Net Neutrality – Is regulation really the answer to protect consumers and businesses from bandwidth throttling and broadband manipulation of internet protocols?
An extract of this article is available from Gulf News online (at bottom of page) and was published in full in hard copy.
Back in 2003, Tim Wu coined a new phrase “net neutrality”, when he identified the discrimination by broadband and telecommunication companies who used to practice biased services to consumers and corporates based on the type of data being transferred from the host to the user. Net neutrality is the unbiased delivery of packets of data over IPv4, being the main internet protocol (IP) for the transfer of information through the web. In 2015, the US Federal Communications Commission (FCC) was authorised by Congress to regulate internet rules to ensure that all web traffic and information transmitted by broadband providers is treated equally for all users, as per set policies. The FCC ruled in favour of the reclassification of broadband services in the same way utilities are regulated on a common carrier basis. Internet Service Providers are restricted in the practice of bandwidth throttling, being the limiting of user bandwidth for users for video streaming, peer to peer file sharing through Bit Torrents, FaceTime and VoIP (the transmission of voice and media over IP networks).
The new Chairman of the FCC, Ajit Pai, wants to roll back the internet rules of net neutrality, which are set out under Title II of the Communications Act of 1934 and Section 706 of the Telecommunications act of 1996. The FCC has put forward a proposal entitled “Restoring Internet Freedom” to remove the net neutrality regulations for the internet. You may ask yourself, ‘why is this important to me and how will such regulation affect you?’. In short, there are mixed views on what the relaxing of such regulations may have on commerce, consumers and innovation of the broadband ecosystem. If these regulations are relaxed or removed there could be restrictions levied on consumers through higher charges, to access social media, online services, independent news content and video streaming services. Some of the on-line companies such as Facebook, Netflix, eBay, Amazon, Twitter and Tumblr could be adversely affected under the new FCC proposal. Additional charges for quality services and high data transmissions, through premium pipelines for fast data transfer, would likely be passed on to businesses and consumers alike. This in turn may create a hierarchy of internet services and fees for corporates and consumers. The whole purpose of the internet was to provide everyone with unfettered access to online information and the transmission of information and data. The Internet Association encourages innovation, economic growth and empowerment of people through the free and open internet. Any internet restrictions or controls of internet data package transmission speeds in the US would likely impact us all as many the social media, online or cloud services have their servers based there.
My view of the FCC’s proposal is mixed, on the one hand I see that they want broadband and telecommunication companies to self-regulate and on the other hand they want to encourage further investment and development of internet infrastructure, through the funding of premium internet services, which could provide a competitive edge and raise additional taxes for the US economy. Unfortunately the proposal could negatively affect the ability of low income families and students to access information and connect with others through free VoIP services, both in the US and globally. I am for regulation, as long as it is in the best interest of society and economies. The FCC’s proposal for the reversal of the net neutrality is likely to be more advantageous to the larger corporates, whilst impacting smaller innovative web content producers and lower income consumers. A level playing field would allow an equal opportunity for businesses succeed or fail based on the quality of their websites and services.
My suggestion for small technology businesses and online retailers would be to try and mitigate their IT risk and stay abreast of the proposed US changes. The first round of public comments is now closed and the FCC will provide their formal response by August 16th. If you want to have your voice heard make your public comment on the FCC’s website where over 8.7 million comments have been left already.
Note on the author:
Robert Ford is currently the managing partner of Governance Gurus, which is a UAE entity providing Business and IT Consulting services and training masterclasses and workshops in corporate governance, director duties, the role of the company secretary, change management, corporate culture and leadership development. Robert is passionate about change management and the use of information technology for innovation and to protect the privacy of individuals, see out blog on GDPR and impact on GCC corporate governance practices. He holds a master’s degree in Leading Innovation and Change and whilst in the UAE he has helped an international law firm and big 4 consulting firm to use technology to improve efficiency and quality through cloud-based software for multi-jurisdictional and virtual team co-ordination and provision of services.
