Beyond the Net Privacy

A Free and Open Course on Data Protection in the Post-GDPR World

Last year, we published “The Dawn of New Digital Rights for Finnish Citizens,” about the launch of the New Digital Rights MOOC, a collaboration between Open Knowledge Finland and the Internet Society’s Finland Chapter. Raoul Plommer wrote, “The aim of the project is to make citizens more aware of their digital rights, initially focusing on explaining GDPR (General Data Protection Regulation) and MyData…through a MOOC platform and series of workshops that create content and train people and organizations to use it.” Plommer has written an update on the project:

We have come a long way from the beginning of last year, when we were given funding for the project from Internet Society’s Beyond the Net Funding Programme, and Eurooppatiedotus, which is a sub-organization of the Finnish Foreign Ministry.

It took us several months to agree on what is essential to know about the General Data Protection Regulation (GDPR) and how we would present it to the general public. It was also challenging to get all the content done without actually paying everyone for all their hard work. Both of our funders had a strict limit on how much money could be spent on salaries (15% and 30%). On the other hand, they both allowed paying companies and outsourcing work to people outside the organization, which made the progress unnecessarily tricky, but at least possible.

Here’s what we’ve done:

  1. Seven workshops on creating content, including a larger workshop day after the GDPR day on the 25th of May, with 23 people making data requests to different organizations.
  2. So far, two training workshops, of which one was for students in Tampere, and another for pensioners’ IT-trainers in Helsinki. In the latter, they even wrote a blog about the session.
    We’re still trying to confirm the date for a third training session for Boy Scouts in February, and hopefully will be able to set the date for it next week.
  3. We’ve received a decent amount of coverage in the media:
    Helsingin Sanomat (the biggest newspaper in Finland)
    MTV Uutiset
    GDPR Today
    We’re also waiting on another Finnish reporter to go through our course material and write a story about his experience – hopefully it’ll happen soon!
  4. Had the launch event on the 15th of January in Eurooppasali.
  5. We’ve had 2/4 of the introductory/feedback webinars, which take place on Tuesdays, at 16 UTC.
  6. I applied for a session to present our project at RightsCon 2019 and hopefully we’ll get accepted!

I also want people to be aware that the license for the whole project is Creative Commons 4.0, which essentially means that we want people to do anything they want with the material, without asking for a separate permission to do so, even for commercial purposes.

Most of all, we want as many people as possible to know their rights and how to exercise them. This is really for all of our benefit.

Do you have a great idea to make your community better via the Internet? Apply for a Beyond the Net grant, which funds projects up to $30,000 USD, and follow Beyond the Net on Twitter!

This post was first published at digirights.infowhere you can find more photos from the project.

Internet Governance Privacy Public Policy

GDPR: Going Beyond Borders

Today, the EU General Data Protection Regulation – or GDPR – comes into effect amid a great deal of anticipation and build-up. For the past few years, companies and policy makers around the world have been preparing for this legislation to come into force. It introduces higher and stricter privacy requirements and heavy fines for noncompliance. The interesting, yet challenging, part of the GDPR is that it applies to all organizations processing the personal data of subjects within the European Union, regardless of their location.

In this sense, the GDPR is an ambitious effort that seeks to fill a gap in the field of Internet privacy. Implementation by organizations around the world has not been easy as the statute is complex and, in many ways, difficult to enforce. This has been particularly so for small and medium enterprises (SMEs) and startups as the costs of ensuring compliance are considerable.

At the Internet Society, we are pleased to see privacy becoming a priority, not just a “nice to have.” As an organization with a global community, operating all over the world, we are among those who have been preparing for the GDPR. Doing privacy well is not easy, but it’s something we care about and believe everyone should have, no matter where they are.

Europe’s intention to create a much stronger and more robust privacy framework has been quite clear all along. For the past few years, Europe has hinted that its understanding of the right of privacy is not only different from many of its counterparts, but also one of its key priorities. The 2002 ePrivacy Directive, the 2014 landmark ECJ decision on the Right to be Forgotten, the 2017 ePrivacy Regulation proposal, and now the GDPR are all clear examples of a region determined to provide strong privacy protections.

