Security of Processing (9) Flashcards
What are the 4 attributes of security controls (per Article 32(1)(b))?
- Confidentiality (access on need to know basis)
- Integrity (ensure accurate and complete)
- Availability (accessible when needed)
- Resilience (withstand and recover from threats)
What does GDPR require from controllers and processors regarding security?
Appropriate technical and organizational measures to ensure a level of security appropriate to the risk
What factors should be taken into account in determining appropriate technical and organizational measures?
State of the art
Cost of implementation
Nature of data
Context in which processing is taking place
Scope of data
Purpose of processing
What are potential security-enhancing technologies?
encryption
antivirus and antispam
firewalls
identity and access management
incident detection
DLP
2-factor authentication
IP log management
regular security code peer review
What are the two main activities of security technologies?
filtering electronic communications
monitoring use of IT and communication systems
What are mechanisms to protect the physical environment?
sophisticated entry control systems
CCTV
lock and key and clean desk policies
What does Article 28 require regarding security in the controller-processor relationship?
provide sufficient guarantees of appropriate technical and organizational measures
What are sufficient guarantees?
assurance mechanisms (more than contracts) - appropriate checking and vetting of processors (certifications, validations, third-party assessments)
Who does a processor need to notify in a data breach?
Controller
Who does a controller need to notify in a data breach?
Supervisory Authority (within 72 hours)
Data Subject (depends, rights and freedoms)
What is the definition of a personal data breach?
a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
What are the processor data breach notification duties under Article 33?
notify controller without undue delay from becoming aware of the breach
What are the controller data breach notification duties under Article 33?
notify SA without undue delay, within 72 hours after becoming aware
(delay permitted with a reasoned justification; exempt if unlikely to result in a risk to rights and freedoms)
notify data subjects if high risk, without undue delay
(exemptions: data rendered unintelligible, high risk no longer likely, or disproportionate effort)
When does a controller become aware of a breach?
when the controller has a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised
What 6 things does the controller need to notify to the SA for a data breach?
who (data subjects)
how many (data subjects and records)
what types (categories of data)
contact (DPO)
likely consequences
follow-up (measures to be taken)
What are the 3 focuses of the NIS Directive?
First cybersecurity law to cover entire EU
- compel development of national cybersecurity strategies
- cross border collaboration (enhance cooperation and best practices)
- improve security of essential services, i.e. energy, water, transport, and digital service providers
Why was a fine issued to a social media company in Germany regarding a data breach?
stored passwords in plain text, not compliant with state of the art for security
What does Article 5 (security) establish?
personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organizational measures
What does Article 30 establish with regard to records of processing activities for controllers and processors?
controllers must maintain records of processing activities including a general description of technical and organizational security measures
processors must maintain records of processing activities carried out on behalf of controller
What are the 3 domains of security covered by Article 32?
- preventative security
- incident detection and response
- remedial security (steps to improve)
What is a data breach (according to Article 4(12))?
breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed
What is the trigger to notify in cases of a data breach?
controller becomes aware of the data breach
How does WP29 define “awareness of a breach”?
when controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised
What are some factors outlined by WP29 to use in assessing whether a breach should be notified?
- type of breach
- nature, sensitivity, and volume of personal data
- ease of identifying individuals
- severity of consequences to individuals
- special characteristics of individuals
- special characteristics of controller
- number of individuals affected