Over the last few days, we have had the honor of hosting in Trento the [C3ISP] project meeting (https://www.digitalcatapultcentre.org.uk/project/c3isp/). C3ISP is an EU Commission-funded project that aims to create a collaborative and confidential information-sharing system for cyber security threats and attacks.
The project involves strong industry players such as British Telecommunications, Hewlett-Packard, SAP, together with research institutions that have a track record of delivering high quality innovation on cybersecurity such as Consiglio Nazionale Delle Ricerche – CNR, University of Kent, Digital Catapult, CEA, Istituto Superiore delle Telecomunicazioni (MISE). It also includes SMEs such us Grid Pocket, 3D Repo and us, Chino.io.
Working together with these great companies is a big step up for Chino.io: it allows us to be even more lined up with EU cybersecurity and privacy changes and novelties while contributing at building a more safer digital European Union. We can't wait to continue our work with C3ISP! To stay updated follow on Twitter @C3ISP.
The Ultimate Guide on GDPR and HIPAA compliance
Breach Notification, cyber threats detection and info sharing in real time
During our last C3ISP meeting we had the chance to discuss some of the main topics regarding the state-of-art privacy security in Europe.
If you are not up to date, you must know that EU has been drafting new legislation that already has several impacts on every business: the General Data Protection Regulation (GDPR) is the new reference text on privacy matters in EU; the Network and Information Security (NIS) Directive is already applicable and has to be implemented in most of the Member States; the ePrivacy Directive will be soon reviewed by a new EU proposal and will become a regulation.
What are the differences and main requirements of these texts? In the table below you can find a brief comparison.
According to these legal acts, a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material, or non-material damage to natural persons. That is why certain requirements must be fulfilled in case of breach or cyber attacks. Hence, great focus has to be continuously put on actual EU privacy laws and requirements.
For example, from a data processors point of view:
- Art. 33 of the new GDPR requires to notify nature and consequences of an eventual personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Art. 34 GDPR further requires notifying the data subject.
- Art. 4 of ePrivacy Directive requires the provider of a publicly available electronic
communications service (e.g. website) to inform the subscribers about data breach risk.
Furthermore:
- Art. 15 and Recital 63 of the NIS directive suggest that "competent authorities" and "data protection authorities" should cooperate and exchange information on all relevant matters to tackle any personal data breaches resulting from incidents.
The C3ISP mission is to build a breach notification, cyber threats detection, and real-time information sharing system useful for small and medium businesses subject to cyber attacks, in addition to what the NIS directive suggests.
Stay tuned for further updates on our website or follow C3ISP project!