A couple of organisations have asked me recently whether the General Data Protection Regulation (GDPR) requires them to get some sort of external recognition of their incident response team. Here’s why I don’t think it does.
Recital 49 of the Regulation says:
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned…
If your work involves using logs or other usage data to protect network or information (system) security, then clearly it would be reassuring to be on that list. However it’s already apparent that the list isn’t exhaustive: in the recent European Court case of Breyer v Deutschland (C-582/14) the Court recognised that a website operator, too, can rely on this kind of legitimate interest when retaining IP addresses to defend its site against attacks. And, anyway, universities, colleges and most other organisations are already there as “providers of electronic communications networks and services”: the GDPR wording (taken from the telecoms framework directive 2002/21/EC) covers both public and private networks. So those organisations are already covered by Recital 49, irrespective of whether they have a team called CERT/CSIRT.
As to which group(s) within the organisation are authorised to “process[] personal data … for the purposes of ensuring network and information security”, the body responsible for deciding that is the data controller for that personal data, i.e. the university or college itself. An external body such as Jisc may be able to suggest how to do incident response in accordance with the Regulation (my paper on Incident Response and the GDPR tries to provide both a comprehensive framework and a lot of specific examples), but we can’t decide how those tasks should be assigned within your organisation. So if your organisation operates a network or servers, and has authorised you to protect them against digital attacks, I’d be comfortable that Recital 49 applies to you. Bear in mind, though, that the Recital only establishes the legitimate interest: the processing itself still has to be “strictly necessary and proportionate” for that purpose, so you should be able to show why the particular logs or data you collect, and how long you keep them, are needed for the security work you do.
Finally, and confusingly, unlike the GDPR the European Network and Information Security (NIS) Directive does have a concept of an official, designated CSIRT. However that’s a team designated by a Member State’s government as having responsibility for incidents affecting its critical national infrastructure (the operators of essential services and digital service providers covered by the Directive): not a status that Jisc or any university or college is likely to seek.