
GDPR: More reasons for information security


Presentation from the Jisc security conference 2016

www.jisc.ac.uk


  1. GDPR: More reasons for information security
     Andrew Cormack (@Janet_LegReg), 11/11/2016
  2. Existing reasons
     » Information security
     » Reliability
     » Confidence
     » Trust
     » Reputation
     » Policy
     » Workload
     » etc.
  3. General data protection regulation (GDPR) 2016/679
     » Personal data processing
     » Applies from May 2018
       › Almost certainly pre-Brexit
       › Services to EU people covered anyway
     » Becomes UK law automatically
  4. GDPR supports proactive and reactive information security
  5. Breach notification
     Unauthorised/accidental loss, alteration, disclosure or access to personal data
     » All breaches
       › Document
     » Risk to rights/freedoms
       › Report to ICO (72 hour expectation)
       › Nature; number/type of records/people affected; mitigations
     » High risk to rights/freedoms
       › Also notify individuals (unless mitigated)
       › Can take ICO advice
  6. Security and incident response
     » Very like security good practice (paper currently with journal reviewers)
     » “Ensuring network and information security … CSIRTs … providers of networks and services …” (Rec. 49)
     » A legitimate interest … (for processing personal data)
     » If necessary/proportionate …
     » Balance of interests test …
  7. Other tools mentioned
     » Encryption
       › Mitigate damage from breaches
     » Data protection by design
     » Exercises
       › Test readiness
       › Assist compliance
     » Authorisation
       › Reduce risk
     » Pseudonyms
  8. New incentives
     » Security/incident response clearly lawful
     » Increased public awareness
     » Much bigger fines (€20M/4%)
     » Damages, not just for monetary loss
  9. Opportunities to improve
     » Regulator guidance
     » Lessons learned from breaches
     » Compare public notifications
     » NIS Directive => more sharing
     » Cloud security standards etc.
  10. 12 steps
     Information Commissioner’s Office, [Preparing for the GDPR, 14/3/16], licensed under the Open Government Licence
  11. Watch these spaces
     » ICO: https://ico.org.uk/for-organisations/data-protection-reform/
     » Regulation (2016/679/EU): http://ji.sc/gdpr-text
     » Me: http://ji.sc/dataprotection-regulation
  12. Thanks
     Andrew Cormack, Chief Regulatory Adviser, Jisc Technologies, Andrew.Cormack@jisc.ac.uk
     jisc.ac.uk, One Castlepark, Tower Hill, Bristol BS2 0JA, customerservices@jisc.ac.uk, T 020 3697 5800
     Except where otherwise noted, this work is licensed under CC-BY-NC-ND.
