Consequences for an IT Department of the General Data Protection Regulation (GDPR)

Ed Stout
Support Services Manager
Leeds Beckett University

EUNIS 2017

Ed Stout was funded to attend this event as a 2017 UCISA bursary winner


During his EUNIS 2017 keynote ‘General Data Protection Regulation – Consequences for an IT Department’, Rainer W. Gerling, CISO of the Max Planck Society and Honorary Professor for IT Security in the department of Computer Science and Mathematics at the Munich University of Applied Sciences, took us on a journey to better understand the General Data Protection Regulation (GDPR), which will soon be fully in force within the European Union. In 2012, the European Commission tabled an initial proposal to regulate data protection within the EU, and by the end of 2015 the European Commission, European Council and European Parliament had come to an agreement to take it forward. As of 2017 we are in the grace period before it formally comes into full force on 25th May 2018… which leaves all of us with not a lot of time to get our houses in order!

Microsoft now offers more than 50 native data protection settings within the ‘Privacy Settings’ of its Windows 10 operating system; however, Rainer stressed that it is highly important that we in HE review these settings rather than accept the defaults.

Given the serious nature of the proposed fines, which can be as much as €20 million if an organisation is found in breach of the regulation, it is certainly worth taking the new legislation very, very seriously. Encryption is paramount under GDPR Article 32. And what needs to be encrypted? Well, pretty much everything!!

Technically, standards which are considered ‘state of the art’ only remain so for a limited lifespan as new and improved solutions are developed, as his slide on cryptographic protocols demonstrated. It is therefore important that we continually review our measures to ensure that we are still meeting legislative requirements.
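As an added illustration (not from the keynote or this post), the Python script below treats the ‘state of the art’ baseline as dated data rather than as rules hard-coded into an audit, so that the review cadence itself is something the audit can flag. The baseline, its review date, the OpenSSL-style cipher suite names and the sample server configuration are all constructed assumptions for the example.

```python
"""Re-checkable TLS baseline audit: 'state of the art' kept as dated data.

Added example, not from the keynote or the blog post. The baseline, the
sample server configuration and the OpenSSL-style cipher names are
constructed assumptions.
"""
from __future__ import annotations

import ssl
from dataclasses import dataclass
from datetime import date

# Constructed baseline: what a hypothetical institution considered state of
# the art when it last reviewed its rules. Storing the review date alongside
# the rules turns "continually review" into something the audit can check.
BASELINE = {
    "reviewed_on": date(2017, 6, 1),
    "max_review_age_days": 365,
    "forbidden_protocols": {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"},
    "required_protocols": {"TLSv1.2"},
    # Substrings that mark a cipher suite as broken or weak.
    "forbidden_cipher_tokens": ("RC4", "DES", "MD5", "NULL", "EXPORT"),
    # Key-exchange prefixes that provide forward secrecy.
    "forward_secret_prefixes": ("ECDHE-", "DHE-"),
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    item: str      # protocol name, cipher name, or "baseline"
    reason: str


def baseline_is_stale(today, baseline: dict = BASELINE) -> bool:
    """True when the baseline itself is overdue for review (date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - baseline["reviewed_on"]).days > baseline["max_review_age_days"]


def audit_protocols(enabled: set[str], baseline: dict = BASELINE) -> list[Finding]:
    """Flag enabled-but-forbidden versions and missing required versions."""
    findings = []
    for proto in sorted(enabled & baseline["forbidden_protocols"]):
        findings.append(Finding("high", proto, "protocol version no longer state of the art"))
    for proto in sorted(baseline["required_protocols"] - enabled):
        findings.append(Finding("high", proto, "required protocol version not enabled"))
    return findings


def audit_ciphers(ciphers: list[str], baseline: dict = BASELINE) -> list[Finding]:
    """Flag weak primitives (high) and static key exchange (medium)."""
    findings = []
    for name in ciphers:
        upper = name.upper()
        bad = [t for t in baseline["forbidden_cipher_tokens"] if t in upper]
        if bad:
            findings.append(Finding("high", name, "weak or broken primitive: " + ", ".join(bad)))
        elif not upper.startswith(baseline["forward_secret_prefixes"]):
            findings.append(Finding("medium", name, "no forward secrecy (static key exchange)"))
    return findings


def audit_config(config: dict, today, baseline: dict = BASELINE) -> list[Finding]:
    """Full audit: baseline freshness first, then protocols, then ciphers."""
    findings = []
    if baseline_is_stale(today, baseline):
        findings.append(Finding("medium", "baseline", "baseline overdue for review"))
    findings += audit_protocols(set(config["protocols"]), baseline)
    findings += audit_ciphers(list(config["ciphers"]), baseline)
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """A client context that enforces the baseline's minimum protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches required_protocols
    return ctx


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


# Constructed sample of one server's enabled protocols and cipher list.
SAMPLE_CONFIG = {
    "protocols": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "ciphers": [
        "ECDHE-RSA-AES128-GCM-SHA256",  # acceptable, forward secret
        "AES256-SHA",                   # RSA key exchange, no forward secrecy
        "RC4-SHA",                      # broken stream cipher
        "DES-CBC3-SHA",                 # 3DES, weak
    ],
}


def run_sample(today_iso: str = "2017-07-01") -> list[Finding]:
    return audit_config(SAMPLE_CONFIG, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:6} {f.item:30} {f.reason}")
```

Run against the sample on 1 July 2017 the audit reports the two legacy TLS versions, RC4 and 3DES as high findings and the static-RSA suite as medium; run a year later it additionally reports that the baseline itself is overdue for review. The baseline is deliberately dated: a server offering only TLSv1.3 would be flagged for lacking TLSv1.2, which is exactly the kind of drift a scheduled review should catch and correct by editing the data, not the audit.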

So what should we be doing now? We should be:

  • Contacting our relevant data protection officers to discuss the implications of the legislation in line with our own institution’s technical configuration.
  • Acknowledging that it is not simply the IT department’s responsibility to ensure that we meet the relevant legislative needs, but that the University as a whole is responsible.
  • Documenting our technical measures in line with ISO 27000.
  • Collaborating with other HE institutions.

And we should be…

  • Improving our technical measures and accepting that state of the art is a moving target.

Rainer suggests that the current technical recommendations are:

[Photo of Rainer’s slide listing the current technical recommendations; not reproduced here.]
This blog post first appeared on http://www.edstout.co.uk/2017/06/27/day-3-reflections/

Interested in finding out more about a UCISA bursary? Then visit the UCISA Bursary Scheme.

One thought on “Consequences for an IT Department of the General Data Protection Regulation (GDPR)”

  1. Grant Trotter

    I’ll have to agree with your comments on the GDPR, and also add to it by stating that GDPR compliance for U.S. businesses is an overwhelming topic indeed, as I’m finding that organizations really don’t know where to start. What’s the scope? What policies need to be developed? The questions are endless and it can be frustrating, to say the least. My recommendations are to first get a sense of what the scope is, which begins by identifying what type of personal data you store, process, and/or transmit for EU data subjects. Just knowing that should give controllers and processors in the US – and the UK – some comfort. After that, I would move to the all-important Article 32 to see what security policies, procedures, and processes you have in place, or are missing. Good luck!
