GDPR: More reasons for information security
Andrew Cormack (@Janet_LegReg)
11/11/2016
Existing reasons
11/11/2016 GDPR: More reasons for information security 2
» Information security
» Reliability
» Confidence
» Trust
» Reputation
» Policy
» Workload
» etc.
General data protection regulation (GDPR) 2016/679
Personal data processing
May 2018
» Almost certainly pre-Brexit
» Services to EU people covered anyway
Becomes UK law automatically
GDPR supports proactive and reactive information security
Breach notification
Unauthorised/accidental loss, alteration, disclosure or access to personal data
All breaches
» Document
Risk to rights/freedoms
» Report to ICO (72 hour expectation)
» Nature; number/type of records/people affected; mitigations
High risk to rights/freedoms
» Also notify individuals (unless mitigated)
» Can take ICO advice
Security and incident response
Very like security good practice (paper currently with journal reviewers)
“Ensuring network and information security … CSIRTs… providers of networks and services… ” (Rec.49)
A legitimate interest… (for processing personal data)
If necessary/proportionate…
Balance of interests test…
Other tools mentioned
Encryption » Mitigate damage from breaches
Data protection by design
Exercises » Test readiness
» Assist compliance
Authorisation
» Reduce risk
Pseudonyms
New incentives
Security/incident response clearly lawful
Increased public awareness
Much bigger fines (€20M/4%)
Damages, not just for monetary loss
Opportunities to improve
Regulator guidance
Lessons learned from breaches
Compare public notifications
NIS Directive => more sharing
Cloud security standards etc.
12 steps
Information Commissioner’s Office, [Preparing for the GDPR, 14/3/16], licensed under the Open Government Licence
Watch these spaces
» ICO:
› https://ico.org.uk/for-organisations/data-protection-reform/
» Regulation (2016/679/EU):
› http://ji.sc/gdpr-text
» Me:
› http://ji.sc/dataprotection-regulation
jisc.ac.uk
One Castlepark, Tower Hill, Bristol BS2 0JA
customerservices@jisc.ac.uk
T 020 3697 5800
Except where otherwise noted, this work is licensed under CC-BY-NC-ND
Thanks
Andrew Cormack
Chief Regulatory Adviser, Jisc Technologies
Andrew.Cormack@jisc.ac.uk

Editor's Notes

  • #6 ICO reckons “loss or inappropriate alteration of a staff telephone list” doesn’t normally require reporting (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/breach-notification/). Anything that “might leave them open to financial loss” goes to the data subjects (DS) (https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf).
  • #7 Essential for breach notification. Recognised by the UK ICO. Note the Breyer ECJ case supports this under the DPD too.
  • #8 Positive view of all of these.
  • #9 Note the ICO has already fined TalkTalk £400K under the current £500K max for a website open to SQL injection. Representative bodies making claims could be a move towards class actions.
  • #11 Children (Art 8) need clear information, with additional rules if offering ISS (information society services) directly to them (need to get consent from an adult). DPIAs (Art 35) if high risk to rights and freedoms, e.g. automated monitoring with legal effects, large scale processing of SPD (sensitive personal data), systematic monitoring of a public area on a large scale. DPBD (data protection by design) for all processing at design and implementation stages. DPO (Art 37) for public bodies (?unis?), regular and systematic monitoring on a large scale, core activities processing SPD. International: the Regulation applies to processing by a European establishment *or* processing of Europeans’ data. So TNE (transnational education) probably is covered if you’re the DC (data controller).