Chapter 10 - Security of Personal Data Flashcards
What does Article 5(1)(f) cover?
-Integrity and Confidentiality
-Establishes the security principle, requiring personal data to be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
-This principle is focused on the processing of personal data, not on who performs the processing activities.
What does Article 32 cover?
-Sets out the requirements for the security of processing. It applies to both controllers and processors and covers three domains of security:
(1) Preventative security: Limiting risks of insecurity.
(2)Incident detection and response: Detecting and responding to security failures.
(2) Remedial security: Improving security in reaction to risks and incidents.
What are the obligations on controllers and processors under Article 32?
-Controllers and processors must implement appropriate technical and organisational measures based on risk assessments, considering the nature of the data, foreseeable threats, state-of-the-art practices, and cost. Higher probability or impact threats require tighter controls, especially for sensitive data.
-The state-of-the-art test requires controllers and processors to consider industry best practices for security, including encryption and pseudonymization as key controls.
-Employees must act within the boundaries of their instructions and maintain confidentiality. Controllers and processors should have robust policies, provide role-based training, and monitor employees reasonably.
What does Article 28 cover?
-Contains specific provisions for the controller-processor relationship and the supply chain.
-It requires controllers to use processors that provide sufficient guarantees of appropriate security measures.
-This includes assurance mechanisms like inspections, audits, and certifications.
-Processors must act on the controller’s instructions and assist with compliance, including breach notification requirements.
-If a processor steps outside the boundaries of its instructions, it risks being defined as a controller.
-Controllers must cascade compliance obligations to processors through contracts or other legal acts.
What does Article 30 cover?
-Requires controllers to maintain records of processing activities, including a general description of technical and organizational security measures.
-Processors have similar obligations.
-These records help controllers and processors understand the full extent of their data processing operations and ensure compliance with GDPR.
What does Article 4(12) cover?
-Defines a personal data breach as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.
-Definition highlights the importance of actual breaches of security, not just risks, and ensures that breaches due to an absence of security controls are covered by notification and communication rules.
What does Article 33 cover?
-Sets out the requirement for notification of personal data breaches to data protection regulators and for keeping registers of breaches and remedial actions.
-Controllers must notify regulators without undue delay, within 72 hours of becoming aware of a breach likely to cause risks to rights and freedoms.
-Processors must notify controllers without undue delay.
-Controllers must have breach detection measures and perform risk assessments to determine the impact on rights and freedoms.
-Records of breaches must be maintained for retrospective examination by regulators.
What does Article 34 cover?
-Requires controllers to inform data subjects of personal data breaches if those breaches are likely to present high risks to rights and freedoms.
-Exceptions include when data is rendered unintelligible (e.g., encryption), when measures are taken to prevent high risks, and when notification involves disproportionate effort.
-Regulators can order controllers to engage in communications with data subjects following serious incidents.
What does Article 25 cover?
-Establishes the requirements for data protection by design and by default.
-Controllers must implement appropriate technical and organizational measures to ensure data protection principles are integrated into processing activities.
-This includes minimizing data collection, ensuring data accuracy, and implementing security measures from the outset of processing activities.
What do Articles 35 and 36 cover?
-Set out the requirements for data protection impact assessments (DPIAs) and prior consultation with regulators.
-DPIAs are required for processing activities that are likely to result in high risks to rights and freedoms. Controllers must assess the impact of processing activities on data protection and consult regulators if necessary.
What does the NIS Directive cover?
-Advances the European Union’s cybersecurity agenda, complementing GDPR by indirectly bolstering the security of personal data.
-Requires the development of national cybersecurity strategies, security measures for operators of essential services and digital service providers, and enhanced cooperation between member states.
-Operators of essential services must take appropriate technical and organizational measures to manage risks and notify incidents having a significant impact.
-Sectors = energy, water, transport, health, banking, providers of digital infrastructures
What changes are proposed in NIS 2?
-Proposes bringing new sectors into regulation (postal & courier, waste, food supply, critical manufacturing - pharma)
-Introducing prescriptive risk management rules, coordinating risk assessments
-Introducing ICT certifications, and harmonizing financial penalty powers.
-It aims to enhance cybersecurity capabilities and cooperation between member states.
Why is personal data security considered a VIP in data protection?
-Security is crucial for compliance with other data protection principles. Insecurity can lead to unlawful data flows, inaccuracies, data proliferation, and distress to individuals.
-High-profile security breaches attract media attention and can cause significant harm, such as identity theft and financial loss (Recital 75).
What is the significance of the Safe Harbor and Privacy Shield cases?
-These cases highlighted the importance of international data transfers and led to the end of the Safe Harbor Framework and its successor, Privacy Shield, due to concerns about U.S. and UK surveillance activities.
What is the relationship between personal data security and cybersecurity?
-Personal data security and cybersecurity are closely related, with cybersecurity adding importance to personal data security.
-The European Union has passed legislation related to cybersecurity, overlapping with GDPR requirements, especially around breach notification.
What is the role of the accountability principle in security?
-Article 5(2)
-The accountability principle requires controllers to demonstrate compliance with GDPR, including security measures.
-Processors must also prove compliance, and controllers must ensure processors meet security obligations through contracts or other legal acts.
What is the role of the European Data Protection Board (EDPB) in breach notifications?
The EDPB provides guidelines on personal data breach notifications and communications, including case studies and assessment criteria for determining when notifications are required.
What are the key components of a strong security program?
-Includes situational awareness, threat landscape understanding, security maturity assessments, independent reviews, and scenario planning for incident preparedness and response.
What are the key considerations for data-sharing scenarios?
-Data-sharing scenarios require vendor security risk management, encryption of data in transit, transfer impact assessments (TIAs), and agreements on joint controller responsibilities.
What is the importance of the layered approach in security policy frameworks?
The layered approach involves creating high-level policy statements, detailed controls, and specific operating procedures to ensure comprehensive security measures.
What are the key attributes of an engaged management team for security?
An engaged management team treats security as a board-level issue, fosters a culture of risk awareness, constitutes a multidisciplinary team, allocates sufficient resources, and engages in planning exercises.
What are the key components of a good incident response plan?
includes formal approval by senior leadership, a governance model, decision-making principles, roles and responsibilities, outcome analysis, reporting unusual events, multidisciplinary expert views, performance exercises, metrics, public messaging templates, and benchmarking.
What should be included in the incident response plan for post-incident activities?
Dealing with third parties, handling breach disclosure, developing a litigation posture, and creating a communications plan.
Why is close cooperation between security and data privacy teams vital?
To ensure an effective response to security breaches, minimize harms, and reduce the risk of reportable events. Adhering to GDPR principles will likely reduce the impact of security incidents.
What are classed as high-level breaches that would require notification?
-Cyberattacks affecting online services that result in data exfiltration
-Ransomware attacks that encrypt data that are not backed up/ cannot be easily stored
-Hospital medical records being unavailable for 30 hours due to a cyberattack
-Direct marketing email to multiple individuals that discloses the email addresses to every recipient.
What are the WP29 Guidelines to assess a PD breach/ notification?
-Type of breach
-Nature,sensitivity & volume of PD affected
-How easy it will be for person tin receipt of compromised data to identify affected individuals
-Severity of consequences for affected individuals
-Special characteristics of individuals affected
-Special characteristics of controller
-Number of individuals affected
What are some factors controllers/processors should consider when designing cybersecurity responses?
-Performance of threat/ vulnerability assessments/ security maturity assessments
-Management of security
-Human factors
-Physical environment
-Cyber & tech environment
-Policy, controls & business processes framework
-Incident detection & response
