Chapter 2G: Security of Personal Data Flashcards

1
Q

A _____ is often a prerequisite to achieving compliance with other data protection principles?

A

State of security. E.g. insecurity could lead to the alteration of personal data, or the unlawful flow of personal data across international boundaries.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the potential repercussions of inadequate security?

A

In addition to being a very serious compliance failure in its own right, absence of security can cause serious noncompliance across the entire GDPR legislative framework.

Serious cases are guaranteed press and media attention, with international attention in worst cases.

Scale and harm when security issues are involved can be increased compared to other breaches of data protection principles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What article of the GDPR establishes the security principle?

A

Article 5(1)(f) - personal data ‘shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’ (intergrity and confidentiality)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Who has the obligation to prove that they are applying appropriate security measures?

A

Processor & controller

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Article 30 GDPR brings into effect a key step to deliver on security objectives and understand the full extent of data processing operations. What does it require?

A

Article 30(1) requires controllers to maintain records of processing activities under their responsibility, which should include ‘a general description of the technical and organisational security measures referred to in Article 32(1).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What does Article 32 of the GDPR set out?

A

Underpinning principles of security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What does Article 33 and 34 of the GDPR set out?

A

Personal data breach notification requirements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What three domains of security are covered by Article 32?

A

Preventative security - the controller and processor should act proactively to limit risks of insecurity

Incident detection and response - breaches are inevitable, so controller and processor need to detect possible security failures and respond appropriately - breach notification falls within this domain.

Remedial security - in relation to risks and incidents, the controller and processor need to take steps to improve security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The duty of security should reasonably include the scope of applicable risks, from accidents and negligence or deliberate and malevolent actions - controllers and processors are thus required to…

A

Implement controls to protect against complex technological threats, such as malware and denial-of-service attacks, but also other criminal threats, as to guard against negligent employees (appropriate technical and organisational measures).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

‘Appropriate’ indicates that GDPR does not require absolute security - meaning…

A

A controller or processor can suffer a security breach without being in violation of the law.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What does article 32 of the GDPR require re: assessment of controls?

A

A risk based approach to the assessment of what are/are not appropriate controls. The risk assessment must reflect the nature of the data to be processed and foreseeable threats that could exploit business process and technical system vulnerabilities. Sensitive data will require tighter controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is a state-of-the-art test?

A

The test requires controllers to consider industry best practices, not average. It requires controllers and processors to reflect upon professional opinion for security (i.e. if a body of reasonable informed security professionals consider that a particular control is appropriate, then the consensus should be considered by the controller/processor making a decision on whether to apply it)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Article 32(1)(a) identifies encryption, along with pseudonymisation, as…

A

A control that must be considered by controllers and processors during the design of security assessment. Integration of encryption as an express control in GDPR reflects an increasing awareness of industry-acceptable measures.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

The idea of maintaining ‘confidentiality, integrity, availability and resilience’ is lifted directly from…

A

The infosecurity industry.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A controller/processor that rules out a particular control on the account of cost alone will…

A

Not be treated favourably in the even of enforcement if the consequence is to deny security in circumstances that amount to a rejection of the consensus of professional opinion or its own ability to make the financial investment in the control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the essence of Article 32(4)?

A

People who have access to personal data under controllers or processors are working under circumstances that are paramount to creating a duty of confidence and must act within the boundaries of their instructions/not subvert the controllers position.

Art. 32 - Security of Processing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is the ‘insider threat’?

A

The risk posed by employees and other workers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

How can controllers and processors address the ‘insider threat’?

A

Have robust policies that alert employees to their responsibilities in handling personal data, provide them with role-based and regular training, and make clear the consequences for violating the policies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Can employees be monitored?

A

They can be subjected to reasonable monitoring but employers should be careful not to stray into committing workplace privacy violations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

How does Article 28(1) enact the intention to flow down the security principle and requirements into the processors organisation and through the supply chain to subprocessors?

A

Article 28 uses the device of limiting the controller’s use of processors to those who can provide ‘sufficient guarantees’ about implementation or appropriate technical and organisational measures for compliance with the regulation and protection of data subjects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

How can controllers comply with article 28 re: appropriate technical and organisational measures for security by processors?

