Chapter 2G: Security of Personal Data Flashcards
A _____ is often a prerequisite to achieving compliance with other data protection principles?
State of security. E.g. insecurity could lead to the alteration of personal data, or the unlawful flow of personal data across international boundaries.
What are the potential repercussions of inadequate security?
In addition to being a very serious compliance failure in its own right, absence of security can cause serious noncompliance across the entire GDPR legislative framework.
Serious cases are guaranteed press and media attention, with international attention in worst cases.
Scale and harm when security issues are involved can be increased compared to other breaches of data protection principles.
What article of the GDPR establishes the security principle?
Article 5(1)(f) - personal data ‘shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’ (intergrity and confidentiality)
Who has the obligation to prove that they are applying appropriate security measures?
Processor & controller
Article 30 GDPR brings into effect a key step to deliver on security objectives and understand the full extent of data processing operations. What does it require?
Article 30(1) requires controllers to maintain records of processing activities under their responsibility, which should include ‘a general description of the technical and organisational security measures referred to in Article 32(1).
What does Article 32 of the GDPR set out?
Underpinning principles of security.
What does Article 33 and 34 of the GDPR set out?
Personal data breach notification requirements.
What three domains of security are covered by Article 32?
Preventative security - the controller and processor should act proactively to limit risks of insecurity
Incident detection and response - breaches are inevitable, so controller and processor need to detect possible security failures and respond appropriately - breach notification falls within this domain.
Remedial security - in relation to risks and incidents, the controller and processor need to take steps to improve security.
The duty of security should reasonably include the scope of applicable risks, from accidents and negligence or deliberate and malevolent actions - controllers and processors are thus required to…
Implement controls to protect against complex technological threats, such as malware and denial-of-service attacks, but also other criminal threats, as to guard against negligent employees (appropriate technical and organisational measures).
‘Appropriate’ indicates that GDPR does not require absolute security - meaning…
A controller or processor can suffer a security breach without being in violation of the law.
What does article 32 of the GDPR require re: assessment of controls?
A risk based approach to the assessment of what are/are not appropriate controls. The risk assessment must reflect the nature of the data to be processed and foreseeable threats that could exploit business process and technical system vulnerabilities. Sensitive data will require tighter controls.
What is a state-of-the-art test?
The test requires controllers to consider industry best practices, not average. It requires controllers and processors to reflect upon professional opinion for security (i.e. if a body of reasonable informed security professionals consider that a particular control is appropriate, then the consensus should be considered by the controller/processor making a decision on whether to apply it)
Article 32(1)(a) identifies encryption, along with pseudonymisation, as…
A control that must be considered by controllers and processors during the design of security assessment. Integration of encryption as an express control in GDPR reflects an increasing awareness of industry-acceptable measures.
The idea of maintaining ‘confidentiality, integrity, availability and resilience’ is lifted directly from…
The infosecurity industry.
A controller/processor that rules out a particular control on the account of cost alone will…
Not be treated favourably in the even of enforcement if the consequence is to deny security in circumstances that amount to a rejection of the consensus of professional opinion or its own ability to make the financial investment in the control
What is the essence of Article 32(4)?
People who have access to personal data under controllers or processors are working under circumstances that are paramount to creating a duty of confidence and must act within the boundaries of their instructions/not subvert the controllers position.
Art. 32 - Security of Processing
What is the ‘insider threat’?
The risk posed by employees and other workers.
How can controllers and processors address the ‘insider threat’?
Have robust policies that alert employees to their responsibilities in handling personal data, provide them with role-based and regular training, and make clear the consequences for violating the policies.
Can employees be monitored?
They can be subjected to reasonable monitoring but employers should be careful not to stray into committing workplace privacy violations.
How does Article 28(1) enact the intention to flow down the security principle and requirements into the processors organisation and through the supply chain to subprocessors?
Article 28 uses the device of limiting the controller’s use of processors to those who can provide ‘sufficient guarantees’ about implementation or appropriate technical and organisational measures for compliance with the regulation and protection of data subjects.
How can controllers comply with article 28 re: appropriate technical and organisational measures for security by processors?
The use of contracts is a key control mechanism, but controllers should focus on getting proof of the processor’s competence. There must be appropriate checking and vetting of a processor by the supplier via third party assessment or certification validation before and after a contract is created.
Processes of assurance must include processes of audit.
If a controller cannot ascertain proof of a processor’s adequate technical and organisational measures of security…
If controller cannot establish proof of competence, it has to walk away or will be in automatic breach or article 28.
What are the data breach requirements imposed by Article 33?
Controllers must notify data protection authorities about personal data breaches in certain circumstances.
What are the data breach requirements imposed by Article 34?
Controllers must notify impacted individuals about personal data breaches in certain circumstances.
What are the benefits of transparency surrounding breach notification to shine a light on operational failure?
Mitigation of loss and damage (people affected can take steps to protect their own interests)
Controllers, regulators and society understand the causes of failure, enabling the development of appropriate responses to minimise the risk of future events and their impact
Notification provides regulators with necessary information to perform their supervisory functions.
In 2009, the Citizens Rights Directive amended the ePrivacy directive 2002 to…
Create a breach disclosure regime for the providers of publicly available electronic communications services
What is the NIS Directive / Cyber Security Directive (the Directive on security of network and information systems)?
The EU Security of Networks & Information Systems (NIS) Directive aims to raise levels of cyber security and resilience of key systems across the EU. It has introduces comparable disclosure rules for critical infrastructure, online platforms and cloud computing services re: data breaches.
What is the definition of ‘personal data breach’ (Article 4(12))?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
A personal data breach needs to consist of an actual breach of security that actually leads to one of the negative outcomes prescribed; security breaches may not be personal data breaches.