Loading...

Author: Neil Miller

GDPR: Our Journey So Far

GDPR: Our Journey So Far

Our journey in data protection began in February 2017 with our adoption of the ISO 27001 framework for Information Security Management. This step underscored our commitment to upholding robust data protection standards globally. 

As providers of comprehensive data protection services on a global scale, we not only ensure our own compliance with GDPR but also assist our clients in adhering to various international data protection laws and regulations like EUGDPR, PLPL, CCPA, and CPRA. 

Specialising in Data Protection Officer (DPO) services across diverse sectors worldwide, we emphasise our dedication to safeguarding both personal data and sensitive information.  

Throughout our journey, we’ve recognised the importance of effectively communicating the significance of data protection from senior management to every team member. This understanding is crucial for our business’s success and reputation. 

We remain vigilant about the potential impact of existing and upcoming Data Protection Laws & Regulations, such as GDPR, on both our operations and our clients. Hence, we consistently strive to convey this message promptly and reinforce our internal culture of data security to ensure ongoing compliance.   

 

Mapping your data  

Unless importance and resource are applied to how your organisation complies to Data Protection Laws such as GDPR, prepare to face the risk of the financial and reputational impact that organisations face due to noncompliance of Data Protection Law and Regulations. 

Take some time out with a DPO specialist, whilst having no distractions and list where you think data is stored. This will help form part of your data mapping.  

Keep it simple to start with, consider: Key aspects of data management and protection, including how personal data is obtained (e.g., through emails, websites, CCTV), types of data collected (e.g., name, date of birth, banking details), storage locations (e.g., PCs, cloud-based systems), access control, and sharing outside of your jurisdiction. It also covers organizational details, purpose of data processing (e.g., compliance with legal requirements), data recipients, and measures to safeguard data privacy during transfers.  

Additionally, this will addresses retention schedules, security measures, privacy notice information, consent records, and controller-processor contracts. Examples include maintaining records of individuals’ consent for data processing and conducting assessments to identify and mitigate risks associated with data processing activities. 

There are several ways of mapping this phase. We used a product called i2 Analyst Notebook to help map our data or “information flow”; but you can use a simple flowchart within Word, or even a large flipchart or board. This will bring your data mapping to life, and you will be able to see and add to your map as the process continues. 

 

Questioning 

Data Protection Assessment is a vital tool for organizations to ensure compliance with Data Protection laws and regulations. By examining various aspects of the business, such as roles and responsibilities, communication, training, internal audit procedures, marketing activities, data flow, breaches, and subject access request handling, organizations can identify gaps and take necessary actions to address them. This assessment involves asking a series of questions to determine the current state of compliance and what steps need to be taken. 

The process involves reviewing policies, procedures, internal communications, incident logs, and other relevant documents to gather evidence of compliance with Data Protection laws. Once completed, the assessment informs the development of a Data Protection Action Plan. This plan outlines specific actions, sets timelines, allocates responsibilities, and establishes monitoring measures. 

As is with our internal process, regular reassessment through gap analysis is essential to ensure ongoing compliance. Conducting assessments once or twice a year allows organizations to adapt to changes in regulations and business practices, ensuring that Data Protection remains a priority within the organization. Ultimately, this proactive approach helps mitigate risks, protects individuals’ privacy rights, and builds trust with customers and stakeholders. If you’re interested, we can share our assessment questionnaire tool with you.  

 

Internal process changes 

You have a responsibility under the GDPR to update and review your internal policies and procedures. The aim is ensure they reflect your compliance to the GDPR and communicate these to your employees and third parties. Don’t assume that everyone will comply with your request, talk with them too. Make it part of your organisation’s plan to implement regular Data Protection Training and Privacy Impact Assessments. 

Decisions like how long to retain personal information should be set; who has access to the information (and who does not need access); keeping a record/register of the consents you have; and reviewing your ongoing relationships with individuals and their data. 

Consider also the procedures you will follow if you ever have the misfortune to detect or report a breach. Does your organisation require a dedicated Data Protection Officer (DPO) or someone else to take responsibility for data protection compliance? Who and where do you report a breach to? Do you outsource your data protection compliance?  

Ensure you have a procedure to follow when receiving a Subject Access Request. For instance:

  • how will you source the data you hold
  • how will you redact information where required
  • how will you share the data to the subject securely. Whilst ensuring you handle the SAR within the 30-day deadline as per the GDPR.   

Legal Terms 

The UK General Data Protection Regulation (GDPR) applies to processing conducted by organizations operating within the UK or outside the UK . Mostly, the ones that provide goods or services to individuals within the UK. Eventually, seeking professional advice on data protection will become necessary to ensure that your contracts and privacy notices adequately address legal requirements. 

Determining the legal bases and legitimate interests for controlling or processing personal data of data subjects is crucial. Considerations include: 

  • Training and awareness 
  • Data security 
  • Minimization of data storage 
  • Rights of data subjects 
  • Internal policies and procedures 
  • Compliant marketing strategies 
  • Transfers and restricted transfers 
  • Website privacy notices and cookie banners 

Again, conducting a Data Protection Assessment and Data Mapping, also known under the GDPR as Records of Processing Activities (ROPA), will help identify areas requiring assistance. Once you’ve identified your data, analysed gaps, mapped processes, and consulted with a data protection professional, much of the groundwork will be complete.  

 

Register with the ICO 

Finally, which many organisations forget to do, register your organisation with the Information Commissioner’s Office or if you are based outside the United Kingdom, a relevant supervisory authority. GDPR will be organic and change over time. Data Protection Professionals provide guidance on current data protection matters, including success stories and failures. They must be reported to the Information Commissioner’s Office (ICO). Keep monitoring the developments, continue to audit your processes and keep your internal housekeeping in order. 

