EDPB: Legal study on the appropriate safeguards under Article 89(1) GDPR for the processing of personal data for scientific research

https://edpb.europa.eu/system/files/2022-01/legalstudy_on_the_appropriate_safeguards_89.1.pdf

Includes a detailed assessment of the additional rules per EEA state.

“The results of this study show that certain harmonisation exists among EEA States with respect to appropriate safeguards for scientific research, as required by the GDPR. However, a conundrum of various bodies of law and (ethical) guidelines regulate scientific research in specific areas, such as biobanking, health, epidemiology, social benefits, artificial intelligence and statistics. In turn, this makes the legal framework for sectoral research to remain fragmented.”

EDPB: Legal study on Government access to data in third countries

https://edpb.europa.eu/our-work-tools/our-documents/legal-study-external-provider/legal-study-government-access-data-third_en

From the conclusion:

  • The present study preliminarily investigates the general situation of China, India and Russia concerning
    fundamental rights and freedoms, [..]

  • In relation to China, it can be seen that the Chinese legal system does not provide sufficient safeguards
    for foreigners’ data comparable to those found in the EU. Based on insights from the analysis of the
    People’s Republic of China (PRC) Constitution it is clear that government access to personal data is not
    constrained. [..]

  • In relation to India, it should be noted that the right to privacy was recognised only recently by the Indian
    Supreme Court. In close connection, also the right to personal data has received more attention.
    However, the Indian government has a track record of infringing both rights extensively. After careful
    assessment of relevant Indian legislation (Information Technology Act – IT Act, several IT Rules and
    Aadhaar Act), it may be concluded that these regulations foresee widespread exemptions for
    governmental access to personal data.[..]

  • In relation to Russia, it can be concluded that Russian data protection law is a complex matter. Although
    the formal legislative framework seems comprehensive, the enforcement and the application of the
    legislation has serious drawbacks. In addition, Russia has a striking record of violating the European
    Convention of Human Rights (ECHR) related to other related rights and freedoms, such as the freedom
    of expression [..]

Hong Kong PCPD: Cross-border transfers with China (PIPL)

“Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland” — Privacy Commissioner’s article contribution at Hong Kong Lawyer (December 2021)

The Personal Information Protection Law (PIPL) of the Mainland, which became effective on 1 November 2021, is the first piece of legislation dedicated to the protection of personal information in the Mainland. As the PIPL imposes requirements on the transfer of personal information from the Mainland to other jurisdictions, this article attempts to highlight the rules and the more salient requirements for businesses in Hong Kong.

https://www.pcpd.org.hk/english/news_events/speech/speeches_202112.html

EDPB: Guidelines 01/2021 on Examples regarding Personal Data Breach Notification

https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf
Adopted on 14 December 2021
Version 2.0

  • mentions a controller's internal “Handbook of Handling Personal Data Breach” (as good practice)
  • internal documentation required for each and every breach (regardless of risk)

includes:

2 RANSOMWARE

2.1 CASE No. 01: Ransomware with proper backup and without exfiltration

2.2 CASE No. 02: Ransomware without proper backup

  • Notification to SA (supervisory authority)

2.3 CASE No. 03: Ransomware with backup and without exfiltration in a hospital

  • Notification to SA, Communication to Data Subjects

2.4 CASE No. 04: Ransomware without backup and with exfiltration

  • Notification to SA, Communication to Data Subjects

2.5 Organizational and technical measures for preventing / mitigating the impacts of ransomware attacks

  • Patch management
  • Network/system segmentation
  • Backups
  • Malware controls
  • Network security (firewall, IDS)
  • Phishing training
  • Forensics (identify the type of malicious code; see nomoreransom.org)
  • Central log server
  • Strong encryption and MFA (multi-factor authentication), esp. for admins; appropriate key and password management
  • Vulnerability/penetration testing
  • CSIRT/CERT team
  • Reviews/tests/updates of risk analysis