All this has allowed Europe to achieve two things: first, provide some much-needed substance to the global debate on Internet privacy, which has long been a philosophical debate with few tangible results, and second, through the GDPR, Europe seeks to position itself as a de facto global regulator for privacy.

In the first case, what Europe has achieved is quite remarkable. For the many years of the commercial Internet, privacy outcomes have largely been left in the hands of companies that collect and use personal data, with the result that data collection and use has increased exponentially, often at the expense of users’ privacy. Recent disclosures from leading Internet companies suggest that society still hasn’t managed to strike the necessary balance between data protection and data monetization.

The GDPR seeks to change that by shifting the dynamics of personal data use towards users. It seeks to give them ultimate control over the processing of their data. For instance, the GDPR obligates companies to avoid the current practice of long, legalese, and unclear provisions hidden in the small print of their Terms of Reference. This will certainly change the dynamics of how privacy is presented and offered to users.

It is in the second point, however, where things start to become complicated.

By applying the GDPR to any organization around the world that collects personal data from any data subjects in the EU, Europe is setting itself up as the leading voice on Internet privacy globally. The question is, will Europe hold the limelight for long? Or will other countries and regions step up their own efforts to tackle privacy in the context of a global Internet?

There is also an element of extra-territoriality in the GDPR with the potential to have a “spill over” impact on larger Internet Governance considerations, including:

  • Setting a precedent where countries could start imposing national or regional legislation that has global impact;
  • Creating unintended clashes between different laws, which can result in unpredictability and lack of clarity, which could subsequently impede the roll out of global technology
  • Producing “regulatory competition,” the notion of state actors seeking to command the international Internet regulatory environment.

These trends will inevitably create fragmentation.

How this will play out is yet to be seen, but it is likely that this will have repercussions for the future of Internet Governance. At the Internet Society, we believe in a global, open, interoperable, and secure Internet. We also believe in inclusive Internet Governance that strives to accommodate the interests of all stakeholders globally.

As the GDPR comes into force, therefore, we should work collaboratively with all stakeholders towards a more coherent global privacy framework that incorporates compatible global approaches about privacy and personal data protection. One that, just like the GDPR, puts users at the center of control over their data, backed by a global consensus to ensure a more predictable, consistent and enforceable privacy ecosystem.

Read the Privacy policy brief.

Improving Technical Security Privacy

Podcast: Talking Data Privacy and GDPR with Todd M. Tolbert

Let’s raise the bar on data privacy and make the Internet safer.”  With the imminent arrival of the EU’s General Data Protection Regulation (GDPR), this was one of the points raised by Todd M. Tolbert, our Chief Administrative Officer, in an episode of the Non-Profit Tech Podcast published yesterday. Hosted by fusionSpan’s Justin Burniske, the 35-minute episode covered a wide range of topics, including:

  • the difference between data privacy and data protection
  • Todd’s thinking about the value the GDPR brings in terms of thinking about data
  • mistakes organizations make with regard to handling their data
  • resources for organizations to do more
  • how you can’t be liable for data that you don’t have in the first place
  • asking the question… do you really need to keep those 700 email addresses that no longer work?

And, of course, Todd being who he is, there were some Texan things mixed in to the conversation as well. I very much enjoyed the episode and found it a useful contribution to the ongoing privacy discussions that tomorrow’s GDPR deadline has generated.

Some of the resources Todd shared included:

I would also encourage you to view our articles and resources related to privacy.

You can listen to the podcast:

Download mp3

You can also visit the podcast page – or download it in your favorite podcast app.

FYI, as Todd as written previously, he’s been leading our efforts on GDPR compliance, and also serves as our Data Privacy Officer (DPO).