If you make data protection part of your working day and culture, it will become much more manageable. However, if you haven’t done so already, make a start. 

Email us at dpo@tenintel.com and follow us on LinkedIn and Twitter @TenIntelligence for all updates. 

 

Our Intelligence | Your Assurance

Data Protection & Digital Information No. 2 Bill

Earlier this month, the UK Information Commissioner (ICO) gave evidence at the House of Commons to the committee scrutinising the Data Protection & Digital Information Bill. Today they’ve published a written response to the Bill. I’d like to share important updates on the DPDI No 2 Bill, based on the Information Commissioner’s Response.

Here are the ICO’s key points:

  1. Definition of Personal Data:
    New drafting introduces potential privacy risks and requires robust protection measures.
  2. Research and Statistical Purposes (RAS):
    Organizations may face challenges benefiting from RAS provisions due to unclear drafting on retaining the “key” for de-aggregation of aggregate data.
  3. Consent for Scientific Research:
    Clarity and structural improvements are suggested to enhance understanding of consent clauses for scientific research purposes.
  4. Purpose Limitation:
    Inconsistencies with other parts of the legislation raise concerns regarding misinterpretation and controller responsibilities.
  5. Vexatious or Excessive Requests:
    Language inconsistencies and a shift in the threshold for refusing data subject requests require careful consideration of all circumstances.
  6. Information to be Provided to Data Subjects:
    Exceptions to transparency information may not adequately cover cases where full transparency could undermine research objectives or where providing privacy information is costly.
  7. Automated Decision-Making:
    Further clarification is needed to determine if human involvement is required for decisions “based on entirely automated processing.”
  8. General Obligations and Duty to Keep Records:
    Clarity is needed on “appropriate measures” versus “technical and organizational measures,” as well as guidance on high-risk processing activities and mandatory risk assessments.
  9. International Transfers of Personal Data:
    Chapter 5 changes aim to clarify adequacy decisions and alternative transfer mechanisms, but further clarity is required.

These updates reflect the ICO’s recommendations for enhancing clarity and effectiveness of the second data protection & digital information Bill. Organizations should consider the implications for data protection practices.

For questions or further assistance regarding these changes, please reach out.

Lynsey Hanson DPO

Lynsey Hanson | Data Protection Officer

lynsey.hanson@tenintel.com

 

Why was ChatGPT Banned in Italy?

ChatGPT banned in Italy over privacy concerns,  Hannah Walker, Analyst at TenIntelligence reports…

Last week the Italian Data Protection Authority (The Garante) took steps to temporarily prevent ChatGPT from processing the personal data of individuals located within Italy. This is so that ChatGPT’s privacy practices can be investigated.

The Garante is implementing the ban due to concerns following ChatGPT’s recent data breach. Information such as Users’ chat titles and payment information was exposed. Following the breach, further questions were raised regarding potential GDPR violations. The main concerns raised by the Garante were the following:

  • OpenAI could not provide users with the required transparency information about the personal data being processed by ChatGPT.
  • No legal basis for the mass collection and processing of personal data for “training” the algorithms that the platform relies on for operation.
  • Regarding the potential inaccuracies with the processing of personal data.
  • A failure to verify the user’s age. This means the users under 13 could receive content not age appropriate. While Googles AI Chatbot “Bard” is only available to over 18s.

What is ChatGPT?

ChatGPT is an AI language model developed by OpenAI, based on the GPT (Generative Pre-trained Transformer) architecture. ChatGPT is designed to generate human-like text based on the input it receives, and it can be used for various purposes, such as answering questions, engaging in conversation, writing articles, generating creative content, and more. It has been trained on a vast dataset of text from the internet, which allows it to generate contextually relevant and coherent responses. However, it is important to note that its knowledge is limited to the information available up to September 2021.

The Technical Bit

ChatGPT is based on the GPT (Generative Pre-trained Transformer) architecture, which is a type of deep learning model specifically designed for natural language processing tasks. The technical aspects of ChatGPT can be divided into three main components: the Transformer architecture, the pre-training, and the fine-tuning.

  1. Transformer architecture: The Transformer is a neural network architecture introduced in a paper by Vaswani et al. (2017) called “Attention Is All You Need.” It is designed to handle sequential data like text, but unlike traditional recurrent neural networks (RNNs) or long short-term memory networks (LSTMs), it relies heavily on the attention mechanism to process input data in parallel, instead of sequentially. This enables the Transformer to scale more effectively and handle long-range dependencies in text.
  2. Pre-training: ChatGPT is pre-trained on a large corpus of text data from the internet. During pre-training, it learns to generate text by predicting the next word in a sentence, given the words that came before it. This process is known as unsupervised learning, as it doesn’t require labelled data. The model learns various language patterns, grammar, facts, and some reasoning abilities through this exposure to a diverse range of text.
  3. Fine-tuning: After pre-training, the model is fine-tuned on a smaller, more specific dataset with human-generated input-output pairs. This step is considered supervised learning, as it uses labelled data. Fine-tuning helps the model generalize its learned knowledge to respond more accurately and appropriately to user inputs, adapting its behaviour to specific tasks or conversational domains.

It’s important to note that, although ChatGPT is a powerful language model, it can sometimes generate incorrect or nonsensical answers due to biases in the training data or the lack of an explicit understanding of the world as humans do. Additionally, it may be sensitive to the phrasing of input queries and might generate different responses based on slight changes in phrasing.

