Information Security and the Data Protection Regulation

Monday, October 12, 2015 - 11:35

The new European Data Protection Regulation is relevant to many areas of our work. Yesterday I had the opportunity to look at its likely effect on information security at a Jisc Special Interest Group meeting. For now, we’re still working from the three draft texts published by the European Commission in 2012, the Parliament in 2014 and the Council of Ministers in 2015. There are many differences between them but some common themes can be spotted, which seem likely to appear in the final version. Some provisional conclusions can also be drawn from the areas where there are significant differences.

With regard to information security, the Regulation seems likely to promote known good practices. All three drafts require privacy impact assessments (already the subject of guidance from the Information Commissioner) and early consultation with data subjects, though they vary in which projects, systems and data these will cover. Data Protection by Design and by Default are stated less concretely in the Commission and Parliament drafts: the intention appears to be to ensure that protection is considered at an early stage of design, and that approaches such as data minimisation and appropriate access controls are built in from the start. These measures should further discourage the idea of "adding on security" after systems have been built. All three drafts promote incident response and breach notification. Although the timescales proposed for useful notification seem optimistic (the Commission's draft asked for notification to the regulator within 24 hours of becoming aware of a breach), it's good to see a general European law recognising the role of effective detection and response in protecting privacy.

On the other hand, some opportunities have been missed. The Regulation was supposed to provide a consistent law across Europe, but the Council text in particular offers at least as much scope for national variations as the current Directive. There is little recognition that the Internet creates both new privacy challenges and new privacy opportunities: the geographic location of the disks still carries much more weight in this 21st century law than the location of the system administrator. A bald statement that IP addresses are personal data will subject them to the same treatment and obligations as postal addresses, even though their characteristics are in fact very different. The legal status of low-level cloud services is not addressed – an absence even more regrettable following the recent European Court judgment that it does not matter whether an organisation knows that the bytes it is processing consist of personal names rather than recipes.

With the current trilogue process likely to produce a hybrid of what are already inconsistent texts, certainty that any particular on-line activity is "compliant" seems unlikely to be possible. A more realistic aim seems to be to assess and manage risks at an acceptable level, taking note of guidance and priorities set by the local regulator. Of course a risk management approach is something information security people should already be familiar and comfortable with.