
Martin de Bruin


martindebruin Posts

With recent news surrounding major Mergers & Acquisitions within the digital industry, questions will be raised around what due diligence is being applied to ensure legal obligations around the collection and processing of personal (sometimes sensitive) data under the acquirer.

There may be many legal and compliance aspects which need to be factored in as well as new controls which the acquirer has to put in place as a result of their new acquisition.

Industry Codes of Conduct such as PCI DSS become a subject matter for consideration where the business transacts online via credit card payments. If the new acquisition means that the acquirer enters into a new industry such as Health (and the acquirer has historically been within, say, consumer electronics), then regulations relating to health and other sensitive information have to form part of the privacy strategy moving forward, possibly along with those covering data relating to children.

Geographically, there may be a number of challenges that present themselves. For example, if a US company acquires a business in Europe, then it has to implement appropriate measures and governance that are relevant to each of the local markets, the cultural norms, as well as local regulations. If that seems challenging, then it gets even more interesting when one discovers that the General Data Protection Regulation is adapted differently depending on each EU market.

For example, in the UK, the UK Data Protection Act 2018 states that there are further exemptions (that are not included within the official GDPR text) when responding to a Data Subject Access Request. In Germany, there are amendments to the official text with regards to processing Special Categories of Data, amongst other variations. In Spain, Article 37 (designation of a Data Protection Officer – DPO) carries further obligations than what is in the official text, and there is an additional function for the DPO, in that the DPO may intervene in case of a complaint against a controller or processor with a supervisory authority and communicate to the complainant the organisation's resolution within 2 months of the receipt of such complaint (before the complaint is submitted to the supervisory authority; source: iapp.org).

What if your company is divesting a business?

Again, a relevant question given that there are real-world examples of this actually taking place. When divesting a business, there may well be risks associated with the data that is being released, and therefore a thorough assessment of the infrastructure of all, or any part, of the entity being divested must be undertaken prior to the event to ensure that unauthorised access of any personal information/data is prevented as part of the divestiture process (unless there are specific exceptions – in which case they need to be documented).

It is worth remembering that an organisation can be exposed to unnecessary corporate risk by acquiring companies with differing regulatory obligations. A privacy checklist is a useful tool to help ensure this process is carried out effectively.

For further information on how mergers, acquisitions or divestitures could affect your organisation, feel free to contact us at info@deslyon.com.


The news that a security researcher discovered millions of pieces of unsecured Facebook user information on an Amazon server, stored there by a 3rd party Application called Cultura Colectiva, raises questions as to how 3rd party developers and Application providers are vetted by Facebook, as well as what obligations Facebook instils upon 3rd parties when it comes to the confidentiality of its members’ information.

Cultura Colectiva describe themselves as “a digital platform that inspires audiences through content created with data and technology…. The largest digital platform in Mexico and Latin America with significant reach in Argentina, Chile, Colombia, and Spain” – which of course is in the EU, meaning that Cultura Colectiva are subject to the EU GDPR not only due to their reach extending into an EU territory, but also because it is highly likely that EU data subjects access and interact with their app and their website from a number of destinations around the world. Cultura Colectiva then sent that data for storage into a remotely managed services provider (aka the Cloud) and failed to protect that data by leaving it unsecured.

Under the EU GDPR, an entity has 72 hours to report a data breach to a supervisory authority. If that data is likely to harm or affect the rights & freedoms of data subjects then that entity is legally required to inform that data subject without delay, yet it took several months for any action to be taken once the breach was discovered by a security researcher (the breach was initially flagged on the 1st February and it took 3 weeks for someone from Amazon to respond saying that they were “looking into the situation” and the data was finally removed on April 3rd – by Facebook, not by Cultura Colectiva – source: https://www.bloomberg.com/news/articles/2019-04-03/amazon-cloud-storage-dilemma-exposed-in-facebook-s-latest-leak).

It is worth remembering that when data is sent into the cloud, you are at the mercy of that 3rd party’s security controls and systems.

If that data has been sent into the cloud by a 3rd party (Cultura Colectiva are a 3rd party who stored the data on a server provided by a 3rd party – Amazon) who hasn’t taken appropriate security measures to ensure that the data is protected or secured, that is highly likely to lead to complete loss of control of that data, which could lead to catastrophic circumstances if the data is of a personal nature. What’s more, the initial collector of that data is – as data controller – ultimately responsible for allowing that data to be accessed by a 3rd party. Therefore it is vital that contracts and agreements reflect the responsibilities where there are “joint-controllers” (Article 26 of the EU GDPR).

It is also vital that data subjects are aware of how their data will be processed and what protections are in place with partners of that 3rd party, so that individuals can provide explicit, freely given, affirmative authorisation for their data to be used in the exact way as described by the controller.

Therefore an update of privacy notice(s) and internal policies that takes into account the local laws and regulations of members/customers/users of that company needs to be actioned. For example, if your company HQ is in Mexico, and you are collecting EU data subject data and are processing it by storing it remotely in the US then you are bound not only by Mexican Data Protection Laws but also the Data Protection Laws of the US and the EU, as well as the local laws of the users’ nationality.


GDPR Privacy by Design & Default

Should Privacy by Design be mandatory?

Privacy by design and default (PBDD) may prove to be far more useful in the world of privacy and data protection than it is considered now. Under article 25 of the GDPR a controller is required to implement PBDD by appropriate technical and organisational measures – but is that enough?