Chat GPT and Italy’s Ban: Exploring the Implications

This means that OpenAI now has 20 days to respond to the alleged breaches, as well as providing corrective measure details. If they fail to provide the requested information, they could be issued with a fine of £17.5 million ($21.7 m) or up to 4% of annual revenues.

The chatbot is blocked in several countries, including China, Russia and North Korea. The ban is also following the recent requests from key figures such as Elon Musk to pause AI development until there is a better understanding of AI systems.

Chat GPT and Italy’s Ban: What You Need to Know

Italy has become the first Western country to block the advanced chatbot ChatGPT, developed by OpenAI, due to privacy concerns raised by the Italian data protection authority. The regulator has banned and initiated an investigation into OpenAI’s compliance with the General Data Protection Regulation (GDPR). The watchdog cited a data breach involving user conversations and payment information and expressed concerns about the mass collection and storage of personal data for algorithm training. It also highlighted the potential exposure of minors to unsuitable content due to the lack of age verification.

OpenAI has disabled ChatGPT for users in Italy and stated its commitment to complying with GDPR and other privacy laws. The company expressed its belief in the necessity of AI regulation and its intention to work closely with the Italian data protection regulator. Other countries are monitoring the situation, with the Irish data protection commission coordinating with EU data protection authorities and the UK’s Information Commissioner’s Office stressing the importance of compliance with data protection laws.

 

TenIntelligence Thoughts

ChatGPT has proven how powerful and easily accessible AI can be but has also shown that it is something that will need additional legislation and stricter regulation. Although the EU is currently working on legislation for AI it does leave consumers at risk from the already available technology until the legislation can take effect.

The risks of ChatGPT to cybersecurity and due diligence could be immense. Here are some points to consider:

  • With Microsoft backing OpenAI, and looking to implement the same chatbot technology into its search engine Bing, it could be very easy for false information to be shared due to the lack of quality checks on the data being collected. From a due diligence standpoint giving clients false information without confirming the validity of the data could create a negative impact on company reputations.
  • A better standard of quality assurance needs to be implemented regarding the information it is collecting and sharing.
  • Another issue with using AI chatbots is how far can the AI go? It is already possible to ask the chatbot to check for security flaws in code snippets, can AI technology be used as a means of targeting companies finding weaknesses in their security?
  • It is also possible to ask the chatbot to generate pieces of code meaning that it is possible to ask it to generate malicious code as well.
  • Thanks to its ability to generate human-like content it is easy for phishing content to be generated, with malicious links included.
  • There has also been reports of cyber-criminals working on ‘deep fake chatbots’ where they use ChatGPT to pose as fake AI Assistants on popular websites, extracting information from unsuspecting users.
  • While OpenAI has included some ethical limitations on ChatGPT, for example someone couldn’t outright ask the chatbot to write a phishing email, but if phrased differently it could still be possible to have an email written with a sense of authority and still include a specific link leading to potentially fraudulent pages.

While there are risks that come with ChatGPT, there are some benefits to using the chatbot with more benefits arising as it is developed further.

  • While there is the disadvantage of being used to create malicious code, businesses are also able to use ChatGPT coding abilities to their advantage to find potential exploits early enough to be fixed.
  • It could also be possible to use it to help strengthen security, asking it to write defensive code, using it for file management, encrypt and store files in safer locations.
  • It could also be possible to ask ChatGPT with its coding abilities to write basic PowerShell scripts which could be useful for malware analytics, creating Python scripts used for detecting network port scans or blocking malicious IPs.
  • It can also be used to carry out repetitive and autonomous tasks, helping with penetration test reports.
  • It can also help with some aspects of cybersecurity training and awareness course for employees, asking employees to rethink opening certain emails. This could be pushed further with more development with AI being able to scan, identify and potentially isolate Phishing emails automatically.

Hannah

 

Written by

Hannah Walker | Analyst at TenIntelligence

Keeping Children Safe in Education | Recruitment Checks

Online Background Checks | What does KCSIE 2022 now say?

The updated guidance from the UK Department of Education’s “Keeping Children Safe in Education” in September 2022, has introduced a requirement that all schools should consider carrying out an online search as part of their due diligence on the shortlisted candidates.  These checks will help identify red flags, incidents, or issues that have happened and are publicly available online, which the School or College might want to explore with the shortlisted candidate at their interview.

Guidance from the Department of Education further states that it is recommended the online background checks and collation of information is carried out independently, and not involved in the recruitment selection process.

 

How can Tenintelligence help your business?

We provide with different levels of online background checks and due diligence, which are imperative to make assured decisions for your company. The step-by-step process  is given below:

  • we interrogate the history of individuals, specifically looking for undisclosed red flags, adverse findings, false or exaggerated statements
  • our research covers multiple international jurisdictions and is performed in different languages
  • we provide unbiased insight and assess the appropriateness of an individual based on third-party interviews

Contact us at info@tenintel.com or +44 (0) 173 252 5810 for further assistance.

 

Managing the Risks of Crypto Assets for Buyers

In this article, Will Charlesworth at Saunders Law discusses with Neil Miller, founder at crypto due diligence firm TenIntelligence, the risks associated with purchasing crypto assets and how they may be mitigated and managed.

Fear of Missing Out

We are in the midst of a crypto asset-goldrush, with cryptocurrencies and NFTs being the must-have investment crypto assets.

