Thursday 24th June 2021, 10:00 (BST)

Disposal and destruction of data and devices

  • How has COVID-19 affected e-waste and device disposal?
  • Defining responsible parties in your data or device destruction process
  • Can enterprises keep decommissioned devices in use without risking data exposure?

Hello. Hello, good morning, everybody. It's Thursday morning, 10 o'clock, and therefore it must be time for another talk. Good morning and welcome. My name is Geoff White. I'm your host for today's session. We are here live every Thursday morning at 10:00, and every Tuesday afternoon at four, when my co-host Jenny Radcliffe takes the stage, discussing all the key topics around cybersecurity and cybercrime at Infosec. So welcome back to our existing viewers or previous viewers.

Hello. If you are new, help spread the word about these talks. We are discussing, as I say, all the key issues. We have a lot of fun here on a Thursday morning. So if you like it, if you're enjoying it, please do spread the word and invite others. Friends, family, probably not colleagues, maybe. And welcome to all of you. There's a chat tab. I see people chatting in there. Feel free to put your comments in.

Feel free to get in touch with us. Help us by putting in points, putting in comments. There's also the Q&A tab there, so you can put in your questions and I will put them to our panel, who this morning are going to be talking about data and device destruction, something I think is really interesting and that has a lot to unpack. We have a fantastic panel as ever. Before I get to them, I think we should take a second as the cybersecurity community to commemorate the crazy life and the sad death recently of John McAfee, who has been found dead in a Spanish prison. He was awaiting extradition, I believe, to the US on tax affairs. Whatever your view on John McAfee, good or bad, usually not indifferent, he at least made the information security world slightly exciting and slightly crazy. So rest in peace, John McAfee.

We've also got, by the way, a tight market talk to give away, which I'm going to give away this morning to whoever comes out with the best meme on device destruction.

I've been looking through some GIFs and some memes, and there were some crackers out there. So if you direct us to one and it tickles my fancy, then you get a free one. But yes, let's move on to our panel, who, as I say, are going to be discussing this. We've got a nice mix of people from different industries. We have got Adrian Monk, who is data protection officer at Equifax, and Elena Vukuzenzele, who is group data protection officer at Euromedica Group. They are going to be joining us later on for a panel discussion.

In the meantime, though, our first guest is Fraser Brown, who is global head of IT at a company called BrewDog, which for me needs no introduction. But for folks who aren't dealing with lockdown in the way that I'm dealing with it, you might need to give us the lowdown on BrewDog: what the company does, how big it is, and where you are now based, because you're global head of IT.

So, yes. Morning, Geoff. Morning, everyone. Yeah, global head of IT. I think previously it was the head of IT role that I came in and replaced. But given the way that BrewDog has expanded over the years, we've got a presence in North America, we've got a presence in Australia and Central Europe as well. So I was actually on a call with the CEO of Australia this morning chatting about what he's up to and what we need to do to help out.

But clearly, from my point of view, my remit covers everything from the bars to production and the warehousing, getting the beers out the door, and then also the more straightforward stuff, the laptops and desktops set up for HQ staff, and our cybersecurity into the bargain. So, yeah, lots of things to do. And it's quite massive.

Yeah, that's interesting, because a lot of the guests we have on these talks are what you might call pure-play cybersecurity or pure-play data protection people. So I think we have to remember during this conversation, particularly with you, that your remit stretches far wider than just cybersecurity. You mentioned the territories: BrewDog is expanding into South Australia and, I guess, the other areas.

So North America: we've got a brewery in Ohio, and we've been doing a lot there in terms of expanding our capability across the US. And then in Europe, through Central Europe, we've got a presence in France and Germany. And we talk about landmark sites that we're looking to open up. So certainly in America we're at a site on the Strip in Las Vegas, which is doing so well. Never a dull moment, never a boring day in the office, if you like.

And it's interesting. Taking on the US is an impressive thing. Well, potentially impressive, if you can make it work, because it's a real big beer microbrewery culture out there. It's going to be interesting.

Yeah. I mean, it's interesting, the different beer tastes. Same for Australia. So if you think about our Punk IPA being our mainstream beer, in Australia I think we call it Punk. So a slightly different taste and palate that the folks down under have, so we change things to meet the local demand. Interesting stuff.

We should also address this. I mean, BrewDog has been in the news recently for non-tech, non-cyber reasons, since there was a letter of complaint by various ex-employees alleging, from the outside, very high-pressure, potentially bullying behaviour within the company.