Building Trust Privacy

CONSENT: Privacy Is Key to Reinforcing Trust

To address mounting US user concerns, Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the Consumer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. (They have also introduced legislation to increase transparency and consumer privacy protection, though the text is not yet public.) While the Internet Society is weary of a reactionary regulatory trend and would rather see proactive anticipatory movement towards stronger privacy protections, we are supportive of legislation, like the CLOUD Act, that puts more control over how data is used in consumers’ hands, and moves towards a more user-centric Internet.

Currently, US users often have to go through an extensive and complicated process to opt out of data usage practices. Some may not even be aware that those options exist. Opt-out processes make data collection the “default” setting and weaken consumers’ ability to really consent to data handling practices.

The CONSENT Act, however, would require “edge-providers” (defined by the Act as persons that provide a service over the Internet) to notify users when they subscribe, establish an account, purchase, or begin receiving service if their data will be collected. This would make significant gains for user trust, as it would increase transparency at the point when a user first engages with a service – to counter the approach that simply relies on “by using a service you agree to its (privacy) terms”. Of course, it’s not enough to merely notify users. Privacy policies and practices need to be communicated simply and clearly so that users fully understand what data will be collected.

The Act would also require edge-providers to obtain express consent from users before using, disclosing, or permitting access to any of the personal information collected. This is intended to address third-party or secondary uses of users’ personal data. It means that users would have to explicitly opt-in to having their data used. Again, while this is a positive move toward a more user-centric model, the information provided to users should be relevant, straightforward, concise, easy to understand, and delivered at the right time for users to make a meaningful decision.

The bill also includes a “take-it-or-leave-it” provision that would prohibit edge-providers from refusing service to users who do not consent to having their data used for other commercial purposes. Edge-providers would still be permitted to use data for internal purposes, as some data must be used and shared for platforms to function as intended. Sharing that same data with third parties, however, is not necessary to the functionality of the platforms. This provision would give consumers greater power to both protect their privacy and use digital services to their full function.

The Internet Society believes trust is fundamental to the Internet’s success, and, as we’ve said before, privacy is the key to reinforcing trust. It is clear that data collectors need to regain users’ confidence in the Internet by standing up for their privacy, accepting their responsibility to protect users’ privacy, and becoming more transparent about how and when users’ data is used.

Trust in digital platforms has been significantly shaken. Users are becoming more aware of the risk of potential exploitation of their data by platforms and online services. As a result, a worldwide discussion has ensued to identify mechanisms and ways for users to take more control over their data.

For instance, the General Data Protection Regulation (GDPR), which will come into effect at the end of the next month, is the European Union’s major effort to protect user privacy and data. The CONSENT Act, and other forward-looking privacy measures, would better harmonize US policy with a European privacy regime that has tipped the scales to give users more power over the way their information is used by online services. This would make a more user-centric Internet the global norm, ensuring that no matter where users live, they can expect high standards for their privacy, and control over the way their personal information is used.

While there is much to be done to ensure users in the US are as protected as those in Europe, the Internet Society is encouraged by the direction policy makers in the US are heading. The CONSENT Act, as well as proposed legislation from Senators Klobuchar and Kennedy, is a necessary first step to ensure that data collectors protect users’ private information and put the power of privacy and data handling in their hands. However, we encourage the Senators to also consider including accountability measures, including liability provisions, to ensure that services that collect, compile, and manipulate data are liable for the consequences of its abuse.

Additionally, many major digital platforms have shown that they are willing to work with lawmakers to protect consumer interests. Moving forward, we would encourage the Senators to work closely with civil society, the private sector, consumer groups, and academia to ensure that the final bill will effectively increase privacy and user trust without introducing unintended harms or barriers to innovation online. These bills would help consumers regain trust in the online services they use every day, and we hope the Senators will work together to create a bipartisan and comprehensive bill.

Read the Internet Society’s Policy Brief on Privacy.


About Internet Society

Updated Privacy Policy with minor clarifications

As we continue our work related to the upcoming General Data Protection Regulation (GDPR), we have published an updated Privacy Policy for all visitors to our websites. This version makes some minor clarifications to our previous Privacy Policy from August 2017.

