GDPR: Processing notification and protecting security

Monday, December 18, 2017 - 13:20

Concern has sometimes been expressed about whether the General Data Protection Regulation's (GDPR) requirement to notify individuals of all processing of their personal data would cause difficulties for security and incident response teams. These activities involve a lot of processing of IP addresses, which the GDPR and case law indicate will normally count as personal data. But a law that required us to tell attackers how much we knew about their activities would help them far more than us.

Fortunately the law, and now the Article 29 Working Party of European data protection regulators, recognise this and similar problems. As the Working Party's draft transparency guidance explains, the situation is covered by at least two exemptions:

  • Paragraph 58 discusses Article 14.5(b), which says that informing the individual is not required if doing so "is likely to make impossible or seriously impair the purpose of the processing". Analysing attackers' techniques so that we can defend against them (and tell others how to do so) is an important part of keeping computers and data secure. Telling attackers when they need to change their approach would obviously "seriously impair" this purpose;
  • Paragraph 57 also notes that informing individuals may in any case be impossible where the processing does not require them to be identified. Analysing network traffic is one of these situations, since it is generally done "with pseudonymised data". GDPR Article 11.1 states that in such circumstances the data controller is not required to acquire additional personal data (for example an attacker's contact details) solely to comply with GDPR requirements.

Security and incident response teams still have to ensure that their processing is fair and has a legal basis. Recital 49 identifies "legitimate interests" (Article 6.1(f)) as the appropriate legal basis for securing networks, computers and data. Fairness is ensured by the tests that the processing is "necessary" for that purpose and is not overridden by the rights and freedoms of individuals. A public notice informing users of websites, networks and computers of an incident response team's activities should meet the GDPR's transparency requirement and may, perhaps, persuade at least some attackers to leave that organisation alone.