Module 9 - Security of Processing

Question 1

What are the four security attributes anticipated under article 32, GDPR?

Answer 1

• Confidentiality - need-to-know access.
• Availability - when needed.
• Integrity - data accurate and complete.
• Resilience - capacity for recovery.

RISK-BASED APPROACH - The controller and processor must implement appropriate technical and organisational measures, with security level appropriate to risk considering the state of art, costs, nature, context, scope and purpose of the processing.

Absolute security NOT REQUIRED.

Question 2

What should controllers seek from processors in terms of security assurance under article 28, GDPR?

Answer 2

• Only processors providing SUFFICIENT GUARANTEES to implement appropriate technological and organisational measures to meet GDPR requirements and ensure protection of DS rights should be retained.
• MORE THAN CONTRACTS necessary - additional ASSURANCE MECHANISMS required.

Question 3

What is a data breach under article 4(2), GDPR?

Answer 3

Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.

Question 4

What are the applicable breach notification thresholds and timeframes?

Answer 4

• Processor => controller: ASAP (article 33, GDPR).
• Controller => data protection authority: ASAP WITHIN 72 HOURS / if RISK to data subjects (article 33, GDPR).
• Controller => data subjects: ASAP / if HIGH RISK to data subjects. A PUBLIC NOTICE may be used if disclosure of UNINTELLIGIBLE DATA, high risk NEGATED BY MEASURES or DISPROPORTIONATE (article 34, GDPR).

Question 5

What are the three key policy areas addressed by NISD / NISD II?

Answer 5

• Comprises EU cybersecurity law.
• Three areas of policy regulation:
  1. National capabilities;
  2. Cross-border collaboration;
  3. National supervision of critical sectors.