edisclosure myth or reality? » GDPR

Updated page on my contributions

admin — Wed, 27 Oct 2021 15:26:38 +0000

I have updated my various contributions.

My presentation on the Children’s Code

admin — Wed, 23 Jun 2021 16:56:55 +0000

As part of my secondee role as an Engagement Specialist at the ICO, I presented the Children’s Code at the Data Protection Forum on 1st June 2021. I’m sharing the slides here.
Children’s Code slides presented at the Data Protection Forum, June 2021

From noyb.eu (Schrems): steps for EU companies

admin — Tue, 28 Jul 2020 20:25:01 +0000

Following from the CJEU’s judgment on EU-US data transfers (SchremsII), Schrems has posted comprehensive steps and FAQs on noyb.eu.

I tweeted the news on 24th July 2020:

From #Schrems & https://t.co/c7eI7oxpgT – Next Steps for EU companies & FAQs https://t.co/GPsRPP03L7

— cher devey (@datachainrisk) July 24, 2020

International data transfer

admin — Fri, 17 Jul 2020 21:57:55 +0000

I just browsed #Schrems on my twitter streams. We now have a sequel to SchremsI – SchremsII came into force on 16 July 2020. Never a dull day when it comes to human rights and fundamental freedoms especially when such inalienable rights shine as actionable rights against other ‘rights’.

The CJEU’s judgment and the press release have been summarised by various folks. The essence of #SchremsII – extracted from Center for Democracy & Technology:

The safeguards provided by U.S. laws on the access and use by public authorities of data transferred from the European Union do not satisfy the requirements of EU law because, among other things, they do not grant European citizens actionable rights against the U.S. authorities.

Even if the Standard Contractual Clauses (SCCs) remain valid, the competent national data protection authorities are required to suspend or prohibit a transfer of personal data to the U.S. where U.S. law fails to appropriately protect Europeans’ personal data.

No doubt international data transfer or international trade will continue to flow (and flourish) even without Privacy Shield as there is still GDPR Article 49. Data transfer has to be read in terms of adequacy, derogation, surveillance and also trade politics.

For now, our inalienable rights shine until another round of drama in the courts.

My PhD Thesis

admin — Fri, 21 Jun 2019 13:51:45 +0000

My PhD #Thesis. pic.twitter.com/B8MsesgU0O

— cher devey (@datachainrisk) June 18, 2019

Post #GDPR webinar: my talk on ‘Rights of the Data Subject’

admin — Tue, 26 Jun 2018 16:39:12 +0000

For those who missed the Post #GDPR webinar hosted by @InfosecurityMag & @DanRaywood, replay/watch via:
Post GDPR, Is it Too Late to Comply?

You will need to register an account to login to view the webinar at www.infosecurity-magazine.com

I did my 10 mins talk on ‘Rights of the Data Subject’. The sound wasn’t too brilliant as I had to put my telephone handset on speakerphone.

If you’ve trouble with any of the ‘words/sentences’ welcome to drop me an email cher [at] jyutsu [dot] com.

The quote by Justice Louis Brandeis: If the broad light of day could be let in upon men’s actions, it would purify them as the sun disinfects. Essentially, sunlight is the best of disinfectants.

I mentioned ‘sensitive, nefarious data’ & the contentious nature of the ‘Right to be Forgotten’.

We live in interesting data privacy times!

Many thanks,
Cher

A Poll on Post GDPR – I’m a speaker for a webinar on 26th June 2018

admin — Thu, 21 Jun 2018 14:22:56 +0000

Please vote, share this and tune in to the webinar.

Do please vote and share this tweet. I'm one of the speakers https://t.co/dV38dMuKpH https://t.co/KlkFD09o5h

— cher devey (@datachainrisk) June 21, 2018

@DanRaywood @InfosecurityMag interviewed me.

admin — Thu, 24 May 2018 13:36:13 +0000

A couple of days after the #GDPR Press Briefing at City, University of London @DanRaywood @InfosecurityMag interviewed me.

Check it out at:

New on @InfosecurityMag talked to @datachainrisk about her PhD research into data privacy and the effect of breaches on people, as well as how #GDPR came along at the right time. @CityUniLondon https://t.co/lq29fQ6ans

— DanRaywood (@DanRaywood) May 24, 2018

#GDPR Press Briefing in City, University of #London

admin — Sun, 22 Apr 2018 09:20:27 +0000

On 17th April 2018, I was one of the speakers in the GDPR Press Briefing held at City, University of London (City). Checkout the hot off the press ‘City academics discuss GDPR at press briefing’

My written prepared talk is shared below.

Privacy and the Individual – What difference will GDPR Make?

