Data Mobility in the Trumpian Post-Brexit Era

From time to time I am engaged to help organisations in the UK and in the EU make decisions about where their data is stored, how it is accessed, and how to keep things as stable as possible over the next few years. This was a dizzying mess until 2025, and in 2026 there are some big decisions coming. Organisations need as much certainty as they can get for making decisions which are expensive to change in the future. ...

February 11, 2026 · 2429 words · Dan Shearer

Opportunity in GDPR Article 28

The detail of the GDPR and its implied computer science contain a solution for sharing secrets according to law. This continues to be true in 2026, as the Digital Omnibus Regulation takes shape. Executive Summary: The GDPR sets up a conflict in trust between companies in particular circumstances, which can only be resolved by using the automation of a cryptographic audit trail with particular properties as described below. Problem Statement: Under the EU’s GDPR law virtually every company is a Controller, and virtually all Controllers use at least one Processor. When a Processor is engaged, the GDPR requires that a contract is signed with the very specific contents spelled out in clause 3 of Article 28. The GDPR requires that Controllers and Processors cooperate together in order to deliver data protection, and this cooperation needs to be very carefully managed to maintain the security and other guarantees that the GDPR also requires. That’s what this mandatory contract is intended to achieve. ...

February 9, 2026 · 2799 words · Dan Shearer

Analysis of EU-US Privacy Shield

The immense Privacy Shield was a 2016 self-certification scheme for US companies to hold themselves to the strict EU privacy rules. In 2020 Privacy Shield was struck down by the EU Court of Justice. In non-technical terms, the Court said: There is no way Privacy Shield can work. So don’t use US-controlled cloud companies such as Google or Amazon. In late 2021 this decision started rippling out across Europe, as one place and then another moved away from these giant US companies, starting with government users. We all like familiarity and wish to avoid change, so this decision seems astonishing to many people. Once organisations get over their surprise, it is not so difficult to do. In 2023 I wrote: It remains to be seen what these US companies will do in 2023. Some of them are wealthier than several smaller EU nations combined. By 2026 we had the answer - they used coercion by political, economic and legal means to prevent EU citizens using their own IP to build their own services. ...

February 8, 2026 · 1374 words · Dan Shearer

Security Standards and Certifications

I have been lead implementer of the main security and privacy standards several times each. These can seem intimidating, but properly used they improve security overall, and can help a business run more smoothly. From a pragmatic, business point of view: These standards are about writing down the actual rules of your business relevant to security and privacy, and then writing down how you improve these rules, and recording how well they work. All businesses can benefit from challenging their working habits and practices, and since privacy and security touch most parts of a business, this is an opportunity to review how the business works before something goes wrong. From the point of view of both Computer Science and Information Management Science: ...

February 1, 2026 · 1023 words · Dan Shearer