Incident Response: Protecting Individual Rights Under the General Data Protection Regulation

Authors

  • Andrew Cormack, Chief Regulatory Adviser, Jisc Technologies

DOI:

https://doi.org/10.2966/scrip.130316.258

Abstract

Identifying and fixing problems with the security of computers and networks is essential to protect the data they contain and the privacy of their users. However, these incident response activities require additional processing of personal data, so may themselves create a privacy risk. Current laws have created diverse interpretations of this processing – from encouragement to prohibition – creating barriers to incident response and challenges for collaboration between incident responders. The EU’s new General Data Protection Regulation explicitly recognises the need for processing to protect the security of networks and information. It also, through rules on processing for “legitimate interests”, suggests a way to identify an appropriate balance between risks. Consistent use of these provisions could provide a common legal approach for incident response teams, enabling them to work more effectively. This article builds on analysis by the Article 29 Working Party to develop a framework for assessing the benefit and impact of incident response activities. This is applied to a range of practical detection, notification and information sharing techniques commonly used in incident response, showing how these do, indeed, protect, rather than threaten, the privacy and data protection rights of computer and network users.

Published

01-Dec-2016

Section

Research Article