Datafication 7 - Security, Risks & Data Breach Flashcards

1
Q

Security of Processing Art. 32

A
  • Taking into account a) state of the art, b) costs of implementation, c) nature / scope/ context / purpose of processing & d) risk of likelihood & severity for rights & freedom of natural person
  • the dc & dp shall implement appropriate a) technical & b) organizational measures
  • to ensure a level of security appropriate to the risk
2
Q

Security of Processing Art. 32 - technical measures

A
  • physical = secure against physical access
  • digital / IT security = secure all digital activities in all digital systems & devices
    but often interdependent
3
Q

Security of Processing Art. 32 - technical measures - digital e.g.

A
  • e.g. securing servers, laptops, home workstations, networks
  • e.g. connecting personal devices might be risky (-> prohibiting or restricting)
4
Q

Security of Processing Art. 32 - technical measures - physical e.g.

A
  • e.g. control access cards to physical stored pd
  • e.g. shell security = security of the exterior of the building, e.g. locking entries
5
Q

Security of Processing Art. 32 - organizational measures

A

1) trainings & policies for behavior -> targeted to relevant audience e.g. HR
2) clauses in employee contract
3) division of processing into functional areas to clearly assign purpose & responsibility to processing, e.g. HR

6
Q

Goal of security is to protect pd from:

A
  • Unauthorized access (e.g. hacking, phishing, accidental disclosure)
  • Destruction (e.g. intentional or accidental, fire, flood)
  • Accidental loss (e.g. lost USB, laptop)
  • Change (e.g. software corruption, damage to hardware)
7
Q

Risk assessments

A
  • before processing
  • risk assessment by comparing
  • risk of data subjects’ rights (! not risk of company, authority etc.) (likelihood & seriousness)
  • against measures to protect these rights
  • “worst case scenario”: what happens if appropriate technical & organizational measures not implemented
  • level of security should be according to concrete risk, technical level & implementation cost
8
Q

Risk assessment - levels

A

1) Simple: for all types of processing
2) Extended: when expected high risk (= impact assessment or DPIA)

9
Q

Risk assessment - intention to risk of ds:

A
  • Physical injury
  • Material or intangible damage
  • Discrimination
  • Identity theft or fraud
  • Economic impact
  • Damage to reputation & Social consequences
  • Influence on privacy
  • Damage to human dignity
  • Damage to legitimate interest
  • Restriction / violation of fundamental rights & freedoms
  • obstacle in exercising control over own pd
10
Q

Risk assessment - elements

A
  • likelihood & seriousness of risk
  • by reference to processing operation: Character, scope, context & purpose
  • On basis of objective assessment: risk or higher risk
11
Q

Risk assessment - methodology

A

= no formal requirements but must include:
- What is data processing?
- What pd
- Which categories of ds
- What purpose
- What tools
- In which environment & where is processed
- Who received pd

12
Q

Data Protection Impact Assessments Art. 35 (DPIA)

A
  • assessment of the impact of planned processing operations on the protection of pd
  • if high risk (no clear line when), especially when:
  • automated decision-making with significant effect
  • processing sensitive or criminal data on large scale
  • surveillance of public area on large scale
  • especially when > 2:
  • evaluation or analysis
  • systematic monitoring
  • AI (risk of biases -> discrimination)
  • sensitive info
  • ds to extensive processing
  • matching / combination of data sets
  • info on vulnerable ds (e.g. children)
  • use new technology
  • processing itself prevents ds from exercising rights or making use of service / contract
13
Q

DPIA examples when required

A
  • e.g. bank uses algorithms & automated decision if to terminate a loan in contractual relationship -> AI risk of biases & discrimination
  • e.g. hospital wants to implement a new health information database with patients health records -> sensitive info
  • e.g. bus company wants to implement surveillance cameras in buses to monitor drivers & passenger behavior -> surveillance of public areas on large scales
14
Q

DPIA - elements

A
  • Same as simple risk assessment
  • Focus on risk & measures
15
Q

Personal Data (security) Breach Art. 4(1)(12) & 33 & 44

A
  • breach of security leading to
  • accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to pd transmitted, stored, or otherwise processed
  • dc obligations: Art. 33 & 44 only if data breach poses a risk to ds (but always document)
16
Q

Personal Data (security) Breach - dc obligations 33 & 44

A
  • Notification to the Supervisory authority Art. 33
  • Communication to data subject Art. 34
17
Q

Data Breach - Notification to the Supervisory authority Art. 33

A
  • dc must notify pd breach to SA
  • Exception: breach unlikely to result in risk to rights & freedoms of natural persons -> dc must prove (principle of accountability)
18
Q

Data Breach - Notification to the Supervisory authority Art. 33, timing

A
  • Without undue delay
  • where feasible not later than 72 hours after becoming aware (if not: notification shall include reasons for delay)
19
Q

Data Breach - Notification to the Supervisory authority Art. 33, content

A
  • Nature including categories & approximate number of ds & pd records
  • DPO (or other contact point)
  • Likely consequences
  • Measures
20
Q

Data breach - Communication to data subject Art. 34

A
  • Dc must notify pd breach to ds (allow him/her to take necessary precautions)
  • only if: pd breach likely to result in high risk to rights & freedoms of natural persons -> dc must prove (principle of accountability)
21
Q

Data breach - Communication to data subject Art. 34 - exceptions

A
  • dc implemented appropriate technical & organisational protection measures (e.g. personal data unintelligible to any person not authorised to access it, code -> need of encryption)
  • dc has taken subsequent measures which ensure that high risk to rights & freedoms of dc unlikely
  • Would involve disproportionate effort (e.g. need of public communication)
22
Q

Data breach - Communication to data subject Art. 34 - timing, content & form

A
  • Timing: Without undue delay
  • Content of communication: Art. 33
  • Form of communication: clear & plain language
23
Q

e.g. online webshop cyber attack -> credit card info stolen

A
  • high risk to ds
  • dc need to report to ds without delay
24
Q

e.g. loss of laptop or USB containing pd

A
  • if pd encrypted, backup exists, unique key not compromised, data restored in good time -> may not be necessary to report
25
Q

e.g. employee accidentally uploads file with e-mail addresses of customers to company's website, employee immediately notices, IT determines that no visitors to website & no copies to search engine of list

A
  • probability that file known to unauthorised parties very low
  • not reported to DPA
26
Q

e.g. municipality all info about employees on server which is backed up to cloud solution, server totally damaged by water, pd can be restored by cloud

A
  • not reported
27
Q
  • e.g. insurance agent by e-mail able to access info to customers not belonging to his scope (no sensitive data)
  • agent instantly reported to dc, dc corrected file & sent out again asking agent to delete former message, agent has to & did confirm deletion in written statement
A
  • internal documentation
  • no notification to SA or ds
28
Q
  • e.g. break-in to children's day-care center 2 tablets stolen incl. app with pd of children (name, date of birth, education info)
  • encrypted tablet turned off & app both protected by strong PW, back-up data available, shortly after awareness of break-in tablets wiped
A
  • internal documentation
  • no notification to SA or ds
29
Q
  • list of participants in course by mistake sent to 15 former participants (names, e-mail, food preferences)
  • none of participants have protected identity, dc discovers immediately & informs recipients of mistake & ask to delete
A
  • internal documentation
  • no notification to SA or ds