However, cryptocurrencies and NFTs are so new, and the fear of missing out is so great, that many purchasers are not carrying out what might be termed ‘sensible’ or even ‘essential’ due diligence before buying. The result is an increased risk of loss (and in some cases, litigation); as we will explore in this article, the purchasers of crypto assets cannot rely solely on government regulation or lawyers (as good as they may be) to be their only protection or risk mitigation.

What is the Risk?

In the UK, unlike other forms of investments, crypto assets are currently largely unregulated. The press is reporting an increasing number of cases of fraud: from investment scams involving the mis-selling of cryptocurrencies at the Initial Coin Offering stage, to copyright infringing NFTs (leading to liability and loss for the purchaser), to the theft of tokens from crypto coin exchanges and wallets.

Whilst fraud can be reported to the Police/Action Fraud (and we would always suggest it should be in any event), the authorities often do not have sufficient resource to allocate to investigate and prosecute wrongdoers.

It is therefore left to specialist commercial litigators in many cases, to seek to enforce individual rights and recover assets.

The number of cases being brought in the English courts against coin exchanges, cryptocurrency and NFT creators (and traders) has increased exponentially over the last few months, keeping specialist lawyers in the crypto field, extremely busy.

Risk cannot be eliminated, and we therefore need to consider some practical ways in which to mitigate and manage the risks associated with purchasing crypto assets.

Is Regulation the answer to Risk Mitigation and Management?

In short, the answer is no, currently.

The UK government has plans to strengthen the rules on crypto asset advertisements and protect consumers from misleading claims, by bringing the promotion of crypto assets within the scope of financial promotions legislation. However, at the time of writing, such plans are yet to be implemented. The government says that it does not wish to stifle innovation in the crypto sector, however it wants to ensure greater safeguards are in place.

In respect of certain crypto assets, such as NFTs, they may fall within regulation if they match the criteria of either ‘electronic money’ (under the UK Electronic Money Regulations 2011) or a ‘security token’ (as a specific investment under the UK Financial Services and Markets Act 2000 (Regulated Activities) Order 2001). However, outside of those specific token definitions, there is little to no regulation or safeguards.

The Financial Conduct Authority (FCA) has taken steps to bring those carrying out crypto business in the UK within the existing Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations that cover other regulated businesses, however that may in practice do little to protect purchasers.

Those having to register with the FCA under the AML and CTF regulations include: Crypto asset exchange providers (including Crypto asset Automated Teller Machine (ATM), Peer to Peer Providers, those issuing new crypto assets, e.g Initial Coin Offering (ICO) or Initial Exchange Offerings), and wallet custodians.

The FCA’s responsibility under this regime is however limited to AML/CTF registration supervision and enforcement only. Registration under the MLRs does not mean that consumers will benefit from the protections of the Financial Ombudsman Service or the Financial Services Compensation Scheme (FSCS). Further, as most crypto assets are not “specified investments” it is unlikely that customers will have access to the Financial Ombudsman Service or FSCS.

The risk for purchasers of crypto assets here is also that if the business with which you are dealing is not registered when it should be, and is then subject to investigation and enforcement, it can have negative impact on your assets, leading to loss if those assets are seized.

It should be noted also that the HMRC are also now taking an active interest in crypto assets with their potential seizure: for example, HMRC has recently seized three NFTs as part of a probe into a suspected VAT fraud involving 250 alleged fake companies. See the article here.

In summary, one cannot rely solely on regulation at this time for risk management for a purchaser of crypto assets.

Are Lawyers the answer to Risk Management?

The answer is “yes, in part.”

Lawyers are often thought about too late in a transaction i.e. after the asset has been purchased. For example, if a crypto asset has been mis-sold or stolen, and the seizure and recovery of the assets or funds paid for the assets are sought, a legal action can be brought as a means of recovery however this is all after the event.

Legal actions in respect of crypto assets can be expensive and the costs are front-loaded, as the first steps in any such action are often to:

    • trace the location of the crypto assets/funds;
    • identify the perpetrators; and
    • seek a proprietary injunction either over the assets themselves, or a freezing order over the assets of the perpetrators (or both).

There can be good chances of success in a legal action, however litigation always carries an element of risk.

Are lawyers only relevant after a purchase, when it goes wrong? Well, as we are discussing managing the risks of crypto assets, we would suggest that specialist crypto lawyers are retained to advise as to the risks of a particular purchase before it is made. For example, with an NFT it is necessary to consider the nature of intellectual property rights accompanying the token, and the relevant rights (including how the smart contract is drafted (purporting to grant those rights)). Due diligence on the asset and the rights accompanying it, is something we would recommend.

Lawyers do play a part in risk management from a due diligence standpoint, but they are not the only available resource or the sole answer to the question.

Is Practical Due Diligence the answer to Risk Management?

The answer to the above is ‘yes, in part’.

It is often true that ‘prevention is better than cure’ and that certainty applies in the case of crypto assets. It is interesting that due diligence is always carried out in corporate transactions involving the sale and purchase of companies or other high-value assets, and similarly in the art world where provenance of a work is key. However, it is often not the case with crypto assets, which can cost as much, or more than ‘traditional’ investment assets such as property, businesses, and physical artworks.

Due diligence should apply as much in crypto, as it does elsewhere. If we consider the example of an Initial Coin Offering (ICO), which is relatively common in the crypto world, the cryptocurrency will release a ‘white paper’ as a first step, which is a marketing tool that’s used to persuade and influence investors.

There is no standard template for a crypto white paper, however it will typically include a project outline, the solution it purports to provide, an overview of the team behind the offering, information regarding the token release and marketplace considerations (typically the value, the number of tokens to be in circulation, and the platform on which they are to be issued), and a project roadmap.