I mean, just for yourself, what's been your impression of the firm since you joined, because you've not been there so long, since January?

Yeah. So I joined in January. So my experience of things is clearly different to those that worked here perhaps a few years ago or have been in the organisation a much longer time than I have. So, yes, we absolutely run fast, and we talk about time a lot here, so a week is like a week. We do move really quickly, but certainly it's not something that I've experienced in terms of the talk about bullying, as you've said there.

So it's not something that I have seen first-hand. And clearly, I think James has come out and held his hands up and said, look, I've made some mistakes in the past, and obviously we want to try and address the historical, I guess, concerns which were raised as part of the open letter, and then also look at what that means for staff internally as well. So, again, a recognition that perhaps we've moved really quickly, but then forgotten some of the people elements, such things as exit interviews and, you know, standard stuff that you might expect in a different organisation.

So looking at all of that, and then, you know, again, we're going to do an independent review on the culture, and the doors are open to the external folks that have raised and voiced their concerns on social media. So it's the right thing to do. And I think also we've recognised that, you know, we do talk about the speed that we move at, and we are quite lean in terms of our team structure.

So, again, we've already seen some moves in that space. And I'm glad to say that it's certainly my area that will be increasing the headcount to help with that. So I'll probably be posting some job roles after this later today, which is great news for me.

You know, it's interesting, because the other thing that's interesting is that a company like BrewDog, you know, is out on social media, has got a big social media presence, has got this kind of young, funky branding. Is there a sort of cybersecurity effect when something like this hits the news? It's not cybersecurity related, but are you then on high alert, thinking, well, people might actually take a pop at us digitally in some way; they might try and spam us or DDoS us or something like that?

Is there a sort of alarm bell that goes off to say, hang on a minute, watch out for that?

I mean, I think from my perspective, when I joined, the alarm bell was already ringing from the point of view that we were very vocal on social media. There have been some PR stunts, if you like, where I think there was one where James was on the back of a horse lampooning Vladimir Putin. So, you know, if there are state actors in play, then you can quite clearly see why they might be a little bit hacked off by that and, pardon the pun, want to hack us.

So, yeah, I mean, that's been there since I started. And actually, what was interesting in terms of the timing of the social media storm, if you like, that kicked off was that we were looking at a company who look across social media and look across the chatter (a data mining company that we were talking to), because they can actually see if things are bubbling away, not just from a brand point of view, but also from a cybersecurity perspective.

So they can see what's being talked about on the Web and things like that as well, just to give you that heads-up ahead of a potential cybersecurity attack. So it was quite fortuitous timing in some respects. And it's obviously a horrible position that folks have felt that they've needed to talk and bring this to the attention of the wider community. But I guess, selfishly, from a cybersecurity point of view, it probably helps a little bit in terms of my discussions with folks internally about what we should be doing to, I guess, get on the front foot from a cybersecurity point of view.

But it also covers staff safety and brand protection as well.

Yeah, and thanks, by the way, Scott. I'm glad I asked a question on your behalf there. And thanks for your meme; you're the only data destruction meme candidate at the moment, so that might be coming your way if nobody else gets involved. That's interesting. And so let's stay with that, because, as you said, it's a fairly new company, BrewDog. It's running fairly lean in terms of cybersecurity stuff, policies, particularly on data destruction.

And so just knowing where your data is. You know, you've come from a finance background where these things were more entrenched, you know, traditional, long in the tooth. So how has it been joining the company, and how easy is it to find space in people's schedules to say, look, we need to talk about cybersecurity, we need to get these things right?

Yeah, in many ways, it's probably a bit of a greenfield site. So it's quite exciting for me to come in and go, what do we have by way of policy? And I suppose policies were dirty words within BrewDog. We get this little book when we all join. It's like being more brutal. I mean, there is a page in there that says we don't really do policies. And I said straight off the bat that,

unfortunately, we will need to do policies from their perspective, because, you know, we can't have a cybersecurity set-up and posture if we're not adhering to some policies and making staff aware of what they should be working to and how we deal with things like data destruction. So that was one of the first things I talked about, to get buy-in from the chief operating officer to say, you know, that's fine, Fraser, you can crack on and do that.