A

The use of contracts is a key control mechanism, but controllers should focus on getting proof of the processor’s competence. There must be appropriate checking and vetting of a processor by the supplier via third party assessment or certification validation before and after a contract is created.

Processes of assurance must include processes of audit.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

If a controller cannot ascertain proof of a processor’s adequate technical and organisational measures of security…

A

If controller cannot establish proof of competence, it has to walk away or will be in automatic breach or article 28.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are the data breach requirements imposed by Article 33?

A

Controllers must notify data protection authorities about personal data breaches in certain circumstances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What are the data breach requirements imposed by Article 34?

A

Controllers must notify impacted individuals about personal data breaches in certain circumstances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What are the benefits of transparency surrounding breach notification to shine a light on operational failure?

A

Mitigation of loss and damage (people affected can take steps to protect their own interests)

Controllers, regulators and society understand the causes of failure, enabling the development of appropriate responses to minimise the risk of future events and their impact

Notification provides regulators with necessary information to perform their supervisory functions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

In 2009, the Citizens Rights Directive amended the ePrivacy directive 2002 to…

A

Create a breach disclosure regime for the providers of publicly available electronic communications services

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

What is the NIS Directive / Cyber Security Directive (the Directive on security of network and information systems)?

A

The EU Security of Networks & Information Systems (NIS) Directive aims to raise levels of cyber security and resilience of key systems across the EU. It has introduces comparable disclosure rules for critical infrastructure, online platforms and cloud computing services re: data breaches.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

What is the definition of ‘personal data breach’ (Article 4(12))?

A

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

A personal data breach needs to consist of an actual breach of security that actually leads to one of the negative outcomes prescribed; security breaches may not be personal data breaches.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

What does Article 33 set out (re notifying the regulator)?

A

Article 33 sets out the requirement to notify the regulator/keep registers of breaches and remedial actions.
Obligation to notify the regulator arises from the controller becoming aware of a breach.

30
Q

WP29 says that controllers should be able to recognise incidents as part of the process addressing them, which means controllers need -

A

Breach detection measures.

31
Q

What does a controller need to determine once a breach has been detected?

A

Whether its a personal data breach and, if so, whether it’s likely to cause a risk to the rights and freedoms of individuals.

32
Q

How long does a controller have to notify the regulator?

A

Without undue delay and within 72 hours of discovery.

33
Q

When can a controller be considered ‘aware’ of a breach?

A

When the controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.

34
Q

What do the WP29 guidelines advise on when a personal data breach should be notified?

A

Type or breach
Nature, sensitivity and volume of personal data effected
How easy it will be for a person to identify the individuals affected
Severity of consequences for individuals
Special characteristics of the individuals affected
Special characteristics of the controller
Number of individuals affected

35
Q

What is the European Union Agency for Cybersecurity (ENISA) and what does it do?

A

ENISA, the European Union Agency for Cybersecurity, is a centre of expertise for cyber security in Europe. ENISA helps the EU and EU countries to be better equipped and prepared to prevent, detect and respond to information security problems.

Controllers snd processors should refer to their methodology for assessing breach severity.

36
Q

What should a controller do if it is unable to provide all required information at the point of breach notification?

A

The WP29 says that controllers should give as much information as they can and not use the absence of information as an excuse to avoid notification.

37
Q

What are PETs?

A

Privacy-enhancing technologies are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals.

38
Q

Every time a personal data breach occurs, the controller should make an entry in its records (essentially equivalent to a notification to the regulator) - how long should the record bf held?

A

In perpetuity - although caution should be taken about the need to comply with the rules on retention periods for any personal data that forms part of the record.

39
Q

Should controllers record every data breach, regardless of whether it notified the regulator?

A

Yes - for both.

40
Q

What duty does a processor have re personal data breachers?

A

They must notify the controller without undue delay of any personal data breaches; however, processors should not perform the risk to rights and freedoms assessment, which is the controller’s responsibility.

41
Q

Under Article 34, when should a controller notify data subjects of personal data breaches?

A

If those breaches are likely to present high risks to their rights and freedoms; hence, there’s a severity threshold within Article 34.

