4. Privacy & Security Flashcards
What does the acronym GDPR stand for?
General Data Protection Regulation
In what countries has GDPR been put into law?
All EU member states (27) & 3 members of the European Free Trade Association (EFTA): Iceland, Liechtenstein, and Norway
It can apply to organizations outside the EU if they process the personal data of individuals located within the EU. This aspect of GDPR ensures that the data protection rights of EU citizens are respected even when their data is handled by entities outside the EU.
What kind of data falls under GDPR?
● Personal data - any information that can be used to identify a natural person, e.g. name, date of birth, address, phone number, etc.
● Special categories - e.g. religion, ethnicity, sexual orientation, medical information, etc.
● Criminal data
● Children’s data
List the five stakeholders of GDPR, and explain each of them.
- Data Subject:
● Individuals (resident of EU countries) whose personal data is being processed.
● They have rights regarding the processing and protection of their personal data.
▻ YOU
- Data Controller:
● Entities or organizations that determine the purposes and means of processing personal data.
● They are responsible for ensuring compliance with GDPR and safeguarding data subject rights.
● Institution, business or a person processing the personal data e.g. e-commerce website.
▻ A COMPANY YOU HAVE DIRECT RELATION TO
- Data Processor:
● Entities or organizations that process personal data on behalf of the data controllers.
● They operate under the instructions of the data controllers and must comply with GDPR requirements.
● Subject (company, institution…) processing data on behalf of the controller e.g. Google, Facebook, CRM app…
▻ A THIRD PARTY THAT THE CONTROLLER HAS A DIRECT OR INDIRECT RELATION TO
- Data Protection Officer (DPO):
● Appointed individuals or positions within organizations.
● They are responsible for overseeing data protection efforts, ensuring GDPR compliance, and acting as a point of contact for data subjects and supervisory authorities.
● Person appointed by the Data Controller responsible for overseeing data protection practices.
▻ AN EMPLOYEE AT CONTROLLER
- Data Authority:
● Regulatory bodies established by each EU member state.
● They monitor and enforce GDPR compliance, handle data protection complaints, conduct investigations, and impose sanctions on non-compliant organizations.
● Public institution monitoring implementation of the regulations in the specific EU member country.
▻ IN NORWAY: DATATILSYNET
List the seven principles of Data Protection.
- Lawfulness, Fairness, Transparency
- Purpose Limitation (Use only for one or more specified purposes)
- Data Minimisation (Collect only the amount of data required for the specified purpose(s))
- Accuracy (Ensure data is kept up to date, accurate and complete)
- Storage Limitation (Kept for no longer than necessary for the specified purpose(s))
- Integrity and Confidentiality (Processed ensuring appropriate security of data)
- Accountability (Essential not only to be compliant, but to be able to demonstrate compliance)
What does the principle called “Storage Limitation” mean?
- Retain the data for a necessary limited period and then erase
- Data must be “kept in a form which permits identification of data subjects for no longer than necessary”.
- You would have to set the retention period for personal data you collect and justify that this period is necessary for your specific objectives.
What are the possible fines for data breaches under GDPR?
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher
- The basic principles for processing, including conditions for consent
- The data subjects’ rights
- Unlawful transfer of personal data to a recipient in a third country or an international organisation
- Any non-compliance with an order by a supervisory
What are the phases in the GDPR Information Life Cycle?
C SUD
- Capture – Obtain and record information
* What you are allowed to capture
* How you may do so
* What you must tell the person in advance
* What you must get from them (their permission)
- Store – Save the information electronically or in paper format
* How you must store it
* Where it can be stored
* Obligations of third parties
* What happens if you lose it
- Use – Use or reuse information
* What you can use it for
* What you can’t use it for
- Destroy – Delete, erase or shred information
* How long you can keep it for
* When you must destroy information
What are the important aspects to control in the “Store” phase?
- Safe and Secure (Information must be stored appropriately e.g. locked cabinets/password protected files)
- Restricted Access (Only authorised persons should have access to it)
- Data Inventory (Information captured should be recorded)
- Subject Access Requests (Must be in a position to provide ALL information held)
- Contracts with Data Processors (Any third parties must have GDPR contracts in place)
- Data Breaches (Processes to detect, report and investigate Data Breaches must be in place)
What is Lawful Interception of internet traffic?
It refers to the legally authorized monitoring and interception of communication transmitted over the internet or other communication networks. It allows law enforcement agencies and government authorities to collect and access certain types of data for investigative or security purposes, subject to specific legal frameworks and procedures.
- An installation that gives the Norwegian foreign intelligence service access to data from the Internet-cables crossing the Norwegian border.
- Most electronic traffic crossing the Norwegian border uses these cables.
- Similar installations already exist in countries we like to compare ourselves to
* Sweden, Germany, France, Great Britain, USA and Canada
* Switzerland has approved legislation, and had a referendum with positive result
* Under consideration in the Netherlands and in Finland
- The Norwegian Foreign Intelligence service have argued that they need it
- The Lysne I commission argued that a new commission should write a report, followed by a public debate.
Why is Lawful Interception controversial?
- Privacy and Civil Liberties - can lead to mass surveillance, profiling, and potential abuses
- Lack of Transparency - can erode trust in government authorities and raise suspicions about potential misuse of intercepted data
- Potential for Misuse - e.g. unauthorized surveillance, political espionage, or violation of human rights.
- Chilling Effect on Freedom of Expression - may lead to self-censorship and reluctance to engage in open communication or express dissenting views
- Lack of Adequate Oversight - insufficient checks and balances, weak accountability, or limited transparency
- Global Surveillance Programs - extensive global surveillance programs by intelligence agencies in certain countries, as exposed by whistleblowers
- Technological Challenges - with advanced encryption technologies, difficulty balancing security & privacy
The controversy surrounding lawful interception revolves around the tens
Has Lawful Interception of Internet traffic been introduced in Norway?
No
What is the difference between meta-data and content-data?
Metadata:
* Metadata refers to descriptive or structural information about data.
* It provides details about the characteristics, context, and attributes of the data.
* Metadata does not include the actual content of the communication or message but rather focuses on the information surrounding it.
* Examples of metadata include information such as the sender and recipient’s addresses, time and date stamps, duration of communication, location data, subject lines, call logs, IP addresses, device information, and other transactional or logistical details.
* Metadata can provide insights into patterns, relationships, and connections between different data points.
* It is often used for analysis, profiling, tracking, or for understanding the context and usage patterns of communication or data without directly accessing the content itself.
Content Data:
* Content data refers to the actual information or substance of the communication or message.
* It includes the text, audio, video, images, or any other form of meaningful content exchanged between parties.
* Content data can be the body of an email, the text of a message, the audio of a phone call, or the visual content of a video.
* Content data carries the intended message or information and is typically the primary focus of communication or data analysis.
* Accessing content data provides detailed insights into the actual information being exchanged or communicated.
Metadata describes the contextual and structural aspects of data, while content data refers to the actual substance or information contained within the communication or message.
Does Lawful Interception break the European Declaration of Human Rights?
No, lawful interception, when conducted in accordance with the legal frameworks and safeguards established by European Union (EU) member states, is intended to be compatible with the protection of fundamental rights, including those outlined in the European Convention on Human Rights (ECHR). However, compliance with the European Declaration of Human Rights depends on adherence to applicable laws and the protection of individuals’ fundamental rights within the legal framework of each country.
(ChatGPT answer)
When did GDPR come into effect?
May 25, 2018