And then again, part of what I needed to do was raise the visibility of cybersecurity and what we've worked on in an organisation which is pretty cool. I mean, you know, sometimes it can be a bit more remote and people don't like what we do or the way we do it; we can be quite brash in how we look at the world. But equally, there's that sense of, we make beer and we make gin and rum and vodka, and we try and do things in an environmentally friendly way, and a lot of good stuff.

And so the view is, why would anyone want to attack us for that reason? But we're making beer, and we're trying to make money at the same time, as any business does. So clearly, it's not just about being a cool company. And, you know, we talked about the social media elements there, which perhaps make us a target in some respects as well. So there was a whole piece around trying to change that mindset.

So doing that without scaring the living daylights out of folk, I brought it to life a bit with examples of cyber attacks that have impacted brewers. So Molson Coors would be a pretty good example that I raised to them, but not just the big behemoths, because I also talked about some of the smaller brewers being hit by ransomware and things like that. I'm talking about the impacts that we've heard of in some of these cases in terms of the impact on production, the inability to actually produce the beer, and what that meant in terms of the recovery timelines, because I think one of them was about six months on and they were still trying to get through the scope of the problem and get things back on an even keel.

So bringing that to life and saying it can happen to us, that it is happening within our industry, really brought it to life a bit more. Interesting stuff.

Let's move on specifically to the destruction. So, I mean, pre-empting that is the question of, do you know where the data is, what you've got and where it is? How have you found that? How have you tackled that challenge?

Yeah. And again, it probably harks back a little bit to the lack of policies and procedures when I came in. And we had to move quite quickly to, I guess, close the gap on the things that we were missing. So from our perspective, obviously, with GDPR coming out of the tracks a few years back now, there was already some work on that. The other element would be around where people were storing their data.

So, again, because of that lack of policy and direction around where we should be storing our data, that was a step back, and worry beads for me around: are we storing stuff on our laptops, where we should be storing it, you know, on OneDrive or other shared drive infrastructure? So we're trying to get that message out of where the data should be. So we're undoing some historical, not necessarily wrongs, but probably just poor practice that we have to deal with, and encouraging folks to do that.

So that's probably part of the challenge of changing, I guess, the way that people operate on a daily basis, saving their files and dealing with it like that. And the other element of understanding where the data is, is that we've moved to a cloud-first strategy. So we're trying to move away from on-prem servers as well. So, again, we know a lot more about where the data is.

That's really interesting. You've got a different on-premises problem to a lot of organisations, because for a lot of organisations it's a legacy thing: we had a lot of stuff on premises because of the legacy stuff, which we then put in the cloud. For you guys, you know, you started with on-prem because it was, you know, two or three people with laptops, and that was where you stored the data. So, yeah, you've got a similar challenge. Interesting. Interesting.

OK, I'm going to bring in all of the panellists on this. I think it would be good to broaden out the debate. I'm going to welcome Elena Katseli, who is data protection officer at Euromedica, and Adriana Ong, who's data protection officer at Equifax. Welcome to you both. Elena, can I come to you first? Euromedica Group, for people who don't know it: what do you guys do? How big is the organisation?

Good morning, sir. Good morning, everybody. Euromedica is a group of private clinics and diagnostic centres which operates all over Greece. So, as you understand, the vast majority of all of the data that we possess is health data, which is especially sensitive according to the GDPR. So we have everything from paper medical records to medical equipment, such as CT scanners and MRIs, and the physical equipment that can store health data.

So we have to be able to process this data safely.

Mm hmm. And as you say, very sensitive data for patients, but also, from a legal and regulatory point of view, classed as very sensitive as well. Adrian, I don't think Equifax needs an introduction to most people, who have encountered it at some stage. And how long have you been there? Do you post-date the big Equifax hack of, when was it, 2017, I think it was?

Hey, morning, Geoff. I joined Equifax in 2018, indeed, after the breach of 2017. So Equifax is one of the main credit reference agencies, and we hold and process the financial information for most of the UK adult population.

Yeah. Massive. A massive organisation sitting on quite a lot of, again, sensitive data. Presumably financial data is in that as well.

Yes, the type of data we hold includes data that we receive from our clients, such as the lenders, utility providers and telcos, as well as electoral information and CCJ information. So, broadly, the aim and objective of having this data is to help our clients and to help the financial ecosystem provide credit information and make assessments of individuals.

Good. So can we stay with you on that, because obviously the hack was massive news, and within Equifax I presume it had a lot of repercussions in terms of finding out what your data is and taking care of the destruction of it. What impact did that event have, then, on Equifax? What happened in the aftermath that you saw?