(e.g. a breach of names and personal business email addresses to a third party might present a risk and trigger notification to the DPA, but not a high risk as many people openly share their business email address).

42
Q

What are the exceptions to notifying data subjects of high risk breaches?

A

Where measures have been taken to render personal data unintelligible, for instance, by use of encryption.

Where the controller has taken steps to prevent the high risks from materialising.

Where breach disclosure would involve disproportionate effort, which is most likely to arise where the controller is unable to identify all the individuals impacted - in this case, there should be some form of broad public announcement, perhaps via website statement or press release.

43
Q

What does Recital 75 say constitutes a high risk to the rights and freedoms of individuals?

A

Physical, material or non material damage

44
Q

What does Recital 76 say about the need for a risk assessment to review potential for high risk to rights and freedoms of individuals?

A

There is a need for a risk assessment whereby risks are evaluated on the basis of objective assessment referencing the nature, scope, context and purposes of the processing.

45
Q

With Recital 75+76 combined, what can ‘high risk’ be determined as?

A

Either through impact to a large number of data subjects or a large amount of damage to certain individuals.

46
Q

Examples of high-risk breaches that might require notification to individuals…

A

Cyberattacks affecting online services that result in data exfiltration

Ransomeware attacks that encrypt data that is not backed up or cannot be easily restored

Hospital medical records being unavailable for 30 hours due to a cyber attack

A direct marketing email disclosing the email addresses to every recipient

47
Q

Controllers and processors should address the following factors when designing their responses to security failure…

A

Performance of threat and vulnerability assessments and security maturity assessments
Management of security
Human factors
Physical environment
Cyber and technology environment
Policy, controls and business processors framework
Incident detection and response

48
Q

To be able to perform comprehensive risk assessments, an organisation needs to identify and understand the full information life cycle. The controller should…

A

Go through a full data mapping and inventory exercise to be able to pinpoint all points of data capture and data entry and should be able to plot the flow of data through the organisation until the point of redundancy is reached, when the data is finally deleted or destroyed.

49
Q

The growth of cloud computing, bring your own device (BYOD) strategies and ‘shadow ID’ can lead to…

A

A loss of control over an organisation’s data in a meaningful sense.

50
Q

Key components of a good culture for security…

A

Understanding people risks
Recruitment process (reflecting values of security)
Offer letter and contract of employment - embed org’s culture of security
Acceptance of job offers - the organisation has a timeframe to introduce the new recruit to its policy framework
Induction day - training for confidentiality and security and DP obligations
Continual role based trailing - policy, security threats and ownership of part to play
Monitoring of performance

51
Q

At the end of employment…

A

Physical assets need to be returned (laptops, phones, paper files)

Personal equipment must be cleansed of organisational data

Access rights and privileges need to be determined

Sufficient post-termination restrictions need to guarantee ongoing security and confidentiality need to be activated.

52
Q

Enforcement and supervision of data protection law can operate on an anticipatory basis, meaning…

A

regulators can take action if theres a risk a law will be breached in future.

53
Q

Beyond encryption, there are many mandatory security-enhancing technologies on the market, such as:

A
Antivirus
Antispam
Firewalls
Identity and access management
Incident detection
Data loss prevention
Two-factor authentication
IP log management
54
Q

The ability of technology stack to withstand cyberattacks and misuse should be tested - one way to do this is…

A

Penetration testing by ethical hackers.

55
Q

What physical environment security measures can be taken?

A

Sophisticated entry control systems
CCTV
Lock and key policy
Clean desk policy

These are as much a part of the picture as business continuity and disaster recovery and subject to the same restrictions as other monitoring controls.

56
Q

What obligations does a controller have for the engagement of data processors?

A

Choose reliable processors

Maintain quality control and compliance throughout duration of arrangements

Frame the relationship in a contract or other legally binding act that contains necessary provisions that require the processor to implement and maintain appropriate security measures, act only on the controller’s instructions, cooperate the the controller on compliance including breach disclosure and cascade these requirements through the supply chain

57
Q

The nature of contractual provisions can be more complex than suggested - for instance, contracts between two parties of unequal bargaining power or from EU and non-EU jurisdictions, or situations that involve loud computing due to difficulties knowing the precise nature of data processing operations given any moment in time. How can a controller shield itself from the accusation of non compliance?

