I was actually chuckling to myself as I wrote that title because I know you were thinking [the equivalent of] one of the following as you clicked on the link:
- If you have not read the GDPR: “That would be awesome!”
- If you have read the GDPR: “Don’t be so bloody stupid.”
No, of course ISO 27001 certification won’t give you immunity from GDPR fines, even those related to data security breaches, which is the only thing 27001 actually covers. Data security (as opposed to data processing) is a single Article out of 99, and the fines related to data loss aren’t even the big ones (2%, not 4%).
That said, I believe there is a much greater chance of you being fined for lack of security than for any illegalities in your personal data processing.
It’s a matter of exposure.
The title should actually be more in question form; Did you know that there’s even a difference between being erased and being forgotten?
Article 17 of the GDPR is “Right to erasure (‘right to be forgotten’)“, which suggests they are the same thing. They are not [quite], and I think the only reason the right to be forgotten was added in brackets is because everyone was already calling it that. But it’s just not accurate …enough.
The right to be forgotten is intended to allow an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.” For example; you may have been guilty of a minor criminal offence 30 years ago, which in the UK would likely make that offence “spent” (i.e. it should not be considered in any decisions against you related to insurance, employment, loans and so forth). However, if this criminal record has been posted online then duplicated in numerous forms all over the place, it will never go away. In other words, you’ve paid your ‘debt to society’ but it will haunt you for the rest of your days.
My original title was “Data Security vs Data Protection[…]”, but an unfortunate number of people see these as pretty much the same thing, even interchangeable. Then I chose Cybersecurity instead of Data Security but that doesn’t cover all forms/formats of personal data, so I finally had to settle on Information Security.
As for Data Protection, it’s not, in and of itself Privacy, and so on…
But you see the problem already? If we can’t even agree on common terminology, how are we expected to ask the right people the right questions in order to solve our problems? But I digress…
For the purposes of this blog I have chosen the following definitions of ‘Information Security’ and ‘Privacy’: Continue reading
I’ve already written on the subject of privacy several times, and will likely be regurgitating a lot of what I’ve said previously, but an article I read last week really pissed me off; Three Reasons Why the “Nothing to Hide” Argument is Flawed. It’s exactly this kind of absolutist nonsense [from both sides of the privacy ‘debate’] that makes true progress so bloody difficult.
Their first point: “1) Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.” is backed up by several metaphors, one of which is “Do you close the door when you go to the bathroom?” Seriously? Even the Universal Declaration of Human Rights qualifies the right to privacy with the word ‘arbitrary’:
“Article 12 – No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Every other treatise [that I’ve read] on privacy has a similar qualifier, which clearly infers that there can be very good reasons for ‘interference’. This is further supported by the fact that privacy is only a fundamental right, not an absolute right. Continue reading
You could almost be forgiven in thinking that words/phrases like; ‘pseudonymised’, ‘anonymised’, ‘access control’ or ‘encrypted’ are all that is required when reporting your technical and organisational security measures for Article 30 – Records of Processing Activities.
The UK’s ICO themselves provided a sample of what records of processing should look like, and even included examples of content. Their column headed “General description of technical and organisational security measures (if possible)” contains just two examples; “encrypted storage and transfer” and “access controls“. So in the absence of more detailed guidance from any supervisory authority [that I have seen] just what are organisations supposed to do?
First, you need to understand that in Article 32 – Security of Processing, the phrase “technical and organisational security measures” is qualified twice by the one word that makes the whole thing not only clear, but very simple; “Appropriate”.
Article 32(1): “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”.
I’m not going to go into detail about how you define ‘appropriate’, I’ve already done that in GDPR: How Do You Define ‘Appropriate’ Security Measures?, but I am going to provide an example of what this would look like on the only medium that counts; paper.