Last year, I was invited to give a talk “on GDPR” to NISO, an organisation that develops standards for managing digital information. While most of my thinking and writing has looked at applying data protection law to existing systems, this seemed like a good opportunity to think about how you might use it at an […]
Tag: Data Protection Regulation
Posts related to the General Data Protection Regulation. There are a lot of these, so if you want to find out how GDPR affects a particular topic, it’s better to use the topic tag; if you want to know about implementing GDPR, then try “GDPR Howto”
A few years ago I wrote a post on how the GDPR copes with situations when there was a conflict between the obligation to prevent, detect and investigate incidents and the obligation to inform all those whose personal data you process. Do you, for example, need to inform someone who is attacking your systems that […]
Digital Qualifications and GDPR
Over the past decade or more, we’ve developed federated access management as a technical, policy and legal framework to exchange up-to-date information to help current staff and students access the resources they need. Authentication, status and membership information all need to be fresh to be useful and frequent use makes it worth organisations entering into […]
Srry, you woke me…
Recently I was in a video-conference where Apple’s “smart” assistant kept popping up on the presenter’s shared screen. Another delegate realised this happened whenever the word “theory” was spoken. It’s close… These events – which I refer to as “false-wakes” – are privacy risk: maybe small, but that depends very much on the nature of […]
GDPR: Not about “trade-offs”
The Information Commissioner’s response to proposals for data protection reform has another take on my idea of the law helping us to find sweet spots: those points shouldn’t be seen as “trade-offs”, but as mutually beneficial. As the ICO puts it: The economic and societal benefits of this digital growth are only possible through earning […]
GDPR: A Guide to Sweet Spots?
I keep coming back to the idea that Data Protection law (at least as expressed in the GDPR) has two explicit objectives: to “protect natural persons” and to enable “free movement of data”. And those are presented as compatible, not conflicting. In the case of a couple of the Article 6 lawful bases for processing that’s […]
Schrems II: pragmatism or uncertainty?
A fascinating panel at the PrivSec Global conference looked at how individual courts and regulators have responded to the Schrems II decision on international transfers of personal data. That decision, and the subsequent guidance from the European Data Protection Board, aimed to establish a consistent regime for transferring personal data from the EEA to external […]
Information Sharing in Emergencies
The Information Commissioner’s new blog post explains how Data Protection law should be seen as a guide to when and how to share information in emergencies, not an obstacle to such sharing. In health emergencies three provisions are most likely to be relevant: Explicit Consent (GDPR Art.9(2)(a)): where an individual chooses to disclose information, such […]
[UPDATE: slides from my TF-CSIRT presentation are now available] Several years ago I wrote a paper on using the GDPR to decide when the benefits of sharing information among network defenders outweighed the risks. That used the Legitimate Interests balancing test to compare the expected benefits – in improving the security of accounts, systems or […]
The EDPB’s new Guidance on Data Protection issues around Virtual Voice Assistants (Siri, Alexa and friends) makes interesting reading, though – as I predicted a while ago for cookies – they get themselves into legal tangles by assuming “If I need consent for X, might as well get it for Y”. We’ve been focusing more […]