12 May 2021 #Data Protection
In this month’s Data Protection Round-Up: key takeaways from the ICO Data Protection Practitioners Conference, guidance on anonymisation, and a government response to new cyber security legislation.
ICO’s data Protection Conference key takeaways
Last week I attended the ICO’s annual Data Protection Practitioners Conference. The conference, usually held in Manchester, was instead delivered online. The all-day conference covered myriad of topics, below I have summarised my two key takeaways:
European Data Protection Supervisor publishes anonymisation misunderstandings guidance
In partnership with the Spanish Data Protection Agency the EDPS have sought to address the 10 biggest misunderstandings that relate to the process and results of anonymising data. Seeking to raise public awareness and debunk any myths associated with anonymisation, the guidance lists 10 common misunderstandings and details techniques for ensuring GDPR compliance. Whilst this guidance is primarily focused on the processing of personal data by the EU administration, the advice is likely to be applicable to UK organisations too as the principles and observations remain the same.
The guidance notes that there have been several major examples of poor anonymisation by major organisations, actions that have led to serious data breaches. The guidance sites the publishing of a data sheet by the New York City Taxi and Commissioner of 173 million taxi trips that supposedly anonymised the taxis’ license numbers. Due to poor anonymisation practices, it was quickly established that not only where the license numbers easy to identify but so were the individual drivers of those taxis.
Amongst the misunderstandings listed are:
The full guidance can be found here: 10 Misunderstandings related to anonymisation
Government publishes next steps on consumer connected product cyber security legislation.
Between 16 July 2020 and 6 September 2020, the government ran a 'call for views' on new proposals for UK domestic cyber security legislation. Specifically, this new legislation will seek to ensure appropriate measures are in place to protect consumers whose devices, such as televisions, smart speakers, connected doorbells, cameras and household appliances, that connect to the internet are safe and secure. The security of smart speakers, for example, has long been criticised; there is an endless array of horror stories of inadvertent data sharing or inappropriate access.
The Government have now published their response to the 'call for views' recognising that such legalisation will become increasingly important in the wake of ever-integrated 5G- households becoming the new normal. Whilst laptops will be exempt (due to their sophisticated construction and sophisticated security integration, any regulations will apply to all consumer connected products including smartphones.
The Government hopes to legislate as soon as possible, although there is no telling when any parliamentary time will be allotted. It is anticipated that the new security requirements will align with international standards and the Government will set up a specific enforcement body equipped with the necessary powers to investigate allegations of non-compliance. Read the Government's full proposals