GDPR Flashcards
What is GDPR?
It stands for General Data Protection Regulation (Regulation (EU) 2016/679). It applies in all EU member states and, through the EEA agreement, in Iceland, Liechtenstein and Norway. It replaced the Data Protection Directive 95/46/EC (in the UK, the Data Protection Act 1998 that implemented that directive) and has applied since 25 May 2018.
It is a Regulation, which means it is directly applicable in every member state without national transposition (unlike a Directive). It is composed of Articles (the binding law itself) and Recitals (explanatory notes in the preamble that help interpret the Articles).
Until May 2018 the central guidance body was the Article 29 Working Party, a set of delegates (one or more for each European country, drawn from the national data protection authorities) that coordinated the application of data protection law. The GDPR replaced it with the European Data Protection Board (EDPB), which issues guidelines and ensures that the regulation is applied consistently across the EU.
The GDPR requires one or more “Supervisory Authorities” in each country: the national data protection authority. For example, in Italy it is the “Garante per la protezione dei dati personali”.
This matters because the regulation applies throughout Europe, but enforcement and supervision happen at national level, so there must be a national body in charge (the Supervisory Authority).
Personal data
It is any information relating to an identified or identifiable living natural person (the “data subject”): names, identification numbers, location data, online identifiers, photographs, reports from supervisors…
The rules cover both automated processing and manual filing systems, so the GDPR protects personal data independently of where and how they are stored.
Sensitive Personal Data
They are also called Special Category Personal Data (Art. 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person’s sex life or sexual orientation. Processing them is prohibited unless one of the conditions of Art. 9(2) applies (for example explicit consent).
Data controller, data processor and data processing
The data controller determines the purposes and the means of the processing, i.e. why and how personal data are processed.
The data processor processes personal data on the controller’s behalf, following the controller’s instructions.
Data processing is any operation performed on personal data, including collecting, storing, using, deleting and sharing them.
Data properties (the principles of Art. 5)
- lawfulness: the processing must rest on one of the legal bases of Art. 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests) and must not breach other laws
- fairness: data subjects must be made aware of the processing, typically with a privacy notice
- transparency: information about the processing must be concise, clear and easily accessible to the data subject
- purpose limitation: data shall be collected for specified and legitimate purposes and not further processed in a manner that is incompatible with the declared purposes
- data minimisation: collected data shall be relevant and limited to what is necessary in relation to the declared purposes
- accuracy: data shall be accurate and, where necessary, kept up to date
- storage limitation: data shall be kept in a form which permits the identification of the subjects for no longer than is necessary for the declared purposes
- integrity and confidentiality: data shall be processed with appropriate security against unauthorised or unlawful processing and against accidental loss, destruction or damage
Personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Art. 4(12)). Note that it covers availability (loss, destruction) and integrity (alteration), not only confidentiality.
If the breach is likely to result in a risk to the rights and freedoms of individuals, the data controller must notify the Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33). If the breach is likely to result in a high risk, the affected individuals must be informed as well (Art. 34). A processor must notify the controller without undue delay after becoming aware of a breach.
Data transfer
Sometimes personal data need to be moved to another country where the GDPR does not apply; the GDPR protects that kind of transfer too. It restricts the transfer of personal data outside the EEA (European Economic Area, which is larger than the European Union) to third countries or international organisations (e.g. the United Nations).
The European Commission may decide that a non-EEA country ensures an adequate level of data protection (an “adequacy decision”, Art. 45). Otherwise, if there is no adequacy decision, the transfer can take place only if there are appropriate safeguards (Art. 46), which can be legal or technical, such as:
* Agreements: for example the Standard Contractual Clauses (SCCs), model contracts approved by the Commission and signed between the data exporter and the data importer. Consider an iPhone/Mac bought in Italy: the customer’s data are transferred to the USA because Apple keeps one central management system for all its shops worldwide. Such a transfer can be covered by SCCs between the exporting EU entity and the importing US entity, and the customer is informed of it in the privacy notice accepted at purchase. This is a legal safeguard.
* In the past there was an EU-US agreement called the Privacy Shield, which set out the safeguards to apply when data were transferred between Europe and the US. It was invalidated by the Court of Justice of the EU in July 2020 (the “Schrems II” judgment) because US surveillance law (in particular FISA Section 702 and Executive Order 12333) lets the US government access data stored on US territory regardless of whether the person is a US citizen, without giving EU residents effective redress. This is tricky because a non-US citizen is not subject to the US government, so why should it have the right to access their data? (A successor framework, the EU-US Data Privacy Framework, was adopted in July 2023.) This creates big troubles in cloud computing, because the customer often does not know where data are physically stored. Today, when an infrastructure is created, it is possible to restrict the geographic region in which storage and compute resources are deployed, precisely to avoid this problem. China and several other countries have similar laws granting their governments access to data stored locally.
Information Lifecycle Management
These are REQUIREMENTS to meet in order to achieve data protection.
- Information Asset Register - IAR: a register listing all the personal data that are being processed (what they are, where they are, why and by whom they are processed)
- Data Flow Mapping - DFM: a map of where data flow, how they are transmitted, where they are stored and how they are processed
- Risk Assessment: needed to identify the risks that may compromise personal data
- Privacy Notice: it can only be written after the DFM exists; the user must be informed with an adequate privacy notice about all these things (the data will be stored for this amount of time, they will be processed in this way, maybe they will be exported to the cloud, etc.)
- System Level Security Policy: needed to protect against identified risks
EU-GDPR art. 25
Paragraph 1
~~~
Taking into account
the state of the art,
the cost of implementation
and the nature, scope, context and purposes of processing
as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing,
the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself,
implement appropriate technical and organisational measures, such as pseudonymisation,
which are designed to implement data-protection principles such as data minimisation, in an effective manner
and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
~~~
The paragraph mentions costs because, for a small company, the GDPR does not expect you to spend more than you earn: the protection must be proportionate to the value (and risk) of the data and to the means of the organisation.
Risks are mentioned because, as we saw above, we first list where data are stored, transmitted and processed (the DFM) and then evaluate the risks.
“Both at the time of the determination of the means for processing and at the time of the processing itself” means that appropriate measures are needed not only when the system is designed, but every day while the processing goes on.
Paragraph 2
~~~
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
That obligation applies to:
* the amount of personal data collected,
* the extent of their processing,
* the period of their storage,
* and their accessibility.
In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
~~~
Paragraph 3
~~~
“An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.”
~~~
Privacy by Design
Each application that uses personal data must consider their protection in every design and implementation phase.
The data controller and processor must be able to demonstrate that adequate security measures are in place and that the privacy principles are continuously applied and verified.
Ann Cavoukian, the former Information and Privacy Commissioner of Ontario (Canada), defined the 7 principles of Privacy by Design:
1. Proactive not reactive; preventative not remedial: anticipate and prevent privacy risks rather than limiting the damage afterwards
2. Privacy as the default setting: privacy must be applied automatically, the user should not have to ask for it; data are kept only as long as they are needed, without the user having to request deletion
3. Privacy embedded into design: privacy must be considered in the design of IT architectures, business processes and operations, and of the technologies used, not bolted on at the last minute
4. Full functionality (positive-sum, not zero-sum): privacy must be a basic component of the system, not something that reduces its functionality; avoid false trade-offs such as privacy versus security
5. End-to-end security, full lifecycle protection: privacy does not cover only the moment data are in use; it must hold also while data are stored and when they are deleted
6. Visibility and transparency: the system’s privacy practices should be verifiable by an external party, so that the adopted operations and solutions are transparent to data subjects and providers alike
7. Respect for user privacy: keep the approach user-centric, with correct privacy management as the main goal
Privacy Impact Assessment
The GDPR formalises it as the Data Protection Impact Assessment (DPIA, Art. 35), which is mandatory when the processing is likely to result in a high risk for individuals (e.g. large-scale processing of special category data, systematic monitoring of public areas). It aims to:
- identify the personal data involved and discuss them with the stakeholders
- identify the risks, taking into account the stakeholders’ perception
- identify good countermeasures
- define protection rules
- implement the rules and countermeasures
- define rules and mechanisms for review and audit
Accountability principle
The data controller must be able to demonstrate that it has adopted a complete set of legal, organisational and technical measures to protect personal data, such that the processing is compliant with the GDPR (Art. 5(2)).
EU-GDPR art. 32
Article 32 deals with technical and organisational measures, and it repeats the same opening formula: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate...”
(par. 1)
“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
(par. 2)
The measures listed in Art. 32(1) are:
* the pseudonymisation and encryption of personal data
* the ability to ensure the ongoing confidentiality, integrity, availability and resilience (continuing to operate, even in a degraded way, despite an attack) of processing systems and services
* the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
* a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
= Cybersecurity + Business Continuity + Disaster Recovery
Taken together, privacy needs: cybersecurity, of course, because the text speaks of confidentiality, integrity and availability (CIA); business continuity, because “resilience” and “availability” mean that the system keeps working even when there is a problem; and disaster recovery, because “the ability to restore availability and access” after a physical incident means being able to rebuild operations elsewhere.
Business continuity and disaster recovery are different concepts: the first means that the system is replicated somewhere else, so that when a technical problem occurs it keeps operating; disaster recovery means that if, for example, a flood covers all of Turin, within 2-3 days a site in Rome can be brought up and operations restarted.
Anonymisation and pseudonymisation
Anonymisation
All data that may lead to the identification of a subject are removed or generalised, so that the person can no longer be identified; anonymised data fall outside the GDPR (Recital 26). Caveat: removing names is not enough, because the remaining attributes (postcode, birth date, habits studied with statistical techniques) can still be linked with other data sets to re-identify a person.
Pseudonymisation
All data that lead to identification are replaced with a pseudonym, and the correspondence between real identity and pseudonym is kept in a separate, protected table (Art. 4(5)). The real identity can be recovered when needed, so pseudonymised data are still personal data under the GDPR, but the risk for the subject is reduced.
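The following is an added example, not part of the original flashcards, that shows the difference between the two techniques on constructed records of fictitious people: a keyed pseudonym table that keeps records linkable and reversible only for the holder of the table, and an irreversible anonymisation that also generalises the quasi-identifiers. The k-anonymity check shows why dropping names alone is not anonymisation. Field names, the HMAC key and the records are assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# Constructed records (fictitious people). "name"/"email" identify directly;
# "zip"/"birth_year" are quasi-identifiers that identify in combination.
RECORDS: List[dict] = [
    {"name": "Anna Rossi", "email": "anna.rossi@example.org", "zip": "10129", "birth_year": 1984, "diagnosis": "asthma"},
    {"name": "Luca Bianchi", "email": "luca.bianchi@example.org", "zip": "10129", "birth_year": 1988, "diagnosis": "diabetes"},
    {"name": "Anna Rossi", "email": "anna.rossi@example.org", "zip": "10129", "birth_year": 1984, "diagnosis": "allergy"},
    {"name": "Marta Verdi", "email": "marta.verdi@example.org", "zip": "10139", "birth_year": 1985, "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("zip", "birth_year")


class Pseudonymiser:
    """Reversible: direct identifiers are replaced by a pseudonym, and the
    pseudonym -> identity table is the 'additional information' that Art. 4(5)
    requires to be kept separately and protected."""

    def __init__(self, key: bytes) -> None:
        self._key = key                   # hypothetical secret, e.g. from a KMS
        self._table: Dict[str, str] = {}  # pseudonym -> real identity

    def pseudonym(self, identity: str) -> str:
        # Keyed HMAC instead of a bare hash: the same person always gets the
        # same pseudonym (records stay linkable), but without the key nobody
        # can recompute pseudonyms from a list of guessed e-mail addresses.
        tag = hmac.new(self._key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._table[tag] = identity
        return tag

    def pseudonymise(self, record: dict) -> dict:
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = self.pseudonym(record["email"].lower())
        return out

    def reidentify(self, pseudonym: str) -> str:
        # Only whoever holds the table (and is authorised) can do this.
        return self._table[pseudonym]


def anonymise(record: dict) -> dict:
    """Irreversible: drop direct identifiers AND generalise quasi-identifiers
    (postcode truncated to 3 digits, birth year reduced to a decade)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip"] = out["zip"][:3] + "**"
    out["birth_year"] = f"{out['birth_year'] // 10 * 10}s"
    return out


def k_anonymity(records: List[dict], keys: Tuple[str, ...] = QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means some record is unique on those attributes and can be linked
    back to a person using an external data set (voter roll, social profile)."""
    groups = Counter(tuple(str(r[k]) for k in keys) for r in records)
    return min(groups.values())


def demo(key: bytes = b"constructed-demo-key") -> dict:
    p = Pseudonymiser(key)
    pseudo = [p.pseudonymise(r) for r in RECORDS]
    anon = [anonymise(r) for r in RECORDS]
    return {
        "pseudonymised": pseudo,
        "anonymised": anon,
        "k_after_pseudonymisation": k_anonymity(pseudo),
        "k_after_anonymisation": k_anonymity(anon),
        "reidentified_first": p.reidentify(pseudo[0]["subject"]),
    }


if __name__ == "__main__":
    result = demo()
    for row in result["pseudonymised"]:
        print(row)
    print("k after dropping names only:", result["k_after_pseudonymisation"])  # 1
    print("k after generalisation:", result["k_after_anonymisation"])  # 4
```

With names and e-mails removed but postcode and birth year intact, two of the four records are still unique (k = 1), which is exactly the linkage risk described above; only after generalising the quasi-identifiers do all records share the same group (k = 4). The pseudonymised set, by contrast, is meant to stay linkable: both records of the same fictitious person receive the same pseudonym, and a different key yields entirely different pseudonyms.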
Confidentiality, integrity, availability and resiliency
Confidentiality is obtained through data encryption and access control. With encryption it is intrinsic: whoever lacks the key cannot read the data. With access control it derives from the procedure that grants access, and since that procedure can fail or be abused, logs are needed to audit accesses and understand what went wrong.
Integrity: detection of (unauthorised) data modifications, e.g. with checksums, message authentication codes or digital signatures.
Availability and resilience: especially important for data that must be accessible to the owner at any time. They are obtained with redundancy (multiple copies of the data and multiple servers) and monitoring (e.g. to know when capacity is running out).
GDPR applicability
Any organisation is subject to the GDPR if it processes personal data in the context of an establishment in the EU, or if it processes the data of people who are in the EU while offering them goods or services or monitoring their behaviour, regardless of its size and of where it is located (Art. 3).
Records of processing activities (art. 30)
Article 30 of the GDPR requires organisations to maintain a record of processing activities, listing all the personal data processing operations that the organisation carries out, to ensure transparency and to demonstrate compliance.
However, organisations with fewer than 250 employees are exempt from keeping this record unless any of the following applies (Art. 30(5)):
* the processing is likely to result in a risk to the rights and freedoms of data subjects (for example, if it could lead to harm, discrimination or financial loss)
* the processing is not occasional, i.e. it is done regularly or systematically
* the processing includes special categories of data (Art. 9) or data relating to criminal convictions and offences (Art. 10)
Key points required in the record (Art. 30(1)):
* the name and contact details of the controller (and of the data protection officer, if any)
* the purposes of the processing
* the categories of data subjects and of personal data
* the categories of recipients, including transfers to third countries or international organisations
* where possible, the time limits for erasure of the different categories of data
* where possible, a general description of the technical and organisational security measures in place to protect the personal data (e.g. encryption, access control, staff training, etc.)
Data Destruction and loss
If data are destroyed or lost, recovery requires a good backup technique and strategy.
Backups must follow these guidelines:
* Offline (otherwise the backup itself may be attacked, e.g. encrypted by the same ransomware that hit the production data)
* Offsite (otherwise the backup itself may be hit by the same disaster)
* Automated, with minimal or ideally no manual operations, to minimise/avoid human errors
* Periodic, with a defined retention (how far back can the data history be reconstructed?)
* Verified, both immediately after creation (to catch media or transport errors) and periodically (to catch technical obsolescence or wear-out of the support): right after the backup is created, try to re-read it, because if the external disk is broken it might not be detected until someone actually reads it.
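The following is an added example, not part of the original flashcards, of the "verified" guideline in working form: the backup writes a manifest of per-file SHA-256 hashes, and the verification step re-reads every member from the archive itself (not from the source) and compares it with the manifest, so the same function serves both the immediate check and the periodic one. The demo simulates a faulty medium by flipping one bit of the archive. File names, paths and contents are constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
import zlib
from datetime import datetime, timezone
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and return a manifest with the
    SHA-256 of each file as it was read from disk. The manifest is written
    next to the archive here for simplicity; in practice keep it with the
    offsite catalogue, so a corrupted medium cannot also corrupt the
    reference hashes."""
    manifest = {"created": datetime.now(timezone.utc).isoformat(), "files": {}}
    with tarfile.open(archive, "w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest["files"][rel] = sha256_bytes(path.read_bytes())
            tar.add(path, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Re-read every member from the archive (never from the source) and
    compare its hash with the manifest. Returns a list of findings; an empty
    list means the backup is intact and complete. Run it right after creation
    and again on a schedule (bit rot, ageing media)."""
    findings = []
    seen = set()
    expected = manifest["files"]
    try:
        with tarfile.open(archive, "r") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                if member.name not in expected:
                    findings.append(f"unexpected member: {member.name}")
                    continue
                data = tar.extractfile(member).read()
                if sha256_bytes(data) != expected[member.name]:
                    findings.append(f"hash mismatch: {member.name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # Unreadable medium or truncated archive: report instead of crashing.
        findings.append(f"archive unreadable: {exc}")
    for name in expected:
        if name not in seen:
            findings.append(f"missing member: {name}")
    return findings


def demo() -> tuple:
    """Constructed scenario: back up two small files, verify immediately,
    then simulate a faulty disk by flipping one bit and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "data"
        source.mkdir()
        (source / "customers.csv").write_text("id,zip\n1,10129\n2,20121\n")
        (source / "notes.txt").write_text("constructed sample, not real data\n")
        archive = root / "backup-2024-01-31.tar"

        manifest = create_backup(source, archive)
        fresh = verify_backup(archive, manifest)

        raw = bytearray(archive.read_bytes())
        pos = raw.index(b"10129")  # a byte inside customers.csv's content
        raw[pos] ^= 0x01           # single bit error on the medium
        archive.write_bytes(bytes(raw))
        after_corruption = verify_backup(archive, manifest)
    return fresh, after_corruption


if __name__ == "__main__":
    ok, bad = demo()
    print("fresh backup:", ok or "verified")
    print("after corruption:", bad)
```

The design point is that verification reads from the backup medium, not from the source: comparing the source with itself would pass even when the disk holding the backup has already failed. The manifest is the reference, so it should live with the offsite catalogue rather than only beside the archive.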