Sure. So in the immediate aftermath, we appointed a global chief security officer. And one big change we made was that he reported directly to the CEO. And since then, in the past three years, we have had a large technology and security transformation programme. The investment in this programme has come up to one point five billion US dollars. So I've worked in security and privacy for a number of years, and one challenge I have, which I'm sure you would agree with, Fraser and Eleni, is that we always need to try and evangelise and sell security and secure buy-in.

So one advantage I had was that when I joined in 2018, the business understood security, and they understood the importance of it and of having the right level of investment.

Yeah, you are.

So, committed, though accidentally. Yeah, I was going to say, never let a crisis go to waste, I guess, is the idea. But in terms of getting rid of data, was there a sense in Equifax of, well, hang on, we're hanging on to too much of this stuff, should we just get rid of it, so to speak?

Yeah. So we had a programme. We call it data devaluation. The two drivers were not just the breach, but also that we wanted to migrate to the cloud. We migrated to Google Cloud in 2019. So for the past two years, we have actually minimised or deleted, in the UK business, forty-four billion records. And there are a lot of reasons to do this. I mentioned migration; the other reasons include termination of contracts with suppliers.

There's risk remediation, decommissioning of systems. But the big one is internal housekeeping. I think, Fraser, you talked about the need to understand what you have. So that's not a trivial exercise, really. We had a programme of work to try and discover what data we have. I think that is the starting point. Until you get a view and visibility of what you hold, you can't really progress and decide what we should keep and what we should delete.

That was quite educational and revealing. And we then had a plan to delete and minimise quite a lot of data. And there are things on the periphery, such as, we can have the best retention schedules, right, for the data we hold, but things outside that, for example the backups that we use our storage service provider for. So how long are they holding it? So we spoke to them and said, look, we would like to have a more aggressive plan in terms of storage of data.

So we had it for quite long, but we've brought it down to two months. And the other aspect is also your third parties. So that's a key focus. Quite a lot of due diligence is done when you onboard new service providers, but sometimes less focus is given to when suppliers or service providers roll off their contracts. What should you expect of them with the data that you have entrusted them with?

Yeah, it's a really good point. As you say, a lot of attention is paid when they come in the door, maybe less when they go out of the door. It's interesting: I went to one of the arms fairs a while ago (it's what's called an arms fair; it's a defence conference, but they call it the arms fair), and there were scanners going in, so massively huge queues to go through the scanners.

Worryingly, as a journalist, I was taken past the scanners. I don't know why they trust journalists more than they trust three-star generals, but there were people with three stars waiting, queuing for the scanners, and I walked past them. But I said to somebody in the conference, look, don't you scan anyone on the way out? The place is full of weapons. You would have thought scanning people on the way out was the way to go, anyway.

Slight diversion. I want to stay on this data discovery thing with you. I mean, you described a situation with paper records as well as digital records, stuff presumably in the cloud and on premises. That must be a challenge, to discover where all of your data is in all its different forms, right?

Of course, this is the major challenge for us: to discover and create the data inventory and be able to implement all the security measures that we would like to implement in each form of processing. Because each is a form of processing, and you have to be sure that you have the safe measures in place, especially for health data.

So presumably you already have processing of that data. So you hold that data, but you're already processing it, presumably, as a function. Yeah, yeah. Just in terms of health data specifically, what are the rules around the destruction of it? Is there a specific order on health?

And then you have to not only take the measures, but you have to be able to prove that you follow them, and you have to prove that to the data protection authorities as well. So the more sensitive your data is, the more thorough the measures should be. And when you delete data, you have to make sure that there is no chance of further processing of the data that you remove from your systems. So ENISA issued a handbook on the security of personal data processing in December 2017 (this is the European Union Agency for Network and Information Security), and it categorised processing into low-risk, medium-risk and high-risk levels and proposed some measures for each, including on deletion.

And so for low-risk processing, the suggested measure was software-based overwriting of the media. For high-risk processing, ENISA proposes that some hardware measures should also be implemented, and for physical records it suggests that they be destroyed at the premises of the controller.

OK, I mean, that sounds fairly clear from ENISA. And I think there's a link in the chat to that as well. I want to stay with you, Elena, in terms of your suppliers and who they give the data to, because obviously you may share the data with them, they may share it onwards, and so on. How far down the chain do you have to go? How do you solve that problem of somebody you've shared it with sharing it with somebody else?

