One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

GDPR: Official CSIRTs?

Wednesday, April 19, 2017 - 09:38

A couple of organisations have asked me recently whether the General Data Protection Regulation (GDPR) requires them to get some sort of external recognition of their incident response team. Here's why I don't think it does.

Recital 49 of the Regulation says:

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned…

If your work involves using logs or other usage data to protect network or information (system) security, then clearly it would be reassuring to be on that list. However, it's already apparent that the list isn't exhaustive – the recent European Court case of Breyer v Deutschland added website operators to it. And, anyway, universities, colleges and most other organisations are already there as "providers of electronic communications networks and services": the GDPR wording (taken from the telecoms framework directive 2002/21/EC) covers both public and private networks. So those organisations are already covered by Recital 49, irrespective of whether they have a team called a CERT or CSIRT.

As to which group(s) within the organisation are authorised to "process[] personal data … for the purposes of ensuring network and information security", the person responsible for deciding that is the data controller for that personal data, i.e. the university or college itself. An external body such as Jisc may be able to suggest how to do incident response in accordance with the Regulation (my paper on Incident Response and the GDPR tries to provide both a comprehensive framework and a lot of specific examples), but we can't decide how those tasks should be assigned within your organisation. So if your organisation operates a network or servers, and has authorised you to protect them against digital attacks, I'd be comfortable that Recital 49 applies to you.

Finally, and confusingly, unlike the GDPR, the European Network and Information Security Directive does have a concept of an official CSIRT. However, that's a team designated by the Government as having responsibility for part of the critical national infrastructure: not a status that Jisc or any university or college is likely to seek.