Security of Processing (9)

Question 1

What are the 4 attributes of security controls (per Article 32 1b)?

Answer 1

1. Confidentiality (access on need to know basis)
2. Integrity (ensure accurate and complete)
3. Availability (accessible when needed)
4. Resilience (withstand and recover from threats)

Question 2

What does GDPR require from controllers and processors regarding security?

Answer 2

Appropriate and technical measures to ensure a level of security appropriate to the risk

Question 3

What factors should be taken into account in determining appropriate technical and organizational measures?

Answer 3

State of the art
Cost of implementation
Nature of data
Context in which processing is taking place
Scope of data
Purpose of processing

Question 4

What are potential security-enhancing technologies?

Answer 4

encryption
antivirus and antispam
firewalls
identity and access management
incident detection
DLP
2-factor authentication
IP log management
regular security code peer review

Question 5

What are the two main activities of security technologies?

Answer 5

filtering electronic communications
monitoring use of IT and communication systems

Question 6

What are mechanisms to protect the physical environment?

Answer 6

sophisticated entry control systems
CCTV
lock and key and clean desk policies

Question 7

What does Article 28 require regarding security in the controller-processor relationship?

Answer 7

provide sufficient guarantees of appropriate technical and organizational measures

Question 8

What are sufficient guarantees?

Answer 8

assurance mechanisms (more than contracts) - appropriate checking and vetting of processors (certifications, validations, 3rd party assessments)

Question 9

Who does a processor need to notify in a data breach?

Answer 9

Controller

Question 10

Who does a controller need to notify in a data breach?

Answer 10

Supervisory Authority (within 72 hours)

Data Subject (depends, rights and freedoms)

Question 11

What is the definition of a personal data breach?

Answer 11

a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure and access of personal data

Question 12

What are the processor data breach notification duties under Article 33?

Answer 12

notify controller without undue delay from becoming aware of the breach

Question 13

What are the controller data breach notification duties under Article 33?

Answer 13

notify SA without undue delay within 72 hours after becoming aware
(delay permitted if reasoned justification, exempt if unlikely to result in risk to rights and freedoms)

notify data subject if high risk, without undue delay
(exemption: unintelligible data, high risk negated, and disproportionate to efforts)

Question 14

When does a controller become aware of a breach?

Answer 14

when the controller has reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised

Question 15

What 6 things does the controller need to notify to the SA for a data breach?

Answer 15

who (data subjects)
how many (data subject and records)
what types (categories of data)
contact (DPO)
likely consequences
follow-up (measures to be taken)

Question 16

What are the 3 focuses of the NIS Directive?

Answer 16

First cybersecurity law to cover entire EU

1. compel development of national cybersecurity strategies
2. cross border collaboration (enhance cooperation and best practices)
3. improve security of essential services ie energy, water, transport and digital service providers

Question 17

Why was a fine issued to social media company in Germany regarding a data breach?

Answer 17

stored passwords in plain text, not compliant with state of the art for security

Question 18

What does Article 5 (security) establish?

Answer 18

personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organizational measures

Question 19

What does Article 30 establish with regard to records of processing activities for controllers and processors?

Answer 19

controllers must maintain records of processing activities including a general description of technical and organizational security measures

processors must maintain records of processing activities carried out on behalf of controller

Question 20

What are the 3 domains of security covered by Article 32?

Answer 20

1. preventative security
2. incident detection and response
3. remedial security (steps to improve)

Question 21

What is a data breach (according to Article 4-12)?

Answer 21

breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed

Question 22

What is the trigger to notify in cases of a data breach?

Answer 22

controller becomes aware of the data breach

Question 23

How does WP29 define “awareness of a breach”?

Answer 23

when controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised

Question 24

What are some factors outlined by WP29 to use in assessing whether a breach should be notified?

Answer 24

1. type of breach
2. nature, sensitive, volume of personal data
3. ease of identifying individuals
4. severity of consequences to individuals
5. special characteristics of individuals
6. special characteristics of controller
7. number of individuals affected

Question 25

Are controllers required to maintain records of personal data breaches?

Answer 25

yes, per section 33 (5)

controller must make an entry in its records, no time limit on how long records should be kept

Question 26

Who performs the assessment of the risks to rights and freedoms in a data breach? (controller, processor or both)

Answer 26

the controller

processor only obligation is to report

Question 27

When are controllers required to inform data subjects of data breaches?

Answer 27

if breaches are likely to present high risks to the rights and freedoms of individuals

Question 28

What are the 3 exceptions laid out in Article 34 to the obligation for controllers to notify data subjects of a data breach?

Answer 28

1. where measures have made personal data unintelligible (ie encryption)
2. where controller has taken steps to prevent high risks from materializing
3. where breach disclosure would involve disproportionate effort

Question 29

What should a controller do in cases where a breach disclosure would involve a disproportionate effort (such as unable to identify all individuals in dataset)?

Answer 29

“substitute notice” - broad public announcement, new release or website statement

Question 30

What are some examples of high-risk breaches that may require notification to data subjects?

Answer 30

cyberattacks affecting online services that result in data exfiltration

ransomware attacks that encrypt data that cannot be easily restored

hospital medical records being unavailable for 30 hours or more

direct marketing email to multiple individuals that disclosures email addresses to every recipient

Question 31

What are the requirements for controllers to engage data processors?

Answer 31

Controllers must:

1) choose reliable processors
2) maintain quality control and compliance throughout arrangement
3) frame relationship in a contract

Question 32

What are the security and incident notification requirements for operators of essential services under the NIS Directive?

Answer 32

1. taking appropriate and proportionate technical and organization measures to manage risks
2. taking appropriate measures to prevent and minimize impacts of incidents

3 notifying CSIRTs or regulators of incidents with significant impact

Question 33

What changes were introduced with the NIS 2 Directive?

Answer 33

1. inclusion of new sectors in the scope of regulation
2. more prescriptive risk management rules for covered entities
3. EU to coordinate risk assessments of critical ICT services
4. new system of ICT certifications
5. new harmonized financial penalties