PISAX enables automated and secure threat intelligence sharing. PISAX runs on the MISP threat sharing platform, whose data model is composed of "events", which usually represent threats or incidents. Information exchange can often involve personal data, meaning that the requirements of the General Data Protection Regulation (GDPR) or any other relevant privacy regulation may apply.
What personal data is shared through PISAX?
Not all cyber security information constitutes personal data. Personal data is defined as "any information relating to an identified or identifiable natural person" (Art. 4(1) of the GDPR). Incidents shared through the PISAX platform are composed of "attributes". In some cases, attributes can consist of IP addresses, domain names or other online personal identifiers. Such information can be considered personal data when it can be linked to a specific individual. Conversely, attributes within shared cyber security information no longer include personal data if an individual cannot be identified from them.
How is information exchange impacted by the GDPR?
Recital 49 of the GDPR states that the processing of personal data is allowed "to the extent strictly necessary and proportionate for the purposes of ensuring network and information security". In other words, the GDPR may permit the exchange of personal data between PISAX members where it serves to ensure the security of their networks and information. According to the GDPR, this could for example include preventing unauthorised access to electronic communications networks and malicious code distribution, and stopping 'denial of service' attacks and damage to computer and electronic communication systems.
Information sharing is voluntary within PISAX. Any member having access to personal information determines the purposes of processing that information, which includes deciding whether or not to share it. Nevertheless, collecting personal data in the first place, before sharing it through PISAX, brings certain data protection responsibilities. For instance, it should be transparent to an individual how the personal data concerning him or her is collected and used, and to what extent the personal data are or will be processed (transparency principle). In addition, data collected and processed should not be kept longer than is needed for the purpose (data minimisation principle).