First of all, in order to share some data with third parties, your processors, you have to have a written agreement in place. You have to bind them to follow specific technical and organisational measures that you want them to implement, because you have to have supervision over the processing they do. So usually, in the processing agreements, we ask them not to share the data with others unless we give them written permission, and even in the event that we give them the written permission, our processors are still liable to us for any processing done by their sub-processors.

Interesting. So, yeah, the way you've described it, I imagine your world has got a lot of people, a lot of paperwork and a lot of logging of "I emailed this person there and that was their response", to keep track of all the questions. We've had a question come in from Paul McCallum, which I'm going to ask you, Fraser, first of all, but the other panellists too. It's an interesting one: in the last 18 months there have been a lot of new laptops and phones for joiners, movers and leavers for small and medium enterprises.

There's a lot of expensive kit. Do the panellists feel that decommissioned devices can be reused safely, or will this policy suffice? Were you able to reuse phones and laptops?

Yeah, it's an interesting question. I guess from our perspective, it depended where we were in the lifecycle of renewing. So, for example, if it was an iPhone that was coming back, it depended on what model it was and whether it was actually something which we could reuse. Also, there was a kind of a health and safety thing of how well we can clean it. So if it's utterly manky, then can we reuse that in the current climate, because of COVID?

So there were some considerations there. What we managed to do, as part of some of the concern for the community and some of the local schools that were struggling for laptops, was that if there was something which was usable, but not within the corporate environment, we made sure we wiped it and actually sent it out. So we were actually able to reuse them within the community if we weren't able to reuse them within the organisation. If something was within warranty, from a laptop point of view, and it wasn't so dirty that we couldn't clean it sufficiently that someone wouldn't turn their nose up at it, then we were able to reuse those laptops.

It was interesting, though, to see that we did build up a store of older laptops which we couldn't use, and we were holding off on recycling those until such time as we got a larger volume of kit that we could do in a bulk disposal. So we've seen a real mix of abilities and reusing in terms of that.

In terms of recycling, then, how confident are you about the wiping?

Because, I mean, when I was at Channel 4 News, we did a whole story about buying second-hand phones from CeX (I will name them because we named them in the piece), and from the phones we extracted quite a lot of very sensitive data. And we didn't put this bit out there, but I actually managed to find there was some 15-year-old school kid who, you know, had a Facebook profile and so on, and we found out what he had been up to in his spare time, and it was slightly embarrassing.

So just the ability to realise, you know, are you confident that you can, as things have moved on since I did that piece, are you confident you can always wipe?

I mean, the stuff that we're reusing internally gets factory reset. In terms of the laptops as well, we make sure that we wipe the stuff which we're putting out for, you know, whatever it is. If it's not something we can reuse,

again, the majority of that is getting shredded and destroyed. And we're getting the certifications and using the companies that have the certifications in that space. So, you know, as much as we can do that, that's where we're going with it. Is there a risk there that something slips through the net? Potentially, but I think it would be a smaller risk than perhaps it was a couple of years ago.

But it's something that we keep an eye on. And in conversations like this, it's interesting to hear other people's experiences of that and whether they've had any problems in that space as well.

Well, Robert Sparks, I shall stay with you on this for a second. Robert Sparks has asked a question about this, and that is: is DoD level, whatever it is, still the industry standard for data wiping, I think? And also, how easy have you found it to find services that can do data wiping at a time when lots of people are probably trying to donate to schools and so on?

I mean, I guess it depends. We look at things from the point of view of shredding and crushing devices. The other element as well, which we started to look at over and above your compliance and things like that, is actually the environmental certifications as well. So, I mean, I'm relaxed about where we're at in this space at the moment. But, yeah, I'm always open to looking at other potential methods and ways of doing things, which hopefully the industry keeps moving forward on.

Well, if our viewers do, please stick it in the chat. If you've got advice or experiences that you think you want to share with us, that would be good. A question from Anastasia, which I'm going to ask you, Adrian, first, if that's OK: how are the data subjects assured that all their data is deleted upon their request? Which is interesting. So, if I get in touch with Equifax and say, look, could you delete this data about me?

How do you assure me? I suppose this question has two aspects to it. So we hold and process data for the primary purpose of working out your credit scores. And in addition to that, we also have other services. So we have a legitimate purpose to continue to hold your financial data, your financial information. We have indeed received requests from data subjects who say, yes, please erase my data.