The information about the team may include photographs, short biographies, links to LinkedIn and Twitter profiles; it is designed to establish trust. An investor should be confident that the team proposed is capable of delivering on the project’s promises (the solution). A whitepaper is just a marketing tool however, and it’s vital to see and trust the information it represents. So, why not undertake some due diligence on the people and other companies behind the offering before investing?

Further, a whitepaper is a living document, updated and edited as the project continues, therefore due diligence is something that is likely to be required to be updated as the whitepaper is updated.

Will applying existing Financial Crime compliance measures work?

Yes, applying compliance measures is a proven technique to help mitigate risk”,

Neil Miller outlines below how TenIntelligence can assist with practical due diligence, which has become essential in the current market.

Good financial crime compliance and anti-money laundering directives all require organisations to introduce a risk-based approach to enhanced due diligence and fraud prevention measures.  When assessing the risks of money laundering and terrorist financing, organisations should check whether any high-risk factors apply.

The biggest risk currently facing investors and crypto currency platforms is the anonymity and ambiguity of customers as well as some of the individuals and developers that are behind the companies offering crypto currency services themselves.

Although, Crypto currencies are not currently measured by Financial Action Task Force (“FATF”) as a high risk, they do recognise that compliance processes are required in relation to Virtual Assets (“VA”) and Virtual Asset Service Providers (“VASPs”), in particular with regard to:

      • supervision or monitoring of VA, ICOs and their VASPs for anti-money laundering and counter finance terrorism purposes
      • licensing or registration of VA, ICOs and VASPs
      • fraud prevention measures, crypto due diligence, suspicious activity and transaction reporting
      • enforcement and sanction measures for offenders

Customer Due Diligence – a risk based approach

Let’s start with customer due diligence. When dealing with individuals or investors established in high-risk jurisdictions, or are exposed to other cases of high risk, it is imperative that  crypto companies identify the areas of risk and apply enhanced due diligence measures to manage and mitigate those risks appropriately.  Specifically, to question:

      • whether their customers are operating in geographical areas of higher risk, including areas of non AML/CTF legislation, significant levels of corruption, countries subject to UN sanctions and/or countries harbouring designated terrorist organisations
      • are ownership structures of larger investors appear unusual or excessively complex given the nature of their business
      • whether your organisation has received funds from unknown parties
      • what information you collect from your customers? Can you demonstrate sound “KYC – know your customer” compliance? How do you verify the information gathered?
      • whether any business relationships are conducted in unusual circumstances

ICOs, are they who they say they are?

Large and small investors will want to know who they are investing their assets with and the assurance that the ICOs are appropriate.  Will talked earlier about ICO due diligence and although there is no required template for the ICO organisation to complete, investors can still perform background checks on the management and developers who are behind the ICO platform.

The fundamentals of background checks remain the same regardless of the industry, it is just applied differently.  In the ICO example, our team would determine the ICO’s integrity, ability, reputation by performing open source intelligence and background checks on the senior management, board directors, relevant executives and shareholders of the ICO.

We would specifically be looking for adverse information and risk, including undisclosed red flags, conflicting findings, false or exaggerated statements and report these findings to the investor.

Background checks will include but not limited to verifying their qualifications and employment history, analysing their financial status, examining their record as a board director, identify whether there are any litigation, insolvency or court cases filed, as well as digging deeper via archived media and press articles, as well as possible exposure to sanctions lists and politically exposed persons.

If the required, an additional level of enhanced due diligence can be applied by providing investors with an independent analysis and assessment of the appropriateness of directors and developers’ professional background by speaking with former colleagues, clients and senior management that had previously worked with the individual.

All of these crypto due diligence measures, enhanced due diligence, industry insight interviews and regulatory references, allows investors to invest with more assurance, confidence and compliance.

Conclusion

In summary, the answer to mitigation and management of risk when buying crypto assets is a combined approach of legal advice, and practical due diligence.

The disputes arising out of crypto assets and the risk of such investments, is cause for a pause, and an active, informed, consideration of the steps that can be taken to understand and manage risk before proceeding with a purchase of a crypto asset.

The current crypto asset market is volatile and immature, presenting an elevated risk of loss, liability and in some cases, litigation. Due diligence before a purchase, that includes legal and practical investigation in our view is an essential step for any purchaser in managing their risk.

If you would like to discuss the issues raised in this article or require specific advice as to a crypto asset purchase or sale, please contact managing-risk-when-buying-nfts at will.charlesworth@saunders.co.uk and Neil Miller at TenIntelligence on neil.miller@tenintel.com.

Data Protection News | September 2022

International Data Transfers

Turning to our previous August Newsletter, you may recall we have previously talked about the upcoming requirement of Transfer Risk Assessments (“TRA’s”) in addition to the supporting International Data Transfer Agreements (“IDTA”).

When transferring personal data to a ‘restricted country’ an International Data Transfer Agreement and supporting Transfer Risk Assessment is required. This a regulatory obligation organisations must meet to remain complaint with the ICO’s guidelines and regulations from this month, the 21st of September 2022.

Hint: Having a Data Map, which I know some have already made a start on, is a great tool to visualize and plan where you may be transferring personal data, which should now include ‘restricted countries’ which requires TRA’s & IDTA post sharing, consider future foreign data projects here too. It may be that you also review and update internal supporting processes and procedures that could be used during this type of exercise.

Children’s Code

Children’s Code Self-Assessment Tool. With many children recently returning to their classrooms, it is a time where many parents may be educating their children on online harms and threats and how they can protect their own personal data.