We also published a Privacy Policy Frequently Asked Questions (FAQ) list with more details about how we comply with various provisions of the policy. If you have any questions about this, please contact me at

See also:

Beyond the Net

The Dawn of New Digital Rights for Finnish Citizens

I’m pleased to introduce our new project New Digital Rights MOOC (Massive Open Online Course), that will teach citizens about  their personal data rights through GDPR and MyData frameworks. It is funded by the Internet Society’s Beyond the Net Funding Programme and made possible with volunteers.

The project is a partnership between ISOC Finland Chapter and Open Knowledge Finland. Other NGO’s and associations like Electronic Frontier Finland, Faktabaari, and student organisations will be engaged.

The aim of the project is to make citizens more aware of their digital rights, initially focusing on explaining GDPR (General Data Protection Regulation) and MyData. The solution is to educate people through a MOOC-platform and series of workshops that create content and train people and organizations to use it.

MyData is the biggest part of our work in Open Knowledge Finland at the moment and we have made a whole conference around this Nordic model of personal data management. It is very much entwined with the changes in the GDPR and we felt that while we made people aware of relevant changes in the European data protection, MyData could be explained in parallel to the GDPR, in a separate, cross-referenced module.

As of now, there will not be a better time to make GDPR understandable than the very year it will be enforced. We have started the work already and will be done just seven months after it is enforced.

For our project to get funding from the Internet Society, we needed to support their mission, which is “to promote the open development, evolution, and the use of the Internet for the benefit of all people throughout the world”.

Our project is administered as openly as possible. All our project documents are accessible by anyone at our project folder. The MOOC itself will be open to everyone as well and the content can be used however people see fit. For the internet to evolve into the right direction and to benefit more-and-more people, we need to have citizens who understand their digital rights. That’s exactly what this project aims to do. The constituents of elected governments need to know their rights to elect people who respect those rights.

We have created a project page on Open Knowledge Finland’s website that has information on participating and following what exactly is happening right now.

Do you have a great idea to make your community better via the Internet? Apply for a Beyond the Net grant, which funds projects up to $30,000 USD, and follow Beyond the Net on Twitter!

Improving Technical Security Shaping the Internet's Future

Future Thinking: Cyrating on Cyber Threats

Last year, the Internet Society unveiled the 2017 Global Internet Report: Paths to Our Digital Future. The interactive report identifies the drivers affecting tomorrow’s Internet and their impact on Media & Society, Digital Divides, and Personal Rights & Freedoms. In February 2018, we interviewed two stakeholders – Cyrating, a cybersecurity ratings agency, and Niel Harper, Senior Manager, Next Generation Leaders at the Internet Society – to hear their different perspectives on the forces shaping the Internet’s future.

Cyrating is the first cybersecurity ratings agency anchored in Europe, and helps forward-thinking organizations maximize their cybersecurity performance and investments. It identifies potential for improvement, benchmarks it against industry best practices, and provides standardized cybersecurity metrics. We spoke to François Gratiolet, one of Cyrating’s founders, about the future of a secure and trusted Internet.

(You can read Niel Harper’s interview here).

The Internet Society: Experts predict an increase of frequency and impact of cyberattacks. What form are they likely to take in the next three to five years?

François Gratiolet: We believe cyberattacks will intensify in the next three to five years; targeting both Internet users and the Internet’s underlying infrastructure. User attacks will move from phishing to social media, with users increasingly being exposed through their mobile devices. While the use of IDs such as digital certificates and biometry might reinforce security in some regards, it will simultaneously introduce new targets for cyberattacks. And as the adoption of blockchain technology and cryptocurrencies will become a new norm, we also expect more cyberattacks on virtual currencies’ platforms. Because physical and digital worlds become increasingly entwined, IoT and utility infrastructure will similarly become more attractive targets for cyberattacks. Attacks on national telecommunications infrastructure, for example, can endanger economies in developed and developing countries alike.