Controllers are expected to consider data protection issues as part of the design and implementation of systems, IT, services, products and business practices: to integrate or ‘bake in’ data protection into processing activities and business practices, from the design stage right through the lifecycle, and to anticipate risks and privacy-invasive events before they occur.

Until there is a specific rule or tightening of regulation, organisations choose whether to actively take risk measures via PIAs (Privacy Impact Assessments) and/or use privacy-enhancing technologies (PETs), so organisations may not be protecting personal data sufficiently. This means a lack of action could result in personal data being put at risk.

A fine of 10 million euros (or 2% of global revenue) may be imposed if it is found that personal data was not protected when a significant new service, policy or implementation affecting personal data was introduced, giving no real excuse for not introducing PBDD. Deslyon believes PBDD should be mandatory when it is clear personal data is at risk through an organisation making changes, potentially causing the organisation to be GDPR non-compliant and potentially in breach of the regulation.

It is understood that the UK ICO & EDPB (European Data Protection Board) are considering certifying PBDD (identifying certification criteria under articles 42 & 43 and EDPB approved certification mechanism draft guidelines). Until certification that improves this situation for Privacy by design and default is in place, Deslyon recommends that all organisations processing personal data implement PBDD when making significant changes which include personal data.

Organisations should ensure that personal data is automatically protected, specifically when major changes are made such as (say) replacing an HR system or developing new systems which include personal data. Where an organisation has a DPO (Data Protection Officer) it is likely they will ensure PBDD is carried out; where no DPO is employed, the security officer, GDPR specialist or similar representative will always benefit from practising privacy by design and default.

Article by Phil Lyon, COO of Deslyon.
Phil Lyon, MBA, CISMP, ISO27001 Lead Auditor, GDPR Practitioner.
Contact info@deslyon.com to discuss how we can help your business.


Definition of a Data Breach: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.” (source: ico.org.uk).

$2.1 trillion – the economic cost of data breaches globally

A study by Juniper Research back in 2015 estimated that the economic cost of data breaches is set to quadruple to $2.1 trillion globally by 2019 (https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion).

Depending on the nature of the breach, and what data has been compromised, calculating the cost of a data breach in real terms can be quite a complex equation to create (and more often than not, estimations can fall considerably short of the final total). In fact, as reported by Tech Radar last year, since the announcement of the personal data breach by Equifax in September 2017 (announced 2 months after the actual breach occurred), in its SEC filing for Q1 18 results, the company had incurred a total of $242m of expenses related to the incident and incremental IT and Data Security Costs, of which $68.7m was just in Q1 18*.

The costs of a data breach

  • Conducting an investigation into the cause of the breach (a task that may require resource outside of the organisation)
  • Ascertaining the likely number of data subjects affected
  • Organising the response team and executing the incident response plan
  • PR and External communication strategy (customers, shareholders, suppliers/vendors, security)
  • Legal expenses as well as remediation measures (updating contracts, installing new security software, replacing physical security equipment, reimbursing customers and compensation)

There are also the after-effects to consider when counting the cost of a data breach. This may include the effect on the share price and share performance in subsequent months (the Equifax share price, which reached levels of approximately $140 between July and 6th September, has never recovered to those levels, in fact dropping to as low as $89 in just under a week post-announcement of the breach). Of course, customers will probably terminate their accounts and move to competitor offerings, and any new business will more than likely be qualified out very quickly.

In some cases, the cost of a single data breach or lawsuit may be large enough to shut down an organization and destroy a career, as numerous news articles have reported (one example being https://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm’s-collapse/).

How can you prevent a Data Breach?

There are a number of measures which you can implement that will help to minimise the risk of being subject to a data breach. These include (but are not limited to) the following:

  • Encryption of data (both at rest and in motion)
  • Training of staff so that they’re aware of their obligations when it comes to Data Protection.
  • Updating policies (such as remote working, bring your own device, staff internet usage, USB/external device policy)
  • Penetration testing of systems
  • Information System Security Assessments
  • 3rd party suppliers/vendor due diligence (and the ability to audit your partners)




There is no doubt that the enforcement of the European General Data Protection Regulation on May 25th 2018 caused a seismic quake in the commercial world, as well as across government departments and not-for-profit organisations far and wide. But it doesn’t just apply to EU businesses. As stated on the Europa.eu website, “the law applies to:

  1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”*

So, if you’re (for example) a business with an office based in (say) Ireland, and you collect or process personal data for (let’s say) US citizens, then as your business has a premises in the EU (Ireland) then your business must protect the personal data of non-EU citizens in the same way as if they were EU citizens.

If you are a company that is solely based in (let’s say) the US and you serve customers/users/audiences who are citizens of any EU country, then you must have appropriate safeguards and measures in place to protect the personal data of those customers/users/audiences.

Personal data is defined (in the official GDPR text) as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

If you process personal data and one of the above scenarios applies to you, the regulation also states that you must appoint a Data Protection Officer if:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular or systematic monitoring of data subjects on a large scale, or
  3. the core activities of the controller or processor consist of processing on a large scale of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, processing of genetic data, biometric data for the purpose of identifying a natural person, data concerning health or a natural person’s sex life/orientation). Incidentally, you are prohibited from processing such special categories of data unless you have received explicit consent from the data subject, or you can justify processing via another legal basis.

Processing, as defined under Article 4 of the GDPR, means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

The Regulation does not apply to companies that are based outside of the EU and only serve a non-EU customer/user/audience base. So, if you do not target your services to EU-based individuals then the GDPR does not apply to you. However, there might be other Data Protection Laws that your business will be subject to.