With this in mind, it is a good time to remind you this tool is available to you and what some of the key challenges are, shown below:

  • Providing child friendly privacy information
  • Assessing the online service appeal to children of different ages and whether children use the service
  • Applying appropriate age assurance measures
  • Implementing new controls to existing services or products

You can find the assessment tool on the ICO’s website https://ico.org.uk/for-organisations/childrens-code-hub/children-s-code-self-assessment-risk-tool/.

ICO Complaint Handling

The ICO have recently published guidance on how small businesses handle Data Protection related complaints.

You may find even with the correct policies and procedures in place, people including staff may not be happy with how their personal data has been handled.

How you manage a compliant right from the moment you receive it, to the moment you provide a final response matters, as not only does effective complaint handling show the complainant you take their expression of dissatisfaction seriously, but it protects company reputation and can improves service levels.

The ICO’s guidance on how to handle complaints is made up of 6 stages:

Step 1- Acknowledge Receipt- Provide the subject with information explaining next steps, provide them a point of contact and reassure them you are investigating their complaint. Having a customer friendly Complaints Procedure is a great way of doing exactly this.

Step 2- Find Out What’s Gone Wrong/Source of dissatisfaction- Obtaining as much accurate information as possible is essential when carrying out root cause analysis. If you don’t know what has gone wrong, how are you going to know how to put it right, prevent it happening again, and identify if the complaint is one that is reportable to the ICO!

Step 3- Provide Regular Updates- Providing regular updates on where you are with the subject’s complaint, provides reassurance you take their complaints seriously, helps minimise any frustration the subject may feel. And in many cases makes working with the complainant a smoother and nicer process for all. It is quite often companies’ customer facing Complaints Procedure outlines at which stages of the complaints procedure the subject can expect an update from you.

Should you want further guidance on customer facing Complaints Procedures and/or how often you should contact complainants please contact our DPO, who will provide advice on ‘best practise’ and review any regulatory obligations you may have such as those under the FCA.

Step 4- Record Your Actions- Make a record of the date you received the data protection complaint and the date your response is due. Keep details of any related conversations and copies of all relevant documents from start to finish, including the reasons for the decisions you’ve made, and any action taken, or not taken. It will also provide evidence of what you’ve done, which the ICO or industry bodies may need in the future.

Step 5- Respond to Complainant- Having completed your investigation, let the person know the outcome. Clearly explain what you’ve done to resolve the data protection complaint and any actions you’ve taken as a result. Include enough information to help them understand how you’ve reached your conclusion. It can be useful to bullet point the complaint areas and respond to each point, providing appropriate evidence where possible.  You should also let the complainant know they have the right to complain to the ICO.

Step 6- Review Lesson Learned- Once you’ve responded to the complainant, take the opportunity to review what happened, review any ‘root cause’ you have identified. Consider if there’s anything you can learn or improve on to prevent future complaints, and what remedial or preventative measures could you take.

Hint: Keep an eye out for trends, if you routinely see a lot of complaints in similar areas, an appropriate change can make all the difference.

Should you wish to find out more on how to handle complaints, including tone and pace when handling complaints over the phone, please do not hesitate to reach out.

Regulatory Prosecutions

The Irish Data Protection Commission has fined Meta-owned social media platform Instagram €405 million for violations of the General Data Protection Regulation.  The fine, which is the second largest GDPR penalty to ever be handed down, covers alleged violations stemming from Instagram’s default account settings for children ages 13-17 that exposed email addresses and phone numbers associated with child-operated accounts.

It is the third fine for a Meta-owned company handed down by the Irish regulator, after a 225 million euro fine for WhatsApp and a 17 million euro fine for Facebook. A Meta spokesperson said:

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision”

For further information, guidance and advice on any of the subjects that have been mentioned in this month’s TenIntelligence Newsletter, please contact me at lynsey.hanson@tenintel.com

 

Kind regards,

Lynsey Hanson | DPO

TenIntelligence

www.tenintel.com/data-protection-privacy

Crypto Due Diligence | Will applying existing Financial Crime compliance measures work?

Why performing Crypto Due Diligence is a reliable fraud prevention tool.

Good financial crime compliance and anti-money laundering directives all require organisations to introduce a risk-based approach to enhanced due diligence and fraud prevention measures.  When assessing the risks of money laundering and terrorist financing, organisations should check whether any high-risk factors apply.

The biggest risk currently facing investors and crypto currency platforms is the anonymity and ambiguity of customers as well as some of the individuals and developers that are behind the companies offering crypto currency services themselves.

Although, crypto currencies are not currently measured by Financial Action Task Force (“FATF”) as a high risk, they do recognise that compliance processes are required in relation to Virtual Assets (“VA”) and Virtual Asset Service Providers (“VASPs”), in particular with regard to:

      • supervision or monitoring of VA, ICOs and their VASPs for anti-money laundering and counter finance terrorism purposes
      • licensing or registration of VA, ICOs and VASPs
      • fraud prevention measures, crypto due diligence, suspicious activity and transaction reporting
      • enforcement and sanction measures for offenders

Customer Due Diligence – a risk based approach

Let’s start with customer due diligence. When dealing with individuals or investors established in high-risk jurisdictions, or are exposed to other cases of high risk, it is imperative that  crypto companies identify the areas of risk and apply enhanced due diligence measures to manage and mitigate those risks appropriately.  Specifically, to question:

      • whether their customers are operating in geographical areas of higher risk, including areas of non AML/CTF legislation, significant levels of corruption, countries subject to UN sanctions and/or countries harbouring designated terrorist organisations
      • are ownership structures of larger investors appear unusual or excessively complex given the nature of their business
      • whether your organisation has received funds from unknown parties
      • what information you collect from your customers? Can you demonstrate sound “KYC – know your customer” compliance? How do you verify the information gathered?
      • whether any business relationships are conducted in unusual circumstances

ICOs, are they who they say they are?