In parallel, organisations’ boards, consumers and citizens are also becoming increasingly aware of the potential danger and risk of data breaches, botnets, denial of service attacks, and malware. Similarly, organisations’ obligation to keep stakeholders informed about breaches is also becoming more concrete as a result of codifications like the General Data Protection Regulation (GDPR) and the European NIS directive, which comes into effect in May 2018. GDPR harmonizes data protection in Europe, and imposes new duties for organisations offering goods or services to the EU. The obligation to notify stakeholders (investors, customers, partners and insurers) of data breaches compels organisations to be ever more responsible and transparent in terms of cybersecurity and to demand strict cybersecurity safeguards from their chain of suppliers.

What needs to be done to address cyber threats, put users in control of their data, and increase accountability for data handlers?

Organisations need to understand their enemies’ tactics and techniques and should be better prepared for dealing with cyber threats. At the same time, they need to understand their own information systems better, including how to monitor them continuously. This requires organisations to appropriately train all employees on dealing with cyber threats: from senior executives to IT operations. For that, organisations will need to work as a team and to share threat intelligence information. As data handlers and organisations will become hyper accountable with new regulations, they will need to ensure security by design of all digital products, including data breach notifications and remediation, suppliers’ security, etc. It will also be important for them to learn to demonstrate the effectiveness of the controls in place to protect their organisation, its systems, and the data it has to deal with.

Where users are concerned, there is a significant need to improve users’ own understanding and control of their data. Education and raising awareness is critical to ensure that users can handle their data securely. The tipping point will be to enforce the rules, especially new European regulations.

We believe security rating services like those offered by Cyrating will help organisations to improve their cybersecurity effectiveness and that of their suppliers or partners, introducing more transparency and trust to their overall business ecosystem, and contributing to enhanced resiliency overall. Such rating systems must be based on specific criteria and cybersecurity best practices, and must respect widely shared standards. These practices are crucial for the benefit of our economy, our society, and the safety of all.

How do you see insurance policies and companies evolving to cater for cybersecurity risks in the future?

The overall cyber insurance market will continue to grow at a great pace, with organisations realizing that, regardless of their current security processes, security can never be 100% guaranteed. All organisations therefore have to mitigate potential financial damage that is bound to arise from cybersecurity incidents. To fully equip themselves in the face of a cybersecurity tsunami, organisations will recognize and include cyber insurance as a key component of their risk management strategy. We predict that cyber insurance will, in the future, be a prerequisite in business relationships. With such growing adoption, reinsurance companies will have to prevent the “black swan” risk.

Cyber insurance does not remove the need for businesses to manage their risk from cyberattacks, however. A challenge is to effectively remediate cyber risks for a large volume of digital assets. A cultural shift towards the adoption of more cyber hygiene measures is arguably needed. This is why we advocate for a return to the fundamentals of cybersecurity with the enforcement of standards such as the establishment of SPF (Sender Policy Framework), which is designed to limit email usurpation, or the DNSSEC (Domain Name System Security Extensions) protocol to protect Internet domain names.

What are your fears for the future of the Internet?

We fear that security issues of the Internet will not be tackled in a consistent, technical, legal, and political way. Security Internet protocols such as DNSSEC or encryption will need to be fully embraced so that the lnternet users will have more confidence in the online activities that are increasingly becoming a part of our lives at work, home, and school. Cooperation and information sharing among end user organizations, providers and countries will be key to fight against cybercrime. We also fear pervasive and mass surveillance from large and dominant corporations as well as the end of the net neutrality. It will endanger the Internet as we know it, along with our digital economies.

What are your hopes for the future of the Internet?

We hope that cybersecurity will no longer be ignored in digital products and services design, but will become central to everything that an organization does, and be embedded in all processes and business operations. Thus, we hope that all the players in the value chain (e.g. operating systems and hardware makers, ISPs, registrars, SaaS providers) will offer top cybersecurity and that end-users’ organizations will buy and rely on them.

What do you think the future of the Internet looks like? Explore the 2017 Global Internet Report: Paths to Our Digital Future to see how the Internet might transform cybersecurity across the globe, then choose a path to help shape tomorrow.

