What are the benefits of conducting a DPIA? Conducting a Data Protection Impact Assessment will improve awareness in your organisation of the data protection risks associated with a project. This will help to improve the design of your project and enhance your communication about data privacy risks with relevant stakeholders. Read our guide to DPIAs here: https://lnkd.in/enQMrrCv
Data Protection Commission Ireland’s Post
More Relevant Posts
-
A Data Protection Impact Assessment (DPIA) helps you identify and mitigate data privacy risks from the get-go. This means a stronger project, with clear communication about how personal information is handled. Doing DPIAs shows you're committed to data protection by design, building trust and transparency. #privacy #dataprotection #DPIA #dataprivacy #projectmanagement
Data Protection Impact Assessments | Data Protection Commission
dataprotection.ie
-
Data Protection Impact Assessments can be used to identify and mitigate against any #data #protection related #risks arising from a #new #project, which may affect your organisation or the individuals it engages with. Read this guide published by the Data Protection Commission Ireland to learn more about how and when to carry out a #DPIA.
Data Protection Impact Assessments | Data Protection Commission
dataprotection.ie
-
Brazil: Data Protection Authority publishes Regulation on Notification of Security Incident: On 26 April 2024, the Brazilian Data Protection Authority (ANPD) published the Resolution CD/ANPD no. 15 which approved the Regulation on Notification of Security Incident ("Regulation"). Such Regulation sets forth the mandatory procedures that data controllers must follow when notifying security incidents to ANPD and personal data subjects. According to Law No. 13,709/18 (Brazilian General Data Protection Law, or LGPD), the controller must notify the occurrence of a security incident that may give rise to relevant risk or damage to data subjects not only to ANPD, but also to the data subjects. The post Brazil: Data Protection Authority publishes Regulation on Notification of Security Incident appeared first on Global Compliance News. -via @bakermckenzie
Brazil: Data Protection Authority publishes Regulation on Notification of Security Incident
globalcompliancenews.com
-
The FDPIC has recently published its latest guidelines on technical and organizational measures (#TOM), which is a must-read 📢 for all data protection officers in Switzerland. These guidelines are shorter than the leaked draft of the AI Act and provide important information on how to ensure data protection in an organization.

The publication "Guide to Technical and Organisational Data Protection Measures (TOM)" provides guidance on how to ensure data protection in an organization, specifically in Switzerland. It covers various aspects of data security, including infrastructure, sharing and transmission, access and processing, and the life cycle of data. The document outlines the various measures that must be taken by federal bodies and data controllers to ensure that personal data is processed and disclosed in accordance with the Federal Act on Data Protection (FADP).

The document discusses the exception to the purpose principle, which allows for the processing of personal data for statistical purposes, provided that certain conditions are met. It also outlines the rights of data subjects, including the right to access their personal data and the right to request that certain measures be taken about the processing and disclosure of their data. In addition, the document provides requirements for data controllers who are based abroad and who process personal data relating to persons in Switzerland. Such data controllers must appoint a representative in Switzerland and publish their name and address.

Overall, the document provides a comprehensive overview of the regulations and requirements related to the processing and disclosure of personal data in Switzerland. It is important for federal bodies and data controllers to be aware of these regulations and to take the necessary measures to ensure compliance with the FADP.

The document was published on January 23, 2024, by the Federal Data Protection and Information Commissioner (FDPIC) and is an important resource for those who handle personal data in Switzerland. #FDPICGuidelines #DataProtection #AI #Data #SwissPrivacy #TOM #PrivacyRights #DataSecurity #Compliance #SwissRegulations
FDPIC published the latest guidelines on Technical and Organisational Data Protection Measures (TOM)
lexcellence.swiss
-
The Brazilian General Personal Data Protection Law (LGPD) establishes that security incidents that may compromise the protection of personal data must be communicated to the National Data Protection Authority (ANPD) and to the affected data holders, as described in arts. 46 to 49 of Law nº 13.709/2018 (LGPD). According to the LGPD, an information security incident is a security breach that causes, accidentally or unlawfully, the destruction, loss, alteration, disclosure of or unauthorized access to personal data, and depending on the incident, it can be interpreted that a "cyber-attack" is also included in this list.

Therefore, the company must notify the ANPD whenever a security incident occurs that could compromise the protection of personal data. This must be done within 24 hours of the incident being discovered and must contain information such as:
- description of the nature of the affected personal data;
- technical and security measures used to protect affected data;
- risks related to the incident;
- measures adopted or that will be adopted to reverse or mitigate the effects of the incident.

According to the law, in addition to the ANPD, the company must also notify affected data holders, informing them about the incident and the measures being taken to minimize its impacts. On the other hand, notification is not mandatory when there is a security incident, but this incident does not present risk or harm to the affected data subjects. The LGPD establishes that not all security incidents need to be notified to the ANPD, but only those that may create risk or harm to holders of personal data. This means that if the incident does not affect personal data, or if it does, but does not represent risk or harm to data subjects, notification to the ANPD is not mandatory.

However, it is important to highlight that the company must carefully evaluate the incident and determine whether notification to the ANPD is necessary or not, considering that the risk assessment may not be immediate and, therefore, notification must be made if there are doubts regarding the severity of the incident. Furthermore, the LGPD also establishes that the company must keep a record of all security incidents, even those that did not need to be notified to the ANPD, as a way of proving its compliance with the law. #Rubenviegaselianaalo
-
I help shipowners, cargo agents and freight forwarders in the interpretation of, and compliance with, the tax, fiscal, customs and legal rules of their day-to-day activities.
🚨 What to do in case of a cyber-attack? 💻 Check out this special news about #LGPD that I prepared to post on the social media of our law firm Ruben Viegas Eliana Aló Advogados Associados, focused on our foreign clients and partners.
-
🔒 Data masking is a powerful technique for controlling information disclosure and protecting sensitive data. When choosing a specific masking technique, several factors come into play:
1️⃣ Data Disclosure Risks: Identify sensitive fields, assess potential harm, and consider who may be affected by data release.
2️⃣ Analytical Use Cases vs Masking Characteristics: Evaluate if downstream recipients require specific formatting or if certain information must be preserved.
3️⃣ Governance: Understand applicable compliance frameworks like GDPR and BCBS 239, and determine if masking can reduce compliance burden or enable broader data sharing.
Join the conversation and explore the world of data masking to enhance data privacy and security. 🛡️💻 #DataMasking #DataPrivacy #InformationSecurity
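The post above says the choice of masking technique depends on what downstream recipients need preserved (formatting, joinability) against the disclosure risk of each field. The following is an added example, not code from the post's author, showing how that trade-off translates into per-field masking policies: irreversible redaction, a format-preserving partial mask, keyed consistent pseudonymization (HMAC), and generalization. The customer records are constructed sample data and the key is a placeholder; a real deployment would hold the key in a secrets manager and rotate it.

```python
import hashlib
import hmac
import re

# Placeholder key (assumption): in production this lives in a secrets manager.
MASKING_KEY = b"placeholder-key-rotate-in-production"

# Constructed sample records; no real people or card numbers.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "card": "4111 1111 1111 1111", "dob": "1984-03-17"},
    {"customer_id": "C-1002", "email": "bob@example.org",
     "card": "5500 0000 0000 0004", "dob": "1990-11-02"},
    {"customer_id": "C-1001", "email": "alice@example.com",
     "card": "4111 1111 1111 1111", "dob": "1984-03-17"},
]


def redact(value: str) -> str:
    """Irreversible and format-destroying: for recipients who must not see
    the field at all. Nothing about the original value survives."""
    return "[REDACTED]"


def mask_card(pan: str) -> str:
    """Format-preserving partial mask: keeps the four-digit grouping and the
    last four digits so a support agent can confirm a card with a customer
    without ever handling the full PAN."""
    digits = re.sub(r"\D", "", pan)
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def pseudonymize(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed consistent token (HMAC-SHA256, truncated): the same input always
    yields the same token, so analysts can still join and count per customer,
    but nobody can reverse it without the key. An unkeyed hash would be
    brute-forceable for low-entropy fields such as email addresses."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_dob(dob: str) -> str:
    """Generalization: keep only the birth year so age-band analysis works
    while the exact date of birth is no longer disclosed."""
    return dob[:4]


def mask_record(record: dict, policy: dict) -> dict:
    """Apply the policy's masking function to each field; fields absent from
    the policy pass through unchanged."""
    return {field: policy.get(field, lambda v: v)(value)
            for field, value in record.items()}


def mask_dataset(records: list, policy: dict) -> list:
    return [mask_record(r, policy) for r in records]


# Analytics recipients: need joinability per customer and age bands, never the PAN.
ANALYTICS_POLICY = {
    "customer_id": pseudonymize,
    "email": pseudonymize,
    "card": redact,
    "dob": generalize_dob,
}

# Support recipients: need the real customer id and last four card digits only.
SUPPORT_POLICY = {
    "email": redact,
    "card": mask_card,
    "dob": redact,
}

if __name__ == "__main__":
    for row in mask_dataset(SAMPLE_RECORDS, ANALYTICS_POLICY):
        print(row)
    for row in mask_dataset(SAMPLE_RECORDS, SUPPORT_POLICY):
        print(row)
```

The two policies make the post's second factor concrete: the analytics policy preserves joinability (the two records for C-1001 map to the same token) but destroys the card number entirely, while the support policy preserves card formatting and the real identifier but removes everything else. Choosing between them is the disclosure-risk and governance question the post raises, not a purely technical one.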
-
Chief Architect | CTO | Head Architect | Executive Director | Consumer, Private, Wealth & Corporate Banking | Solution & Enterprise Architecture | Digital Channels and Data Analytics
Understanding and managing data entitlements is vital for safeguarding data privacy, maintaining data security, and promoting responsible data governance. It helps to ensure that data is accessed and utilized appropriately, respecting individual rights, organizational policies, and legal frameworks. This article attempts to explain the 3 key authorization models (entitlement models): https://lnkd.in/gVQDHxHP
Implementing Entitlements Effectively — 3 Key Authorization Models — RBAC, ABAC & ReBAC
medium.com
-
'The GDPR’s Rules on Data Breaches: Analysing Their Rationales and Effects' New paper by Hadi Asghari, Jaap-Henk Hoepman, Noel Bangma & me. Abstract: 'The General Data Protection Regulation (GDPR) requires an organisation that suffers a data breach to notify the competent Data Protection Authority. The organisation must also inform the relevant individuals, when a data breach threatens their rights and freedoms. This paper focuses on the following question: given the goals of the GDPR’s data breach notification obligation, what are its strengths and weaknesses? We identify six goals of, or rationales for, the GDPR’s data breach notification obligation, and we assess the obligation in the light of those goals. We refer to insights from information security and economics, and present them in a reader-friendly way for lawyers. Our main conclusion is that the GDPR’s data breach rules are likely to contribute to the goals. For instance, the data breach notification obligation can nudge organisations towards better security; such an obligation enables regulators to perform their duties; and such an obligation improves transparency and accountability. However, the paper also warns that we should not have unrealistic expectations of the possibilities for people to protect their interests after a data breach notice. Likewise, we should not have high expectations of people switching to other service providers after receiving a data breach notification. Lastly, the paper calls for Data Protection Authorities to publish more information about reported data breaches. Such information can help to analyse security threats.' Open access: https://lnkd.in/d638A69C #security #privacy #dataprotection #gdpr #cybersecurity #databreach #tech #law
The GDPR’s Rules on Data Breaches: Analysing Their Rationales and Effects
journals.ed.ac.uk
-
Hi. My latest course is available for those with a subscription to Pluralsight. It is called "Data Security Champion: Data Privacy Regulations." Data breaches and privacy violations are growing concerns in today’s data-driven world, especially for data analysts who handle sensitive information. In this course, Data Security Champion: Data Privacy Regulations, you’ll learn to implement and advocate for robust data protection measures within your organization. First, you’ll explore the essential data privacy laws from around the globe, including GDPR, HIPAA, and CCPA, to understand the regulatory landscape. Next, you’ll discover practical ways to integrate these data protection principles into your daily data analysis workflow. Finally, you’ll learn how to foster a data privacy and security culture in your organization. When you’re finished with this course, you’ll have the skills and knowledge of data security needed to enhance compliance and protect sensitive data effectively. You can access the course here: https://lnkd.in/gYMQbjqf
Barrister at Law at Lawlibrary
4w: Thanks for sharing