Security Expert Interview Series: Gordon Wade
We recently checked in with Gordon Wade to learn about the main challenges for privacy today and how businesses in the online travel agency sector turn information security into an opportunity to differentiate themselves in the market. Gordon is a Data Protection Officer, and previously held the position of Data Privacy and Protection Lawyer at PwC (Middle East). In this interview, Gordon also reveals his single most important piece of advice to digital companies regarding staying GDPR-compliant. Make sure you do not miss his interesting insights, and read the full interview below.
1. How did you get involved in the information security industry?
I began my career as a trainee lawyer and then Associate at Irish law firm Mason Hayes & Curran solicitors, and it was here that my passion for data privacy was born. MHC was then (and continues to be) Facebook’s external counsel for the Schrems I & II litigation and I had the opportunity to work with some stellar privacy lawyers during my time there.
I then joined KPMG Ireland’s legal team in a predominantly corporate/commercial lawyer role but with the scope to develop a new legal data privacy service line, supporting the firm’s consulting, risk and audit teams who were already busy advising clients on their GDPR readiness programs. I gained a lot of market exposure whilst at KPMG through newspaper interviews, legal journal articles, guest lecturing, and presenting at conferences. In late 2018, I was recruited onto PwC Middle East’s Legal Data Privacy team in Dubai where I advised clients on their GDPR implementation programs and also the growing number of emerging local data privacy laws across the Gulf including Bahrain, Qatar, the DIFC and Saudi Arabia. Alongside publishing guidance on these laws for LexisNexis and local media, I obtained the CIPP/E and CIPM certifications with the IAPP.
I also had the honour of speaking at the French Institute of Risk & Compliance’s 1st European Compliance & Tech Conference in Paris and was subsequently appointed as a Fellow of Information Privacy by the IAPP. Having spent a number of years advising a wide variety of clients from all sectors on data privacy compliance, I felt the time was right for me to make the move in house and joined Hostelworld.com back in Ireland as Data Protection Officer and Group Legal Counsel in January 2020, a role that I felt naturally complements my experience as a lawyer and data privacy adviser and consultant. In December 2020 I was appointed as Young Privacy Professional for the Dublin Chapter of the IAPP.
2. What are 3 must-have skills a Data Protection Officer should have, and is a technical background necessary?
For me, the 3 must-have skills for a DPO are Communication, Leadership and Credibility. Of course, a DPO needs to have expert knowledge of the GDPR etc., but I think that is a bit of a given these days for any DPO. I feel the same goes for being independent.
Every day I need to communicate the prevailing data protection issues in our market and our business to a multitude of people across numerous different departments made up of different teams in various fields. I need to be able to effectively advise and guide the HR team on employee privacy issues raised by Covid19 tracking as much as I need to work with my InfoSec team on rolling out an enhanced VPN to our remote workforce with privacy-by-design and default features.
I also need to be able to provide effective training to a workforce located across five jurisdictions and be the jargon-free point of contact that our customers can reach out to about our processing of their personal data. Finally, I communicate with our board and external advisors like auditors regularly, so I need to ensure I succinctly distil our main privacy issues to them in brief detail.
By leadership I mean a DPO must be a self-starter, with the competence, confidence and skills to act without guidance and to know where to find information. Because I report to the highest management levels in Hostelworld (which includes a hugely experienced board in our listed parent company), I need to have and present a board-level presence.
Finally, a DPO needs to immediately establish their credibility with the company they serve and the relevant supervisory authority based on demonstrable experience, knowledge, credentials and relationship skills.
Personally, I do not think having a technical background is a prerequisite for a DPO (but it will vary by organisation and industry). I know lots of DPOs who are absolute experts in technology but who rely heavily on their legal counsels to guide them on the law. I also know many DPOs who are expert lawyers but need the ongoing support of their IT and tech teams. For this reason, I think a DPO needs to sit within an Office of the DPO which should include privacy champions from HR, legal, tech, InfoSec, marketing and customer service.
3. What do you see as the main challenges for privacy today?
From experience, the shift to a remote working model as a result of Covid19 has without a doubt given rise to numerous privacy and cybersecurity compliance challenges, such as internet bandwidth issues, increased migration of organisation data to personal devices, cyber criminals taking advantage of Covid-19 and greater security exposure due to inexperience with remote working. Pre-Covid, many companies had only just about completed changes in their data management and business processes in light of the GDPR etc.
Then, virtually overnight, the office-based paradigm was replaced with the new remote access model. Those same companies now need to deal with almost all employees working from home. Even in a post-pandemic world, many employees will still seek to work remotely, so this will present the challenge of adapting your privacy and security strategy. Remote working requires a host of tech solutions and tools like video conferencing, email, cloud file storage, file sharing, chat and communication platforms, and remote desktop apps.
Ordinarily, implementing such new tech requires months of planning and preparation but COVID-19 meant companies had just weeks, if not days, to onboard new systems to keep operating. Ongoing training and education programs informing all employees of security best practices will be a must.
Related to this, I do think that the concept of national digital identities will become more prevalent as public services are delivered digital by default. We have seen the emergence of lots of new technical functionalities like Covid tracking and tracing, remote access to services and generally measures aimed at facilitating our emergence from local and national lockdowns. However, I feel individuals will fear that these and future measures could lead to increased mass monitoring and storing of their personal data in the long-term – which I think makes sense when you consider that these measures are designed to control movement (by processing location, contact, and health data).
I also think what WhatsApp taught businesses is that individuals have become even more sensitive to how their personal data will be used. The pandemic has arguably caused digital relationships to have become frayed, if not even broken. The mass exodus of WhatsApp users to more privacy-focused messaging apps like Signal and Telegram after new data-sharing terms with Facebook were published shows that consumers are becoming more empowered and will freely move to a competitor business if they feel that their data privacy rights will not be protected and respected. This will feed into the challenge of dealing with a significant rise in DSARs across several sectors in light of widespread staff redundancies/furloughs and, in the UK, artificial intelligence exam grade calculations.
4. In your opinion, is the GDPR rather a necessary evil or an opportunity for the digital economy?
Personally, I think it’s a mistake to consider data protection compliance a necessary evil. It is well-documented at this stage, almost 3 years into this post-GDPR world, that treating GDPR-compliance as an opportunity and developing a robust compliance program coupled with a strong organisational culture of privacy by design and default can serve as a competitive differentiator and an anchor of trust for customers.
For eCommerce companies in particular, the key raw materials of the business are the (personal) data that is processed (and the commercial value attributable to it) and the customer trust and confidence that the data will be processed fairly, lawfully, and securely which is to be achieved through data protection combined with modern information security solutions. GDPR-compliance therefore has the potential to actively open up opportunities to build customer confidence in products and services in the digital economy.
5. How can businesses implement technical infrastructure that will ensure optimal security of their client data?
In order to provide the optimal levels of data security, businesses first need to fully comprehend their IT infrastructure, network (configuration and topology), network traffic and communication system. Once this understanding is in place, implementation can proceed along the following steps:
- documenting a data security policy, processes, procedures, and an implementation roadmap;
- getting buy-in from the highest levels of management;
- rolling out those policies and plans and maintaining standardised documentation of the entire technical infrastructure;
- regularly testing and auditing network security (i.e., Internet, Intranet and Extranet), updating it and maintaining an audit trail of all changes;
- creating data security awareness across the organisation through regular training.
From experience, I believe data defence lies in its depth. Therefore, a layered security model can be really effective at ensuring data security – six tiers of security layered on top of one another as follows:
- Layer 1: Defence Perimeter – the secure outer walls and roof of the house that includes firewalls, intrusion-detection systems and anti-virus filters.
- Layer 2: Internal Physical Security – where the operating systems and web/mail/app servers are protected with password and permission access controls and physical security like secure server rooms, door locks and ID-only entry.
- Layer 3: Network Integrity – where automated, policy-driven traffic management systems monitor and react in real time to network traffic anomalies. The goal here is to ensure bandwidth is available for business-critical applications.
- Layer 4: Application Gateway – where the focus is on the contents of traffic reaching applications. Web application gateways, e-mail spam filters and XML security systems can help ensure that application traffic is clean, efficient and secure.
- Layer 5: Host Integrity – where security systems protect configurations on internal workstations connected to the network and include host-based antivirus applications, intrusion-prevention software, spyware tools and personal firewalls.
- Layer 6: Data Protection – use of encryption protocols (like 256 bit whole disk encryption) to safeguard personal data in transit and at rest.
6. We know that you have been working in the online travel agency (“OTA”) industry for over a year now. Please tell us what are the 2 biggest security and compliance challenges that are being faced by OTAs.
There have been a number of high-profile data incidents affecting travel companies since the GDPR came into force – notably the British Airways and EasyJet breaches in 2018 and 2019 and the Prestige Software incident in 2020. These incidents I think demonstrate two significant data security concerns for OTAs: website vulnerabilities and supply chain management.
With websites, cyber criminals will target software flaws and applications that have not been updated so it is essential to regularly test and review security measures deployed to guard the website. The (mis)configuration of the AWS S3 bucket by Prestige Software shows us that OTAs need to regularly revisit their vendor landscape to look for proof of audits of current systems architecture and security measures and regular independent third party evaluation of such measures. At due diligence stage, contractual safeguards may not always be enough so involve software and security professionals in the vendor due diligence process, particularly for vendors who will process personal or sensitive data.
On the compliance side, it is important for OTAs to invest in information security tools such as Payment Card Industry Data Security Standard (“PCI DSS”) tools, the global data security standard for protecting confidential payment card information. By doing so, OTAs put in place proper procedures and employee training to protect the privacy and the security of their customers’ personal data.
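As an added example (not from the interview, Hostelworld or any vendor named above), a small Python check in the spirit of the S3 misconfiguration point: it takes a bucket's ACL, bucket policy and public-access-block settings in the shape boto3 returns them and lists every way the bucket is open to everyone. The sample data is constructed; the bucket name and owner id are placeholders.

```python
import json

# The two "everyone" grantee groups that make an S3 ACL public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_public(principal):
    """True if a policy statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def find_public_exposure(acl, policy_json, public_access_block):
    """Return findings for a bucket reachable by everyone; [] means none of the three controls exposes it."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    if policy_json:
        statements = json.loads(policy_json).get("Statement", [])
        for stmt in (statements if isinstance(statements, list) else [statements]):
            # An unconditional Allow to '*' is the classic open-bucket policy.
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _principal_is_public(stmt.get("Principal"))):
                findings.append(f"policy allows {stmt.get('Action')} to everyone")
    pab = public_access_block or {}  # a missing block means nothing is blocked
    disabled = [k for k in PAB_KEYS if not pab.get(k)]
    if disabled:
        findings.append("public access block not fully enabled: " + ", ".join(disabled))
    return findings

# Constructed sample shaped like boto3's get_bucket_acl / get_bucket_policy / get_public_access_block responses.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket-placeholder/*"}]})
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

Running `find_public_exposure(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB)` reports all three weaknesses; the same call against an owner-only ACL, no policy and all four block settings enabled returns an empty list.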
7. How can businesses in the OTA sector turn information security into an opportunity to differentiate themselves in the market and gain the trust of their customers?
In our business, we collect a lot of personal and analytics data on our customers to better understand who they are and why they do what they do, i.e., stay in hostels rather than hotels, travel to particular places or book certain types of experiences, so we can personalise their journey with us. Data is our lifeblood, so securing it is paramount for us. Also, our customers want instant gratification, easy access to everything and are avid users of social media, so the competition for their business is fierce.
Information security should be infused into core business functions such as customer experience, marketing and business operations and make security a part of the brand promise and delivery.
8. If you could share the single most important piece of advice to digital companies regarding staying GDPR-compliant, what would that be?
As the name would suggest, digital companies live in the digital world – and we are in the digital age which is characterised by being fast-paced, high tech, ever evolving, globalised and information driven. Organisations in this sector need to be equally dynamic and flexible to compete and roll out new products and features before the competition. However, the key to staying compliant in this environment I believe is to embrace the principles of data protection by design and default and embed privacy into new products, systems, or processes when they are conceptualised and as they are being developed.
When privacy is embedded at an early stage it increases internal awareness of privacy and data protection issues and helps identify potential problems at an early stage. Because privacy considerations are focussed on early in the process and checked prior to new products, systems, and processes being released, privacy by design and default can decrease the risk of GDPR non-compliance. As the organisation evolves, privacy by design and default enables a sustainable GDPR-compliant environment.
9. Lastly, what advice do you have for entry-level people who want to break into the field of information security?
If I could give three pieces of advice, they would be these:
- The world of information security has a language all of its own so you will need to learn to speak it.
- Information security is not a monolithic field so focus on a specific discipline(s) you want to work in.
- Getting certified by doing InfoSec or data protection courses will be essential.
Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.