So we have a statutory obligation to keep hold of this data and continue processing. So our response is that we explain to them why we can't simply delete that. But we also support our clients on some other activities, and if it's not for the purpose of credit referencing, then we will delete the data and we will inform the data subject that it has been deleted. One of those is that we have B2C products: consumers, data subjects, can subscribe, sign up to a portal and get their credit scores and a number of other services online.

So if they would like to cease that relationship, then we will expunge the data from our system. So this is an interesting question. I think there's a broader point about the actual act of data deletion. It varies. With on-premise systems that you own, it can be more easily effected: you have some administrators that are trained to do that. So in Equifax we have people, not everyone has permission to delete, only a finite number.

But when we talk about the cloud environment, that becomes very interesting. What is the meaning of "delete"? So whenever we talk to our cloud provider, we say, please tell us what you mean when you say you delete, because sometimes you still archive. So I think when you engage a cloud provider, it's important to understand what they are actually providing you when you say, please execute this deletion.

Yeah, because if, for example, a sample hacker managed to get into the cloud environment and find the backed-up data that was staying, staying with you on that, I can understand why if somebody got a bad credit history or CCJ, they might want to come to you and say, look, could you delete that data about me? You know, if I'm somebody who doesn't have a bad credit history, can kind of I get the data deleted or do you still say, look, no, Geoff, we have a legitimate purpose to hang onto.

We have a legitimate purpose. We have a statutory obligation. So we are KeyCorp as part of the financial ecosystem. And on the contrary, Geoff, you've got a good credit rating. Then all the more you should allow that information to be passed on to lenders. So people just think that people buy things to mortgage lenders. But think about it. So if you would like to get a new iPhone, you go to the phone 020, they will likely go to one of the three credit reference agencies to try and see whether you will be able to repay this or the twenty four months.

Thirty six months if utility companies come to us. So it's actually in your interest if you got a good credit history to allow that to be portrayed to credit providers.

Yes, yes, of course. My credit history is fantastic. Lots of questions, lots of questions coming in. I'm going to try and get round to them as much as I can. But on this on this issue of data subjects getting in touch, how does it work for you guys? If I'm a patient in Greece and I want my data deleted, what do you do? How do you ensure the same applies to Highfather in Greece? They always is that you should maintain that Tharthar for 10 years if you are a diagnostic centre or 20 years if you are a clinic, a hospital or a public hospital.

So even if only not the subjects asks which exercise their right to erasure, you have to tell them that I'm sorry, but we have the obligation to maintain them for X amount of time. And there are people that have us that have asked to delete their data, but we can't do it.

Yeah, yeah. Interesting. Danis, very interesting point about this as well, about the supply chain and how secure it all is when you've got here we go. How secure is the supply chain? If your data is in the cloud, does it really get destroyed as loads of balance machines are replaced and data is distributed by the service providers, the organisations that provide the services, never mind imaginary audits and checks? How can you be sure it's not like looking in a dodgy sector somewhere?

I mean, that's an interesting one for you because you, as you say, starting to put stuff in the cloud is quite a good position for you because, you know, from the beginning you can have an awareness this and say, well, if we're going to the cloud, you know, from the beginning, we want it set up in a particular way. You it's not one of the questions you asking it providers.

Yeah. I mean, we work very closely with them on this. I mean, I think from our point of view, our biggest challenge has been our data sprawl. So actually doing. All the data together and getting our arms around it is probably the biggest challenge, but we've been doing that with the cloud provider. So, you know, you're having the kind of conversations relatively up front with them around how things will be managed, how it will be sorted out from the point of view of archiving and backups.

And I guess it depends on your strategy, whether you're going to one cloud provider or multiple. Cloud providers and how you deal with backups there, and so, I mean, it's kind of an upfront conversation. I mean, I think clearly from a data protection point of view, there's a lot which still needs to happen. And the conversations which have to happen on a regular basis to kind of ensure that they're remembering it as we've kind of touched upon the top of the.

With the broadcast we were chatting about, a lot of people come in, they give us your service, and then they kind of go away and they sold it to you. But it is that constant conversation that we need to have with vendors and keeping them on point and making sure that they're remembering this stuff because it quite quickly forget, I think is one of the points was what happens if they're changing servers and things of that quite clearly has to be part of the conversation because ultimately the cloud is just someone else's server.

So it's an ongoing discussion.