3 DATA EXFILTRATION ATTACKS

3.1 CASE No. 05: Exfiltration of job application data from a website

  • Notification to SA, Communication to Data Subjects

3.2 CASE No. 06: Exfiltration of hashed password from a website

3.3 CASE No. 07: Credential stuffing attack on a banking website

  • Notification to SA, Communication to Data Subjects

3.4 Organizational and technical measures for preventing / mitigating the impacts of hacker attacks

  • Strong encryption, key management. Hashed/salted passwords. Prefer authentication controls without the need to process passwords on the server
  • Patch management
  • Strong authentication methods (e.g. 2FA), up-to-date password policy
  • Secure Software Development standards (input validation, brute force controls). Web Application Firewalls (WAF) might help.
  • Strong user privileges and access control management policy
  • Network security (firewall, IDS)
  • Security audits and vulnerability assessments
  • Backup controls are reviewed and tested
  • No session ID in URL in plain text

4 INTERNAL HUMAN RISK SOURCE

4.1 CASE No. 08: Exfiltration of business data by an employee

  • Notification to SA

4.2 CASE No. 09: Accidental transmission of data to a trusted third party

4.3 Organizational and technical measures for preventing / mitigating the impacts of internal human risk sources

  • Privacy and security awareness training
  • Data protection practices, procedures and systems (robust, effective, evaluated and improved)
  • Access control policies
  • User authentication when accessing sensitive personal data
  • Revocation of user access as soon as user leaves company
  • Checks for unusual dataflow between servers and clients
  • Technical controls on the use of portable media (USB, CD, DVD, etc.)
  • Access policy reviews
  • Disabling open cloud services
  • Preventing access to known open mail services
  • Disable print screen function in OS
  • Enforce clean desk policy
  • Automatic locking of computers after defined time of user inactivity
  • Use mechanisms (e.g. hardware tokens) for fast user switches in shared environments
  • Dedicated systems for managing personal data. Spreadsheets and other office documents are not appropriate means to manage client data.

5 LOST OR STOLEN DEVICES AND PAPER DOCUMENTS

5.1 CASE No. 10: Stolen material storing encrypted personal data

5.2 CASE No. 11: Stolen material storing non-encrypted personal data

  • Notification to SA, Communication to Data Subjects

5.3 CASE No. 12: Stolen paper files with sensitive data

  • Notification to SA, Communication to Data Subjects

5.4 Organizational and technical measures for preventing / mitigating the impacts of loss or theft of devices

  • Device encryption
  • Use passcode/password on all devices. Encrypt all mobile devices and require complex password for decryption
  • Use multi-factor authentication
  • Turn on device location services for highly mobile devices
  • Use MDM (Mobile Devices Management) and localization, remote wipe
  • Use anti-glare filters
  • Close down unattended devices
  • If possible, store personal data on central backend server – not a mobile device
  • Automatic backup of the work folders of mobile clients when connected to the corporate LAN, if storing personal data there is unavoidable
  • Secure VPN
  • Locks to physically secure mobile devices while unattended
  • Regulate device usage inside and outside the company
  • Centralised device management (incl. controls on software installations)
  • Physical access controls
  • Avoid storing sensitive information in mobile devices and hard drives

6 MISPOSTAL

6.1 CASE No. 13: Postal mail mistake

6.2 CASE No. 14: Highly confidential personal data sent by mail by mistake

  • Notification to SA, Communication to Data Subjects

6.3 CASE No. 15: Personal data sent by mail by mistake

6.4 CASE No. 16: Postal mail mistake (another example)

  • Notification to SA

6.5 Organizational and technical measures for preventing / mitigating the impacts of mispostal

  • Setting exact standards for sending letters/emails
  • User training on how to send letters/emails
  • Default use of Bcc when sending emails to multiple recipients
  • Four-eyes principle
  • Automatic addressing (rather than manual)
  • Use of message delay (to allow message deletion/editing after hitting “send” button)
  • Disable auto-complete when typing email addresses
  • User awareness training on data breach causes
  • Training session and manuals on data breach handling

7 OTHER CASES – SOCIAL ENGINEERING

7.1 CASE No. 17: Identity theft

  • Notification to SA, Communication to Data Subjects

7.2 CASE No. 18: Email exfiltration (HR related data)

  • Notification to SA, Communication to Data Subjects

CCC rc3 – stream playlist (slightly off-topic)

On Relive (will migrate to https://media.ccc.de/c/rc3-2021)