2 March 2018 at 9:55am
I've had a number of questions recently about how long help desks should keep personal data about the queries they receive. The correct answer is "as long as you need, and no longer". But I hope the following examples of why you might need to keep helpdesk tickets are more helpful than that bare statement:
2 March 2018 at 9:49am
Collections of free text – whether in database fields, documents or email archives – present a challenge both for operations and under data protection law. They may contain personal data but it's hard to find: whether you're trying to use it, to ensure compliance with the data protection principles, or to allow data subjects to exercise their legal rights. Some level of risk is unavoidable in these collections, but there are ways to reduce it.
28 February 2018 at 8:30am
Although the Article 29 Working Party seem to have had applications such as incident response in mind when drafting their guidance on exports, that guidance could also be helpful in the field of federated authentication.
20 February 2018 at 10:09am
The Article 29 Working Party's guidance on Breach Notification suggests some things we should do before a security breach occurs. The GDPR expects data controllers, within 72 hours of becoming aware of any security breach, to determine whether there is a risk to individuals and, if so, to report to the national Data Protection Authority. It seems unlikely that an organisation that hasn't prepared is going to be able to manage that.
2 February 2018 at 9:30am
In thinking about the legal arrangements for Jisc's learning analytics services we consciously postponed incorporating medical and other information that Article 9(1) of the General Data Protection Regulation (GDPR) classifies as Special Category Data (SCD): "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation" (mo
5 January 2018 at 1:24pm
One of my guidelines for when consent may be an appropriate basis for processing personal data is whether the individual is able to lie or walk away. If they can, then that practical possibility may indicate a legal possibility too.
18 December 2017 at 1:20pm
Concern has sometimes been expressed whether the General Data Protection Regulation’s (GDPR) requirement to notify individuals of all processing of their personal data would cause difficulties for security and incident response teams. These activities involve a lot of processing of IP addresses, which the GDPR and case law seem to indicate will normally count as personal data. But a law that required us to tell attackers how much we knew about their activities would help them far more than us.
15 December 2017 at 9:16am
The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR.
3 November 2017 at 10:21am
The Article 29 Working Party's draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I've been warning since 2012, giving priority to notification.
26 October 2017 at 4:23pm
Education Technology have just published an article I wrote (though I didn't choose the headline!) on how security and incident response fit into the General Data Protection Regulation. It aims to be an easy read: if you want something more challenging follow the "incident response protects privacy" link to get the full legal analysis.
Subscribe to GDPRtopics