Assessing the impact of security services
Andrew Cormack, chief regulatory adviser, Jisc technologies, Jisc
Why assess DP impact?
Legal requirement?
• GDPR Art.35 Data Protection Impact Assessment (DPIA)
• “if likely to result in a high risk to the rights and freedoms of natural persons”
Regulator recommendation?
• ICO Legitimate Interests Assessment (LIA)
• “if relying on legitimate interests”
But mostly…
To reassure us, members, customers and users that we’re creating privacy/security benefits, not risks!
Factors likely to require DPIA (Art29WP/EDPB)
Match 2 or more => usually need DPIA
• Evaluation or scoring
• Automated decision-making
• Systematic monitoring
• Sensitive (or highly-personal) data
• Data processed on large scale
• Matching/combining datasets
• Vulnerable data subjects
• Innovative use or new technological/organisational solutions
• Processing prevents data subject exercising right/using service/contract
Jisc security services…
Security operations centre (SOC)
• Large scale
• Applies to all Janet traffic
• Passive monitoring
• Mostly by machine
• Some automation (e.g. DDoS)
=> DPIA
Penetration testing service
• Small scale
• Commissioned by organisation
  • Limited scope: systems and people
• Active attacks/social engineering
=> LIA
SOC DPIA
DPIA process
NOT based on ICO guide – it hadn’t been published
• So derive from GDPR text and CNIL (very) detailed approach
• Structured interviews: service managers/operators/DPO + follow-up Q&A
• User consultation
  • Annual consultation recently completed, don’t really want another
• ICO (now) suggests cyclic DPIA process
  • Consultation apparently before own risk/mitigation assessment?
  • Surely more efficient to ask users for issues you didn’t spot?
• So use 1st round DPIA report for 2nd round consultation (~18 months)
ICO DPIA cycle (diagram; the steps, in order)
Identify need → Describe process → Consult? → Necessity and proportionality → Identify risks → Identify controls → Record and sign off → Integrate actions into plan → Review
DPIA data gathering/reporting
Based on GDPR structure
• Description of operations and purpose
  • Controllers, processors, recipients, purpose/legal basis…
  • What data, how, where, how long…
• Assessment of necessity and proportionality
  • Individual rights/principles fit here too
• Assessment of risks to rights and freedoms (see later)
• Measures to address risks, and demonstrate compliance (see later)
• Conclusions
  • Are risks mitigated? Recommendations
DPIA risk management
Assess impact
• Think processing and data
• Effect of breach/misuse
  • On confidentiality/integrity/availability
  • Ignoring (for now) cause
• What harm results?
  • Personal, financial, …
  • Rights and freedoms
• Impact: high/medium/low
Manage likelihood
• Think causes
  • Internal (accident/malicious)
  • External (accident/malicious)
  • Environment (accident)
• Think mitigations
  • Most of which reduce likelihood
  • Some reduce impact too
• How to monitor/maintain compliance?
DPIA conclusions
• All risks mitigated to (well) below high
• Automated processing itself a significant mitigation
• Some new opportunities for controls/monitoring
• See https://ji.sc/SOC-DPIA
Penetration testing LIA
LIA process
Based on ICO light-touch risk assessment…
• Structured interviews with service managers/operators + follow-up Q&A
• What is legitimate interest? [Site improving security of key DP processes]
  • Who benefits? How? How much? Ethical/legal issues?
• Necessity: any less intrusive way to do it? [No]
• Balance benefits vs harms
  • What is relationship with individuals? What is possible impact?
  • Will you explain it? Will they object/feel intrusion?
  • What safeguards can you provide? Can they opt out?
LIA conclusions
• Technical pentests have strong safeguards/minimisation
• Social engineering can cause harm to a few individuals
  • Targets are in positions of authority/responsibility; significant risks to others
  • Organisations must support/explain what was done and why
  • And provide guidance, training, etc. so they don’t fall for a real attack
• Organisations must fix vulnerabilities, otherwise no benefit to justify risk!
• See https://ji.sc/PENTEST-LIA
References
• DPIA
  • Art.29 https://ji.sc/DPIA-art29
  • CNIL https://ji.sc/CNIL-PIA-guides
  • [ICO https://ji.sc/ICO-DPIA]
  • https://ji.sc/SOC-DPIA
• LIA
  • ICO https://ji.sc/ICO-legitimate-interests
  • https://ji.sc/PENTEST-LIA
Get in touch…
Andrew Cormack, chief regulatory adviser
Andrew.Cormack@jisc.ac.uk
Except where otherwise noted, this work is licensed under CC-BY

