Lecture 9: Security and Compliance Flashcards
Article 5(2) presents the principle of “Accountability”. What does this entail?
It requires the data controller to be able to demonstrate compliance with Article 5(1) (the six principles relating to the processing of personal data)
It also ensures the enforcement of the data protection rules in Europe
According to Art. 30, controllers and processors, or their representatives, must maintain a record of the processing activities carried out under their responsibility. This does not apply to an enterprise or organisation employing fewer than 250 persons unless the processing it carries out:
(1) is likely to result in a risk to the rights and freedoms of data subjects,
(2) is not occasional, or
(3) includes special categories of data (sensitive data) or personal data relating to criminal convictions and offences.
Art. 25 states that the data controller must implement appropriate technical and organisational measures that…
(1) are designed to implement data-protection principles, such as data minimisation (data protection by design), and
(2) ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (data protection by default)
In order to minimise risk, controllers and processors need to implement security measures appropriate to the risk, pursuant to Art. 32. These measures include, as appropriate:
- the pseudonymization and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
How do you define a personal data breach?
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Art. 4(12))
What are the obligations of a Data Controller in the case of a data breach?
In case of a personal data breach, the data controller has the obligation to notify the supervisory authority (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons) and, where the breach is likely to result in a high risk to those rights and freedoms, to communicate the breach to the data subjects whose data has been compromised.
In the case of a Data Breach, what must the notification to a supervisory authority include?
- the nature of the personal data breach, including the categories and approximate number of data subjects and of personal data records concerned
</gml_replace>
<gr_replace lines="27" cat="clarify" orig="If there’s a high risk">
Where a planned processing operation is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data
- name and contact details of the data protection officer or other contact point where more info can be obtained
- the likely consequences of the personal data breach
- the measures taken or proposed to address the data breach and mitigate its effects
If there’s a high risk involved in a planned processing operation, the controller shall prior to the processing carry out an assessment of the impact of the envisaged processing operations on the protection of personal data
What is such an assessment called?
Data Protection Impact Assessment (DPIA)
What are some factors that can indicate a high inherent risk?
- New technologies
- Overall assessment of “nature, scope, context and purposes”
- Automated profiling having legal effect or similarly significantly affecting the natural person
- Large scale processing of special categories of data referred to in articles 9(1) and 10
- Systematic monitoring of publicly accessible areas on a large scale
- Data Protection Authorities may issue additional guidance (“black and white lists” of processing operations that do or do not require a DPIA)
- “Risk” refers to the rights and freedoms of data subjects, not only to information security
What are codes of conduct?
Codes of conduct can act as a mechanism to demonstrate compliance with the GDPR.
A draft code of conduct should be submitted to the supervisory authority before it is adopted; the authority approves it if it is in compliance with the GDPR.
What are the tasks of a Data Protection Officer?
To inform and advise the data controller (or processor), to monitor compliance, to provide advice where requested in relation to a DPIA, to cooperate with the supervisory authority, and to act as a contact point for the supervisory authority on issues relating to the processing
Who must designate a Data Protection Officer?
- Public authorities and bodies
- Except for courts acting in their judicial capacity
- Undertakings whose core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
- Monitoring is described in further detail in recital 24
- Undertakings whose core activities consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10
When must you disclose a Data Breach to the supervisory authority?
When: “… without undue delay and, where feasible, not later than 72 hours after having become aware of it…”
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay
Exception: “…unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
When must you disclose a Data Breach to the Data Subject?
Condition: Only if “the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”
When: “without undue delay” after having become aware of the data breach, but no fixed 72-hour limit applies (unlike the notification to the supervisory authority)
- The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects
- The communication must be in a “clear and plain language”