Large and small investors will want to know who they are investing their assets with and the assurance that the ICOs are appropriate.  Will talked earlier about ICO due diligence and although there is no required template for the ICO organisation to complete, investors can still perform background checks on the management and developers who are behind the ICO platform.

The fundamentals of background checks remain the same regardless of the industry, it is just applied differently.  In the ICO example, our team would determine the ICO’s integrity, ability, reputation by performing open source intelligence and background checks on the senior management, board directors, relevant executives and shareholders of the ICO.

We would specifically be looking for adverse information and risk, including undisclosed red flags, conflicting findings, false or exaggerated statements and report these findings to the investor.

Background checks will include but not limited to verifying their qualifications and employment history, analysing their financial status, examining their record as a board director, identify whether there are any litigation, insolvency or court cases filed, as well as digging deeper via archived media and press articles, as well as possible exposure to sanctions lists and politically exposed persons.

If the required, an additional level of enhanced due diligence can be applied by providing investors with an independent analysis and assessment of the appropriateness of directors and developers’ professional background by speaking with former colleagues, clients and senior management that had previously worked with the individual.

All of these crypto due diligence measures, enhanced due diligence, industry insight interviews and regulatory references, allows investors to invest with more assurance, confidence and compliance.

AIM Director Due Diligence

AIM Director Due Diligence

Neil Miller, Founder at TenIntelligence was recently quoted in the Daily Telegraph Business section outlining the importance of director due diligence for AIM listed companies.

The firm Purplebricks has been forced to delay the appointment of its new boss as advisers examine the implications of a previous personal insolvency that has not been disclosed to shareholders. The online estate agent announced that Helena Marston was unable to take charge as chief executive on Monday as planned because due diligence checks are not yet finished.

It did not disclose the reasons for the hold-up, but sources said that concerns are focused on the fact Mrs Marston was declared bankrupt under her maiden name of Epplestone in September 2014.

As a company listed on the AIM junior stock market, Purplebricks must get board appointments vetted by its nominated adviser, Zeus.

The former personal insolvency was declared to Zeus as part of a questionnaire that Mrs Marston filled in when she was appointed. Her bankruptcy has been discharged.

Sources said there was an internal discussion about whether it should also be revealed to investors in a stock market notice on March 10 that announced her appointment. The details were included in a draft version of this announcement but then removed.

Neil Miller, chief executive of due diligence firm TenIntelligence, said that Mrs Marston’s credentials would have to be checked carefully as part of the appointment process.

He said: “Before any individual can be appointed to the board of an AIM listed company, the nominated advisor will need to complete their director due diligence. As part of this process the individual will need to submit, answer and disclose a Directors Questionnaire.

“Questions will give the individual the opportunity to include whether the individual has ever been subject to court cases, litigation, criminal records, disciplinary investigations and insolvency.

“Any adverse findings, unexplained gaps in their history or other red flags, have to be challenged as part of the judgement process before appointing the individual.”

Mrs Marston had served as chief operating officer under previous chief executive Vic Darvey, who resigned in March for personal reasons. She was not on the board in this role.

It is not the first time that Purplebricks has faced controversy. The company was fined £267,000 by HMRC in 2020 for violating anti-money laundering rules.

Purplebricks said: “Further to the announcement on 10 March 2022 relating to the appointment of Helena Marston as chief executive officer of the company, the company announces that due diligence checks required by the AIM rules are ongoing and therefore Helena’s appointment remains subject to completion of these checks.

“A further announcement will be made a soon as possible.”

 

How we can help:

We deliver concise due diligence on businesses, vendors, agents, individuals, customers and other counter-parties to satisfy financial crime compliance and AML demands, so that our clients can operate with confidence. We also assist clients undertake detailed risk assessments and implement tailored programmes in order to overcome their compliance challenges and to deter financial crime.

For more information regarding our due diligence service, please email us via info@tenintel.com. Our team is looking forward to providing International Background Checks and help your organisation make informed decisions.

For more updates, you can follow us on LinkedIn @TenIntelligence.

What is modern slavery and human trafficking | and how due diligence measures help?

What is modern slavery and human trafficking | and how due diligence measures help?

Generating about $150 billion US dollars annually, human trafficking and modern slavery are the third global largest source of criminal profit next to drug trafficking and trading counterfeit goods. Analyst, Fiona Harmsen reports…

Most of this dirty money moves through the global financial system. Therefore, financial institutions play a dominant role in the fight against human trafficking and modern slavery.

Slavery exists in situations of labour, domestic and commercial sexual exploitation, in which the person cannot refuse or leave due to threats or violence, but also in a situation in which someone exercises a power of ownership on that person.

According to the International Labour Force, in 2016, 24.9 million people were victims of forced labour.

Human trafficking is the “recruitment, transportation, transfer, harboring or receipt of persons, by means of the threat or use of force or other forms of coercion, of abduction, of fraud, of deception, of the abuse of power or of a position of vulnerability or of the giving or receiving of payments or benefits to achieve the consent of a person having control over another person, for the purpose of exploitation” (Palermo Protocol 2000)

The 3 most common types of human trafficking are sex trafficking, forced labour, and debt bondage. Human trafficking goes from using children for pornography or armed conflicts, to exploiting adults in to forced labour.