More Related Content

What's hot

What's hot (20)

Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program Management
 
GDPR From the Trenches - Real-world examples of how companies are approaching...
GDPR From the Trenches - Real-world examples of how companies are approaching...GDPR From the Trenches - Real-world examples of how companies are approaching...
GDPR From the Trenches - Real-world examples of how companies are approaching...
 
Ardoq in Edinburgh - Events - Building Resilience in a Post-GDPR World (14-au...
Ardoq in Edinburgh - Events - Building Resilience in a Post-GDPR World (14-au...Ardoq in Edinburgh - Events - Building Resilience in a Post-GDPR World (14-au...
Ardoq in Edinburgh - Events - Building Resilience in a Post-GDPR World (14-au...
 
Data protection within development
Data protection within developmentData protection within development
Data protection within development
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Isaca csx2018-continuous assurance
Isaca csx2018-continuous assuranceIsaca csx2018-continuous assurance
Isaca csx2018-continuous assurance
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance
 
Post US Election Privacy Updates & Implications
Post US Election Privacy Updates & ImplicationsPost US Election Privacy Updates & Implications
Post US Election Privacy Updates & Implications
 
The general data protection act overview
The general data protection act overviewThe general data protection act overview
The general data protection act overview
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
How does GDPR affect your business?
How does GDPR affect your business?How does GDPR affect your business?
How does GDPR affect your business?
 
Eversheds SHINE Webinars - Multi jurisdictional compliance 23rd October 2014
Eversheds SHINE Webinars - Multi jurisdictional compliance 23rd October 2014Eversheds SHINE Webinars - Multi jurisdictional compliance 23rd October 2014
Eversheds SHINE Webinars - Multi jurisdictional compliance 23rd October 2014
 
2016 11-17-gdpr-integro-webinar
2016 11-17-gdpr-integro-webinar2016 11-17-gdpr-integro-webinar
2016 11-17-gdpr-integro-webinar
 
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
 
1 -2-6 kista watson summit-gdpr ibm pov hogg-sm
1 -2-6 kista watson summit-gdpr ibm pov hogg-sm1 -2-6 kista watson summit-gdpr ibm pov hogg-sm
1 -2-6 kista watson summit-gdpr ibm pov hogg-sm
 

Similar to Assessing the impact of security services

GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
PECB
 
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
PECB
 

Similar to Assessing the impact of security services (20)

Setting up an Effective Security and Compliance Office
Setting up an Effective Security and Compliance OfficeSetting up an Effective Security and Compliance Office
Setting up an Effective Security and Compliance Office
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
 
GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security Twist
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
 
BigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesBigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar Slides
 
[Webinar] Is Your Database Ready for GDPR?
[Webinar] Is Your Database Ready for GDPR?[Webinar] Is Your Database Ready for GDPR?
[Webinar] Is Your Database Ready for GDPR?
 
