2. Thinking DPD => GDPR
Data subject responsibility => Data controller accountability
Information assets => Information lifecycles
14/11/2017 Information lifecycles: a tool for GDPR 2
5. Information lifecycles
»Why are we doing this?
»What data do we need?
»Who do we get it from?
› Direct? Indirect?
14/11/2017 Information lifecycles: a tool for GDPR 5
Collect Process Dispose
6. Information lifecycles
»Why are we doing this?
»How are we processing?
› Where?
› How do we keep it secure?
14/11/2017 Information lifecycles: a tool for GDPR 6
Collect Process Dispose
7. Information lifecycles
»When are data no longer needed?
»How do we dispose of them?
› Delete?
› Aggregate?
› Anonymise? Need to keep reviewing re-identification risk
14/11/2017 Information lifecycles: a tool for GDPR 7
Collect Process Dispose
8. Optional stages
» Continuing responsibility
› Eg secondary uses, partner organisations
» Internal sharing
› Start another lifecycle
» External sharing
› Assign responsibilities through
agreement/contract
» Resp0nsibility ends on disclosure
› Eg law enforcement
» Needs a legal exemption
14/11/2017 Information lifecycles: a tool for GDPR 8
Share Disclose
9. Lifecycle questions
Collect
• Why?
• What?
• How?
Process
• Why?
• How?
Dispose
• When?
• How?
14/11/2017 Information lifecycles: a tool for GDPR 9
11. What?+How? => Breach notification process
» When security breach occurs, must notify:
› Regulator: if risk to individual, within 72 hrs of becoming aware
– Including what you’re doing to mitigate
› Individuals: if still high risk to them despite mitigation
– Including what they can/should do to mitigate
» Requires an efficient incident response process
» Could prepare for this as part of lifecycle development?
› What info => likely level of risk if breached
› How processed => possible mitigations, pre- and post-breach
14/11/2017 Information lifecycles: a tool for GDPR 11
12. Why? => Legal basis
» Is processing necessary (ie no less intrusive way to do it) for…
› Contract: an agreement between us (not just in writing)
› Legal obligation: law requires me to…
› Legitimate interest: I need to…
– Requires balancing test to ensure your interests don’t override mine
› Public interest (under debate): law requires someone else to…
› Vital interest: saving life requires me to…
» Or optional, ie we can both cope without it
› You give free, informed, positive consent; no compulsion
14/11/2017 Information lifecycles: a tool for GDPR 12
13. May be multiple legal bases
» Eg subscribe to blog updates
» Necessary to process personal data for
› Contract: to deliver the updates you want
› Legitimate Interest: to protect site/users from misuse
» Consent
› To address you by preferred (nick)name, if you want
14/11/2017 Information lifecycles: a tool for GDPR 13
14. Legal basis => User rights
» All: Information,Access, Rectification, Security, Breach notification
› Maybe object (see below) to automated significant decisions
» Contract: Portability
» Legal obligation: whatever law says
» Public/Legitimate Interest: Objection, Restriction
› Requires review of individual circumstances, not necessarily termination
» Consent: Portability, Erasure
14/11/2017 Information lifecycles: a tool for GDPR 14
15. Legal basis => Notice requirements
» All: Controller, purpose/legal basis, retention, rights, complaints
› If shared: Recipients, transfers
› If automated decisions: Description
» Contract:What contract, consequences of refusal
» Legal obligation:What law, consequences of refusal
» Public/legitimate interest:What interest
» Consent: Right to withdraw
14/11/2017 Information lifecycles: a tool for GDPR 15
See http://ji.sc/right-to-be-informed
16. Lifecycle drives GDPR implementation
14/11/2017 Information lifecycles: a tool for GDPR 16
17. From lifecycle, know…
Collect
• Notice
• (Consent)
• (Children)
Process
• Rights
• SubjectAccess
• Security
Dispose
• Breaches
14/11/2017 Information lifecycles: a tool for GDPR 17
18. ICO 12 steps (project plan by ANC)
14/11/2017 Information lifecycles: a tool for GDPR 18
Consent processes (inc. children)
Individual rights processes (inc. subject access)
Privacy notices
Legal basis for processing
Breach notification process
Information lifecycle audit
Data protection by design/impact assessments
Awareness
19. And also…
»Lifecycle thinking helps with…
› ISO27001 – information security
› ISO9001 – process quality
› Efficient use of data in general
14/11/2017 Information lifecycles: a tool for GDPR 19
20. jisc.ac.uk
Except where otherwise noted, this work
is licensed under CC-BY-NC-ND
Thanks/questions?
Andrew Cormack
http://ji.sc/reg-developments
Andrew.Cormack@jisc.ac.uk
14/11/2017 Information lifecycles: a tool for GDPR 20
21. References
» GDPR text: https://ji.sc/gdpr-text
» ICO: https://ico.org.uk/for-organisations/data-protection-reform/
» Art29WP: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
» Jisc
› “A year to get your act together”: jisc.ac.uk/blog/a-year-to-get-your-act-
together-how-universities-and-colleges-should-be-preparing-for-new-data-
regulations
› GDPR implementation plan: https://community.jisc.ac.uk/blogs/regulatory-
developments/article/gdpr-12-steps-illustrated
› GDPR lifecycles: https://community.jisc.ac.uk/blogs/regulatory-
developments/article/gdpr-moving-information-lifecycle-registers
14/11/2017 Information lifecycles: a tool for GDPR 21