Categories
Articles

Data Breaches: assessing risk

Under the GDPR’s breach notification rules, it’s essential to be able to quickly assess the level of risk that a security breach presents to individual data subjects. Any breach that is likely to result in a risk to the rights and freedoms of natural persons must be reported to the relevant data protection authority, with […]

Categories
Articles

Algorithms: Explanations, Blame and Trust

“Algorithms” haven’t had the best press recently. So it’s been fascinating to hear from the ReEnTrust project, which actually started back in 2018, on Rebuilding and Enabling Trust in Algorithms. Their recent presentations have looked at explanations, but not (mostly) the mathematical ones that are often the focus. Rather than trying to reverse engineer a […]

Categories
Presentations

Data Protection and Incident Response

Early in 2021 I was invited to give a one-hour presentation on Data Protection and Incident Response, looking at how the demands of the two fields align and support each other, and how law and guidance have come to recognise that over the past decade or so. Incident Response and GDPR: slides Discussion at that […]

Categories
Articles

Data Breach Shanty

To celebrate my 500th blog post, here’s another sea shanty: What shall we do with the stolen data? What shall we do with the stolen data? What shall we do with the stolen data? Early in the morning. Way-hey the fines are rising Way-hey the fines are rising Way-hey the fines are rising Early in […]

Categories
Articles, Tools

Data Breaches: Be Prepared

The Article 29 Working Party’s guidance on Breach Notification suggests some things we should do before a security breach occurs. The GDPR expects data controllers, within 72 hours of becoming aware of any security breach, to determine whether there is a risk to individuals and, if so, to report to the national Data Protection Authority. […]

Categories
Articles

Article 29 WP draft on Breach Notification

The Article 29 Working Party’s draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I’ve been warning since 2012, giving priority to notification. Now the Working Party is explicit that “immediately […]

Categories
Articles

Network and Information Security Directive – nearly done

[UPDATE: the Directive has now been published, with Member States required to transpose it into their national laws by 9 May 2018] The European Council has published the text of the Network and Information Security Directive recently agreed by its representatives and those of the European Parliament. This still needs to be “technically finalised” (in […]

Categories
Articles

GDPR – the final text?

The European Council of Ministers have now published a proposed text for the General Data Protection Regulation. This still needs to be edited by the Commission’s “lawyer-linguists” to check for inconsistencies, sort out the numbering of recitals and articles etc. But the working parties of both the Parliament and the Council have recommended that the […]

Categories
Articles

Breach Notification and the GDPR

[this article is based on the draft text published by the European Council on 28th January 2016. Recital and article numbers, at least, will change before the final text] The final version of the Data Protection Regulation’s breach notification proposals has addressed many of my concerns with the original draft. Rather than applying the same […]

Categories
Articles

Reducing the Impact of Privacy Breaches

At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that affect the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]