Information lifecycles: a tool for GDPR…
Andrew Cormack, Chief regulatory adviser, Jisc technologies, @Janet_LegReg
14/11/2017
© Erich Ferdinand https://commons.wikimedia.org/wiki/File:Toolbox_(6788494881).jpg
Thinking DPD => GDPR
Data subject responsibility => Data controller accountability
Information assets => Information lifecycles
14/11/2017 Information lifecycles: a tool for GDPR 2
Information lifecycles
Information lifecycles
Collect Process Dispose
Information lifecycles
»Why are we doing this?
»What data do we need?
»Who do we get it from?
› Direct? Indirect?
Collect Process Dispose
Information lifecycles
»Why are we doing this?
»How are we processing?
› Where?
› How do we keep it secure?
Collect Process Dispose
Information lifecycles
»When are data no longer needed?
»How do we dispose of them?
› Delete?
› Aggregate?
› Anonymise? Need to keep reviewing re-identification risk
Collect Process Dispose
Optional stages
» Continuing responsibility
› Eg secondary uses, partner organisations
» Internal sharing
› Start another lifecycle
» External sharing
› Assign responsibilities through
agreement/contract
» Responsibility ends on disclosure
› Eg law enforcement
» Needs a legal exemption
Share Disclose
Lifecycle questions
Collect
• Why?
• What?
• How?
Process
• Why?
• How?
Dispose
• When?
• How?
Lifecycle answers…
What?+How? => Breach notification process
» When security breach occurs, must notify:
› Regulator: if risk to individual, within 72 hrs of becoming aware
– Including what you’re doing to mitigate
› Individuals: if still high risk to them despite mitigation
– Including what they can/should do to mitigate
» Requires an efficient incident response process
» Could prepare for this as part of lifecycle development?
› What info => likely level of risk if breached
› How processed => possible mitigations, pre- and post-breach
Why? => Legal basis
» Is processing necessary (ie no less intrusive way to do it) for…
› Contract: an agreement between us (not just in writing)
› Legal obligation: law requires me to…
› Legitimate interest: I need to…
– Requires balancing test to ensure your interests don’t override mine
› Public interest (under debate): law requires someone else to…
› Vital interest: saving life requires me to…
» Or optional, ie we can both cope without it
› You give free, informed, positive consent; no compulsion
May be multiple legal bases
» Eg subscribe to blog updates
» Necessary to process personal data for
› Contract: to deliver the updates you want
› Legitimate Interest: to protect site/users from misuse
» Consent
› To address you by preferred (nick)name, if you want
Legal basis => User rights
» All: Information, Access, Rectification, Security, Breach notification
› Maybe object (see below) to automated significant decisions
» Contract: Portability
» Legal obligation: whatever law says
» Public/Legitimate Interest: Objection, Restriction
› Requires review of individual circumstances, not necessarily termination
» Consent: Portability, Erasure
Legal basis => Notice requirements
» All: Controller, purpose/legal basis, retention, rights, complaints
› If shared: Recipients, transfers
› If automated decisions: Description
» Contract: What contract, consequences of refusal
» Legal obligation: What law, consequences of refusal
» Public/legitimate interest: What interest
» Consent: Right to withdraw
See http://ji.sc/right-to-be-informed
Lifecycle drives GDPR implementation
From lifecycle, know…
Collect
• Notice
• (Consent)
• (Children)
Process
• Rights
• Subject Access
• Security
Dispose
• Breaches
ICO 12 steps (project plan by ANC)
Consent processes (inc. children)
Individual rights processes (inc. subject access)
Privacy notices
Legal basis for processing
Breach notification process
Information lifecycle audit
Data protection by design/impact assessments
Awareness
And also…
»Lifecycle thinking helps with…
› ISO27001 – information security
› ISO9001 – process quality
› Efficient use of data in general
jisc.ac.uk
Except where otherwise noted, this work
is licensed under CC-BY-NC-ND
Thanks/questions?
Andrew Cormack
http://ji.sc/reg-developments
Andrew.Cormack@jisc.ac.uk
References
» GDPR text: https://ji.sc/gdpr-text
» ICO: https://ico.org.uk/for-organisations/data-protection-reform/
» Art29WP: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
» Jisc
› “A year to get your act together”: jisc.ac.uk/blog/a-year-to-get-your-act-together-how-universities-and-colleges-should-be-preparing-for-new-data-regulations
› GDPR implementation plan: https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-12-steps-illustrated
› GDPR lifecycles: https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-moving-information-lifecycle-registers
