Week 8 Flashcards

1
Q

What directive did the EU create before GDPR?

A

The European Directive on Data Protection 1995. Every European Union member state had to have this baseline of data protection.

2
Q

What law did the EU introduce in 2018?

A

GDPR. Countries would then submit their own laws to “fill in the blanks” for GDPR.

3
Q

What is the challenge with GDPR?

A

When information is sent from one country to another.

When a company has multiple locations.

4
Q

What was the UK's Data Protection Act 1984?

A

Prohibited companies from using inaccurate, incomplete or irrelevant personal data, which could result in decisions being made against individuals. It also prohibited companies from using personal data for purposes it wasn't intended for.

5
Q

What was the Data Protection Act 1998?

A

It was created in the UK to conform to the European Directive on Data Protection 1995. It covers internet data as well as stored data. It no longer assumes that only large organisations are offenders, and it addresses issues arising in specific countries.

6
Q

What was the Data Protection Act 2018?

A

In the UK, it supplements GDPR laws. Broadly in line with the 1998 Data Protection Act.

7
Q

How do you define “Data”?

A

Information that is processed or collected.

8
Q

What is sensitive data?

A

  • racial/ethnic group
  • political views
  • religious beliefs
  • sexual orientation
  • genetic info

9
Q

What are the principles of the Data Protection Act 1998?

A

1) The data subject needs to grant consent. In the case of sensitive data, the data subject needs to grant explicit consent.
2) Data that's collected can only be used for the intended goals for which it was collected in the first place.
3) Don't collect any more data than you need to.
4) Personal data needs to be accurate and up to date.
5) Personal data processed for a purpose needs to be deleted once the aim has been achieved.
6) Personal data needs to be processed in line with the Act, i.e. data subjects are entitled to be told what data a company holds about them.
7) Meet the security requirements for the data.
8) Personal data shouldn't be transferred to a country outside of the EU unless that country has laws in place to protect the information.

10
Q

What is GDPR?

A

  • Supersedes the 1995 European Directive on Data Protection.
  • No law was required to bring GDPR into effect in member countries; it was enforceable without any national legislation.
  • Contains 99 articles in 11 chapters.
  • Can be mapped to the 1998 UK DPA law.

11
Q

What are the principles of GDPR?

A

7 core principles (similar to the 1998 DPA in the UK):

1) lawfulness, fairness and transparency
2) purpose limitation: you don’t repurpose the data and you make it clear what the purpose of data collection is in the first place.
3) data minimisation: if you have an intended aim, collect just enough to meet the aim
4) accuracy: put things in place to ensure the accuracy of the data is maintained
5) storage limitation: only keep the data for as long as necessary
6) integrity and confidentiality: only those that are authorised can consume the data
7) accountability: who is accountable for issues around the processing of data.

12
Q

What are the rights of data subjects under GDPR?

A

Not all of these rights are absolute; some will depend on the scenario.

1) Individuals have the right to be informed about the collection and processing of their personal information.
2) Individuals have the right to access their personal data.
3) Individuals have the right to have inaccurate data corrected and incomplete data completed.
4) Individuals have the right to erasure (i.e. the data is put beyond use).
5) Individuals have the right to restrict processing, specifically for a period of time. E.g. if you've been denied a loan, the organisation assessing your loan needs to know that the data is inaccurate, and processing of this data must stop while the loan is pending.
6) Individuals have the right to data portability, which works together with number 5. Specifically, individuals are able to access data about themselves and then port it/relocate it somewhere else.
7) Individuals have the right to object to the processing of data.
8) Individuals have rights in respect of automated individual decision making, including profiling.

13
Q

What is the material scope of GDPR?

A

  • It doesn't cover all aspects of personal data in the UK.
  • Does not cover activities outside of the EU, e.g. national security.
  • The GDPR covers not only automated processing of digital data but also structured data on paper, etc.
  • Does not apply to individuals in their day-to-day life.

14
Q

What is the territorial scope of GDPR?

A

  • If the controller and processor of personal data are established in the EU, then the GDPR applies to your organisation, even if you're processing outside of the EU.
  • Applies to data subjects that are in the EU, even if the controller and/or processor are outside of the EU.

15
Q

What is the difference between transfer and transit?

A

If data is being transferred between two EEA countries, passing through non-EEA countries, this would not be a restricted transfer.
Data being passed from an EEA country (the source) to a non-EEA country (destination) would typically be deemed a restricted transfer.

16
Q

When transferring data from an EEA country, who makes the adequacy decision on whether the non-EEA country has suitable safeguards in place to ensure data protection?

