-Security)

Photo by Joshua Sortino on Unsplash


A little reading for the weekend.  Unless you’ve been partying on a yacht somewhere in the south of France this week, you’ve probably seen the report published by the Information Commissioner’s Office into adtech and real time bidding.  If you’re still too blurry-eyed to read the report, we’ve extracted some of the key “i-lights” from the report, not in any particular order:

“Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.”

“Transparency issues also exist for the ecosystem itself, given the opaque nature of the data supply chain.

For some market participants, these were at best not fully understood or at worst ignored.

“Data supply chain: In many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.”

Invisible Processing
“…’Invisible processing’ is an activity that carries inherent risk to rights and freedoms as it takes place with no or minimal user awareness. The ICO’s Article 35(4) list provides the following definition: ‘Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort (as provided by Article 14(5)(b).’ Our list clarifies that processing operations of this sort, combined with any of the criteria from the EDPB guidelines, require a DPIA. Similar examples appear on a number of the Article 35(4) lists prepared by other European data protection authorities”.

“What we found was an industry that understood it needed to make improvements to comply with the law.”

Europe global vendor list comprises over 450 organisations, each with their own privacy policy. Some of these will be in non-EU jurisdictions, meaning that international transfers of personal data are taking place.”

If you’re an investor of a company that is involved in the collection, processing, storage or trading of personal data as defined within the GDPR/DPA 18 then you may want to review whether your investment could survive a financial penalty – or even survive being instructed by the ICO to stop collecting and processing personal data, or if you’re thinking of acquiring a company that collects, processes, stores or trades in personal information, you may want to ensure that the appropriate due diligence has been carried out to ensure that you don’t end up paying more in the long run (see our blog post about M&A here: https://deslyon.com/2019/05/16/mergers-acquisitions-a-private-matter/).


It appears that with the decision to carry out an Industry Sweep, the ICO states: “Following continued engagement to obtain more information, we may undertake a further industry review in six months’ time.”  It is with almost certainty that the ICO won’t be brushing these issues under the carpet.

If you’re not familiar with the corrective powers bestowed upon the ICO, you may want to cast those blurry eyes over article 58(2) (d) and (f) in particular.

 All eyes really will be focused on the industry to see how it cleans up its act, which “Cannes” only be a good thing.  Chin-Chin!

(the full ICO report is available here: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf)

Deslyon cyber risk

A recent article by smeweb.com (http://www.smeweb.com/2019/06/18/beware-cyber-attack/) states that more than half of British firms have been the victim of a cyber-attack in 2019. It is highly likely that insurance will only part cover the costs of recovering back to Business as Usual, so how can insurance providers help their clients understand what it takes to ensure appropriate measures are being taken towards achieving compliance?

Businesses of all sizes, across almost every location in the world and in every business sector rely on technology and digital in order to perform its (even most basic) functions. However, whilst more and more businesses seek to maximise the opportunity that this “4th industrial revolution” brings, the threats to businesses are even greater and (through lack of awareness) even easier than in previous times.

Let’s add the level of accountability that sits at the top of the organisation into the mix, and we can quickly ascertain this as a defining time for organisations and ultimately those who do not adapt to these seismic changes will soon give way to those organisations that have the appropriate measures in place to defend their business when the situation arises.

A common misconception is that cyber insurance will cover organisations against data breaches or cyber attacks to the organisation. What these providers often leave within the small print for organisations to find out for themselves is that the insurer will state that organisation must have appropriate measures in situ in the first place before a payout will be considered.

The question is – who is providing the relevant checks and balances to those who underwrite such policies in order to help identify the risks and vulnerabilities that they should be checking with their customers prior to offering the policies?What intelligence can be drawn from previous incidents (not just for the organisation but also those linked to the business such as suppliers, vendors, business partners etc) to ensure that the right questions are being asked prior to a decision on a policy (and adequate excess fee/cover)?

