Data Protection Regulation

18 June 2013 at 3:17am

Uncertainty, Risk Assessment and Breach Notification

Andrew Cormack
Breach Notification
Data Protection Regulation
incident response
#firstcon13
Two talks on the first day of the FIRST conference highlighted the increasing range of equipment and data that can be found on the Internet, and the challenges that this presents both for risk assessment and, if incidents do happen, assessing the severity of the possible breach and what measures need to be taken.
Read more
6 June 2013 at 4:19pm

Privacy, Regulation and Innovation

Andrew Cormack
#tnc2013
Cookies
Data Protection Regulation
Privacy
ePrivacy Directive
Robin Wilton of the Internet Society gave a talk at the TERENA Networking Conference on the interaction between privacy, regulation, and innovation. It's a commonly heard claim that regulation stifles innovation; yet the evidence of premium rate phone fraud and other more or less criminal activities suggests that regulation can, in fact, stimulate innovation, though not always of the type we want.
Read more
1 June 2013 at 3:53pm

Article 29 Working Party on Profiling

Andrew Cormack
Data Protection Regulation
Privacy
Profiling
Cookies
In what sometimes seems like a polarised debate on the draft Data Protection Regulation, it’s good to see the Article 29 Working Party trying to find the middle ground. The subject of their latest advice note is the contentious topic of profiling, which has been presented both as vital to the operation and development of Internet services and as an extreme violation of privacy.
Read more
2 May 2013 at 10:17am

Legal developments affecting incident response

Andrew Cormack
incident response
Data Protection Regulation
Data Retention Directive
Communications Data Bill
I was asked recently how I saw current legal developments in Europe affecting the work of incident response teams, so here’s a summary of my thoughts.
Read more
1 May 2013 at 10:08am

International transfers within cloud providers

Andrew Cormack
Data Protection Regulation
Cloud computing
Data Protection Directive
The Article 29 Working Party have published an explanatory document on Binding Corporate Rules for Data Processors, to provide further detail on using the template they published last year.
Read more
26 February 2013 at 3:56pm

Template for Cloud Privacy Level Agreements

Andrew Cormack
Cloud computing
Data Protection Regulation
Last year the Article 29 Working Party published an Opinion on Cloud Computing expressing concern at the information available to those considering moving services to the cloud about the protection that cloud services offered for their data.
Read more
15 February 2013 at 3:15pm

ICO on pseudonyms, consent and legitimate interests

Andrew Cormack
Access Management
Data Protection Regulation
incident response
Privacy
It’s interesting to read the Information Commissioner’s comments on the draft European Data Protection Regulation, which have just been published. A number of the comments address issues we’ve been struggling with in providing Internet services such as incident response and federated access management.
Read more
1 February 2013 at 9:15am

Reporting Information Security Breaches

Andrew Cormack
Breach Notification
incident response
Data Protection Regulation
An interesting, though depressing, figure from Verizon’s 2012 Data Breach Investigations Report is that 92% of information security breaches were discovered and reported by a third party. Not by the organisation that suffered the breach, nor by its customers who are likely to be the victims of any loss of personal data, but by someone else.
Read more
20 June 2013 at 3:43am

Privacy Law Amendments Could Hinder Response to Privacy Incidents

Andrew Cormack
Data Protection Regulation
incident response
One of the areas of network operations where it’s particularly tricky to get legislation right is incident response, and recent amendments proposed by the European Parliament to the draft Data Protection Regulation (warning: 200 page PDF) illustrate why.
Read more
20 November 2012 at 12:36pm

ENISA: "Right to be Forgotten" has limits

Andrew Cormack
Data Protection Regulation
right to be forgotten
ENISA’s study on the “Right to be Forgotten” contains useful reminders that once information is published on the Internet it may be impossible to completely remove it. Implementing a right to be forgotten would involve four stages:
Read more
Subscribe to Data Protection Regulation