Datafication 7 - Security, Risks & Data Breach Flashcards
Security of Processing Art. 32
- Taking into account a) state of the art, b) costs of implementation, c) nature / scope/ context / purpose of processing & d) risk of likelihood & severity for rights & freedom of natural person
- the dc & dp shall implement appropriate a) technical & b) organizational measures
- to ensure a level of security appropriate to the risk
Security of Processing Art. 32 - technical measures
- physical = secure against physical access
- digital / IT security = secure all digital activities in all digital systems & devices
but often interdependent
Security of Processing Art. 32 - technical measures - digital e.g.
- e.g. securing servers, laptops, home workstations, networks
- e.g. connecting personal devices might be risky -> prohibiting or restricting)
Security of Processing Art. 32 - technical measures - physical e.g.
- e.g. control access cards to physical stored pd
- e.g. shell security = security of the exterior of the building, e.g. locking entries
Security of Processing Art. 32 - organizational measures
1) trainings & policies for behavior -> targeted to relevant audience e.g. HR
2) causes in employee contract
3) division of processing into functional areas to clearly assign purpose & responsibility to processing, e.g. HR
Goal of security is to protect pd from:
- Unauthorized access (e.g. hacking, phisching, accidental disclosure)
- Destruction (e.g. intentional or accidental, fire flood)
- Accidental loss (e.g. lost USB, laptop)
- Change (e.g. software corruption, damage to hardware)
Risk assessments
- before processing
- risk assessment by comparing
- risk of data subjects’ rights (! not risk of company, authority etc.) (likelihood & seriousness)
- against measures to protect these rights
- “worst case scenario”: what happens if appropriate technical & organizational measures not implemented
- level of security should be according to concrete risk, technical level & implementation cost
Risk assessment - levels
1) Simple: for all types of processing
2) Extended: when expected high risk (= impact assessment or DPIA)
Risk assessment - intention to risk of ds:
- Physical injury
- Material or intangible damage
- Discrimination
- Identity theft or fraud
- Economic impact
- Damage to reputation & Social consequences
- Influence on privacy
- Damage to human dignity
- Damage to legitimate interest
- Restriction / violation of fundamental rights & freedoms
- obstacle in exercising control over own pd
Risk assessment - elements
- likelihood & seriousness of risk
- by reference to processing operation: Character, scope, context & purpose
- On basis of objective assessment: risk or higher risk
Risk assessment - methodology
= no formal requirements but must include:
- What is data processing?
- What pd
- Which categories of ds
- What purpose
- What tools
- In which environment & where is processed
- Who received pd
Data Protection Impact Assessments Art. 35 (DPIA)
- assessment of the impact of planned processing operations on the protection of pd
- if high risk (no clear line when), especially when:
- automated decision-making with significant effect
- processing sensitive or criminal data on large scale
- surveillance of public area on large scale
- especially when > 2:
- evaluation or analysis
- systematic monitoring
- AI (risk of biases -> discrimination)
- sensitive info
- ds to extensive processing
- matching / combination of data sets
- info on vulnerable ds (e.g. children)
- use new technology
- processing itself prevents ds from exercising rights or making use of service / contract
DPIA examples when required
- e.g. bank uses algorithms & automated decision if to terminate a loan in contractual relationship -> AI risk of biases & discrimination
- e.g. hospital wants to implement a new health information database with patients health records -> sensitive info
- e.g. bus company wants to implement surveillance cameras in buses to monitor drivers & passenger behavior -> surveillance of public areas on large scales
DPIA- elements
- Same as simple risk assessment
- Focus on risk & measures
Persona Data (security) Breach Art. 4(1)(12) & 33 & 44
- breach of security leading to
- accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to pd transmitted, stored, or otherwise processed
- dc obligations: Art. 33 & 44 only if data breach poses a risk to ds (but always document)