The impacts of the GDPR on Corporate Governance practices in the GCC
The European Parliament and Council passed regulation (EU) 2016/679 to refresh the data and privacy protection laws for European Union states. The new regulations are commonly known as the General Data Protection Regulations (GDPR) and came into effect on May 25, 2018. GDPR has defined the rights of EU individuals relating to how their personal data is collected, stored, processed and used by organisations. Any organisation that handles the data of any EU citizen is bound by the provisions of the GDPR, these regulations are applicable globally and fines of up to 4% of worldwide turnover or 20 million euros (whichever is greater) will be levied on businesses breaching them. GCC organisations and businesses need to consider whether they collect, store, process or control any data for EU citizens and revise their own corporate governance framework and enterprise risk management frameworks to comply with the GDPR provisions.
A robust Corporate Governance framework as the foundation for business excellence and compliance with the General Data Protection Regulations (GDPR)
On May 25, 2018 the new European Euro (EU) data protection regulations came into effect and are known as the General Data Protection Regulations (GDPR). Due to increased concerns of breaches of privacy and misuse of personal data for individuals the European Union repealed Directive 95/46/EC (the old data protection directive) and replaced it with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR or the Regulations). The Regulations have an international reach and cover any organisation worldwide that collects, controls, processes or uses the information (data) of any EU citizen. The Regulations are available in multiple languages here:
The UK’s largest data protection agency the Information Commissioner’s Office (ICO) has aligned the updated UK data protection regulations 2018 with those of GDPR and they have also issued extensive guidance to assist organisations become compliant.
The below are some useful tools and guides provided by the ICO to prepare and explain what is required to be GDPR compliant and remain within the provisions.
Many organisations do not fully understand the impact of GDPR and how it will affect their business operations going forward. Some key points covered by the Regulations:
- Fines of 4% of revenue or 20 Million Euros (serious operational failures)
- 72 hours to disclose any material data breaches
- Covers all European Union citizens worldwide
- Some organisations now require a Data Protection Officer
- Board of Directors have a fiduciary duty to set the IT strategy – covering security, data and controls
- Greater need to understand what data organisation holds, where it is stored, processed and controlled
- Individuals have the right to access their data, request corrections and even be forgotten
- Fines of 2% of revenue or 10 Million Euros (minor/technical breaches)
GDPR – the beginning of the data protection and privacy journey for many GCC businesses
GCC businesses should review whether they hold data or information for any EU citizens and also consider whether the data is sufficiently minimised as per the Regulations requirements. If GCC organisations hold data for EU citizens and have not already implemented procedures on how they collect, store, process and control that data then they should urgently look at their IT policies, internal control procedures and enterprise risk management framework. A general review and update of their overall governance framework is likely to be required to integrate and simplify who is accountable for making decisions and how breaches may be reported internally and escalated.
Organisations can follow the below roll-out plan to review and prepare to comply with the Regulations. Preparation and educate staff, roll-out and provide guidance, regularly audit and perform a gap analysis, improve controls, processes and procedures and repeat the cycle all over again.
All businesses that store and process data of EU citizens should review their processes, IT systems, internal controls, hardware, software and applications to be GDPR compliant and to conduct data risk impact assessments for new projects where personal data is collected, stored, processed and controlled.
Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime:
Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
The ICO provides a 12-point guide and checklist for organisations to consider when preparing to comply with GDPR:
- Ensure senior/key people are aware of GDPR and appreciate its impact.
- Document any personal data you hold, where it came from and who you share it with. Conduct an information audit if needed.
- Review your privacy notices and plan for necessary changes before GDPR comes into force.
- Check your procedures cover all individuals’ rights under the legislation – for example, how you would delete personal data or provide data electronically in a commonly used format.
- Plan how you will handle subject access requests within the new timescales and provide any additional information.
- Identify and document your legal basis for the various types of personal data processing you do.
- Review how you seek, obtain and record consent. Do you need to make any changes?
- Put systems in place to verify individuals’ ages and, if users are children (likely to be defined in the UK as those under 13), gather parental consent for data processing activity.
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Adopt a “privacy by design” and “data minimisation” approach, as part of which you’ll need to understand how and when to implement Privacy Impact Assessments.
- Designate a Data Protection Officer or someone responsible for data protection compliance; assess where this role will sit within in your organisation’s structure/governance arrangements.
