In homage to Halloween, GÉANT has spent this week focusing on one of the big monsters facing all of our community over the next 8 months – the General Data Protection Regulation (GDPR). The fact that there are only 205 days until the GDPR comes into effect on 25th May 2018 is enough to scare anyone, but the GÉANT Community Programme is on hand to help our members get ready.
We began the week with the first formal meeting of the newest GÉANT task force, TF-DPR. The group started with brief highlights of planning to date within each represented organisation, with reports from DeiC, CERN, GÉANT, SURFnet, HEAnet, Belnet, DFN and the AARC project. Most of the organisations had developed a process for reviewing their internal and external services, which can usefully be divided into employee services, services offered by the organisation and services brokered by the organisation. We identified that for many NRENs the services and their privacy requirements would be similar: most of us run a FileSender instance, use eduroam, use eduGAIN and offer cloud services. TF-DPR would therefore like to share privacy notices, classification approaches and lessons learned, to reduce the duplicated workload across our members.
The group then engaged in a practical exercise, attempting to classify the GÉANT services as advertised on the GÉANT website. From this exercise, several common issues arose:
- There are still many open questions about how the GDPR applies to network traffic data and its processing, and some of them are difficult to answer.
- Many services need to be broken down into smaller components before their requirements can be assessed properly; the eduroam operational team has already made a good start in showing how this might be done.
- There are many services we offer that might not be immediately obvious when carrying out an inventory, for example event management systems and mailing list services.
- It will be useful to have conversations with software development teams about standard defaults for data retention and how privacy by design can be built into development, but we will first need a clear set of requirements to communicate to developers.
In the afternoon, the group focused on discussions around key areas of the GDPR that will impact organisations. It has become increasingly clear that under the GDPR consent will be a very difficult justification for processing: consent must be completely unambiguous and must not be coerced, so if you refuse access to a service because the user will not release certain data, you cannot rely on consent. Most of the organisations in the room had already moved away from using consent as the basis for data processing, following examples such as the REFEDS approach of using legitimate interests to justify attribute release and processing.
Moving towards GDPR
On Tuesday, GÉANT and Jisc hosted an online seminar on GDPR as part of the IAMOnline series of events. Over 170 people signed up for the event, showing the breadth of interest in this challenging topic.
The webinar, delivered by Andrew Cormack (Jisc), explained the new approach taken by the GDPR (and the proposed ePrivacy Regulation), the main areas of difference from current law and the changes it will require in how organisations think about the processing of personal data. Universities, service providers, organisations, NRENs and public network operators will all have to deal with the GDPR, regardless of jurisdiction. The webinar covered the main areas of the GDPR, namely accountability, data protection by design and by default, consent, user rights and security, and provided guidance on how to approach each of them. On the positive side, R&E identity federations are already well placed, as they have been practising data minimisation for years. Legitimate interest, which is one of the underlying foundations for federated access, will continue to be a valid lawful basis. See more about legitimate interests in the article written by Andrew.
There are still several grey areas (e.g. cloud services) that may not be clarified before the regulation enters into force. We should expect to be working on GDPR compliance well after the "go live" date of 25th May 2018.
The recording of the webinar is online on the IAMOnline channel.
We encourage all NRENs and other interested parties to join the conversation at TF-DPR and share approaches, policies, templates and experiences from your GDPR plans. You can find out more on the TF-DPR wiki pages and sign up for the mailing list. The group is planning meetings in January and April 2018 and will also hold virtual meetings if necessary.
GÉANT would also like to collate contacts for all GDPR leads within NRENs so we can share information. If you have an identified contact or contacts within your organisation, please let Nicole or Charlie know.
The TF-DPR group is considering a response to the recent consultation by the Article 29 Working Party on its draft guidelines on automated individual decision-making and profiling. The draft contains recommendations around automated processing that might cause difficulties for many organisations. We urge you to read the document and join the TF-DPR discussion on how to influence its direction.
(with thanks to HowManyDaysTill for the clock, you can get an up-to-date countdown here).