Ireland Data Protection Commissioner – The GDPR and You
This is a very nice introductory piece courtesy of the Irish Government, one that Sophos referred to on a GDPR webinar we attended.
It makes it clear that we need to appoint a data controller and run a risk register.
This is available from here: Ireland Data Protection Commissioner: The GDPR and You, November 2016
Sophos – The New EU Data Protection Regulation
Of course, Sophos are doing a lot on GDPR (webinars and so on) because they feel they have a lot to offer, and they do, with their encryption, mobile control and data leakage functionality.
So, we referenced their piece as well.
This is available from here: Sophos: EU Data Protection Laws, September 2016
Bird & Bird – guide to the General Data Protection Regulation
Then, we had an interesting internal debate in Globelink on whether personal surfing (to eBay, etc.) is included, because of the PID obviously involved in this, and we found it is specifically excluded! There is a clause in GDPR that states that it does not apply to personal use of the internet for “purely personal or household activities”.
We got this from the third public piece, from Bird & Bird, a global firm of lawyers.
This is available from here: Bird & Bird: Guide to the general data protection regulation, January 2017
Information Commissioner’s Office – Overview of the GDPR
We stumbled across this “living document”. It is on the “must read and inwardly digest” list, like all the documents in this list. The thing we found in it, which put it on the list, concerns the obligations of the appointed Data Controller and Data Processor (emphasis ours):
“If you are a (data) processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a (data) controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.”
There is plenty of other stuff that we need to absorb.
This living document is available from here: ICO: Overview of the GDPR Date: Today, maybe yesterday (as it is a living document :-)
Data Protection People – What is Personal Data
Finally, we had the internal question of “What is PID?”. The following blog properly and fully addresses these questions:
- “Is a business contact’s name and email address personal data?”
- “Are the comments that I write about people personal data?”
- “Is a database ID personal data?”
The fully detailed answer made a couple of things clear for us. First, it is all about the risk that a person can be identified from any information held *AND* the risk that the information can be abused, either internally (for a non-valid business purpose) or externally through data leakage/theft. So, any information that can be “mined” and correlated with other information (as our intelligence communities like to do) to identify and know something about a person can be PID. Whether it is PID or not comes down to the risk that someone can be identified from the information held. He says (emphasis mine):
So the context is absolutely key and that is where a lot of people I find struggle with the DPA. They want a simple set of rules which say what you can and can’t do. They don’t like it when you can do something under certain circumstances but not in others. But we need to get used to this risk based approach because there is more of it in the new order of GDPR.
So, one of our misconceptions was that PID is all about personal information like name, date of birth, etc. It’s not that at all. Actual Personal Information is just the totally and blindingly obvious example of what GDPR is about. Rather, it is about any information that can be used to identify a person. So, a business email can be used to identify a person. Even a generic email like firstname.lastname@example.org can be used to identify a person with the right additional information.
This blog is available from here: Data Protection People: What is Personal Data, April 2016
GDPR Useful Information & Globelink
Below is the useful stuff we have found so far in our GDPR journey.