- If you operate internationally, determine which data protection supervisory authority you come under.
Click here for the full paper from the ICO:
Organisations handle risk management in different ways, the GDPR offers guidance on the risks that organisations should formally identify, namely: emerging privacy risks, this should include new projects. A register should be maintained of the processing activities and internal inventories created. Any organisation planning on conducting any high-risk data processing activities must complete a data protection impact assessment. Under certain criterion it will be compulsory to appoint a Data Protection Officer.
The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing and Regulations includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Governance Framework and GDPR
A robust Corporate Governance Framework can effectively manage risk, including the requirements of GDPR and other laws and regulations.
Corporate Governance definitions
“Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.” The OECD Principles of Corporate Governance
“Corporate Governance refers to the way in which companies are governed and to what purpose. It identifies who has power and accountability, and who makes decisions. It is, in essence, a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders (shareholders, employees, suppliers, customers and the community) are balanced.”- ICSA, The Governance Institute
Governance overview for GCC organisations and GDPR considerations to mitigate risks to the directors for breach of their fiduciary duties
The board of directors of an organisation is tasked with the control, oversight and setting the risk appetite and tolerance for the company in-line with the mission, vision, values and the strategic plan for the business. One major concern for directors internationally and in the GCC is the increasing risk of cybercrime, IT security and unauthorised access to data and information. With the GDPR we are seeing an amplified focus on developing the safeguards around IT systems, security, encryption, backups and control of data and information.
The GDPR has a global reach and any organisation which controls, processes or uses the data and information of EU citizens is required to protect the privacy and freedoms of these individuals. Organisations need to demonstrate they have the requisite enterprise risk management solution in place to identify the current and emerging risks concerning the privacy and freedoms of individuals and have effective procedures to mitigate risks, inform and report data breaches to the supervisory body, the ICO or other relevant organisation regarding any material breach or break down of operational controls, and continually monitor and improve controls. Risks should be treated appropriately, either eliminated, mitigated, transferred or accepted.
Boards’ are ultimately responsible for implementing a robust corporate governance framework which should include an enterprise risk management framework. Usually the audit or risk committee consider the risks which will now include the requirements under GDPR. In order to establish sufficient procedures, systems and controls an IT steering committee can do a lot of the leg work for the audit or risk committee to identify, monitor and improve any gaps in the risk management for data and information storage, processing and control. GDPR provide guidance on how organisations can implement risk impact assessments for projects which involve personal data and information of individuals, especially for EU citizens.
GDPR – reaffirms that individuals have the right to privacy and freedom, the regulations provide mandates on how organisations should safeguard and use personal data, what data should be stored (only relevant information and what is necessary), how data is processed and ultimately controlled. Data security should be by design and by default. The aim of GDPR is to ensure that the personal data of individuals is secured globally for EU citizens. Data protection and security is about processes, IT infrastructure and the people who have authorised access to use or transfer that data. GDPR highlights three main elements for the security and protection of data. Organisations must evaluate the data they hold, they need to safeguard and secure that data and monitor to detect any gaps or breaches. End to end encryption is seen as a necessary safeguard to ensure that data even if obtained unlawfully will not be accessible or usable by the perpetrator. Other safeguards can be used such as smart cards, two level authentication, token encryption and controlled user access to operating systems, software and applications. IT hardware. Organisations can limit their IT risk by minimising the number of access points or vectors and by using virtual machines and hypervisors – the process that separates a computer’s operating system and applications from the underlying physical hardware to minimise vulnerabilities.
Technology, IT security, IT systems and the future
The speed of technological advances has caught many organisations unawares. If we think about some of the recent major issues with data breaches, data crypto viruses and hacking, too many businesses have failed to develop their IT infrastructure, systems and software at the same pace as vulnerabilities were being exploited. From a governance point of view, an organisation should consider scenarios and plan to mitigate and have contingencies and business continuity plans in place. They should also consider disaster recovery and complete systems failures; all plans and mitigations should be tested to see if they work in practice.