The views and opinions expressed in this article are those of the interviewee and do not necessarily reflect the official position of the Internet Society.
Photo: Founders François Gratiolet, Christophe Ternat, and Charles d’Aumale, courtesy of Cyrating

Building Trust Privacy Reports

The Future of Online Privacy and Personal Data Protection in Africa

African experts are gathered for two days (19-20 February 2018) in Addis Ababa, Ethiopia to contribute to the development of the African Privacy and Personal Data Protection Guidelines. The meeting, facilitated by the African Union Commission (AUC) and supported by Internet Society, explored the future of privacy and data protection and provided some practical suggestions that African states can consider in implementing the Malabo convention provisions related to online privacy. The guidelines are aimed at empowering citizens, as well as establishing legal certainty for stakeholders through clear and uniform personal data protection rules for the region.

The expert meeting comes amidst growing concern across the world on the need to prepare for the EU General Data Protection Regulation (GDPR), which will be enforced on 25 May 2018. The expert meeting is rather focused on creating general principles for African member states in developing good practices now and in the future. The project, a partnership of the AUC and the Internet Society, comes as a follow up to the recommendations of the Africa Infrastructure Security Guidelines, developed in 2017 to assist speed up their adoption and subsequent ratification of the Malabo Convention.

Both the Heads of States Summit in January 2018 and Specialized Technical Committee Ministerial meeting endorsed the development of these guidelines as a way to strengthen the capacity of African states to deal with emerging issues in the digital space.

The African privacy and data protection landscape is still nascent with only 16 of the 55 countries having adopted comprehensive privacy laws regulating the collection and use of personal information (C Fichet, 2015). The African Union Convention on Cyber Security and Personal Data Protection  is considered an important first step aimed at creating a uniform system of data processing and determining a common set of rules to govern cross-border transfer of personal data at the continental (African) level to avoid divergent regulatory approaches between the Member States of the African Union. Now that a continental framework is in place, there is a need for more detailed best practice guidelines on personal data protection to assist countries in the process of domesticating the Malabo Convention into the national laws.

Building Trust

The Cyber Incident Tsunami – Time to Get Ready

In advance of Data Privacy & Protection Day, the Online Trust Alliance, an Internet Society initiative, just released the Cyber Incident & Breach Trends Report (press release here), a look back at the cyber incident trends in 2017 and what can be done to address them. This report marks the tenth year OTA has provided guidance in this area, and while the specifics have certainly changed over time, the core principles have not.

Originally we just looked at the number of reported breaches, but last year we broadened the definition to “cyber incidents,” which includes ransomware infections, business email compromise (BEC), distributed denial-of-service (DDoS) attacks and infiltrations caused by connected devices. This broader definition paints a more realistic picture of the threats and associated impact facing organizations today.

This year we found that the number of cyber incidents nearly doubled to 159,700 globally, and given that most incidents are not reported, this number could easily exceed 350,000. This is more than 30 times the number of breaches alone, so provides a very different perspective on the threat landscape. As in previous years we also assessed the “avoidability” of breaches by analyzing their cause and found that 93% were avoidable, consistent with our previous findings. While the rise in the number of incidents was primarily driven by a doubling in ransomware infections, there was growth in all facets, indicating that organizations must take a comprehensive view of their defenses.

So, what were the major trends seen in 2017 and what can be done about them? The report provides more context and detail, but here is a summary of the key findings:

