Looking at the contents of the Government’s new Bill suggests it may be more about Digital Information than Data Protection: Personal Data Processing (1-23); National Security & Intelligence Services (24-6); Information Commissioner’s Role etc. (27-43); Miscellaneous (44-5); Digital Verification Services (46-60); Customer & Business Data (a general framework for services like Open Banking) (61-77); Privacy […]
Tag: Data Protection Regulation
Posts related to the General Data Protection Regulation. There are a lot of these, so if you want to find out how GDPR affects a particular topic, it’s better to use the topic tag; if you want to know about implementing GDPR, then try “GDPR Howto”.
Whether you refer to your technology as “data-driven”, “machine learning” or “artificial intelligence”, questions about “algorithmic transparency” are likely to come up. The finest example is perhaps the ICO’s heroic analysis of different statistical techniques. But it seems to me that there’s a more fruitful aspect of transparency earlier in the adoption process: why was […]
Data Protection Benefits with ORCID
A few weeks ago I presented on “ORCID and GDPR” at a UK Consortium event. I hope this was reassuring: I’ve always been very impressed with ORCID’s approach to Data Protection (in the European sense of “managed processing”, not the more limited one of “security”), but take it from the German Consortium’s lawyers, back in […]
The final text of the revised European Network and Information Security Directive (NIS 2 Directive) has now been published. This doesn’t formally apply in the UK, but does have some helpful comments on using data protection law to support network and information security. I’ve blogged about these previously but, since the final version significantly changes […]
European Data Protection Regulators have been expressing their concerns for nearly twenty years about public records of domain name ownership (commonly referred to as WHOIS data). A recent case (C37-20) on public records of company ownership (required under money-laundering legislation) suggests that the European Court of Justice would have similar doubts. But its comments on […]
Volunteers and Consent
I’ve read two documents this week – one academic paper and one guide from the Information Commissioner – pointing out that just because someone chooses to participate in an activity doesn’t mean that Consent is the appropriate legal basis for processing their personal data. There might be several reasons for that… First, if the nature […]
The latest draft part of the ICO’s guidance on data protection technologies covers Privacy Enhancing Technologies (PETs). This is a useful return to a topic covered in a very early factsheet, informed both by technical developments and a better understanding of how technologies can (and cannot) contribute to data protection. Perhaps the most important message […]
Risk trade-offs? Or spirals?
A couple of recent discussions have mentioned “trade-offs” between risks. But I wonder whether that might sometimes be a misleading phrase: concealing dangers and perhaps even hiding opportunities? “Trade-off” makes me think of a see-saw – one end down, other up – which has a couple of implications. First, the two ends are in opposition; […]
Following my Networkshop talk on logfiles, I was asked at what point logfiles can be treated as “anonymous” under data protection law. Since the GDPR covers all kinds of re-identification, as well as data that can “single out” an individual even without knowing their name, that’s a good CompSci/law question: the work of Paul Ohm […]
Porridge, Bears and Logfiles
Two common concerns in incident response are (a) not having the data needed to investigate an incident and (b) not being able to find signs of incidents in a mass of other data. My Networkshop talk (see “Making IT Safer… Safely”) looked at how the GDPR principles might help us to get it, like Goldilocks’ […]