GDPR and EA Commissioning a web site part 2 - Legal Environment
GDPR and EA Commissioning a web site part 2 - Legal EnvironmentGDPR and EA Commissioning a web site part 2 - Legal Environment
GDPR and EA Commissioning a web site part 2 - Legal Environment
 
General Data Protection Regulation, May 2017, London
General Data Protection Regulation, May 2017, LondonGeneral Data Protection Regulation, May 2017, London
General Data Protection Regulation, May 2017, London
 
Week 4.pptx
Week 4.pptxWeek 4.pptx
Week 4.pptx
 
CIO 360 grados: empoderamiento total
CIO 360 grados: empoderamiento totalCIO 360 grados: empoderamiento total
CIO 360 grados: empoderamiento total
 
GDPR Scotland 2018
GDPR Scotland 2018GDPR Scotland 2018
GDPR Scotland 2018
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
Wayne richard - pia risk management - atlseccon2011
Wayne richard - pia risk management - atlseccon2011Wayne richard - pia risk management - atlseccon2011
Wayne richard - pia risk management - atlseccon2011
 
A5: Data protection: Your charity's biggest risk?
A5: Data protection: Your charity's biggest risk?A5: Data protection: Your charity's biggest risk?
A5: Data protection: Your charity's biggest risk?
 
Compliance as Culture Strategy
Compliance as Culture StrategyCompliance as Culture Strategy
Compliance as Culture Strategy
 
TrustArc Webinar: DPIA Compliance
TrustArc Webinar: DPIA ComplianceTrustArc Webinar: DPIA Compliance
TrustArc Webinar: DPIA Compliance
 
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QAQA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 

More from Jisc

More from Jisc (20)

Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptx
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptx
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptx
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptx
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptx
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptx
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptx
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Assessing the impact of security services