And it's also interesting as well, as you say, the cloud providers presumably are quite interested in getting your business. And so if you don't know where your data is, they'll help you find it and help you maybe with that challenge. There is also an interesting one, which I'm going to put to you, Adrian, because it kind of ties into what you were talking about earlier, how the panellists handle the return of data slash data escrow or whatever, when contracts and how is that work.

So the sort of repatriation to you of the data?

Thanks, thanks for this question. It's always challenging both ways with our suppliers and then downstream. I think what often happens is that we would expect our service providers to simply provide proof that the data has been securely deleted. I think that's the key way we for our processing purposes. We do not always require the data to be repatriated back to us. And in terms of just on a separate note around repatriation, we have an exercise to repatriate some data from our US back to the UK.

So that's a non-trivial exercise. The loss of consideration, for example, when data is come back, what you then do with the data that resides there, how long should it be residing that fall before it completely comes back? And how do you then get this into your products and services? I think the approach is to just when is terminated. Make sure you get a proven certificate of secured destruction, which is interesting, so that the repatriation you're talking about, the data from the US, what's motivated that?

Because as I as far as I was aware, we'd reached the stage where the UK and the US had agreed we had equivalent data regimes, is the reason why it's being moved back from the US.

Right. So one reason for the 2017 breach which impacted the UK was that there are some UK consumers and citizens data in the US. So one of our commitments was to repatriate back interesting Social Security. That's why is one hundred and forty seven million I think in the US and those 15 million UK. But from the sounds of it, because those UK citizens people. But since data had ended up in the US. Yeah. Yeah. Interesting. Eleanor, can I ask this one to you?

Scott Wilson was asked a question of what constitutes proof of data destruction. Is an email good enough? Do you need something a bit beefier and.

Well, actually, we complete the record of destruction when somebody asks to delete data and we and somebody else is saying the data with us and we ask for the third party, a record of destruction signed. And also because the and it is our data is sensitive. And sometimes we send somebody, an employee of our company from the art department to say that to confirm that the data had been deleted from the systems of the third party.

Interesting. Really interesting. Folks, we're getting close to being out of time, but things have been a very in discussion. I certainly learnt a lot about that. I hope you guys have to thank you for all your questions. Apologies to the ones that I didn't get to answer. All of our panellists linked in in the chat. He can get back to the chat and connect with them on LinkedIn. To do that, I want to thank our panellists, Fraser Brown, Global Head of IT.

But I don't know if I can sell a data protection officer at New America group and of course, in the data protection officer at Equifax. Thanks to all of you. I'm just going to quickly check what our next topic is next week. Apologies. I usually have this ready to go. And I didn't this time. What we got Tuesday next week, international, too. Interesting a related topic, international transfers of data and infosec leaders briefing. My co-host, Jenny Radcliffe is going to be doing that next Tuesday at four.

So that's going to be really interesting. Just to round off my story about our Channel 4 News piece about destroying data. In the end, the end sequence of our piece was going to be the report of destroying a phone with a hammer, at which point we and I'm not kidding on this. We had to get health and safety advice from ITN about what you had wearing goggles and wearing gloves and the different risks that might result from hitting a phone with a hammer.

One of my more bizarre experiences as a TV producer for Channel 4 News. But listen, thanks for joining us to spread the word to get others involved in discussing all the key topics on today's talks. Thanks to our panellists. We'll see you next Tuesday and Thursday. Take it. Have a good weekend.

Thank you very much indeed.

Thank you.

Your host:

Geoff White

Investigative journalist Geoff White has covered technology for BBC News, Channel 4 News, Audible, Forbes online and many others.

An experienced public speaker, he has given keynote talks at some of the UK’s largest tech events, in addition to hosting conferences and chairing panels at venues ranging from London’s Chatham House think-tank to the Latitude music festival.

Guests:

Fraser Brown, Global Head of Information Technology, Brewdog

Experienced senior technology professional, delivering global technology initiatives, transformation, and services across Finance, Life, Insurance, Energy Consultancy, and Marketing Industries.

Through result-driven performance, deliver strategic innovative solutions and services. Empowering colleagues to go that bit further by continually improving service offerings, to ultimately deliver a competitive edge for the business.

Elena Vrakatseli, Group Data Protection Officer, Euromedica Group SA
Adrian Leung, Data Protection Officer, Equifax UK

© 2021, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd • Registered number: 05832927 • VAT registration number: 830519543
