Recently I was invited to give a one-hour presentation on Data Protection and Incident Response, looking at how the demands of the two fields align and support each other, and how law and guidance have come to recognise that over the past decade or so. I finished with some thoughts on areas – data collection […]
Tag: Breach Notification
Posts relating to requirements to notify security breaches
Data Breach Shanty
To celebrate my 500th blog post, here’s another sea shanty: What shall we do with the stolen data? What shall we do with the stolen data? What shall we do with the stolen data? Early in the morning. Way-hey the fines are rising Way-hey the fines are rising Way-hey the fines are rising Early in […]
The Article 29 Working Party’s draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I’ve been warning since 2012, giving priority to notification. Now the Working Party is explicit that “immediately […]
[UPDATE: the Directive has now been published, with Member States required to transpose it into their national laws by 9 May 2018] The European Council has published the text of the Network and Information Security Directive recently agreed by its representatives and those of the European Parliament. This still needs to be “technically finalised” (in […]
GDPR – the final text?
The European Council of Ministers have now published a proposed text for the General Data Protection Regulation. This still needs to be edited by the Commission’s “lawyer-linguists” to check for inconsistencies, sort out the numbering of recitals and articles etc. But the working parties of both the Parliament and the Council have recommended that the […]
Breach Notification and the GDPR
[this article is based on the draft text published by the European Council on 28th January 2016. Recital and article numbers, at least, will change before the final text] The final version of the Data Protection Regulation’s breach notification proposals has addressed many of my concerns with the original draft. Rather than applying the same […]
Reducing the Impact of Privacy Breaches
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]
The various committees of the European Parliament have now published their response to the Commission’s draft Network and Information Security Directive. Their proposal is much more narrowly focussed than the Commission’s: public administrations are excluded (though individual Member States are allowed to opt theirs in), as they already “have to exert due diligence in the […]
The Department for Business, Innovation and Skills has published a summary of the responses to its consultation on the proposed EU Directive on Network and Information Security (NIS) (JANET’s response). Summarising that summary (!): There seems to be agreement that there is a role for the EU in Network and Information Security, in particular in […]
Two talks on the first day of the FIRST conference highlighted the increasing range of equipment and data that can be found on the Internet, and the challenges that this presents both for risk assessment and, if incidents do happen, assessing the severity of the possible breach and what measures need to be taken. Eireann […]