A

The European Commission (EC)

17
Q

What are the principles of GDPR? (this can be combined with the other card)

A

We need to consider the principles again:

1) purpose limitation: what is happening with the person's personal data? The individual needs to consent to it, and the purposes must be documented.
2) data minimisation: the data has a clear contribution to the purpose, and the org only collects data necessary for this purpose.
3) integrity and confidentiality: you may use pseudonymisation and encryption, physical and technical controls, risk analysis, policies, and measures of effectiveness.
4) storage limitation: periodic review of data is required. Keep data no longer than needed. What does an organisation in its domain need to do, and how long is it required to keep the data?
5) accountability: demonstrate compliance with regulations, evident throughout the org and supported by management, with appropriate measures adopted (the process has been communicated properly, etc.).
6) lawfulness, fairness and transparency: be open and clear about how the data has been used, have valid reasons for processing the data, and ensure data is not processed in an unexpected manner.
7) accuracy: have clear steps to correct mistakes, determine the challenges to keeping data accurate, and understand what leads to data becoming inaccurate in the first place.

18
Q

What does data protection by design and default mean in the European context?

A

(principles) + (the rights of the data subjects)

19
Q

What is a Data Protection Impact Assessment (DPIA)?

A

A process where an org can consider and document the wider responsibilities they have in processing personal data, particularly where the processing represents a significant risk to individuals.

20
Q

What should a Data Protection Impact Assessment (DPIA) consider?

A

The context, scope, nature and purpose (intended outcome of the data collection) of data processing. Once we have identified the risks, what mitigation measures should we put in place?
The process of determining the risk considers the severity and likelihood of an event happening.
Significant risks that can't be mitigated must be communicated to the national Data Protection Authority (or the ICO in the UK).

21
Q

What are the steps in the process of DPIA?

A

1) Determine if a DPIA is necessary: this depends on the scale of your organisation. Ask the data protection officer (DPO) in your organisation.
2) Describe the processing: scope, nature, context and purpose.
3) Consultation: go out and consult the individuals whose data is involved.
4) Necessity and proportionality of the processing that's occurring: are the actions being performed really necessary?
5) Identify and assess risk: what are the potential risks? Assess the severity and likelihood, for example errors that result in discrimination.
6) Develop mitigation: how are we going to mitigate the risks?
7) Document: record all the information so you have a complete record of the organisation considering all of the above.
8) Publish: it is good practice to publish the DPIA to the public.

22
Q

What is privacy?

A

The right of an individual to choose their own audience.

23
Q

What is the International Convention on Cybercrime?

A

The Council of Europe has approved a convention that covers a list of things such as child pornography, hacking, hate material, etc., and many other countries (even outside Europe) have joined. Some countries have opted out of particular clauses, e.g. the USA opted out of the hate material clause since it goes against freedom of speech.

24
Q

What are obfuscation-based inference controls?

A

Limiting the inferences an attacker can make if they get their hands on the data.

25
Q

What techniques are used to achieve obfuscation-based inference controls?

A

1) Anonymisation: anonymising the data by decoupling identification from the information.
2) Generalisation: say you have records of salaries; you could use salary ranges instead of exact values.
3) Suppression: suppress e.g. 50% of the data records to make it more difficult for an attacker.
4) Dummy addition: adding dummies or fake data points that are in place to interfere with inference.
5) Perturbation: add noise to the data to reduce the ability of another party to form inferences.

26
Q

Why would security through contracts be needed?

A

  • To ensure security standards between companies.
  • Enforcement of the contract may be challenging if an individual breaks it; it could become costly or be unrealistic.
  • If, as part of a process to interact with another company, they require you to adhere to certain steps, and a data breach happens later on, you can prove that you've at least taken those steps.

27
Q

What is an example of security through contracts?

A

Payment platforms, e.g. if you were selling a product, you would need to enter into a contract with the other party.

28
Q

Is the PCI DSS a standard or a law?

A

A standard.

29
Q

What is the Fair and Accurate Credit Transactions Act (FACTA)?

A

Federal law designed to reduce identity fraud and provide citizens with a greater insight into their credit profile.

30
Q

What is automated decision making?

A

Systems making decisions without much human involvement. This doesn't mean that humans aren't involved at all, and it doesn't always use profiles to make a decision.

31
Q

What is profiling?

A

Extracting patterns through automated processing of large volumes of personal data. Through data patterns, a person's personality, interests, health, etc. can be derived and put into a profile. This can be done through e.g. social media or web browsing history.

32
Q

How would profiles be used by organisations?

A

To predict behaviour and make decisions about individuals, e.g. whether the person is allowed to get a loan, the best way to market a product to the person, etc.