Security of Personal data Flashcards
What is the threshold and deadline for notifying the supervisory authority of a personal data breach under Article 33?
The controller must notify without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification made after 72 hours must be accompanied by the reasons for the delay.
What are the exceptions to the duty to communicate a personal data breach to the affected data subjects (Article 34(3) of the GDPR; Article 33 governs notification to the supervisory authority)?
- The affected data were protected by measures, such as encryption, that render them unintelligible to anyone not authorised to access them
- The controller has taken subsequent measures which ensure that the high risk to data subjects is no longer likely to materialise
- Individual communication would involve disproportionate effort, in which case a public communication or an equally effective measure must be used instead
Processors must take all measures required by which article?
Article 32, which sets out the GDPR's "security of processing" standards (Article 28(3)(c) requires the processing contract to oblige the processor to take all measures required under Article 32).
What are the similarities between Article 32 (security of processing) of the GDPR and Article 17 of the Data Protection Directive (95/46/EC)?
Both require controllers and processors to "implement appropriate technical and organisational measures", taking into account "the state of the art and the cost of implementation" and "the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons".
What are the differences between Article 32 (security of processing) of the GDPR and Article 17 of the Directive?
The GDPR lists specific measures that may be "appropriate to the risk", including:
- pseudonymisation and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Controllers and processors that adhere to an approved code of conduct or an approved certification mechanism – described in Article 40 and Article 42 respectively – may use these as elements to demonstrate compliance with the GDPR's security requirements.
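Of the Article 32 measures listed above, pseudonymisation is the one most often implemented badly: an unkeyed hash of an e-mail address is not a pseudonym, because e-mail addresses are enumerable and the hash can be reversed by brute force. The following is an added example, not text or code from the flashcard set, showing keyed pseudonymisation with HMAC-SHA256. The key is the "additional information" that Article 4(5) requires to be kept separately; the record layout, field names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the "email" field is the direct identifier we
# want removed from the working dataset.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "plan": "pro", "tickets": 3},
    {"email": "bob@example.org", "plan": "free", "tickets": 1},
    {"email": "alice@example.org", "plan": "pro", "tickets": 2},
]


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that links pseudonyms back to identifiers.

    This key must be stored separately from the pseudonymised data (e.g. in an
    HSM or secrets manager with its own access control), otherwise the data are
    effectively not pseudonymised at all.
    """
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym for one identifier.

    Same identifier + same key -> same pseudonym, so joins and aggregation still
    work. Without the key an attacker cannot brute-force e-mail addresses
    against the pseudonyms, which is what an unkeyed sha256(email) would allow.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """The anti-pattern: a plain hash that a dictionary attack reverses."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise_records(records, key: bytes, id_field: str = "email"):
    """Replace the direct identifier in each record with its pseudonym."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy[id_field] = pseudonymise(rec[id_field], key)
        out.append(copy)
    return out


def reverse_by_dictionary(target: str, candidates, hash_fn):
    """Dictionary attack: recover an identifier by hashing guesses.

    Succeeds against unkeyed hashes of enumerable identifiers; fails against
    keyed pseudonyms because the attacker lacks the key.
    """
    for guess in candidates:
        if hmac.compare_digest(hash_fn(guess), target):
            return guess
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    pseud = pseudonymise_records(SAMPLE_RECORDS, key)
    for rec in pseud:
        print(rec)
    # The attacker's wordlist contains the real address; only the unkeyed
    # variant gives it up.
    wordlist = ["alice@example.org", "carol@example.org"]
    print(reverse_by_dictionary(unkeyed_hash("alice@example.org"), wordlist, unkeyed_hash))
    print(reverse_by_dictionary(pseud[0]["email"], wordlist, unkeyed_hash))
```

Pseudonymised data remain personal data under Article 4(5), so the rest of Article 32 (and the breach-notification duties) still apply to them; what changes is the risk assessment if the dataset leaks without the key.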
What must a notification to the supervisory authority in the case of a personal data breach include at the very least (Article 33(3))?
(1) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned;
(2) the name and contact details of the data protection officer or another contact point;
(3) a description of the likely consequences of the personal data breach;
(4) a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. Where it is not possible to provide all the information at the same time, it may be provided in phases without undue further delay (Article 33(4)).
When a data processor becomes aware of a personal data breach, whom must it notify?
It must notify the controller without undue delay after becoming aware of the breach (Article 33(2)); it has no other notification or reporting obligation under the GDPR, as the duties to notify the supervisory authority and to communicate with data subjects rest with the controller.
What is ISO/IEC 27002?
A code of practice for information security controls, containing hundreds of potential controls and control mechanisms. The standard is intended to guide the development of organisational security standards and effective security management practices, and to help build confidence in inter-organisational activities.