Thanks John for the introduction. A warm welcome to all.

Any talk on privacy and the GDPR invariably uses terms or phrases that may be blurry or obscure. So just to set the scene, when I say the ICO I’m referring to the UK’s data protection watchdog – The Information Commissioner’s Office. When I say ‘data’ I’m referring to personal data as described in the GDPR.

Although the GDPR did not reference privacy – itself a complex term, privacy is embedded as information or data privacy and expressed in phrases such as:
‘respect for human rights and fundamental freedoms (Art. 12 – exercise of the rights of the data subject); ‘High risk to the rights and freedoms of natural persons’ (Art. 35 -Data protection impact assessment), and ‘Risks to the rights and freedoms of natural persons (individuals)’ (Recital 75).

It is no longer just about protecting personal data or processing of personal data but data privacy.

With this comes obscure or unclear terms.

What is ‘high risk’? How do you express ‘rights and freedoms’ of natural persons (individuals) especially in the context of privacy impact assessment (PIA) or data protection impact assessment (DPIA)?

We know that the GDPR describes DPIA (Art. 35) and also breach notification (Art. 33 – notify the ICO, and Art. 34 – communicate to the data subjects).

I know fresh in our minds is the recent Facebook-Cambridge Analytica scandal. Flashback to October 2015, anyone here still remembers the TalkTalk data breach incident?

Would you all agree that both Facebook & TalkTalk responded or handled the data breach announcement or notification to affected individuals rather badly or failed to do so in the eyes of the public and the affected individuals?

Certainly, under the GDPR both would be required to notify the ICO within 72 hours and to affected UK individuals without undue delay or ‘as soon as possible’ (Guidelines on Personal data breach notification under Regulation 2016/679)

As we know the GDPR requires organisations to notify the ICO where there is a risk to the rights and freedoms of individuals, and only notify the individuals where there is high risk.

My research examines data incidents response, in particular, the privacy harm to individuals as a consequence of the data incident. I have designed a prototype dashboard and have conducted user evaluation study with industry practitioners. The dashboard is for assessing privacy data harm by addressing the initial breach notification question to notify or not affected individuals and to the ICO during initial data incident response.

There is still fear in organisations when it comes to disclosure of data incidents. However, the GDPR will held organisations accountable e.g. with the fines and penalties, and to be transparent to report data incidents. Affected individuals have the right to know.

The outcome of my study also revealed that it is possible to do an initial data breach assessment even with the unclear terms: ‘high risk’ and the ‘rights and freedoms’ of individuals. The prototype dashboard also shows notification alerts with the countdown to 72 hrs from the point of being aware of the incident. One participant remarked: ‘It (the dashboard) provides a calm objectivity in time of panic & stress. Because you’re going to be stressed, you immediately think your personal reputation and your organisation’s reputation. Would we be fined? And all these things come in rather than actual thinking of the consequences to individuals’.

When the data incident happened, the genie was out of the bottle, out in the wild – the harm was already done.

The GDPR would not bring the genie back into the bottle or stop the harm. So as a matter of good business practice and in the spirit of the law, organisations should notify their customers.

Thank you.
Cher
p.s.
May post a photo taken by John Stevenson (City’s Senior Communications Officer)

Anonymisation & GDPR

admin — Fri, 30 Mar 2018 13:09:58 +0000

Yesterday evening, 29th March 2018 I attended a BCS Law Specialist Group event – GDPR: Anonymisation,re-identification risk and GDPR profiling. The talk was presented by Dr. Amandine Jambert from the French Data Authority CNIL. The anonymisation slide is interesting.

I asked whether the WP29 thinking (& their opinions) about the 3 properties are for the ‘direct and indirect’ way of identification of the personal data. The answer was not in the method itself but that the properties are for ‘all data types’ i.e. any dataset. Her exact wordings ‘ use by anyone on any dataset’. Also, the DPA (DPO/Organisation?) needs to prove (or justify or show) that the dataset has indeed been anonymised (using any of the 2 options). My understanding is that the anonymisation if done (risk-based, database and/or algorithmic-driven) should not enable the direct and indirect re-identification of the individual(s).
As noted on this slide: ‘No single technique eliminates all risks’.

It’s near impossible to identify/isolate ‘all the direct/indirect re-identification risks’ associated with any dataset, assuming the dataset is available and not hidden in some Cloud and/or in a chain of hidden registers.

We really need to re-think personal data in terms of ‘the harm to individuals’ as there’s no absolutely sure way of preventing re-identification risks (i.e. singling out, linkability or inference/deduction etc.)

Overall a great talk.

I just noticed the slides and talk are available online: BCS Law talk 29th March 2018