Last updated: 
3 weeks 3 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Incident Response and the GDPR

Wednesday, April 19, 2017 - 09:43

After (too) many years, I’ve turned the ideas from my original TF-CSIRT documents into a formal academic paper, which has just been published in the open access law journal, SCRIPTed:

Andrew Cormack, "Incident Response: Protecting Individual Rights Under the General Data Protection Regulation", (2016) 13:3 SCRIPTed 258 https://script-ed.org/?p=3180

The new General Data Protection Regulation provides explicit support for the idea that protecting the security of computers, networks and data is a legitimate interest of organisations. That has recently been confirmed by the European Court of Justice in the Breyer case.

After discussing the need for incident response, the very diverse legal approaches that have been taken to it in the past, and the problems those have created for collaboration, the paper looks at the rules that data protection law applies when processing for a "legitimate interest". This produces a framework for assessing the impact and benefit of security and incident response activities. Finally there are a series of practical case studies, suggested by various CSIRT teams, analysed against that framework. Reassuringly, the conclusion is that most current CSIRT practice - which is already designed to protect the security of sensitive information - also satisfies the requirements for privacy and data protection.

Thanks to everyone who has, knowingly or not, contributed to the final result.