UpdateFebruary2017

18/02/18 GeneralDataProtectionRegulation(GDPR)

NewGuidance1

Art29WPDraft:Consent» Reinforcesthenarrowcircumstancesinwhichconsentwillbevalid

Art29WPDraft:Transparency» Prettymuchare-statementofwhattheGDPRitselfsays

ICODraft:Children’sdata(consultationtill28thFeb).ForInformationSocietyServices:»  Ifusingconsent:“reasonableefforts”toeithergetfromparentorexcludechildren» Agethresholdfor“children”variesacrossEUL» Evenifnotusingconsent:child-friendlynotices,rightsprocesses,etc.(“cartoons”)

GDPRUpdate:LINX100 2

NewGuidance2

Art29WPFinal:Profilingandautomateddecision-making»  Significantimprovementon2017draft»  Thresholdisnowrefusalofcitizenship,socialbenefit,etc.(notcycle-hire)»  Stillaban(notanexercisableright)onfullyautomateddecisionsatthatlevel

Art29WPFinal:Breachnotification…

ICOFinal(undereIDAS/digitalsignaturesRegulation)»  Breachnotificationandrisk-basedsecuritydesign:likeGDPR,but24hourstoreportEuropeanCommission»  Infographicstoinformindividuals&organisations»  To-dolistformemberstates(justtwohavelegislated)

GDPRUpdate:LINX100 3

MissingGuidance

Finalversionsof» Art29:Consent» Art29:TransparencyStillpromised(otherthanafewparasontheICOwebsite):» ICO:DataProcessorcontracts» ICO:Accountability,includingdocumentation

GDPRUpdate:LINX100 4

LegislativeProgress(DataProtection)

DataProtectionBill(UK)» FinishedHouseofLords» ArrivedinHouseofCommons18thJan

ePrivacyRegulation(EU)» EUParliamentagreedon168requiredamendments›  Mostlymorerestrictive,butallowmoreprocessingforsecurity» EUCouncilexpecttobeworkingonitin2H2018

GDPRUpdate:LINX100 5

LegislativeProgress(NISDirectivetransposition)

DigitalInfrastructure(nowconsideredan“essentialservice”,liketraditionalCNI)–  TLDregistries(>2Bq/d),–  DNSresolvers(>2Mclients/day),DNSnameservers(>250Knames)–  IXPs(>50%shareorroutes)

›  Regulator:OFCOM›  Mustimplement14principles/NCSCCAF›  Year1:analyserequirements,gapanalysis,planremedialaction›  IncidentthresholdsTBA(users,duration,extent)maybedependency,impact

»  DSP(marketplace,searchengine,cloud(elastic&shared))›  Regulator:ICO›  RequirementssetbyEU:Commissiondraft31/1/18–  Reportincidentif>1Muser-hours,100Kusers,€1Mdamage,lossoflife

GDPRUpdate:LINX100 6

Thanks

7

AndrewCormackChiefRegulatoryAdviser,JiscTechnologiesAndrew.Cormack@jisc.ac.ukhttps://community.jisc.ac.uk/blogs/regulatory-developments/tags/Data-Protection-Regulation

Exceptwhereotherwisenoted,thisworkislicensedunderCC-BY-NC-ND

References

Article29WP:»  http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358

ICO:»  Children

https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/children-and-the-gdpr-guidance/

»  eIDAShttps://ico.org.uk/for-organisations/guide-to-eidas/NISDirective»  https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-

information-systems-directive(UKtransposition)»  http://ec.europa.eu/info/law/better-regulation/initiatives/c-2018-471_en(ECDSPrequirements)

Myblog:»  https://community.jisc.ac.uk/blogs/regulatory-developments/tags/Data-Protection-Regulation

EarlierpresentationsfromLINX98/9

GDPRUpdate:LINX100 8