30122021 General Data Protection Regulation GDPR Andrew Cormack

  • Slides: 34
30/12/2021 General Data Protection Regulation (GDPR)
Andrew Cormack, Chief Regulatory Adviser (@Janet_LegReg)

2 Session Outline
» New Legislation
» Significant Changes
» How to Approach It
» Examples

3 What it is
Regulation of the European Union (2016/679/EU)
» Applies directly to everyone/every organisation in Europe
» And beyond, to organisations providing services to/collecting data on Europeans
Replaces Data Protection Directive (1995/46/EC)
» ~3x longer
In force from 25th May 2018

4 What it isn’t
Finished…
» Around 50 areas for each Member State to decide (e.g. research)
» Regulators will be drafting guidance for the whole of 2017
  › Planned list doesn’t cover all issues (e.g. cloud)
» ePrivacy Regulation: first draft out for comments (as of September 2017)
Expect uncertainty/change/contradiction well beyond May 2018

5 Does it cover me?
Yes, if you are processing (including storing) personal data
» Including MAC/IP addresses (inc. dynamic), RFID tags, etc. (Breyer)
» Assume any per-user record may be personal data
ePrivacy Regulation covers all data relating to communications
» Headers, content, location…
» Even when it’s not personal data

6 And…?
Also, if you’re designing/building systems for processing PD
» Operators/users will want to know about compliance features
» Especially types of data/processing that it’s not designed for

7 ePrivacy Regulation progress
Commission Draft (Jan 2017)
» Covers public network operators
  › Also wifi/Bluetooth tracking; also browsers/cookies
» Processing only for service, security or by consent
Art 29/EDPS suggestions (April 2017)
» Add hospitals, hotels, universities, …
» Add anyone processing the same data
European Parliament/Council (May/June 2017)
» Timetable “unrealistic” (Council)
» 400 pages of amendments (Parliament Committee)

8 Main GDPR Changes (Summary)
DPD: What personal data are we processing?
GDPR: Why are we processing that personal data?

9 Main GDPR Changes (A Little More Detail)
» Accountability
» Data Protection by Design/Default
» Consent
» User Rights
» Security

10 Accountability
Need to understand/document
» What you’re processing, why, where, how long for, who may obtain it
» Risks, and how they are managed
» Information lifecycles, not just asset registers
» How users can monitor processing of their data
Different legal bases => different notices, duties and user rights
If required, appoint a Data Protection Officer
» Public authorities (i.e. bodies with special legal powers), or
» Core activities involve large-scale monitoring/SPD of individuals

11 Data Protection by Design/Default
Data protection considered early in system/process design
» Data minimisation, anonymisation, pseudonyms, etc.
Options default to privacy-protecting: users must choose to relax
Formal Data Protection Impact Assessments (DPIA)
» Required for large-scale/risky processing
» Identify risks to individuals (not the organisation), mitigate, assess
» DPA approval needed if high risks remain
Probably need to cover existing systems, too, by 2021

12 Consent
New, tighter conditions for consent to be valid
» Free, informed, positive action, revocable (as easily) at any time
» In particular: not a condition of service, not under compulsion
Must keep records of consent
» Who, when, how, to what
Designed to be hard to obtain/manage (“reduce overuse”)
» Likely to have to consider other legal bases (see below)

13 User Rights to…
(How different this is depends on your current national regime)
Information (about processing)
Subject Access (about their data)
» More metadata than current SAR
Rectification
» Correct wrong/incomplete data
Erasure
» When no lawful basis for processing
Data Portability
» Is this (limited) SAR + digital format?
Objection
» Depends on legal basis for processing
» Assess individual’s rights/interests
Automated decision making
» Can insist on human intervention
Restrict processing
» Pending rectification/erasure/objection

14 Security
Must use organisational & technical measures to protect data
» E.g. (GDPR text) encryption, pseudonyms, authorisation, exercises, …
» Risk-based, expected to develop as technology does
» Data Protection by Design
Breach notification (unauthorised/accidental loss, alteration, disclosure of, or access to, personal data)
» To regulator, within 72 hours, if risk to rights & freedoms
» To individuals, without delay, if high risk to rights & freedoms
Explicit support for security & incident response

15 How to Approach it
» Information Lifecycles (Security)
» Legal Basis for Processing (User Rights)
» Service Categories
» Localisation?

16 Information Lifecycles
More than just an “information audit” (what information). Also…
» Why we have that information, what we use it for
» Collection, processing, transfers, disclosure, deletion
» Information flows in “space” and time
Basic information for quality and information security standards too
» Should improve organisation’s use of information
Could also think about risks/security/breach requirements at the same time

17 Legal Basis for Processing
Six bases available
» Necessary for: contract, law, life, public interest, legitimate interest
» Consent (may imply not “necessary”?)
» Different duties, rights, notice requirements for each
Complex activities/services may well use more than one, e.g.
» Can’t provide service without it (contract)
» Can’t secure service without it (legitimate interest)
» Can make service prettier with it (consent)

18–21 Draft Service Categories
Risk-based guide to prioritisation/standardisation
Risk level | Relationship | Example | Privacy notice? / T & C? / Legal basis test? / DPIA?
1 | Service provider has direct interaction with user | helpdesk | X X X
2 | Service provider has direct long-term relationship with user | eduroam site contact | ? X
3 | User has relationship with third party | eduroam user | ?
4 | User may be unaware of service’s existence | incident response | ?

22 Localisation?
Users may well want storage in specific places
» And/or avoid others
» Even within EU… (proposed free-flow law excludes personal data)
Worth thinking about how service might implement
» Federated storage (i.e. multiple, localised databases)
» Per-country directory/service options (if that makes sense)
If design supports it, can cost/implement if/when it’s asked for

23 Examples
» Federated AAI
» Security & Incident Response
» Location Data

24 Federated AAI
R&E federations have done data minimisation for years
» Attributes, pseudonyms, etc.
Legitimate interests basis for necessary data
» Necessary to provide service user has requested
» Now covers “ad hoc” exports, too: good fit for AAI request/response
Consent basis for additional data
» E.g. to have interface address you by friendly name
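The following is an added illustration of the two points made on the consent slide and the Federated AAI slide; it is not code from the slides, from Jisc or GÉANT, or from any federation product. It records consent as "who, when, how, to what" with a withdrawal timestamp, releases to a service only the attributes the service needs (legitimate interests) plus optional ones such as a friendly display name only while consent is active, and sends a service-specific pseudonym instead of the real user identifier. The service names, attribute names, release policies and the pseudonym secret are constructed for the example, and the HMAC-based pairwise pseudonym is one assumed way of doing data minimisation, not a mechanism the deck specifies.

```python
"""Attribute release with a per-attribute legal basis (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed service identifiers.
WIKI_SP = "https://sp.example.org/wiki"
PRINT_SP = "https://sp.example.org/printing"

# "necessary": released on the legitimate-interests basis (service cannot
# work without them). "consent": released only while consent is active.
# Attributes not listed for a service are never released to it.
SERVICE_POLICY = {
    WIKI_SP: {"necessary": {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
              "consent": {"displayName", "mail"}},
    PRINT_SP: {"necessary": {"eduPersonScopedAffiliation"}, "consent": set()},
}

# Constructed IdP secret, used only to derive pairwise pseudonyms.
PSEUDONYM_SECRET = b"constructed-idp-secret-not-a-real-key"


def pairwise_pseudonym(user_id: str, sp_entity_id: str) -> str:
    """Stable per (user, service) identifier; two services get values they
    cannot link to each other or to the real user id (assumed design)."""
    msg = f"{user_id}\x00{sp_entity_id}".encode()
    return hmac.new(PSEUDONYM_SECRET, msg, hashlib.sha256).hexdigest()[:32]


@dataclass
class ConsentRecord:
    """Who, when, how, to what. Withdrawal is recorded, not deleted."""
    user_id: str
    sp_entity_id: str
    attribute: str
    given_at: datetime
    method: str
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentStore:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    @staticmethod
    def _key(r: ConsentRecord):
        return (r.user_id, r.sp_entity_id, r.attribute)

    def give(self, user_id, sp_entity_id, attribute, method, when=None):
        rec = ConsentRecord(user_id, sp_entity_id, attribute,
                            when or datetime.now(timezone.utc), method)
        self.records.append(rec)
        return rec

    def withdraw(self, user_id, sp_entity_id, attribute, when=None):
        for r in self.records:
            if r.active() and self._key(r) == (user_id, sp_entity_id, attribute):
                r.withdrawn_at = when or datetime.now(timezone.utc)

    def has_consent(self, user_id, sp_entity_id, attribute) -> bool:
        return any(r.active() and self._key(r) == (user_id, sp_entity_id, attribute)
                   for r in self.records)


def release_attributes(user: Dict, sp_entity_id: str, consents: ConsentStore) -> Dict[str, str]:
    """Build the attribute set sent to one service for one user."""
    policy = SERVICE_POLICY.get(sp_entity_id)
    if policy is None:
        # No policy means no lawful basis has been worked out: release nothing.
        raise PermissionError(f"no release policy for {sp_entity_id}")
    attrs = user["attributes"]
    released = {"pairwiseId": pairwise_pseudonym(user["uid"], sp_entity_id)}
    for attr in sorted(policy["necessary"]):
        if attr in attrs:
            released[attr] = attrs[attr]
    for attr in sorted(policy["consent"]):
        if attr in attrs and consents.has_consent(user["uid"], sp_entity_id, attr):
            released[attr] = attrs[attr]
    return released


def demo() -> Dict[str, Dict[str, str]]:
    """Give consent, release, withdraw, release again, for a constructed user."""
    alice = {"uid": "alice@idp.example.ac.uk", "attributes": {
        "eduPersonScopedAffiliation": "staff@idp.example.ac.uk",
        "eduPersonEntitlement": "urn:mace:example:wiki:editor",
        "displayName": "Alice Example", "mail": "alice@example.ac.uk",
        "dateOfBirth": "1980-01-01"}}  # held by the IdP, listed in no policy
    store = ConsentStore()
    store.give(alice["uid"], WIKI_SP, "displayName", "attribute-release page, tick box")
    before = release_attributes(alice, WIKI_SP, store)
    store.withdraw(alice["uid"], WIKI_SP, "displayName")
    after = release_attributes(alice, WIKI_SP, store)
    printing = release_attributes(alice, PRINT_SP, store)
    return {"wiki_with_consent": before, "wiki_after_withdrawal": after, "printing": printing}


if __name__ == "__main__":
    for name, attrs in demo().items():
        print(name, attrs)
```

Running `demo()` shows the wiki service receiving the display name only while consent is active, the printing service receiving nothing beyond the affiliation and a different pseudonym for the same user, and the date of birth never leaving the IdP because no policy names it. Withdrawal keeps the record with a timestamp, which is what allows the organisation to show who consented, when, how and to what, and when they changed their mind.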

25 Security & Incident Response
Explicit support in GDPR recital 49
» Breyer case effectively backdates this to current Directive
Likely to be essential to deliver breach notification duty
Legitimate interests basis (as in Rec. 49) provides lots of useful guidance
» Necessary/proportionate, balance of interests
» Paper at http://script-ed.org/?p=3180
» Largely compatible with existing Incident Response practice

26 Location Data
No special treatment under GDPR. So could be
» Necessary for service provision (e.g. cell site)
» Necessary for value-added service (e.g. find my X)
» Necessary for public interest (e.g. find badguy’s X)
» Consent…
» i.e. wider than current ePrivacy Directive
ePrivacy Regulation debate seems conflicted
» Want service-necessary or consent (i.e. connected users only)
» But like, e.g., queue monitoring applications

27 Implementing the GDPR: References
Regulators
» http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 (EU)
» https://ico.org.uk/for-organisations/data-protection-reform/ (UK)
Regulation (2016/679/EU):
» http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
Me:
» https://community.jisc.ac.uk/blogs/regulatory-developments/tags/Data-Protection-Regulation
» https://script-ed.org/article/incident-response-protecting-individual-rights-under-the-general-data-protection-regulation/
» https://eventr.geant.org/events/2731 (GDPR webinar)

28 Thanks
Andrew Cormack
Chief Regulatory Adviser, Jisc Technologies
Andrew.Cormack@jisc.ac.uk
https://community.jisc.ac.uk/blogs/regulatory-developments/tags/Data-Protection-Regulation
Except where otherwise noted, this work is licensed under CC-BY-NC-ND

29 Twelve (UK ICO) Steps
» Project Plan
» Awareness
» Data Protection by Design/Impact Assessments
» Information Lifecycle Audit
» Breach Notification Process
» Legal Basis for Processing
» Privacy Notices
» Individual Rights Processes (inc. Subject Access)
» Consent Processes (inc. Children)

GÉANT and GDPR
Nicole Harris, Budapest, October 3rd 2017
GÉANT Symposium 2017

31 GÉANT Community-Facing Activities and GDPR
» IAMonline AARC Policy on Personal Data: https://eventr.geant.org/events/2731
» https://wiki.geant.org/display/gn42na3/Community+GDPR+Activities
» GÉANT Code of Conduct
» eduGAIN GDPR consultation
» eduGAIN GDPR Review
» REFEDS Attribute Release Policies
» SIG-MSP presentation
» SIG-ISM (upcoming)
» SIG-NOC (upcoming)
» TF-CSIRT presentation

32 Leading to TF-DPR
“The Task Force proposes to gather information, discuss and develop tools and best practices to be able to deal with the requirements of data protection regulation, with a focus on the General Data Protection Regulation (GDPR) and how NRENs and our shared services can prepare for the GDPR. Other relevant legislation with an impact on data protection – like the upcoming e-privacy Regulation – is also in scope. The results of the task force will yield documentation and tools for NRENs.”
https://eventr.geant.org/events/2732

33 GÉANT Organisational Approach to GDPR
» Pete Janusz, GDPR Lead
» Ana Alves, GDPR Project Manager
» Shaun Cairns, Responsible Owner
» Evangelos Spatharas, Security Officer
» Nicole Harris, Community Liaison

34 What Can You Do?
Think about:
» Where you are processing personal data
» The reasons why you are processing
» Are you asking for too much information?
» Where is it stored?
» Who has access?
» How long do you need to keep it?
Talk to us!