A

Verifying that the processor is cognisant of the core requirements of data protection

Researching whether processor has suffered any recent/high profile breaches of confidentiality or security

Clarify whether currently or previously under investigation for any breaches of DP law

Identifying other clients

Accredited under ISO 27001, CBEST, PCI DSS or any comparable regime

Review their policy framework for security and DP

Carry out site visits, inspections, audit

Identify their places of establishment

Understand their supply chain and subcontracting

58
Q

When choosing a processor it’s important to identify the range of alternative providers in the market, this can help the controller because…

A

Where there’s inequality in bargaining position or the processor refuses to operate on other terms having evidence that there was no better alternative available on the market can support controller’s decisions in the sense that it can help the controller counter the argument that it should have placed its business elsewhere.

59
Q

What are suitable ongoing assurance measures?

A

On-site audits, inspections, testing, periodic assessments of compliance

60
Q

What are the core requirements of a good incident response plan?

A

Formal understanding/approval by senior leadership

Governance model connected to anticipatory aspects of incident response and otherwise

Principles for decision making

A list of who will be involved/roles

Forward looking outcome analysis

Compulsory reporting of unusual events

A MDT expert view at the point of detection

Performance exercises (e.g. table top incidents)

Performance metrics for successful responses

Templates of public messaging and comms

Benchmarking against peers in the marketplace

Updated schedule to make sure plan is in accordance with prevailing legal and regulatory environment

61
Q

It’s important for a controller to know as quickly as possible whether an incident rises to level of breach because…

A

If misclassified, it may reach the wrong conclusion on treatment and breach disclosure.

62
Q

What can disclosure (to regulator or customers) potentially trigger for organisations?

A

Investigation, queries or complaints or contentious legal business (enforcement action or litigation)

63
Q

How can organisations be prepared for regulatory enforcement action or litigation?

A

A litigation posture, which should be reflected in the incident response plan or playbook, which explains the roles to be played by internal and external legal advisors and the role of legal/professional privilege.

64
Q

What are the three focuses of the NIS Directive?

A
  • Compel development of national cybersecurity strategies and structures by EU member states (i.e. establishing national computer security incident response teams [CSIRTs], appointing cybersecurity regulators and identifying operators of essential service)

Improve security levels of operators of essential services and digital service providers by requiring member states to pass laws setting out security and incident notification requirements for these entitites

Seeks to enhance cooperation between member states by creation of the NIS Cooperation Group that will coordinate the CSIRTs and develop best practices, cooperation between the CSIRTS and between member states between their CSIRT and regulator communities.

65
Q

What can be defined as an essential service by the NIS Directive (Annex II)?

A

Operators are essential if they provide a service necessary for the maintenance of critical societal or economic activities, if their service depends on network and information systems, and if an incident would have a significant disruptive effect on the service.

66
Q

What’s listed in Annex III of the NIS DIrective?

A

Digital service providers (e.g. online marketplaces, search engines and cloud computing services - such as ebay, Google, Amazon).

67
Q

Under the NIS Directive, the security and incident notification requirements for operators of essential services include…

A
  • Taking appropriate / proportionate technical and organisational measures to manage risks posed to the security of their network and information systems. When deciding these measures, should have regard for the state of the art
  • Taking appropriate measures to prevent and minimise the impacts of incidents, with a view to maintaining continuity of services
  • Notifying their CSIRTs or regulators of incidents having a significant impact without undue delay
68
Q

Security measures to be imposed on digital service providers are effectively the same as imposed on operators of essential services, with a bit more granularity, including…

A

Security of systems and facilities

Incident handling

Business continuity management

Monitoring, auditing and testing

Compliance with international standards.

69
Q

What principles can an organisation incorporate to reduce the impact of a security incident?

A

Data minimisation and data retention plans.

70
Q

What are the fines for breaches of security and incident notification requirements?

A

Member states can create their own provided they are effective, proportionate and dissuasive.