Earlier this month, the Information Commissioner’s Office (ICO) published security guidance in its guide to the General Data Protection Regulation (GDPR).

The guidance focuses specifically on encryption and passwords. It suggests points to be considered during implementation and offers some helpful “dos and don’ts”.

Encryption

Article 32 of the GDPR specifies encryption as an example of an appropriate technical and organisational measure. The guidance states four things that should be considered when implementing encryption:

  1. The algorithm. This should be appropriate for its use and should be assessed regularly to ensure that it remains appropriate;
  2. The key size. This should be large enough to protect against an attack, and its appropriateness should be assessed regularly;
  3. The software. The ICO states that this should meet current standards such as FIPS 140-2 and FIPS 197; and
  4. The security of the key. The ICO provides that keys must be kept securely and businesses should have processes in place to generate new keys when necessary.
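
As an added illustration of points 1, 2 and 4 (example code written for this note, not from the ICO's guidance or any product it names), the Go program below keeps versioned data-encryption keys and stamps each ciphertext with the id of the key that produced it, so a new key can be generated at any time without orphaning data written under the old one, and old keys can be retired deliberately once nothing depends on them. The choice of AES-256-GCM, the 256-bit key-size policy, the in-memory keyring and the record identifier used as associated data are all assumptions made for the example; Go's standard crypto package is used as an ordinary library here, and whether a deployment meets point 3 (a validated module such as FIPS 140-2) is a separate question this code does not settle.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// keyBytes fixes the policy at AES-256; aeadFor rejects anything else.
const keyBytes = 32

// keyring holds versioned data-encryption keys. Each ciphertext carries the id
// of the key that produced it, so rotation never orphans existing data.
// Constructed example: a real deployment would hold keys in a KMS or HSM.
type keyring struct {
	current uint32
	keys    map[uint32][]byte
}

func newKeyring() (*keyring, error) {
	kr := &keyring{keys: map[uint32][]byte{}}
	return kr, kr.rotate()
}

// rotate draws a fresh 256-bit key from the OS CSPRNG and makes it current.
func (kr *keyring) rotate() error {
	k := make([]byte, keyBytes)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = k
	return nil
}

// retire destroys an old key once all data under it has been re-encrypted.
func (kr *keyring) retire(id uint32) error {
	if id == kr.current {
		return errors.New("cannot retire the current key")
	}
	if _, ok := kr.keys[id]; !ok {
		return fmt.Errorf("key %d not found", id)
	}
	delete(kr.keys, id)
	return nil
}

// aeadFor builds AES-GCM (FIPS 197 cipher, SP 800-38D mode) and enforces key size.
func aeadFor(key []byte) (cipher.AEAD, error) {
	if len(key) != keyBytes {
		return nil, fmt.Errorf("policy requires a %d-bit key, got %d", keyBytes*8, len(key)*8)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt returns: 4-byte key id || 12-byte random nonce || ciphertext+tag.
// aad (e.g. a record id) is authenticated, not encrypted, so a ciphertext
// cannot be moved to another record undetected.
func (kr *keyring) encrypt(plaintext, aad []byte) ([]byte, error) {
	g, err := aeadFor(kr.keys[kr.current])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4+len(nonce), 4+len(nonce)+len(plaintext)+g.Overhead())
	binary.BigEndian.PutUint32(out[:4], kr.current)
	copy(out[4:], nonce)
	return g.Seal(out, nonce, plaintext, aad), nil
}

// decrypt uses the key named in the header; a retired or unknown id is an
// explicit error rather than a silent one.
func (kr *keyring) decrypt(blob, aad []byte) ([]byte, error) {
	const ns, tag = 12, 16 // standard GCM nonce and tag sizes
	if len(blob) < 4+ns+tag {
		return nil, errors.New("ciphertext too short")
	}
	key, ok := kr.keys[binary.BigEndian.Uint32(blob[:4])]
	if !ok {
		return nil, errors.New("key unavailable (retired or unknown)")
	}
	g, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[4:4+ns], blob[4+ns:], aad)
}

func main() {
	kr, err := newKeyring()
	if err != nil {
		panic(err)
	}
	aad := []byte("customer-record:42") // constructed sample associated data
	old, _ := kr.encrypt([]byte("name=Alice"), aad)
	_ = kr.rotate() // key 2 now current; key 1 kept so old records still read
	pt, err := kr.decrypt(old, aad)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	_ = kr.retire(1)
	_, err = kr.decrypt(old, aad)
	fmt.Println("after retiring key 1:", err)
}
```

Two points worth carrying into a real design: retiring a key is a deliberate second step after rotation, taken only once the data written under it has been re-encrypted or is no longer needed, which is exactly the "process to generate new keys when necessary" the ICO asks for; and because the nonce here is random, the number of messages that can safely be sealed under one 96-bit-nonce GCM key is bounded, so rotation should be scheduled by volume as well as by time or by incident.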

The ICO makes clear that, depending on the context of the incident, regulatory action may be pursued where data is lost or destroyed and it was not encrypted.

Continue Reading: ICO publishes security guidance on encryption and passwords

As the European data protection framework evolves, big data remains a hot topic. These large data sets often consist of personal data, so big data has clear data protection implications.

The Information Commissioner’s Office (“ICO”) has therefore issued guidance on “Big data, artificial intelligence, machine learning and data protection.” This recent guidance places helpful emphasis on accountability, transparency and how to evidence compliance with the General Data Protection Regulation (“GDPR”), which is due to come into effect on 25 May 2018. The ICO’s guidance explains the ways in which organisations can evidence accountability (for example, through documentation, the design of their algorithms and ethical review).

Continue Reading: Man vs. machine: the ICO provides guidance on use of Big Data

On 2 April 2012, after almost a year of preparation, the International Chamber of Commerce UK (“ICC”) launched its UK Cookie Guide, designed to help website operators and website users comply with the new EU rules on the use of cookies. The ICC hopes that if the Guide becomes widely adopted by website operators, then users