General Data Protection Regulation (GDPR)

Presentation transcript:

General Data Protection Regulation (GDPR)
21/07/2018
Andrew Cormack, Chief Regulatory Adviser (@Janet_LegReg)

Session Outline
- New Legislation
- Significant Changes
- How to Approach It
- Examples

What it is
- Regulation of the European Union (2016/679/EU)
- Applies directly to every person and organisation in Europe
- And beyond, to organisations providing services to, or collecting data about, people in Europe
- Replaces the Data Protection Directive (1995/46/EC); ~3x longer
- In force from 25th May 2018

What it isn’t
- Finished…
- Around 50 areas for each Member State to decide (e.g. research)
- Regulators will be drafting guidance for the whole of 2017
- Planned list doesn’t cover all issues (e.g. cloud)
- ePrivacy Regulation: first draft out for comments (as of September 2017)
- Expect uncertainty/change/contradiction well beyond May 2018

Does it cover me?
- Yes, if you are processing (including storing) personal data
  - Including MAC/IP addresses (inc. dynamic), RFID tags, etc. (Breyer)
  - Assume any per-user record may be personal data
- ePrivacy Regulation covers all data relating to communications
  - Headers, content, location…
  - Even when it’s not personal data

And…?
- Also, if you’re designing/building systems for processing personal data
  - Operators/users will want to know about compliance features
  - Especially types of data/processing that it’s not designed for

ePrivacy Regulation progress
- Commission Draft (Jan 2017)
  - Covers public network operators
  - Also wifi/Bluetooth tracking; also browsers/cookies
  - Processing only for service, security or by consent
- Art 29/EDPS suggestions (April 2017)
  - Add hospitals, hotels, universities, …
  - Add anyone processing the same data
- European Parliament/Council (May/June 2017)
  - Timetable “unrealistic” (Council)
  - 400 pages of amendments (Parliament Committee)

Main GDPR Changes (Summary)
- DPD: What personal data are we processing?
- GDPR: Why are we processing that personal data?

Main GDPR Changes (A Little More Detail)
- Accountability
- Data Protection by Design/Default
- Consent
- User Rights
- Security

Accountability
- Need to understand/document
  - What you’re processing, why, where, how long for, who may obtain it
  - Risks, and how they are managed
  - Information lifecycles, not just asset registers
  - How users can monitor processing of their data
- Different legal bases => different notices, duties and user rights
- If required, appoint a Data Protection Officer
  - Public authorities (i.e. bodies with special legal powers), or
  - Core activities involve large-scale monitoring/SPD of individuals

Data Protection by Design/Default
- Data protection considered early in system/process design
  - Data minimisation, anonymisation, pseudonyms, etc.
  - Options default to privacy-protecting: users must choose to relax
- Formal Data Protection Impact Assessments (DPIA)
  - Required for large-scale/risky processing
  - Identify risks to individuals (not the organisation), mitigate, assess
  - DPA approval needed if high risks remain
  - Probably need to cover existing systems, too, by 2021

Consent
- New, tighter conditions for consent to be valid
  - Free, informed, positive action, revocable (as easily) at any time
  - In particular: not a condition of service, not under compulsion
- Must keep records of consent
  - Who, when, how, to what
- Designed to be hard to obtain/manage (“reduce overuse”)
  - Likely to have to consider other legal bases (see below)

User Rights to…
(How different this is depends on your current national regime)
- Information (about processing)
- Subject Access (about their data)
  - More metadata than current SAR
- Data Portability
  - Is this (limited) SAR + digital format?
- Automated decision making
  - Can insist on human intervention
- Rectification
  - Correct wrong/incomplete data
- Erasure
  - When no lawful basis for processing
- Objection
  - Depends on legal basis for processing
  - Assess individual’s rights/interests
- Restrict processing
  - Pending rectification/erasure/objection

Security
- Must use organisational & technical measures to protect data
  - E.g. (GDPR text) encryption, pseudonyms, authorisation, exercises, …
  - Risk-based, expected to develop as technology does
  - Data Protection by Design
- Breach notification (unauthorised/accidental loss, alteration, disclosure of, or access to, personal data)
  - To regulator, within 72 hours, if risk to rights & freedoms
  - To individuals, without delay, if high risk to rights & freedoms
- Explicit support for security & incident response

How to Approach It
- Information Lifecycles (Security)
- Legal Basis for Processing (User Rights)
- Service Categories
- Localisation?

Information Lifecycles
- More than just an “information audit” (what information). Also…
  - Why we have that information, what we use it for
  - Collection, processing, transfers, disclosure, deletion
  - Information flows in “space” and time
- Basic information for quality and information security standards too
  - Should improve organisation’s use of information
- Could also think about risks/security/breach requirements at the same time

Legal Basis for Processing
- Six bases available
  - Necessary for: contract, law, life, public interest, legitimate interest
  - Consent (may imply not “necessary”?)
- Different duties, rights, notice requirements for each
- Complex activities/services may well use more than one, e.g.
  - Can’t provide service without it (contract)
  - Can’t secure service without it (legitimate interest)
  - Can make service prettier with it (consent)

Draft Service Categories
Risk-based guide to prioritisation/standardisation

Risk level | Relationship | Example | Privacy notice? / T & C? / Legal basis test? / DPIA?
1 | Service provider has direct interaction with user | helpdesk | ✓ X
2 | Service provider has direct long-term relationship with user | eduroam site contact | ?
3 | User has relationship with third party | eduroam user |
4 | User may be unaware of service’s existence | incident response |

Localisation?
- Users may well want storage in specific places
  - And/or to avoid others
  - Even within the EU… (proposed free-flow law excludes personal data)
- Worth thinking about how a service might implement this
  - Federated storage (i.e. multiple, localised databases)
  - Per-country directory/service options (if that makes sense)
- If the design supports it, it can be costed/implemented if/when it’s asked for

Examples
- Federated AAI
- Security & Incident Response
- Location Data

Federated AAI
- R&E federations have done data minimisation for years
  - Attributes, pseudonyms, etc.
- Legitimate interests basis for necessary data
  - Necessary to provide service user has requested
  - Now covers “ad hoc” exports, too: good fit for AAI request/response
- Consent basis for additional data
  - E.g. to have interface address you by friendly name
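The Consent and Federated AAI slides describe two things an identity provider in an R&E federation actually has to implement: per-service pseudonyms plus release of only the attributes the service needs (legitimate interests), with extra attributes such as a friendly name released only where a consent record (who, when, how, to what) exists and has not been revoked. The following is an added example written for this page, not code from the presentation, Jisc or any federation software; the SP entity IDs, the attribute names chosen as "necessary" per service, the HMAC secret and the user data are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed value: a real IdP keeps this in a key store; it must never leave the IdP,
# since it is what prevents two services from linking their pseudonyms for one user.
IDP_PAIRWISE_SECRET = b"constructed-idp-pairwise-secret"

# Per service provider (SP), the attributes needed to deliver the service the user asked
# for (legitimate-interest / contract basis). Constructed entity IDs and choices.
NECESSARY_ATTRIBUTES: Dict[str, Set[str]] = {
    "https://wiki.example.org/sp": {"eduPersonScopedAffiliation"},
    "https://storage.example.org/sp": {"eduPersonScopedAffiliation", "mail"},
}
# Attributes that only make a service friendlier: released on consent only.
OPTIONAL_ATTRIBUTES: Set[str] = {"displayName", "givenName"}


@dataclass
class ConsentRecord:
    """Who consented, for which service, to what, when and how; revocation is recorded too."""
    user: str
    service: str
    attributes: frozenset
    given_at: datetime
    how: str
    revoked_at: Optional[datetime] = None


class ConsentStore:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record(self, user: str, service: str, attributes: Set[str], how: str) -> ConsentRecord:
        rec = ConsentRecord(user, service, frozenset(attributes), datetime.now(timezone.utc), how)
        self.records.append(rec)
        return rec

    def revoke(self, user: str, service: str) -> int:
        """Withdrawal must be as easy as giving consent: one call ends every active consent
        for this user/service pair. Returns the number of records revoked."""
        now = datetime.now(timezone.utc)
        count = 0
        for rec in self.records:
            if rec.user == user and rec.service == service and rec.revoked_at is None:
                rec.revoked_at = now
                count += 1
        return count

    def granted(self, user: str, service: str) -> Set[str]:
        """Attributes covered by consents that are still in force."""
        out: Set[str] = set()
        for rec in self.records:
            if rec.user == user and rec.service == service and rec.revoked_at is None:
                out |= rec.attributes
        return out


def pairwise_id(user_id: str, service: str) -> str:
    """Per-SP pseudonym: stable for one (user, SP) pair so the SP recognises a returning
    user, but not linkable across SPs without the IdP secret (keyed hash, not a plain hash)."""
    msg = service.encode() + b"\x00" + user_id.encode()
    return hmac.new(IDP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def release_attributes(user_id: str, user_attrs: Dict[str, str], service: str,
                       consent: ConsentStore) -> Dict[str, str]:
    """Build the attribute set sent to an SP: pseudonym plus necessary attributes by
    default; optional attributes only where an unrevoked consent record covers them."""
    released = {"pairwiseId": pairwise_id(user_id, service)}
    allowed = NECESSARY_ATTRIBUTES.get(service, set()) | (
        OPTIONAL_ATTRIBUTES & consent.granted(user_id, service))
    for name in sorted(allowed):
        if name in user_attrs:
            released[name] = user_attrs[name]
    return released


if __name__ == "__main__":
    # Constructed user record held by the IdP
    alice = {"eduPersonScopedAffiliation": "staff@example.org",
             "mail": "alice@example.org", "displayName": "Alice Example"}
    store = ConsentStore()
    wiki = "https://wiki.example.org/sp"
    print(release_attributes("alice", alice, wiki, store))          # pseudonym + affiliation only
    store.record("alice", wiki, {"displayName"}, how="attribute release page, tick box")
    print(release_attributes("alice", alice, wiki, store))          # displayName now included
    store.revoke("alice", wiki)
    print(release_attributes("alice", alice, wiki, store))          # back to the minimum
```

Note that `mail` is never released to the wiki even if the user consents to it: consent only unlocks attributes in the optional set, so a service cannot use the consent dialogue to collect data that is neither necessary nor a recognised optional extra.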

Security & Incident Response
- Explicit support in GDPR recital 49
  - Breyer case effectively backdates this to current Directive
- Likely to be essential to deliver breach notification duty
- Legitimate interests basis (as in Rec. 49) provides lots of useful guidance
  - Necessary/proportionate, balance of interests
  - Paper at http://script-ed.org/?p=3180
- Largely compatible with existing Incident Response practice

Location Data
- No special treatment under GDPR. So could be
  - Necessary for service provision (e.g. cell site)
  - Necessary for value-added service (e.g. find my X)
  - Necessary for public interest (e.g. find badguy’s X)
  - Consent…
  - i.e. wider than current ePrivacy Directive
- ePrivacy Regulation debate seems conflicted
  - Want service-necessary or consent (i.e. connected users only)
  - But like, e.g., queue monitoring applications

References
- Regulators: Implementing the GDPR
  - http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 (EU)
  - https://ico.org.uk/for-organisations/data-protection-reform/ (UK)
- Regulation (2016/679/EU): http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
- Me: https://community.jisc.ac.uk/blogs/regulatory-developments/tags/Data-Protection-Regulation
- https://script-ed.org/article/incident-response-protecting-individual-rights-under-the-general-data-protection-regulation/
- https://eventr.geant.org/events/2731 (GDPR webinar)

Thanks
Andrew Cormack, Chief Regulatory Adviser, Jisc Technologies
Andrew.Cormack@jisc.ac.uk
https://community.jisc.ac.uk/blogs/regulatory-developments/tags/Data-Protection-Regulation
Except where otherwise noted, this work is licensed under CC-BY-NC-ND

Twelve (UK ICO) Steps
- Project Plan
- Awareness
- Data Protection by Design/Impact Assessments
- Information Lifecycle Audit
- Breach Notification Process
- Legal Basis for Processing
- Privacy Notices
- Individual Rights Processes (inc. Subject Access)
- Consent Processes (inc. Children)

GÉANT and GDPR
Nicole Harris, Budapest, October 3rd 2017

GÉANT Community Facing Activities and GDPR
- IAMonline
- GÉANT Code of Conduct
- eduGAIN GDPR Review
- REFEDS Attribute Release Policies
- SIG-NOC (upcoming)
- TF-CSIRT presentation
- SIG-ISM (upcoming)
- SIG-MSP presentation
- eduGAIN GDPR consultation
- AARC Policy on Personal Data
- https://eventr.geant.org/events/2731
- https://wiki.geant.org/display/gn42na3/Community+GDPR+Activities

Leading to TF-DPR
“The Task Force proposes to gather information, discuss and develop tools and best practices to be able to deal with the requirements of data protection regulation, with a focus on the General Data Protection Regulation (GDPR) and how NRENs and our shared services can prepare for the GDPR. Other relevant legislation with an impact on data protection – like the upcoming e-privacy Regulation – is also in scope. The results of the task force will yield documentation and tools for NRENs.”
https://eventr.geant.org/events/2732

GÉANT Organisational Approach to GDPR
- Shaun Cairns: Responsible Owner
- Pete Janusz: GDPR Lead
- Ana Alves: GDPR Project Manager
- Evangelos Spatharas: Security Officer
- Nicole Harris: Community Liaison

What Can You Do?
Think about:
- Where you are processing personal data.
- The reasons why you are processing.
- Are you asking for too much information?
- Where is it stored?
- Who has access?
- How long do you need to keep it?
Talk to us!