  • Rise in Ransom-Based Attacks. This attack vector far outweighs the others, at least in terms of numbers. Ransom-based attacks can come in the form of ransomware entering the organization through malvertising and malicious email, but also via the threat of a DDoS attack if ransom is not paid. There are a variety of best practices to help block such attacks, but one new suggestion is to be prepared in case a ransom payment is deemed necessary by setting up a cryptocurrency wallet ahead of time.
  • Patching Pace is Critical. While the Equifax breach was probably the most public example of the impact of slow patching, lack of timely patching is the cause of many breaches and incidents. Recent news about vulnerabilities in some of the most foundational system elements – KRACK, BlueBorne, Spectre and Meltdown – makes timely patching more critical than ever. Organizations need to take a disciplined approach here, including provision for vulnerability reporting, and test and deploy patches as quickly as possible.
  • Closely Monitor Cloud Conversion. The transition to third-party, cloud-based services continues for organizations of all sizes, and while it has advantages in convenience and efficiency, it also introduces new risks since your data is now in someone else’s hands. This risk can be offset via thorough auditing of cloud providers, contractual commitments related to security processes and extra diligence regarding configuration (publicly accessible AWS S3 containers, anyone?)
  • User-Enabled Attacks. With all the technology, it’s easy to forget that users are the most important gatekeepers to your systems and data. Equipping them to make good decisions and instilling a culture of security (whether via training or technology tools), providing an extra ring of defense (through mechanisms such as multi-factor authentication and limiting access levels appropriate to the role) and monitoring systems for anomalous behavior can go a long way toward securing your systems.
  • Increase in IoT Devices. There’s a lot of buzz in this area, and use of IoT devices is expected to triple in the next several years, but the “shadow” element of this trend – presence of consumer-grade connected devices such as smart TVs or even employees’ wearables – doesn’t get much attention. These devices need to be viewed as a threat vector, and as such, steps need to be taken to reduce their risk. This includes items such as research into the security capabilities of the IoT devices, policies regarding their use in the enterprise, and setting up compartmentalized networks to limit their access.
  • Regulatory Shifts. Led by the EU’s General Data Protection Regulation (GDPR), which goes into effect this May, there have been many recent and significant shifts in data privacy/protection and data breach regulation throughout the world. Even if you are not based in those countries, you are likely subject to these regulations if you have customers there, so a thorough understanding of these new regulations and their impact on your data collection and storage practices as well as on your breach readiness and notification plans is critical.

Though there are a number of key trends that bubbled to the surface in 2017, there are also a number of foundational principles organizations should follow to be good stewards of their data and minimize the impact of attacks or incidents. Broadly defined, these principles fall into two categories:

  1. Implement strong data stewardship (including security, privacy and risk reduction) through all phases of the data lifecycle, recognizing the global regulatory landscape and its impact on breach readiness (e.g., GDPR enforcement beginning in May 2018)
  2. Prepare strong, well-practiced incident response measures (including a well-designed plan, appropriate team, predetermined action steps, regular training and testing)

As OTA has advocated for many years, this is not a “once and done” proposition. By establishing a culture of stewardship (vs just compliance) and implementing policies that take a proactive approach to proper handling and safeguarding of data, organizations can minimize exposure to the cyber incident tsunami and actually thrive by building and maintaining trust with their customers.

Read the Cyber Incident & Breach Trends Report

About Internet Society

Announcing our updated Privacy Policy

Today we published a new Privacy Policy covering usage of our web sites as well as our collecting and maintaining Personal Data of our members, attendees to our events and subscribers of our various communications.

Over the last nine months, a small focused team of Internet Society (ISOC) Staff and our General Counsel have been discussing the need of ISOC to collect Personal Data (PD) while maintaining our commitment to privacy and adherence to numerous privacy laws around the world. We had already taken major steps to meet aspects of some laws (CAN SPAM and CASL most notably). During this time, the European Union contemplated and removed the Safe Harbor agreements and subsequently adopted the General Data Privacy Regulations (GDPR) this year. We now believe that our Privacy Statement meets at least the minimum specifications of these requirements.

Our Privacy Statement is an example of how organizations and companies around the globe should clearly state how they use and why they collect Personal Data. We maintain our commitment to our community that data collected by the Internet Society will only be used for those reasons that we collected it. We won’t sell or rent your information, and will only share it in ways we state in the policy. At any time you may change your granting of that use or subscription to communications.

Please take a moment to read the new Privacy Policy and familiarize yourself with its contents.

Image credit: Priscilla Du Preez on Unsplash