- If you have not read the GDPR: “That would be awesome!”
- If you have read the GDPR: “Don’t be so bloody stupid.”
My original title was “Data Security vs Data Protection[…]”, but an unfortunate number of people see these as pretty much the same thing, even interchangeable. Then I chose Cybersecurity instead of Data Security but that doesn’t cover all forms/formats of personal data, so I finally had to settle on Information Security.
As for Data Protection, it’s not, in and of itself Privacy, and so on…
But you see the problem already? If we can’t even agree on common terminology, how are we expected to ask the right people the right questions in order to solve our problems? But I digress…
For the purposes of this blog I have chosen the following definitions of ‘Information Security’ and ‘Privacy’: Continue reading
I’ve already written on the subject of privacy several times, and will likely be regurgitating a lot of what I’ve said previously, but an article I read last week really pissed me off; Three Reasons Why the “Nothing to Hide” Argument is Flawed. It’s exactly this kind of absolutist nonsense [from both sides of the privacy ‘debate’] that makes true progress so bloody difficult.
Their first point: “1) Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.” is backed up by several metaphors, one of which is “Do you close the door when you go to the bathroom?” Seriously? Even the Universal Declaration of Human Rights qualifies the right to privacy with the word ‘arbitrary’:
“Article 12 – No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Every other treatise [that I’ve read] on privacy has a similar qualifier, which clearly infers that there can be very good reasons for ‘interference’. This is further supported by the fact that privacy is only a fundamental right, not an absolute right. Continue reading
You could almost be forgiven in thinking that words/phrases like; ‘pseudonymised’, ‘anonymised’, ‘access control’ or ‘encrypted’ are all that is required when reporting your technical and organisational security measures for Article 30 – Records of Processing Activities.
The UK’s ICO themselves provided a sample of what records of processing should look like, and even included examples of content. Their column headed “General description of technical and organisational security measures (if possible)” contains just two examples; “encrypted storage and transfer” and “access controls“. So in the absence of more detailed guidance from any supervisory authority [that I have seen] just what are organisations supposed to do?
First, you need to understand that in Article 32 – Security of Processing, the phrase “technical and organisational security measures” is qualified twice by the one word that makes the whole thing not only clear, but very simple; “Appropriate”.
Article 32(1): “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”.
I’m not going to go into detail about how you define ‘appropriate’, I’ve already done that in GDPR: How Do You Define ‘Appropriate’ Security Measures?, but I am going to provide an example of what this would look like on the only medium that counts; paper.