18/02/18 general data protection regulation (gdpr) · ico draft: children’s data (consultation...
TRANSCRIPT
Update February 2017
18/02/18 General Data Protection Regulation (GDPR)
New Guidance 1
Art 29 WP Draft: Consent
» Reinforces the narrow circumstances in which consent will be valid
Art 29 WP Draft: Transparency
» Pretty much a re-statement of what the GDPR itself says
ICO Draft: Children’s data (consultation till 28th Feb). For Information Society Services:
» If using consent: “reasonable efforts” to either get from parent or exclude children
» Age threshold for “children” varies across EU
» Even if not using consent: child-friendly notices, rights processes, etc. (“cartoons”)
GDPR Update: LINX100
New Guidance 2
Art 29 WP Final: Profiling and automated decision-making
» Significant improvement on 2017 draft
» Threshold is now refusal of citizenship, social benefit, etc. (not cycle-hire)
» Still a ban (not an exercisable right) on fully automated decisions at that level
Art 29 WP Final: Breach notification…
ICO Final (under eIDAS/digital signatures Regulation)
» Breach notification and risk-based security design: like GDPR, but 24 hours to report
European Commission
» Infographics to inform individuals & organisations
» To-do list for member states (just two have legislated)
Missing Guidance
Final versions of
» Art 29: Consent
» Art 29: Transparency
Still promised (other than a few paras on the ICO website):
» ICO: Data Processor contracts
» ICO: Accountability, including documentation
Legislative Progress (Data Protection)
Data Protection Bill (UK)
» Finished House of Lords
» Arrived in House of Commons 18th Jan
ePrivacy Regulation (EU)
» EU Parliament agreed on 168 required amendments
› Mostly more restrictive, but allow more processing for security
» EU Council expect to be working on it in 2H 2018
Legislative Progress (NIS Directive transposition)
Digital Infrastructure (now considered an “essential service”, like traditional CNI)
– TLD registries (>2B q/d),
– DNS resolvers (>2M clients/day), DNS name servers (>250K names)
– IXPs (>50% share or routes)
› Regulator: OFCOM
› Must implement 14 principles/NCSC CAF
› Year 1: analyse requirements, gap analysis, plan remedial action
› Incident thresholds TBA (users, duration, extent) maybe dependency, impact
» DSP (marketplace, search engine, cloud (elastic & shared))
› Regulator: ICO
› Requirements set by EU: Commission draft 31/1/18
– Report incident if >1M user-hours, 100K users, €1M damage, loss of life
Thanks
Andrew Cormack
Chief Regulatory Adviser, [email protected]
https://community.jisc.ac.uk/blogs/regulatory-developments/tags/Data-Protection-Regulation
Except where otherwise noted, this work is licensed under CC-BY-NC-ND
References
Article 29 WP:
» http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358
ICO:
» Children https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/children-and-the-gdpr-guidance/
» eIDAS https://ico.org.uk/for-organisations/guide-to-eidas/
NIS Directive
» https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive (UK transposition)
» http://ec.europa.eu/info/law/better-regulation/initiatives/c-2018-471_en (EC DSP requirements)
My blog:
» https://community.jisc.ac.uk/blogs/regulatory-developments/tags/Data-Protection-Regulation
Earlier presentations from LINX98/9