  • 1. Assessing the impact of security services Andrew Cormack chief regulatory adviser, Jisc technologies, Jisc.
  • 2. Why assess DP impact?
  • 3. Why assess DP impact? Legal requirement? •GDPR Art.35 Data Protection Impact Assessment (DPIA) •“if likely to result in a high risk to the rights and freedoms of natural persons”
  • 4. Why assess DP impact? Legal requirement? •GDPR Art.35 Data Protection Impact Assessment (DPIA) •“if likely to result in a high risk to the rights and freedoms of natural persons” Regulator recommendation? •ICO Legitimate Interests Assessment (LIA) •“if relying on legitimate interests”
  • 5. 5 But mostly… To reassure us, members, customers and users that we’re creating privacy/security benefits, not risks!
  • 6. Factors likely to require DPIA (Art29WP/EDPB) Match 2 or more => Usually need DPIA •Evaluation or scoring •Automated decision-making •Systematic monitoring •Sensitive (or highly-personal) data •Data processed on large scale •Matching/combining datasets •Vulnerable data subjects •Innovative use or new technological/organisational solutions •Processing prevents data subject exercising right/using service/contract
  • 8. Jisc security services… Security operations centre (SOC) •Large scale •Applies to all Janet traffic •Passive monitoring •Mostly by machine •Some automation (e.g. DDoS) => DPIA
  • 9. Jisc security services… Security operations centre (SOC) •Large scale •Applies to all Janet traffic •Passive monitoring •Mostly by machine •Some automation (e.g. DDoS) => DPIA Penetration testing service •Small scale •Commissioned by organisation • Limited scope: systems and people •Active attacks/social engineering => LIA
  • 11. DPIA process NOT based on ICO guide – it hadn’t been published 11
  • 12. DPIA process NOT based on ICO guide – it hadn’t been published •So derive from GDPR text and CNIL (very) detailed approach •Structured interviews: service managers/operators/DPO + follow-up Q&A 12
  • 13. DPIA process NOT based on ICO guide – it hadn’t been published •So derive from GDPR text and CNIL (very) detailed approach •Structured interviews: service managers/operators/DPO + follow-up Q&A •User consultation •Annual consultation recently completed, don’t really want another 13
  • 14. DPIA process NOT based on ICO guide – it hadn’t been published •So derive from GDPR text and CNIL (very) detailed approach •Structured interviews: service managers/operators/DPO + follow-up Q&A •User consultation •Annual consultation recently completed, don’t really want another •ICO (now) suggests cyclic DPIA process • Consultation apparently before own risk/mitigation assessment? • Surely more efficient to ask users for issues you didn’t spot? 14
  • 15. DPIA process NOT based on ICO guide – it hadn’t been published •So derive from GDPR text and CNIL (very) detailed approach •Structured interviews: service managers/operators/DPO + follow-up Q&A •User consultation •Annual consultation recently completed, don’t really want another •ICO (now) suggests cyclic DPIA process • Consultation apparently before own risk/mitigation assessment? • Surely more efficient to ask users for issues you didn’t spot? •So use 1st round DPIA report for 2nd round consultation (~18 months) 15
  • 16. ICO DPIA cycle 16 Identify need Describe process Consult? Nec. and Prop. Identify risks Identify controls Record and Sign off Integrate actions into plan Review
  • 17–21. DPIA data gathering/reporting
    Based on GDPR structure
    • Description of operations and purpose
      • Controllers, processors, recipients, purpose/legal basis…
      • What data, how, where, how long…
    • Assessment of necessity and proportionality
      • Individual rights/principles fit here too
    • Assessment of risks to rights and freedoms (see later)
    • Measures to address risks, and demonstrate compliance (see later)
    • Conclusions
      • Are risks mitigated? Recommendations
  • 23–27. DPIA risk management
    Assess impact
    • Think data and processing
    • Effect of breach/misuse
      • On confidentiality/integrity/availability
      • Ignoring (for now) cause
    • What harm results?
      • Personal, financial, …
      • Rights and freedoms
      • Impact: high/medium/low
    Manage likelihood
    • Think causes
      • Internal (accident/malicious)
      • External (accident/malicious)
      • Environment (accident)
    • Think mitigations
      • Most of which reduce likelihood
      • Some reduce impact too
    • How to monitor/maintain compliance?
  • 28. DPIA conclusions
    • All risks mitigated to (well) below high
    • Automated processing itself a significant mitigation
    • Some new opportunities for controls/monitoring
    • See https://ji.sc/SOC-DPIA
  • 30–34. LIA process
    Based on ICO light-touch risk assessment…
    • Structured interviews with service managers/operators + follow-up Q&A
    • What is legitimate interest? [Site improving security of key DP processes]
      • Who benefits? How? How much? Ethical/legal issues?
    • Necessity: any less intrusive way to do it? [No]
    • Balance benefits vs harms
      • What is relationship with individuals? What is possible impact?
      • Will you explain it? Will they object/feel intrusion?
      • What safeguards can you provide? Can they opt-out?
  • 36–39. LIA conclusions
    • Technical pentests have strong safeguards/minimisation
    • Social engineering can cause harm to a few individuals
      • Targets are in positions of authority/responsibility; significant risks to others
      • Organisations must support/explain what was done and why
        • And provide guidance, training, etc. so they don’t fall for a real attack
    • Organisations must fix vulnerabilities, otherwise no benefit to justify risk!
    • See https://ji.sc/PENTEST-LIA
  • 40. References
    • DPIA
      • Art.29 https://ji.sc/DPIA-art29
      • CNIL https://ji.sc/CNIL-PIA-guides
      • [ICO https://ji.sc/ICO-DPIA]
      • https://ji.sc/SOC-DPIA
    • LIA
      • ICO https://ji.sc/ICO-legitimate-interests
      • https://ji.sc/PENTEST-LIA
  • 41. Get in touch…
    Andrew Cormack, chief regulatory adviser, Andrew.Cormack@jisc.ac.uk
    Except where otherwise noted, this work is licensed under CC-BY

Editor's Notes

  1. UK ICO adds Risk of Physical Harm, Tracking, Invisible Processing; deletes large scale, automated decision-making, arguably systematic monitoring (which may be a superset of “tracking”); interestingly the EDPB pushes back against such modifications… Maybe it *is* harmonising?