Given the recent introduction of regulations and legislation – particularly around Data Protection – means that Cyber security is establishing itself firmly at the top of the agenda across most board rooms. This isn’t a surprise when you consider the amount of information that is being collected, processed and stored by organisations (as well as their supply chain) cross many internet entry points, and on a range of inter-connected devices (not just mobile phones & laptops but also smart meters, door bells, speakers, vehicles, televisions, games consoles to name but a few) and the fact the new regulations, legislation and industry compliance frameworks hold those at the top of the organisation ultimately accountable for non-compliance. Terms like “spear-phishing”, “SMiShing”,“Vishing”, “Malware”, “Ransomware” are now established terms that are discussed more frequently now than they were 10 (possibly even 5) years ago.

It is more important now than at any time before to not only understand the cyber security strategy of an organisation, but to ensure that insurance providers are offering business solutions and guidance to help businesses understand how they can protect their organisation from such threats which can only benefit the providers and policy holders alike.

For more information and guidance on compliance controls and an assessment of your business, contact info@deslyon.com today.

Deslyon blog remote policies

Just 1 in 5 businesses have a Remote Working or Bring Your Own Device policy in place!

  • even though over 4 in 10 say that staff in their organisation regularly use a personal device such as a non-work laptop for business purposes!

The 2019 Cyber Security Breaches Survey for the DDCMS shows that whilst businesses  have taken considerable actions to improve their stance on cyber security, there are still areas that require significant development by implementing the appropriate policies.

Remote working isn’t a new concept. In fact, there’s an article posted by flexjobs.com about the history of working from home, which you can find on the following link: (https://www.flexjobs.com/blog/post/complete-history-of-working-from-home/),

However, what has changed significantly (in the last 10 years or so) has been the interconnectivity of devices that extend beyond a desktop computer or a laptop. In fact, since the launch of the i-phone in April 2007 (possibly even the Blackberry 5810 which launched even earlier in 2002), this led to fundamental change in the manner in which people perform their work duties, and the need for being based in the office.

Whilst there have been rapid advancements in technology that have increased the flexibility of remote working, what seems to have been left behind are the controls and policies set by the employer when it comes to the technical and physical security of devices when working from home or on the road.

This is an area that will likely come under further scrutiny since the EU GDPR and UK Data Protection Act 2018 came into force.

By having a company policy in place that covers your employees who work from home or remotely could significantly reduce the risk of any information on those devices being compromised.

Staff who use their personal mobiles for company use will often install applications and programmes that are probably not likely to be on the company “whitelist” of acceptable apps. Company staff may travel overseas – possibly to a different continent. The way in which they access the internet may require certain restrictions (i.e. they may not be permitted to use the hotel/coffee shop free wifi).

Martin De Bruin, CEO of Deslyon comments:

“You Just need to go to trade shows and industry events where you’ll see company representatives with laptops unattended, and sometimes even unlocked. How many stories do you hear where staff leave laptops in their cars and then the become the victim of a break-in? It doesn’t take long to work out what the consequences might be if company confidential information ends up in the hands of an opportunist.”

Of course if personal devices are being used in the work place, this can often mean that other family members use the same laptops/tablets/even home computers, so it is imperative that companies have a policy in place that covers the technical and physical security of information and assets, which staff understand and are aware of their responsibilities when it comes to their own devices, and the content within those devices.

For guidance on creating policies within your organisation or for more information about Deslyon services, contact info@deslyon.com

Deslyon blog Testing the Chain Reaction of Your Supply Line

Auditing your suppliers and ensuring that their business practices align with your own organisation’s compliance can be a daunting task – even for those with minimal supply chains. What if your supply partner is based in another country, or another continent? What if your supply partner requires you to go through bureaucratic hurdles and hoops so as to get them to fulfil your request? Where does one even start to question their suppliers?

The 2019 Cyber Security Breaches Survey shares a range of interesting comments from businesses as to why companies do not carry out supplier compliance requests. “Trust”, “lack of resources” and “lack of guidance/knowledge” seems to be the key takeaways as reasons for not carrying out checks and balances across the supply chains.  Typical responses include;

We just trust them. They’ve been in business for a long time They run huge events. They are world renowned and respected. We have faith based on that.


You don’t know what to ask. I would just trust that my suppliers wouldn’t breach anything. So, it would help to get some guidance.

These were just some of the responses to this question in the survey.  Below are a few tips to help organisations ask the right questions:

Tip 1: What Access Controls Are In Place?