Organisations may consider implementing or integrating the following standards to minimise data privacy risks ISO 27000, ISO 27001 and BS-10012 “Information Governance”. As part of these standards, organisations should endeavour to gain certification and continually improve their systems, applications and policies. As businesses move towards artificial intelligence (AI), automation and the use of Blockchain technologies, it is even more important to adopt internationally recognised standards for IT security, information governance, privacy and confidentiality. With the use of AI and automation, organisations need to consider the impacts of the GDPR on the personal rights of privacy and freedoms of EU citizens. The Regulation speaks to the use of AI and how organisations need to balance the benefits of AI and automation with the rights and freedoms for EU citizens and other customers.
Most international organisations are still coming to grips with the GDPR requirements and how they will impact them. It is likely that the Regulation will become the international standard on data privacy and protection for individuals. There is a pressing need for GCC organisations and businesses that handle the data for EU citizens to embrace the principles of the GDPR and implement policies and procedures to safeguard all the data and information they store, process, control and transfer as the reputational risk for loss or breach of data is high.
About the author
Robert is the Managing Partner of a governance consulting enterprise called Governance Gurus FZE. The company provides strategic consulting and CPD accredited workshops and training to businesses across the region and internationally.
He is a regional thought leader and subject matter expert and is regularly asked to speak on corporate governance, compliance, enterprise risk management and change management matters and provides his clients with training and workshops too.
Robert advises the Senior Management teams and Boards of numerous organisation across the Middle East, Asia and Europe. He is also an investor and on the Board of two UAE businesses. He is also the Vice-Chairman of a Gulf Forum which brings together some of the leading thought leaders on corporate governance, risk management, compliance and company secretarial best practice.
Robert provided corporate governance advisory services to the Board and Committees of the Dubai Properties Group (DPG), a member of Dubai Holding. DPG is one of the largest fully integrated real estate and community development businesses in Dubai. He worked closely with the Chairman and the Group CEO to enhance the Corporate Governance Framework across DPG and its verticals and helped develop their Risk Appetite Compliance Assessment.
He holds a master’s degree in Leading Innovation & Change from York St John University and is also a qualified Governance Professional and Chartered Secretary (FCIS) and member of the UK Institute of Directors (for over 10 years) and a member of STEP – the Society of Trusts and Estate Practitioners. Robert is also part way through a Master’s Degree in HRM & Training with the University of Leicester.
Some Middle East Accomplishments
Designed and implemented two largescale transformation and governance projects, one for a big 4 firm whose project spanned 13 countries and resulted in annual savings of over $2,000,000 and increased profits.
Drafted and implemented corporate governance and Board and Shareholder relationship policies for one of the largest master developers in the UAE.
Advised a regional Government Agency on Corporate Governance best practice and Board composition (confidential assignment).
Provided a root and branch analysis for an international law firm to improve the quality, efficiency and profitability for corporate services to their clients across all regional offices. The project focused on governance and compliance matters and improvements to processes, systems, policies and procedures. This resulted in annual revenue of over $3.5 million and profits increased by 30%.
Various change management and business improvement projects.
About Governance Gurus FZE
Governance Gurus has brought together some of the leading minds on corporate governance, change management, human resource management and corporate culture. The team are passionate about designing, implementing and embedding governance frameworks, internal controls and policies to improve processes, systems and business performance.
Corporate culture and an organisation’s risk appetite and tolerances set the tone for employees, senior management and the Board. Organisations also need to manage relations with their stakeholders and shareholders. This can be successfully achieved through human resource management, employee engagement and performance measurement and rewards. Change management and business transformation projects can only be successful through sufficient planning, effective communication and by getting buy-in at all levels of the organisation. Most change initiatives fail due to a lack of urgency, reduced momentum or ineffective planning and communication.
Whether you need to change your corporate culture or the perceptions of your stakeholders with respect of your core values and business objectives, we can add fresh perspectives and ideas to help design and implement sustained cultural business strategy.
Change management is the thread which engages and empowers employees to apply human capital policies and procedures as part of the overall all corporate governance framework. Client centric and engaged employees, who are socially responsible are valuable human capital assets who help an organisation achieve their objectives uniquely.
Our team of professionally qualified and experienced advisors would be delighted to work with your organisation, department or team.
E-mail: [email protected]
Office: +971 (0) 4387 3554
Mobile: +971 (0) 55 8034 055