CS Nov-Dec 2023

More documents

Recommendations

Info

data privacy WHAT DATA PRIVACY MEANS NOW IS THE CONSTANT BATTLE TO KEEP DIGITAL PRIVACY LAWS AND REGULATIONS RELEVANT TO THE DIGITAL AGE BEING WON? What exactly is data privacy? The accepted definition is our ability to control what, where and how our personal or confidential information is collected, stored or shared. Data privacy was important long before the digital age, but the internet and electronic records have changed the meaning of data privacy, says Dashlane, a provider of password management solutions. "Internet service providers continually track your online activity and IP address, even when you use private or incognito browsing modes. Digital privacy laws and regulations determine how information gathered during our browsing sessions can and can't be used and how we're informed about the process," it points out. "The growth of cloud computing, e-commerce, telemedicine and other online services highlights the importance of personal data privacy practices to protect our identity and private information from cybercriminals and prevent consumer data from being used unethically." Personal information includes things such as your name, address, phone number and Social Security number that can be used to identify you. Unlike online preferences or browsing history, personal information is also relevant outside the digital world. Financial data, medical records and employee files are some of the many forms of personal information that must be protected. "Data privacy and protection are important to businesses in many ways. Maintaining the privacy of company information [intellectual property], employee data and information shared with customers and clients is essential," adds Dashlane. "A data privacy policy sets ground rules for tracking, storing and sharing customer data collected on the organisation's website. This policy also helps businesses establish compliance with a growing list of privacy laws. "Data privacy helps you control what information you choose to keep personal. All individuals have the right to prevent their personal information from being used or shared without their consent, even if this sharing wouldn't potentially lead to data theft or other cybercrimes." Due to the importance of data privacy, a long list of state, federal and international laws has been established to protect our privacy online and elsewhere. Important data privacy and security laws and regulations include: Children's Online Privacy Protection Act Health Insurance Portability and Accountability Act General Data Protection Regulation California Consumer Privacy Act. Identity theft is one of the most serious cybercrimes related to personal data privacy and security. Armed with just a few key pieces of personally identifiable information (PII), like your name, driver's licence number and Social Security number, an identity thief can begin accessing credit lines in your name, stealing your tax refund or draining your bank account, warns Dashlane. "Since many identity theft victims don't realise what's happened until after the damage is done, dark web monitoring is a recommended practice used to scan the depths of the internet for your personal information and notify you if something sensitive is found." Dashlane says that it is dedicated to creating software that helps users control their information online. "We include plain language summaries that make our data collection, use and sharing practices easier to understand in our Dashlane Privacy Policy." UK EXTENSION SET UP In an important development in transatlantic data policy, the UK and US governments have formally established a 'UK Extension' to the EU-US Data Privacy Framework, which, since 12 October 2023, is allowing businesses in the UK to 32 computing security Nov/Dec 2023 @CSMagAndAwards www.computingsecurity.co.uk
data privacy transfer personal data to certified US organisations in the same way as their European counterparts. It's a highly significant move, as Edward Machin a senior lawyer in Ropes & Gray's Data, Privacy and Cybersecurity team, acknowledges. "The UK Extension will be welcomed by British businesses, who will soon have an additional mechanism to transfer personal data to the United States and which will in part reduce the papering exercises required to ensure that their transatlantic data flows are conducted lawfully." The EU-US framework has already been legally challenged, he points out, and says it would be surprising if privacy interest groups in the UK don't mount their own challenge to the UK Extension. "We'll then see whether the English courts can strike a workable balance between upholding privacy rights and securing national security interests - a balance that their European counterparts arguably didn't manage when ruling on previous transatlantic data frameworks. PATH OF LEAST RESISTANCE "The UK's post-Brexit policymaking has revolved around liberalising its data protection regime without straying too far from the GDPR and therefore no longer being considered by the European Union to offer adequate protection for personal data," adds Machin. "A key concern in Brussels has been that the UK wants a watered-down transfer deal with the United States - and, left to its own devices, the government may have taken the path of least resistance. The fact that the UK Extension mirrors the Data Privacy Framework will help to assuage European concerns, but the UK's data transfer deals with other countries will continue to be subject to scrutiny both at home and abroad." What does it all mean, in practical, day-to-day terms? According to the Information Commissioner's Office (ICO), the UK government can assess whether another country, territory or an international organisation provides an adequate level of data protection, compared to the UK. "Some countries may have a substantially similar level of data protection to the UK. In these cases, the government can make UK adequacy regulations. This allows organisations to send personal data to that country, territory or international organisation, if they wish." An adequacy assessment may cover either general processing, or law enforcement processing, or both. The government must consider a range of factors, including that sending personal data to that country, territory or international organisation does not undermine people's protections. The Information Commissioner's Office (ICO) supports the government, undertaking adequacy assessments and making regulations. This enables personal data to flow freely in its global digital economy to trusted partners. "We do this by providing independent assurance on the process followed and the factors that government officials take into consideration," says the ICO. "This allows the Secretary of State to make an informed and reasonable decision. By doing this work once for everyone, the government and the ICO are reducing the burden of compliance on organisations that would otherwise have to put alternative measures in place. "One of our priorities for this year, as set out in our ICO25 strategic plan, is to 'enable international data flows through regulatory certainty'. This includes our work on adequacy assessments. We provided advice to the government during its assessment of the UK Extension to the EU-US Data Privacy Framework (UK Extension). "The Commissioner considers that, while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose risks to UK data subjects, if the protections identified are not properly applied. The Secretary of State should monitor these areas closely to ensure UK data subjects are afforded equivalent protection in practice and their rights are not undermined. He also recommends monitoring the implementation of the UK Extension generally to ensure it operates as intended." FRAMEWORK ESTABLISHED The UK's data protection laws set out a framework for the responsible use of personal data by organisations. People may lose this protection when organisations transfer their personal data to organisations in other countries or to international organisations. "This is why the UK General Data Protection Regulation (UK GDPR) has specific rules on how to make international transfers of personal data," adds the ICO. "These rules mean that organisations must put in place continuing protections for people's personal data when transferring it to another jurisdiction, or one of a limited number of exemptions must apply." One way that UK organisations can transfer personal data to another jurisdiction is by relying on UK adequacy regulations made by the Secretary of State. "The Secretary of State can assess a country, territory or international organisation, or a particular sector in a country or territory, and decide if its legal framework offers a similar level of data protection to the UK. Article 45 of www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2023 computing security 33
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6 and 7: news Daniel Hofmann, Hornetsecurity
Page 8 and 9: ook review INSIDE THE REVOLUTION A
Page 10 and 11: product review HORNETSECURITY 365 P
Page 12 and 13: 2023 CS Awards Magician Nick Einhor
Page 14 and 15: ansomware ENEMY NO 1 - IS THE CROWN
Page 16 and 17: ansomware Michael Smith, Vercara: r
Page 18 and 19: inside view RANSOMWARE THREATENS BA
Page 20 and 21: cybersecurity training DRIVING EMPL
Page 22 and 23: cyber awareness THE CRIME-BUSTING C
Page 24 and 25: cyber awareness Don Boxley, DH2i: t
Page 26 and 27: attacks offensive PHISHING ENTERS D
Page 28 and 29: attacks offensive Kennet Harpsoe, L
Page 30 and 31: artificial intelligence FAKING IT W
Page 34 and 35: data privacy Edward Machin, Ropes &
Page 36: Computing Security Secure systems,

CS Nov-Dec 2023

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?