How does your supplier prevent unauthorised access to information processed on your behalf, or exchanged between you and them? How do they audit access checks? What about Physical Access Controls? If they’re part of a larger organisation what controls are in place to prevent data being leaked to other units outside of what has been contracted?

Tip 2: Assessing Data Protection obligations.

What Data Protection Laws apply to the supplier who you are working with? What other laws does your supplier have to comply with in order to operate their business function?

 Tip 3: Documenting any Accreditations/standards that the supplier conforms to.

For example, are the information security policies & procedures that your supplier conforms to in accordance to Information Security Management Systems as defined in ISO27001? (If so – when were they last audited?)

Tip 4: Revisiting your existing contract and wording.

Does it include specific Responsibilities and Service Level Agreements that the supplier will adhere to in the event of a security breach/compromise that affects information between them and your organisation?

Tip 5: Hiring & Training of Staff.

Is there a need for your supplier to carry out the same checks and balances as your organisation does with internal staff if those members of staff are working as your outsourced representative?


Of course, these are just a few suggestions and are designed to spark the conversation within your organisation. What also needs to be taken into consideration is how the organisation monitors its supply chain.

Martin De Bruin, CEO of Deslyon comments

The challenge faced by many organisations is that with new laws, regulations and an ever-changing compliance landscape, appropriate resource and expertise is needed  in order to ask the right questions. For example, Accountability under the EU GDPR means that organisations must  implement appropriate technical & organisation measures in order to fulfil their governance obligations.

To discuss how Deslyon can help your business deploy the appropriate technical & organisation measures, email info@deslyon.com.


Adapting to a volatile regulatory environment is the top priority in 2019, with just 4 in 10 Privacy Executives confident about adapting to new regulations, according to a study by Gartner (https://www.gartner.com/en/newsroom/press-releases/2019-04-23-gartner-says-just-four-in-10-privacy-executives-are-confident-about-adapting-to-new-regulations).

Other key priorities stated in the study also highlight that establishing a Privacy Strategy to Support Digital Transformation, Implementing an effective 3rdparty Risk Management Programme, Strengthen Consumer Trust and Brand Loyalty, and Identifying Metrics to Measure Privacy Programme Effectiveness completing the top 5 priorities listed in the Gartner survey.

  • Adapting to a volatile regulatory environment isn’t only a challenge, but the study also highlights that there are significant gaps between desired objectives and where executives currently view their organisation’s progress.
  • The study also goes on to state that most executives lack confidence in their existing plan around a strategy to support digital transformation at their organisations, and the challenge of formalising information governance remains a key concern amongst privacy executives.

Whilst Gartner gives some recommendations such as “designing an information governance framework that focuses on formal structures, and more on business purpose… accounting for privacy risk in cross-functional strategic planning exercises”, we at Deslyon expand on this by recommending that organisations should structure their privacy team once the privacy strategy is developed, but this can only be developed once the organisation has created a mission statement or vision for their privacy management (a key factor that lays the foundations for the rest of the privacy programme).

When defining the scope of a privacy programme, the organisation must understand the global perspective for which their organisation operates within. What are the local laws, what is the local culture, and what are the personal expectations within the country that your organisation operates/serves customers in? Only then can you customise your privacy approach from both a global and a local perspective.

Organisations can research various established frameworks as inspiration for their own model. It may be the case that no one particular solution mitigates all privacy risk, so it is vital that the right resource, knowledge and expertise is applied to help the organisation in reaching its objective (as set out in its mission statement).

Of course, in order to assess whether the framework is operating successfully it is important to implement performance measurement tools, for which the organisation will be able to assess its performance against pre-determined metrics. If chosen correctly, these metrics will provide key insights as to how the privacy framework is delivering in line with organisational objectives, as well as deliver key findings as to where improvements are required.

Developing a privacy strategy and framework can be both complex and challenging. Of course, it doesn’t stop there, as organisations need to continually monitor Legal/Compliance factors to ensure that the organisation keeps up-to-date on both global and local regulation, but the qualified expertise delivered by the team here at Deslyon, we can help you navigate through the twists, turns and bumps in the road – even if you haven’t set out on your journey towards compliance yet.

Contact info@deslyon.com to find out more.