[IUCC-GDPR] Sending incident reports from Europe to Rest of World

Hank Nussbacher Hank at mail.iucc.ac.il
Sat Feb 24 20:54:07 IST 2018


Being forwarded from another list...

There's always been a slightly grey area about sending incident reports from
Europe to the rest of the world. Those reports contain IP and e-mail
addresses - generally considered personal data - so do they need to fit into
the legal rules for exporting personal data? And does it help that we're
generally sending data back to where it came from?

Fortunately the Article 29 Working Party of European Data Protection
Regulators has now published draft guidance on exports that seems to be
aware, and supportive, of the practice. Though I suspect they don't realise
how often we need to do it...

Full details:
https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-sending-incident-reports-overseas
One-line summary (not legal advice!): keep on doing it - good CSIRT practice
should be fine.

Cheers
Andrew

--
Andrew Cormack
Chief Regulatory Adviser

T 01235 822302
Skype ancormack
Twitter @JanetLegReg
Blog https://community.jisc.ac.uk/blogs/regulatory-developments
Orcid.org/0000-0002-8448-2881

Lumen House, Library Avenue, Harwell Oxford, Didcot OX11 0SG
