MISP
/
misp-compliance
mirror of https://github.com/MISP/misp-compliance
2
0
Fork 0
Code Issues Releases Wiki Activity

fix: images and metadata for LaTeX generation

pull/15/head
Alexandre Dulaunoy 2018-06-16 16:09:02 +02:00
parent 433bd92205
commit 445eb0281c
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
GDPR/information_sharing_and_cooperation_gdpr.md
View File

@ -1,3 +1,15 @@
---
title: "Information sharing and cooperation enabled by GDPR"
author: [CIRCL Computer Incident Response Center Luxembourg, MISP Project]
date: 2018-06-16
tags: [privacy, misp, information sharing, information exchange]
titlepage: true
toc-own-page: true
number-sections: true
titlepage-rule-color: EC2A3F
colorlinks: true
...
# Information sharing and cooperation enabled by GDPR # Information sharing and cooperation enabled by GDPR
@ -17,7 +29,7 @@ The GDPR explains that roughly, in the processing of personal data there are con
The concept of data controller and data processor in a sharing environment is not always trivial, but can be summarized in the below diagram, which shows how the process takes place between entities A and B. In the diagram, we take the assumption that both A and B are controllers and they are not acting on behalf of someone else. The concept of data controller and data processor in a sharing environment is not always trivial, but can be summarized in the below diagram, which shows how the process takes place between entities A and B. In the diagram, we take the assumption that both A and B are controllers and they are not acting on behalf of someone else.
<img src="./misp-compliance-gdpr-peer-to-peer-pa.svg" alt="GDPR information sharing processing activities for a peer-to-peer network" style="width: 100%;"/> ![GDPR information sharing processing activities for a peer-to-peer network](./misp-compliance-gdpr-peer-to-peer-pa.svg.png)
*FIGURE 1: PROCESSING ACTIVITIES AND DATA CONTROLLER IN THE GENERAL CASE OF INFORMATION SHARING* *FIGURE 1: PROCESSING ACTIVITIES AND DATA CONTROLLER IN THE GENERAL CASE OF INFORMATION SHARING*
@ -30,7 +42,7 @@ More generally, in a peer-to-peer network, all the peers are separate data contr
Below is a use case of information sharing using the tool MISP: Below is a use case of information sharing using the tool MISP:
<img src="./misp-compliance-gdpr-misp-pa.svg" alt="GDPR information sharing processing activities for MISP" style="width: 100%;"/> ![GDPR information sharing processing activities for MISP](misp-compliance-gdpr-misp-pa.svg.png)
*FIGURE 2: PROCESSING ACTIVITIES AND DATA CONTROLLER IN THE SPECIFIC CASE OF SHARING INFORMATION WITH MISP PLATFORM* *FIGURE 2: PROCESSING ACTIVITIES AND DATA CONTROLLER IN THE SPECIFIC CASE OF SHARING INFORMATION WITH MISP PLATFORM*
@ -56,9 +68,7 @@ It is important to notice here that the identification of a piece of information
Having this in mind, the figure below illustrates the MISP categories of data that could be exchanged through MISP which may include personal data in some cases. Having this in mind, the figure below illustrates the MISP categories of data that could be exchanged through MISP which may include personal data in some cases.
<p align="center"> ![GDPR information sharing personal data in MISP per categories](./misp-compliance-gdpr-personal-data.svg.png)
<img src="./misp-compliance-gdpr-personal-data.svg" alt="GDPR information sharing personal data in MISP per categories" style="width: 70%;"/>
</p>
*FIGURE 3: EXAMPLE OF MISP ATTRIBUTE CATEGORIES POTENTIALLY INVOLVING PERSONAL DATA (NON-EXHAUSTIVE)* *FIGURE 3: EXAMPLE OF MISP ATTRIBUTE CATEGORIES POTENTIALLY INVOLVING PERSONAL DATA (NON-EXHAUSTIVE)*
@ -90,9 +100,7 @@ The GDPR allow for six possibilities of legal grounds for a processing activity.
For example, in the case of CSIRTs sharing information, the legal ground would most likely be either Art. 6(1)(f) **“legitimate interest”** (as mentioned in Recital 49), Art. 6(1)(c) **“compliance with legal obligation”** or Art. 6(1)(e) **“public interest”**. Private or internal CSIRTs monetizing their services would probably use legitimate interest as a legal ground while CSIRTs who need to comply with the Network and Information System Directive (NISD), and/or whose mandate is defined by Law, would most likely use “public interest”. For example, in the case of CSIRTs sharing information, the legal ground would most likely be either Art. 6(1)(f) **“legitimate interest”** (as mentioned in Recital 49), Art. 6(1)(c) **“compliance with legal obligation”** or Art. 6(1)(e) **“public interest”**. Private or internal CSIRTs monetizing their services would probably use legitimate interest as a legal ground while CSIRTs who need to comply with the Network and Information System Directive (NISD), and/or whose mandate is defined by Law, would most likely use “public interest”.
<p align="center"> ![GDPR grounds to process personal data](./misp-compliance-gdpr-grounds.pdf.png)
<img src="./misp-compliance-gdpr-grounds.svg" alt="GDPR grounds to process personal data" style="width: 70%;"/>
</p>
*FIGURE 4: LEGAL GROUNDS FOR CSIRTs WHICH CAN ENABLE A DATA CONTROLLER OR PROCESSOR TO PROCESS PERSONAL DATA* *FIGURE 4: LEGAL GROUNDS FOR CSIRTs WHICH CAN ENABLE A DATA CONTROLLER OR PROCESSOR TO PROCESS PERSONAL DATA*