
Information lifecycles: a tool for GDPR

by Andrew Cormack


  1. Information lifecycles: a tool for GDPR… Andrew Cormack, Chief regulatory adviser, Jisc technologies, @Janet_LegReg, 14/11/2017. Image © Erich Ferdinand https://commons.wikimedia.org/wiki/File:Toolbox_(6788494881).jpg
  2. Thinking
     » DPD => GDPR
     » Data subject responsibility => Data controller accountability
     » Information assets => Information lifecycles
  3. Information lifecycles
  4. Information lifecycles: Collect, Process, Dispose
  5. Information lifecycles (Collect)
     » Why are we doing this?
     » What data do we need?
     » Who do we get it from?
       › Direct? Indirect?
  6. Information lifecycles (Process)
     » Why are we doing this?
     » How are we processing?
       › Where?
       › How do we keep it secure?
  7. Information lifecycles (Dispose)
     » When are data no longer needed?
     » How do we dispose of them?
       › Delete?
       › Aggregate?
       › Anonymise? Need to keep reviewing re-identification risk
  8. Optional stages: Share, Disclose
     » Continuing responsibility
       › Eg secondary uses, partner organisations
     » Internal sharing
       › Start another lifecycle
     » External sharing
       › Assign responsibilities through agreement/contract
     » Responsibility ends on disclosure
       › Eg law enforcement
     » Needs a legal exemption
  9. Lifecycle questions
     » Collect: Why? What? How?
     » Process: Why? How?
     » Dispose: When? How?
  10. Lifecycle answers…
  11. What? + How? => Breach notification process
     » When a security breach occurs, must notify:
       › Regulator: if risk to individual, within 72 hrs of becoming aware
         – Including what you’re doing to mitigate
       › Individuals: if still high risk to them despite mitigation
         – Including what they can/should do to mitigate
     » Requires an efficient incident response process
     » Could prepare for this as part of lifecycle development?
       › What info => likely level of risk if breached
       › How processed => possible mitigations, pre- and post-breach
  12. Why? => Legal basis
     » Is processing necessary (ie no less intrusive way to do it) for…
       › Contract: an agreement between us (not just in writing)
       › Legal obligation: law requires me to…
       › Legitimate interest: I need to…
         – Requires balancing test to ensure your interests don’t override mine
       › Public interest (under debate): law requires someone else to…
       › Vital interest: saving life requires me to…
     » Or optional, ie we can both cope without it
       › You give free, informed, positive consent; no compulsion
  13. May be multiple legal bases
     » Eg subscribe to blog updates
     » Necessary to process personal data for
       › Contract: to deliver the updates you want
       › Legitimate interest: to protect site/users from misuse
     » Consent
       › To address you by preferred (nick)name, if you want
  14. Legal basis => User rights
     » All: Information, Access, Rectification, Security, Breach notification
       › Maybe object (see below) to automated significant decisions
     » Contract: Portability
     » Legal obligation: whatever law says
     » Public/Legitimate interest: Objection, Restriction
       › Requires review of individual circumstances, not necessarily termination
     » Consent: Portability, Erasure
  15. Legal basis => Notice requirements (see http://ji.sc/right-to-be-informed)
     » All: Controller, purpose/legal basis, retention, rights, complaints
       › If shared: Recipients, transfers
       › If automated decisions: Description
     » Contract: What contract, consequences of refusal
     » Legal obligation: What law, consequences of refusal
     » Public/legitimate interest: What interest
     » Consent: Right to withdraw
  16. Lifecycle drives GDPR implementation
  17. From lifecycle, know…
     » Collect: Notice, (Consent), (Children)
     » Process: Rights, Subject Access, Security
     » Dispose: Breaches
  18. ICO 12 steps (project plan by ANC)
     » Consent processes (inc. children)
     » Individual rights processes (inc. subject access)
     » Privacy notices
     » Legal basis for processing
     » Breach notification process
     » Information lifecycle audit
     » Data protection by design/impact assessments
     » Awareness
  19. And also…
     » Lifecycle thinking helps with…
       › ISO27001 – information security
       › ISO9001 – process quality
       › Efficient use of data in general
  20. jisc.ac.uk. Except where otherwise noted, this work is licensed under CC-BY-NC-ND. Thanks/questions? Andrew Cormack, http://ji.sc/reg-developments, Andrew.Cormack@jisc.ac.uk
  21. References
     » GDPR text: https://ji.sc/gdpr-text
     » ICO: https://ico.org.uk/for-organisations/data-protection-reform/
     » Art29WP: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
     » Jisc
       › “A year to get your act together”: jisc.ac.uk/blog/a-year-to-get-your-act-together-how-universities-and-colleges-should-be-preparing-for-new-data-regulations
       › GDPR implementation plan: https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-12-steps-illustrated
       › GDPR lifecycles: https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-moving-information-lifecycle-registers
