
Data for Good and Evil

Before considering the legal aspects of data collection and processing, consider the power of data. Below are two cases where data has had a large impact on society. They are just examples and we could easily find many more.

Saving Lives

"A clinical trial looked at the potential for a new type of bowel screening to save lives. Following 170,432 people for an average of 11 years, the trial showed that this one off screening could save thousands of lives, through early diagnosis and prevention, and led to it being adopted by the NHS in England. Patient data was used to identify appropriate people for the trial and then to monitor what happened to them after screening."

https://understandingpatientdata.org.uk/case-study/screening-bowel-cancer

Subverting Democracy

"We have found evidence of formally organized social media manipulation campaigns in 48 countries, up from 28 countries last year. In each country there is at least one political party or government agency using social media to manipulate public opinion domestically."

http://comprop.oii.ox.ac.uk/research/cybertroops2018/

General Data Protection Regulation (GDPR)

The GDPR is a Europe-wide regulation.

The GDPR deals with the security and confidentiality of personal information. In short, it demands that anyone who collects, stores or processes personal information does so securely.

The regulations state that data is required to be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.

Rather than just expect "best efforts", GDPR demands that at the design stage and during execution, any data collection or processing will be combined with appropriate technical and procedural controls that ensure that personal data is secure. This is known as "data protection by design".

In the UK, the GDPR is implemented as the Data Protection Act 2018.

Requirements

GDPR requires:

  • That no more personal data is collected than necessary
  • Access to personal data is managed and minimised
  • Confidentiality, Integrity and Availability (known as the CIA triangle) of the data are protected
  • Resilience and usable back-ups in case of incident
  • Regular testing of the effectiveness of measures implemented

Rights

The GDPR gives the public a set of rights concerning their data:

The Right to be Informed

Simply put, when data is collected about an individual, they should be informed clearly.

The Right of Access

Individuals about whom data is collected have the right to access that data.

The Right to Rectification

Individuals have the right to have their data corrected if it is inaccurate or incomplete.

The Right to Erasure

Individuals have the right to request that their data is removed from a system. The request may be denied if it is required for valid and legal reasons.

The Right to Restrict Processing

Individuals have the right to request that processing of their personal data is halted if they believe it is inaccurate, and that it does not resume until the issue is resolved.

The Right to Data Portability

For electronic records, users of a system can request their data to be made available in a portable format. For example, you should be able to request all of your e-mails from your e-mail provider in a format that you can then import into another e-mail service.

The Right to Object

Individuals have the right to object to their data being used in some circumstances. This includes automated decision making and profiling, which an individual might feel will result in detrimental outcomes if there is not a human making the decision.

Exemptions

These rights can sometimes be restricted. For example, in legal investigations, journalism, confidentiality of references, and so on, there are legitimate reasons to restrict the rights of individuals for a greater good.

GDPR and Security

GDPR requires that whoever is responsible for data collection, the Data Controller, is accountable for the security of that data, and that appropriate technical and organisational measures are in place to ensure, and be able to demonstrate, that processing of personal data is performed in accordance with the regulations.

Four Aims

The data security aspects of the GDPR are intended to lead to an organisation being capable of the following:

  1. Manage security risk
  2. Protect personal data against cyber attack
  3. Detect security events
  4. Minimise the impact

The specifics of each depend on the type and volume of data collected and the scale of the organisation. That is, all controls should be "appropriate", based on:

  • the state of the art of the technology
  • cost of implementation
  • the nature, scope, context and purpose of processing, and
  • the severity and likelihood of the risk being realised.

The National Cyber Security Centre (NCSC) give some examples of security measures:

  • Tracking and recording of all assets that process personal data, including end user devices and removable media.
  • Minimising the opportunity for attack by configuring technology appropriately, minimising available services and controlling connectivity.
  • Actively managing software vulnerabilities, including using in-support software and the application of software update policies (patching) and taking other mitigating steps, where patches can’t be applied.
  • Managing end user devices (laptops and smartphones etc) so that you can apply organisational controls over software or applications that interact with or access personal data.
  • Encrypting personal data at rest on devices (laptops, smartphones, and removable media) that are not subject to strong physical controls.
  • Encrypting personal data when transmitted electronically.
  • Ensuring that web services are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the OWASP Top 10.
  • Ensuring your processing environment remains secure throughout its lifecycle.
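
As an added example (not part of the original page or of NCSC guidance), the sketch below serves access/portability and erasure requests from the Rights section using parameterised queries, the standard defence against the SQL injection named in the list above. The `person` table, its `legal_hold` column and the sample records are assumptions constructed for illustration.

```python
import json
import sqlite3

# Constructed sample records; table and column names are assumptions.
SAMPLE = [
    ("alice@example.org", "Alice", "screening invite sent", 0),
    ("bob@example.org", "Bob", "disputed invoice", 1),  # retained for a legal claim
]

def make_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (email TEXT PRIMARY KEY, name TEXT, "
               "notes TEXT, legal_hold INTEGER NOT NULL)")
    db.executemany("INSERT INTO person VALUES (?, ?, ?, ?)", SAMPLE)
    return db

def export_subject(db, email):
    """Right of access / portability: return the subject's record as JSON."""
    # The ? placeholder keeps the value out of the SQL text, so input such as
    # "x' OR '1'='1" is compared as a literal string and matches nothing.
    row = db.execute("SELECT email, name, notes FROM person WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return None
    return json.dumps(dict(zip(("email", "name", "notes"), row)), sort_keys=True)

def erase_subject(db, email):
    """Right to erasure: delete unless a valid legal reason requires retention."""
    row = db.execute("SELECT legal_hold FROM person WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return "not_found"
    if row[0]:
        return "denied_legal_hold"
    db.execute("DELETE FROM person WHERE email = ?", (email,))
    db.commit()
    return "erased"

if __name__ == "__main__":
    store = make_store()
    print(export_subject(store, "alice@example.org"))
    print(erase_subject(store, "bob@example.org"))    # denied_legal_hold
    print(erase_subject(store, "alice@example.org"))  # erased
    print(export_subject(store, "x' OR '1'='1"))      # None
```

The export selects only the columns that belong to the subject, so the internal `legal_hold` flag is not disclosed in the portable copy.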

Impact

In the particular case of minimising impact, you should consider:

  • minimising the impact of a personal data breach
  • capability to restore systems and services (backups, backup sites, backup schedules)
  • how to manage the incident appropriately
  • ensuring you have enough information to learn lessons for the future