GDPR and other laws (Lecture 7)

Question 1

List some laws relating to Information Security

Answer 1

Computer Misuse Act 1990

Obscene Publications Act 1964

Police And Criminal Evidence Act 1984

Network and Information Systems Regulations 2018

General Data Protection Regulations 2018

Data Protection Act 1998, 2018

Question 2

The Computer Misuse Act 1990 relates to what offences?

Answer 2

Unauthorised access to computer material

Unauthorised access with intent to commit or facilitate a crime

Unauthorised modification of computer material

Making, supplying or obtaining anything which can be used in computer misuse offences

Question 3

The Obscene Publications Act 1964 relates to what offences?

Answer 3

Act aims to strengthen law for preventing the publication for gain of obscene matter and the publication of things intended for the production of obscene matter

includes distribution, circulation, selling, letting, hiring

Question 4

What is PACE 1984

Answer 4

Police And Criminal Evidence Act

Governs police powers of investigation involving arrest, detention, interrogation, entry and search of premises and personal searches

Code B outlines powers to enter and search premises and seize possessions.

Question 5

What is Network and Information Systems Regulations 2018?

Answer 5

Applies to two groups of organisations: Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSP’s)

NIS relates to any incident that has an impact on a service , where the impact produces a significant disruptive effect

IOC is the competent authority for RDSP’s and they can enforce NIS and issue fines of up to £17 million

Question 6

What defines a Relevant Digital Service?

Answer 6

Provide one or more of the following:

Online search engine
Online marketplace
Cloud computing service

Have to have head office in UK or have nominated a UK representative

Have more than 50 staff and a turnover or balance sheet of more than €10 million

Question 7

What is PECR 2003

Answer 7

Privacy and Electronic Communications Regulations 2003

Derived from EU law. Implement European Directive 2002/58/EC AKA e-privacy directive

Compliments the GDPR and sets out more specific privacy rights on electronic communications

Specific rules on marketing calls, emails, texts and faxes, cookies, keeping communications services secure, customer privacy with regards to traffic and location data and itemised billing

Question 8

What is the Data Protection Act 1998, 2018

Answer 8

Designed to protect personal data stored on computers or in organised paper filing systems

Question 9

What is the GDPR

Answer 9

General Data Protection Regulations 2018

designed to give people more control about how their data is used, shared and stored

Requires organisations to be more accountable and transparent about how they use someone’s data

Organisations must demonstrate compliance and prove they are being implemented

Question 10

What can the ICO do using powers under DPA 2018

Answer 10

Serve information notices requiring organisations provide specified information within a certain time

Conduct onsite assessments, enter premises, access documents and interview people. Also issue enforcement notices and fines

Question 11

What is a data controller?

Answer 11

A company that collects information about customers, suppliers, employees etc

In relation to personal data, means a person who determines the purposes for which and the manner in which any personal data are to be processed

Question 12

What is a data processor?

Answer 12

An organisation which processes data for other entities but they do not determine the purpose for their processing, what is collected, how it is processed or how long it is retained.

In relation to personal data, means any person (other than an employee off the data controller) who processes the data on behalf of the data controller

Question 13

What are your rights as a data subject? (8)

Answer 13

The right to be informed

The right of access

The right to rectification

The right to erasure (be forgotten)

The right to restrict processing

The right to data portability

The right to object

Rights in relation to automated decision making and profiling

Question 14

Explain the Right to Be Informed

Answer 14

Individuals have the right to be informed about the collection and use of their personal data. Key transparency requirement under GDPR

Must provide individuals with information including purposes for processing their personal data, your retention period and who it will be shared with (privacy information)

Must be provided at the time of data collection

Must be regularly reviewed and updated if necessary. Must bring any new uses of their data to their attention before processing is started

Question 15

Explain Right of Access

Answer 15

Subject access

Gives individuals the right to access and obtain a copy of their personal data as well as other supplementary information

Can make verbal or written requests for the information and it should be disclosed securely

Question 16

Explain Right to Rectification

Answer 16

Gives the right for individuals to have inaccurate personal data rectified or completed if it is incomplete

Can make request verbally or in writing

This right is closely linked to controllers obligations under the accuracy principle of GDPR

Question 17

Explain the Right to Erasure (right to be forgotten)

Answer 17

The right to have personal data erased. Individuals can make requests verbally or in writing

Right is not absolute and only applies in certain circumstances

Question 18

Explain the Right to Restrict Processing

Answer 18

Individuals have the right to request restriction or suppression of their personal data

Not an absolute right and only applies in certain circumstances

When processing is restricted you are permitted to store the personal data but not use it

Question 19

Explain the Right to Data Portability

Answer 19

Allows individuals to obtain and reuse their personal data for their own purposes across different services

Allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability

Enables individuals to take advantage of applications and services that can use this data to find them a better deal or help understand spending habits

Only applies to information an individual has provided to a controller

Question 20

Explain the Right to Object

Answer 20

In certain circumstances individuals have the right to object to the processing of their personal information

Absolute right to stop data being used for direct marketing

Can continue processing if there is a compelling reason to do so

Must tell individuals about right to object

Question 21

Explain Rights in Relation to Automated Decision Making and Profiling

Answer 21

Provides safeguards for individuals against the risk that a potentially damaging decision is taken by solely automated means (without human intervention)

Unless decision is required or authorised by law

A ‘qualifying significant decision’ is defined as a decision which significantly affects or produces an adverse legal affect on an individual and is authorised by law

Must ensure that the individuals are able to obtain human intervention, express their point if view and obtain an explanation of the decision and challenge it

Question 22

List specific requirements Article 5 of GDPR sets out about how data controllers should collect, process and manage data

Answer 22

Processed lawfully, fairly and in a transparent manner

Collected for specified, explicit and legitimate purposes

Adequate, relevant and limited to what is necessary for the processing purposes

Accurate and where necessary kept up-to-date

Kept to permit identification of data subjects for no longer than is necessary for processing purposes

Processed in a manner that ensures appropriate security of the personal data

Question 23

What is the 3 part test in GDPR?

Answer 23

Purpose test - is there a legitimate interest behind the processing?

Necessity test - is the processing necessary for that purpose

Balancing test - is the legitimate interest overridden by the individuals interests, rights or freedoms?