1. GDPR: More reasons for information security
Andrew Cormack (@Janet_LegReg)
11/11/2016
2. Existing reasons
11/11/2016 GDPR: More reasons for information security 2
Information Security
Reliability
Confidence
Trust
Reputation
Policy
Workload
etc
3. General data protection regulation (GDPR) 2016/679
Personal data processing
May 2018
» Almost certainly pre-Brexit
» Services to EU people covered anyway
Becomes UK law automatically
4. GDPR supports proactive and reactive information security
5. Breach notification
Unauthorised/accidental loss, alteration, disclosure or access to personal data
All breaches » Document
Risk to rights/freedoms » Report to ICO (72 hour expectation)
» Nature; number/type of records/people affected; mitigations
High risk to rights/freedoms » Also notify individuals (unless mitigated)
» Can take ICO advice
6. Security and incident response
Very like security good practice (paper currently with journal reviewers)
“Ensuring network and information security … CSIRTs… providers of networks
and services… ” (Rec.49)
A legitimate interest… (for processing personal data)
If necessary/proportionate…
Balance of interests test…
7. Other tools mentioned
Encryption » Mitigate damage from breaches
Data protection by design
Exercises » Test readiness
» Assist compliance
Authorisation
» Reduce risk
Pseudonyms
8. New incentives
Security/incident response clearly lawful
Increased public awareness
Much bigger fines (€20M/4%)
Damages, not just for monetary loss
9. Opportunities to improve
Regulator guidance
Lessons learned from breaches
Compare public notifications
NIS Directive => more sharing
Cloud security standards etc.
10. 12 steps
Information Commissioner’s Office, [Preparing for the GDPR, 14/3/16], licensed under the Open Government Licence
11. Watch these spaces
» ICO:
› https://ico.org.uk/for-organisations/data-protection-reform/
» Regulation (2016/679/EU):
› http://ji.sc/gdpr-text
» Me:
› http://ji.sc/dataprotection-regulation
12. jisc.ac.uk
One Castlepark, Tower Hill, Bristol BS2 0JA
customerservices@jisc.ac.uk
T 020 3697 5800
Except where otherwise noted, this work is licensed under CC-BY-NC-ND
Thanks
Andrew Cormack
Chief Regulatory Adviser, Jisc Technologies
Andrew.Cormack@jisc.ac.uk
Editor's Notes
ICO reckons “loss or inappropriate alteration of a staff telephone list” doesn’t normally require reporting https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/breach-notification/
Anything that “might leave them open to financial loss” goes to DS https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Essential for breach notification
Recognised by UK ICO
Note Breyer ECJ case supports this under DPD too
Positive view of all of these
Note ICO has already fined TalkTalk £400K under current £500K max for website open to SQL injection
Representative bodies making claims could be a move towards class actions
Children (Art 8) need clear information, additional rules if offering ISS directly to them (need to get consent from adult)
DPIAs (Art 35) if high risk to rights and freedoms, e.g. automated monitoring with legal effects, large scale processing of SPD, systematic monitoring of public area on a large scale
DPBD for all processing at design and implementation stages
DPO (Art 37) for public bodies (?unis?), regular and systematic monitoring on a large scale, core activities processing SPD
International: Reg applies to processing by European establishment *or* processing of Europeans’ data. So TNE probably is covered if you’re the DC