How are human trafficking and modern slavery connected to financial institutions and what are their financial footprints?

From the manufacturing of our electronical devices to the food available in our supermarkets, our products can potentially be generated from forced labour coming from publicly listed trading companies that stock up major holdings from institutional investors.

On one hand, the financial sector can be connected to Human trafficking and modern slavery via their own operations through their own business; this can be done directly, however, the most common connection lies through client engagement: many employees in financial institutions can play a major role in identifying and reporting signs of human trafficking.

On the other hand, financial institutions can also take part of human trafficking and modern slavery via their business relationships, which includes but is not limited to investment, payments, and lending.

As an illustration, a financial institution investing in a business in which modern slavery occurs.

These business relationships and connections vary: they can be with upstream providers of financial inputs and services or with downstream clients.

For instance, financial institutions produce services based on upstream financial inputs, such as subscriptions into banking borrowing.

The providers of these inputs may themselves be linked to human trafficking and modern slavery, especially if they are inputting capital generated from human trafficking and modern slavery.

Or, institutional may own equity stakes in businesses that rely on human trafficking and modern slavery directly or in their supply chains.

Or, banks may lend to such firms, insurances may provide them policies, financial institutions may provide payment services to businesses involved in sex trafficking etc.

How can due diligence help manage human trafficking and modern slavery?

Not only due diligence is a requirement of anti-money laundering legislation, it is also a way to help in the fight against modern slavery and human trafficking.

By identifying the signs

Signs recognition of modern slavery and human trafficking is the first step in order to help managing it.

These signs can be found with the help of due diligence via behavioural indicators (such as evidence of emotional or physical abuse) and KYC process indicators (such as false ID documents or criminal associations).

Additionally, by using monitoring technology, financial institutions can recognize patterns of underlying human trafficking crimes in financial transactions.

These financial transactions can be such as hotel reservations made by the same individual for two rooms during the same period of time, or frequent purchases of small amounts of bitcoins.

On another hand, an unusual or unrelated number of joint account holders can also be a sign of potential modern slavery and human trafficking.

By managing the risks

Alongside with identifying the signs of modern slavery and human trafficking, due diligence also helps to manage these risks.

The process of managing risks comes in different shapes. It can be through facilitating asset confiscation and restitution, through revealing trafficking organisation membership and structure, or even through demonstration the motive of traffickers.

Embellishment or Fraud? The importance of CV verifications

Embellishment or Fraud? The importance of CV verifications

There are many examples of CV manipulation, embellishment and exaggeration.  Rae Legg explores the considerations regarding CVs and fraud.

“What’s the harm in a little white lie?”

“I’m not lying, I’m just omitting the truth!”

“Embellishment is just part of writing a CV!”

“Most job requirements are ridiculous!”

These are some of the many things people say in an attempt to justify lying about their qualifications or previous experience on their CVs. A question frequently asked on r/AskReddit is what people lied about on their CVs, and whether or not they got away with it.

The lies range from being fluent in a different language, having experience with a particular software, to purchasing forged diplomas with no regrets.

It is not surprising to hear how common CV fraud is.

A study conducted in 2019 by Credence and Higher Education Degree Datacheck (HEDD) found that out of the 55,000 CVs that were analysed, 15% returned academic discrepancies, ranging from inaccurate grades, different attendance dates, to making up a degree altogether.

Another survey from CV-Library in 2018 revealed that up to 92.5% of British people got away with lying on their CV, with approximately 71.6% getting a job as a result of their lying.

The frequency of people lying on their CVs may cause people to question or even downplay the harm involved with CV fraud.

History suggests, however, that there is in fact, a lot of harm, and that people who lie on their CV will most likely go on to lie about other aspects, or even commit fraud further down the line, having realised that they’ve got away with the first lie.

In October 2018, a woman from New Zealand was jailed after being found out for lying about having a medical degree when she registered in the UK and practised psychiatry for 22 years with no official qualifications. She had attempted to fake a dementia patient’s will and applied for power of attorney in order to inherit the patient’s £1.3m estate.

This is not an isolated incident. There are many other cases, including the case of ‘Dr’ Daniel Mthimkhulu who not only lied about having a PhD in rail engineering when interviewing for Passenger Rail Agency of South Africa (Prasa) and caused the “Tall Trains” scandal, but also created a fake counteroffer from a rival company in order to increase his salary. He has now been ordered to pay Prasa back R5.7m.

And most people are very aware of the story of the NHS fraudster, Philip Hufton. As detailed in our January 2021 insight, the former senior Business Development manager of an NHS Foundation trust lied about numerous qualifications, such as a PhD and a Master’s degree, and incurred £350,000 worth of fake expenses.

Situations like the above are completely avoidable when recruitment teams invest more in verifying qualifications and previous experience, as opposed to prioritising numbers and bums-on-seats.

Fraudsters get discouraged from applying to roles as it becomes easier to distinguish dishonest candidates from honest ones, and therefore companies are protected from potential reputational, financial, and judicial risk.

International Background Checks into senior executives, managers and new hires, entails rigorous interrogation and analysis of information gathered from a range of open sources.

Background checks should include searches with press articles, court searches, company registries, public records and documents, insolvency registers, financial regulator fines and licenses, subscribed databases, sanctions checks as well social media platforms.

When required, background checks should cover global jurisdictions and research must be performed in key languages.

 

How we can help:

We have a team of Analysts and Associates who interrogate the individual’s CV, application forms and corporate history specifically looking for adverse information and risk, including undisclosed red flags, conflicting findings, false or exaggerated statements and report these findings to the client.