GDPR Best Practices and Checklists

General Data Protection Regulation (GDPR): Best Practices and Checklists

Laura Spinaci , November 2018
https://www.linkedin.com/in/lauraspinaci/
Twitter @lallispinaci

Attribution 4.0 International (CC BY 4.0)

TABLE OF CONTENTS

  1. Introduction
  2. GDPR core principles
  3. Privacy by design
  4. Security by design
  5. Checklists: data protection, data privacy, data security
    5.1 Data Protection
    5.2 Data privacy
    5.3 Data security
  6. GDPR general data protection regulations
    6.1 Rules and Checklist
    6.2 Rules within different countries
    6.3 Regulation versus national law
    6.4 GDPR as value proposition
    6.5 GDPR action plan
    References
  1. Introduction
    Some describe the GDPR as a "Digital Declaration of Rights" because it places limits on the power of software platforms and reflects a commitment to the principles of digital self-sovereignty.
    The GDPR is a welcome replacement for its predecessor, the Data Protection Directive 95/46/EC, a law that had remained essentially unchanged since its adoption in 1995.
    After the Facebook–Cambridge Analytica data scandal and the application of the GDPR on 25 May 2018, attention to data protection, data security and data privacy has increased sharply and has become critical within every company. Moreover, although the GDPR is EU legislation, it is seen as a global benchmark for the preservation of user rights in terms of data privacy.
    Broadly speaking, data protection is a general term that covers data privacy, data security and, in the narrow technical sense, data protection itself. What data protection means technically is explained in the Data protection checklist (5.1).
    The aim of this document is to contextualise the GDPR, which is a set of rules that collects principles and best practices that have existed for some time. We break down those principles and best practices, identify the main rules and show how to comply with the GDPR.
    The document is split into four parts:
    • GDPR core highlights
    • best practices addressed by the privacy by design and security by design principles
    • practical checklists for data protection, data security and data privacy
    • GDPR rules, the value they add, and concrete steps to follow in order to be compliant

This is a practical guide on how to define an internal self-regulatory framework within a company. It does not substitute the work of a compliance lawyer or a DPO (data protection officer), whom we recommend consulting if your company collects and processes PII (personally identifiable information) (20), particularly if that data is sensitive, such as medical records and financial data (19).
The target audience is small and medium companies that are still not well informed about the GDPR and need a guide on how to start dealing with this topic and build up the knowledge base within the organisation. Hence this document is for all those who need an overview from the top of where the GDPR comes from and its implications at the technical and business process level.

  2. GDPR core principles
  1. GDPR onboarding is about:
    • Privacy and consent
    • Data access
    • Data correction
    • Data export
    • Data deletion

  2. GDPR is a matter of following the privacy by design and security by design principles, plus addressing concerns related to:
    • Data protection
    • Data privacy
    • Data security

  3. Complying with the GDPR rules is challenging for every organisation.
    There is an enormous gap between legislation and practice. Clarify which degree of compliance your organisation can achieve and why.
    Explain your choices and do a risk assessment as part of your risk management plan (identify risks and define a risk response).

  4. The organisation has to define who is responsible and accountable for data privacy and security (see 6.1 Rules and Checklist).
    Note that the GDPR sets no headcount threshold for this: the 250-employee test in an early draft of the regulation was dropped from the final text. Under the GDPR a DPO (data protection officer) appointment is mandatory for public authorities and for those controllers and processors whose core activities consist of:
  • processing operations which require regular and systematic monitoring of data subjects on a large scale (for example online behaviour tracking), or
  • large-scale processing of special categories of data or of data relating to criminal convictions and offences.
  5. The GDPR is only the skeleton of data protection regulation. Each EU country applies its own additional rules, so the detail depends on the law of the specific country (see 6.3 Regulation versus national law).

  6. Not only EU companies are subject to the GDPR rules, but also non-EU "established" organisations that target or monitor EU data subjects (see 6.2 Rules within different countries).

  7. Privacy and security from the customer's perspective:
    Customers want easier access to their own data through transparency.
    • Display why you are collecting personally identifiable information (PII) and all the ways this data is being used (18)
    • Make this visible during the onboarding process of an application and whenever a new piece of information is collected. Opting out must be as easy as opting in

  8. The major issue to solve in order to be GDPR compliant is the way user data is collected and held. Centralised storage of poorly protected personal credentials, including passwords, PINs, biometrics, credit card numbers and other personal information, brings the following issues:

o single point of failure
o high risk of breaches
o rising IT costs

  3. Privacy by design
    Privacy by design as a concept has existed for years. It means taking privacy into account throughout the whole engineering process (8). Practically speaking, that means understanding how user data is designed, implemented and verified, and how it is:
    • collected (how data is obtained from the front-end interfaces)
    • used (how data is treated within a database)
    • stored
    • disclosed
    • transferred
    • deleted

Within the implementation of a technology, the areas of application of privacy are:
• IT systems, platforms, applications
• business practices, processes
• network infrastructure, on premises or in the cloud

The principles of privacy by design may be applied to all types of personal information, but should be applied with special vigour to sensitive data such as medical and financial information. The strength of the privacy measures implemented should be commensurate with the sensitivity of the data.
The objectives of privacy by design are ensuring strong privacy and personal control over one's information and, for organisations, gaining a sustainable competitive advantage.

Foundational principles

Privacy by design is based on seven "foundational principles" (8)(9):

  1. Proactive not reactive; preventative not remedial (see 6.5 GDPR action plan)
  2. Privacy as the default setting: privacy built into the system
  3. Privacy embedded into design
  4. Full functionality: positive-sum, not zero-sum
  5. End-to-end security: full lifecycle protection, from start to finish
  6. Visibility and transparency: keep it open (see the right to be informed in 6.1)
  7. Respect for user privacy: keep it user-centric

See the 5.1 Data protection, 5.2 Data privacy and 5.3 Data security checklists below.

  4. Security by design

Security by design (SbD) is an approach to security that lets you formalise infrastructure design and automate security controls so that security is built into every part of the IT management process. In practical terms, this means that your engineers spend their time developing software that controls the security of your system in a consistent way, 24x7, rather than manually building, configuring and patching individual servers (10)(11).
Within the implementation of a technology, security must be applied in the same three areas as privacy:

• IT systems, platforms, applications
• business practices, processes
• network infrastructure, on premises or in the cloud

See the 5.2 Data privacy and 5.3 Data security checklists.

  5. Checklists: data protection, data privacy, data security
    5.1 Data Protection
    Data protection, technically speaking, refers to a company's backup and archiving method, done to secure user data and minimise costs.
    Network data backup plan: types of data:
    • Data files
    • Operating systems
    • Databases
    • Application programs
    • Application settings
    • Windows device drivers
    • Network settings
  1. Which data can be archived to tape to free up disk storage and reduce running costs?
  2. How long must data be archived?
  3. The quantity of data to be backed up
    • How much data will typically be stored in a full back-up?
    • How often will a full backup be done?
    • How much data will typically be stored in a partial backup?
    • How often will a partial backup be done?
  4. End user desktop and notebook backup scheme:
    • Desktop
    • notebook environments
    • Application programs
    • Application settings
    • Data files
    • Address books
  5. End-user data backup recommendations (copy to the network first)
  6. End-user data recovery checklist—what to do and what not to do when suspecting data loss
  7. Network administrator data recovery checklist
  8. Prioritization: Which data to back up first
  9. Data backup strategy (schedule of full and partial backups)
  10. Choice of backup hardware with an eye to automation
  11. Choice of backup software
  12. Archive strategy (on-site and off-site backup storage locations)
  13. Tape management (how many tape sets; rotation plan)
  14. Restore process actually tested prior to needing it
  15. Capital investment budget (hardware, software, implementation)
  16. Operating budget—recurring costs

5.2 Data privacy

  1. Awareness: make sure that decision-makers and key people in the organisation are aware of what being GDPR compliant implies.
    • To do: send a communication with the related information attached and the next steps (see 6.5 GDPR action plan)

  2. Information to hold: document what personal data you hold, where it came from, and who you share it with. Organize an information audit across the organization or within particular business areas.
    • To do: Data audit document

  3. Individual rights: define the procedures to ensure all the rights individuals have will be covered.
    • To do: review list of rights (GDPR) and how to guarantee them (procedures) (see 6.1 Rules and Checklist)

  4. Subject access requests: consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online (see 6.1 Rules and Checklist)
    • To do: design a system that makes it easy for users to access their data

  5. Lawful basis for processing personal data: under the GDPR some individuals' rights are modified depending on your lawful basis for processing their personal data. For example, people have a stronger right to have their data deleted where you use consent as your lawful basis for processing. The lawful basis has to be explained in the privacy notice and when you answer a subject access request. (22)
    • To do: document your lawful bases in order to comply with the accountability requirements
    Consent is only one of the six lawful bases and is not inherently the safest: it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time, so rely on it only where you can offer people a genuine choice. Where consent is not practical, look for another lawful basis (for example contract or legitimate interests) rather than forcing consent (24).
    • To do: read the consent guidance
    You should review how you seek, record and manage consent, and whether you need to make any changes (24)
    • To do: review the privacy notices and read the guidance on the right to be informed (see 6.1 Rules and Checklist)
    Communicating privacy information: decide where and how to communicate your current privacy notice to end users.

  6. Data breaches: the GDPR introduces a duty on all organisations to report certain types of personal data breach to the supervisory authority, and to the affected individuals where the breach is likely to result in a high risk to them. Assess the types of personal data you hold and document where you would be required to notify. Larger organisations will need to develop policies and procedures for managing data breaches. Failure to report a breach when required to do so can result in a fine, in addition to a fine for the breach itself.
    • To do: put procedures in place to effectively detect, report and investigate a personal data breach (see 6.1 Rules and Checklist)

  7. Data protection by design and data protection impact assessments:
    A data protection impact assessment (DPIA) is required where data processing is likely to result in a high risk to individuals (23). Carry it out before the processing starts and document the risks identified and the measures taken.

  8. Data protection officers: designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. The appointment of a DPO under the GDPR is mandatory only in these situations:
    • when the organisation is a public authority or body,
    • or when the organisation's core activities consist of either:
    o data processing operations that require regular and systematic monitoring of data subjects on a large scale; or
    o large-scale processing of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation, etc.) or of personal data relating to criminal convictions and offences.
    There is no exemption for small and medium-sized enterprises (SMEs), as the Information Commissioner's Office (ICO) has reaffirmed.

  9. International: if your organisation operates in more than one EU member state, determine your lead data protection supervisory authority and document it. This applies if you carry out cross-border processing, i.e. you have establishments in more than one EU member state, or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.

• To do: map out where your organisation makes its most significant decisions about its processing activities. This will help to determine your "main establishment" and therefore your lead supervisory authority.
5.3 Data security
Security is your responsibility whether you store your files on premises or in the cloud. Understanding your legislative obligations is critical in technology decisions. Verify your security protocols and processes for each of your use cases, including access control, metadata residency and key management.

General best practices
• Keep your software up to date
• Educate your employees
• Implement formal security policies
• Practice your incident response plan

Security Checklist:
• Is the hardware under your control? Hardware Checklist
• Where does your data go? Network Checklist
• Where does your data live? Storage Checklist
• Who uses your data? Users & Admin Checklist
• Does it all work together? Integration Checklist

5.3.1 Hardware Checklist
Security starts with the hardware. If you give up control to a third party, you need to confirm that security standards are being met, both your own standards and those of the governing legislation. Further, you must be certain that the service level agreements with your users will be maintained. Ultimately, you need to be able to prove at any time who has had access to your servers and why. Be sure to read the fine print, ask for proof, and visit the facilities if you can. Do whatever you would do to certify a new facility on your own premises. In each member country of the EU, you remain ultimately responsible for data security, even if the data is hosted and stored on third-party hardware.

• Where does your hardware reside, and who has access?
• How is physical access granted and revoked?
• Who has administrative access, and how is it managed?
• How is access controlled, audited and logged?
• How do your governance policies line up?
• What data sovereignty laws are you subject to?
• How is the hardware backed up, patched and updated?

5.3.2 Network Checklist
Network questions are similar to the hardware issues, but even more complex.
One little understood issue is the CDN (content delivery network). It is entirely possible that a CDN is part of a chain that ends with an unencrypted copy of a file at a third-party data centre, and then you have to ask the same set of questions all over again. Find out, through the entire chain of CDNs, whether there could be unencrypted access at any point. Network monitoring should provide the answers required to meet compliance requirements. Remember: you can be at risk even if no breach has occurred; not knowing can be enough to get you in trouble.

• Where are the endpoints, and who has access?
• Where do your files go when in transit and how are they protected?
• What happens in a DR / failover situation?
• Is the network in compliance with your policies?
• How do you know when an intrusion is detected?
• What is listening to / analyzing your traffic?
• Are CDNs in use to accelerate traffic? Which ones?
• Can traffic be encrypted with your CDN?

5.3.3 Storage Checklist
Start with who owns the data. Some user licence agreements make the service provider the owner of the data, which means they are obliged to turn it over if a government asks for it. Some data sovereignty legislation puts the risk on you, even if your data is hosted with a third party. Know your rights and your risks. Then there are the technical issues. Some cloud vendors access files for scanning and deduplication, which may be unlawful in certain countries and jurisdictions for certain types of files. Make sure key management is tightly controlled. And be careful about deletions: it is possible that some files are not truly deleted, or that components of files are left behind during deduplication, which could still leave you in breach.

• Where are files stored, and who has access?
• Are files being scanned when they arrive?
• What sort of retention and tracking are in use?
• What if you want your files back?
• What if the government asks for your data?
• How is encryption handled? Who has the keys?
• What happens when you delete your files? De-dupe?

5.3.4 Users & Admin Checklist
You need access to user logs and the ability to incorporate them into your own tools. If you depend on the service provider to supply them, remember that their failure could be your failure in an audit. Also be sure that you are in control of your keys, as this may determine who is ultimately in control of your data.

• How are users provisioned, authenticated? SSO?
• How are admins trained, screened and monitored?
• Do admins follow your policies, or theirs?
• How are users tracked and audited?
• What sort of user logs are available to set alerts?
• Can users or admins circumvent your IT policies?
• How are user keys maintained? Restored? Who has access to them?

5.3.5 Integration Checklist
Your IT organisation may have spent years building out an organisation and structure that meets regulatory requirements, retention policies, deletion processes and your own high standards.
Further, there will always be data that you cannot let out, so there will always be a separation between the cloud service and what you are doing internally. Understanding how you can support future requirements will help you make the best decision for your organisation today.
• Are your governance policies followed?
• Must you expose files to the cloud to access them?
• How do you leverage existing IT investments?
• How can you leverage existing IT tools and procedures?
• What databases can be used for your data?
• What storage can you work with for your files?
• Is this another silo of data you have to manage?
• How can you support future requirements?

5.3.6 Regulatory Checklist
Can you prove you are in control? If so, you are in good shape. If not, it is probably time to re-evaluate.
Regulations are all about knowledge and control. Loss of control at any given time on a given file could be a problem in an audit, and real trouble in the event of a breach. Regulatory compliance comes in many forms, and you need to be aware of how laws outside of your own country may impact your company’s data privacy. An example of this has to do with subsidiaries of US corporations. Regardless of where a company’s office is outside of the US, if the company owning the subsidiary is a US company, the US PATRIOT Act can be invoked and personal data may be at risk.

• Do you know who is responsible for securing your sensitive data?
• Are you a multinational organization, playing by different rules?
• Does your provider comply with your regulations?
• Is your provider a wholly-owned subsidiary of a US corporation?
• Is your provider EU Data Protection Directive/BDSG/PRISM/FISA/etc. proof?
• Do you own the files stored with your provider?
• Are you able to comply with data protection laws?
• Can you prove you are in control of your data?

  6. General Data Protection Regulation (GDPR)
    6.1 Rules and Checklist
    The following checklist describes, for each right, the action to take, the next steps within the implementation of a software system, the person or role responsible and accountable for the activity, and the single tasks. See: GDPR Checklist file

  2. THE RIGHT TO BE INFORMED
    This is full disclosure during the onboarding process of an application and/or on the website. Provide privacy information to users when you collect their data:
    • what data is collected and how you collect it
    • how it is used
    • where it is located (spreadsheets, emails, databases)
    • your retention periods for that personal data
    • who it will be shared with (third parties); this information should also be displayed on the company website
    • how to communicate your privacy notice: using layering, dashboards or just-in-time notices
    • user testing is a good way to get feedback on how effective the delivery of your privacy information is
    • give customers control of their data; logging out should be as easy as logging in
    Breach notifications must be made to the supervisory authority within 72 hours of first becoming aware of the breach, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them.
    • Put procedures in place to effectively detect, report and investigate a personal data breach

  3. THE RIGHT OF ACCESS
    • your customers have the right to access their data
    • it has to be enabled through a business process
    • the request must be satisfied within one month of receipt

  4. THE RIGHT TO RECTIFICATION
    • your customer has the right to correct information that they believe is inaccurate
    • define a policy for how to record the requests you receive and how to respond within a month
    • define a process for how to rectify the data

  5. THE RIGHT TO ERASURE
    • you must provide your customer with the right to be forgotten
    • define a policy for how to record the requests you receive and how to respond within a month
    • define a process for how to erase the data, including informing the third parties you have shared it with so that they erase their copies

  6. THE RIGHT TO RESTRICTION OF PROCESSING
    • individuals have the right to request the restriction or suppression of their personal data, for example where they contest its accuracy
    • this is not an absolute right and only applies in certain circumstances
    • when processing is restricted, you are permitted to store the personal data, but not to use it
    • define how to recognise a request for restriction and make sure you understand when the right applies
    • define a process for how to flag the data as restricted and, where accuracy is contested, how to rectify it
    • define a policy for how to record the requests you receive and how to respond within a month

  7. THE RIGHT TO DATA PORTABILITY
    • the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services
    • you need to enable an export of your customers' personal data in a structured, commonly used, machine-readable format (and a human-readable one)
    • it allows customers to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability
    • define a process and the methods for transmitting the personal data to the customer within a month

  8. THE RIGHT TO OBJECT
    • individuals have the right to object to processing based on legitimate interests or the performance of a public task, and an absolute right to object to direct marketing
    • define a process to stop the processing (for direct marketing, without exception), and a policy for how to record the requests you receive and how to respond within a month

  9. THE RIGHT REGARDING AUTOMATED DECISION MAKING
    Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data.
    • your customer has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them
    • carry out a data protection impact assessment (DPIA) to consider and address the risks before you start any new automated decision-making or profiling
    • tell your customers about the profiling and automated decision-making you carry out, what information you use to create the profiles and where you get this information from
    • use anonymised data in your profiling activities wherever possible
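The rights above are business processes, but each one ends in a concrete operation on a record store, and the one-month and 72-hour clocks are easy to get wrong. The following Python module is an added example written for this edit; it is not code from the original guide or from any product it cites. It implements the access/portability export, rectification, restriction, erasure and an audit trail on a constructed in-memory store, plus the two deadline calculations. The record layout, the `u-1001` style identifiers and the in-memory dict are assumptions for illustration; a real system would sit on a database behind an identity-verified request channel.

```python
"""Added example, not part of the original guide: a minimal data-subject
request (DSR) handler for the rights listed in 6.1.

Assumptions for illustration: an in-memory dict is the record store, each
data subject has one identifier, and the field names are those of the
constructed sample below. A real system sits on a database behind an
identity-verified request channel.
"""
import calendar
import json
from datetime import datetime, timedelta

# Constructed sample records (fictitious people, illustrative field names).
SAMPLE_RECORDS = {
    "u-1001": {"name": "A. Example", "email": "a@example.invalid", "city": "Turin"},
    "u-1002": {"name": "B. Example", "email": "b@example.invalid", "city": "Dublin"},
}

BREACH_NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33: notify the authority within 72 h


class ProcessingRestricted(Exception):
    """Raised when ordinary processing is attempted on a restricted record."""


class PersonalDataStore:
    """Record store exposing the data-subject operations from the checklist.

    Every operation is appended to an audit trail, so the organisation can
    show when (and whether) a request was honoured: the accountability principle.
    """

    def __init__(self, records=None):
        self.records = {k: dict(v) for k, v in (records or SAMPLE_RECORDS).items()}
        self.restricted = set()
        self.audit = []

    def _log(self, subject_id, action):
        self.audit.append((subject_id, action))

    # Right of access and data portability: a structured, machine-readable
    # copy. Indented JSON is also human-readable, covering both requirements.
    # Restriction does not block this: handing the subject their own data is
    # not the "use" that restriction forbids.
    def export(self, subject_id):
        self._log(subject_id, "export")
        payload = {"subject_id": subject_id, "data": self.records[subject_id]}
        return json.dumps(payload, indent=2, sort_keys=True)

    # Right to rectification.
    def rectify(self, subject_id, field_name, value):
        self.records[subject_id][field_name] = value
        self._log(subject_id, f"rectify:{field_name}")

    # Right to restriction: the record stays stored, ordinary use is refused.
    def restrict(self, subject_id):
        self.restricted.add(subject_id)
        self._log(subject_id, "restrict")

    def use_for_processing(self, subject_id):
        """Ordinary business processing; must fail while the record is restricted."""
        if subject_id in self.restricted:
            raise ProcessingRestricted(subject_id)
        self._log(subject_id, "process")
        return self.records[subject_id]

    # Right to erasure. Returns True once the record is gone.
    def erase(self, subject_id):
        self.records.pop(subject_id, None)
        self.restricted.discard(subject_id)
        self._log(subject_id, "erase")
        return subject_id not in self.records


def _as_datetime(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def dsr_due(received):
    """Latest reply time for a DSR: one calendar month after receipt (Art. 12(3)).

    If the following month is shorter (31 Jan -> 28/29 Feb) the deadline is
    its last day. `received` is a datetime or an ISO 8601 string.
    """
    received = _as_datetime(received)
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return received.replace(year=year, month=month, day=min(received.day, last_day))


def breach_notification_due(aware_at):
    """Deadline for notifying the supervisory authority, counted from awareness."""
    return _as_datetime(aware_at) + BREACH_NOTIFY_WINDOW


if __name__ == "__main__":
    store = PersonalDataStore()
    store.restrict("u-1002")
    try:
        store.use_for_processing("u-1002")
    except ProcessingRestricted as exc:
        print("processing blocked for", exc)
    print(store.export("u-1001"))
    print("DSR reply due:", dsr_due("2018-05-25T09:00"))
    print("audit trail:", store.audit)
```

The design choice worth copying is that restriction is enforced in the data-access path (`use_for_processing` raises), not left to a flag that application code is trusted to check, and that the audit trail is written by the store itself so the one-month clock can be evidenced from the log rather than reconstructed from tickets.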

6.2 Rules within different countries

(25) Organisations which have EU sales offices that promote or sell advertising or marketing targeting EU residents will likely be subject to the GDPR, since the associated processing of personal data is considered to be "inextricably linked" to, and thus carried out "in the context of the activities of", those EU establishments (Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12)) (20).
Non-EU "established" organisations that target or monitor EU data subjects:
Non-EU established organisations will be subject to the GDPR where they process personal data about EU data subjects in connection with:
• the "offering of goods or services" (payment is not required); or
• "monitoring" their behaviour within the EU.
• For offering of goods and services (but not monitoring), mere accessibility of a site from within the EU is not sufficient. It must be apparent that the organisation "envisages" that activities will be directed to EU data subjects.
• Contact addresses accessible from the EU and the use of a language used in the controller's own country are also not sufficient. However, the use of an EU language or currency, the ability to place orders in that other language, and references to EU users or customers will be relevant.

It is not clear whether non-EU organizations offering goods and services to EU businesses (as opposed to individuals) will fall within the scope of the “offering goods and services” test in article 3(2)(a).
“Monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to take decisions to analyze/predict personal preferences, behaviors and attitudes.
Organizations subject to the GDPR’s long-arm jurisdictional reach must appoint an EU-based representative. Under the Data Protection Directive, organizations targeting EU data subjects only had to comply with EU rules if they also made use of “equipment” in the EU to process personal data. This led national supervisory authorities, who were seeking to assert jurisdiction, to develop arguments that the placing of cookies, or requesting users to fill in forms, would amount to the use of “equipment” in the EU. It will now be easier to demonstrate that EU law applies. (Although, where organizations have no EU presence, enforcement may be just as difficult as before).

6.3 Regulation versus national law
(26) As a Regulation, the GDPR is directly effective in Member States without the need for implementing legislation. However, on numerous occasions the GDPR does allow Member States to legislate on data protection matters. This includes occasions where the processing of personal data is required to comply with a legal obligation, relates to a public interest task, or is carried out by a body with official authority. Numerous articles also state that their provisions may be further specified or restricted by Member State law. Processing of employee data is another significant area where Member States may take divergent approaches. Organisations working in sectors where special rules often apply (e.g. health and financial services) should:

  1. consider whether they would benefit from such "special rules", which would particularise or liberalise the GDPR; and
  2. advocate for them accordingly. They should also watch for Member States seeking to introduce "special rules" which may prove restrictive or inconsistent across Member States.

National data protection authorities will continue to exist.
• They must co-operate together and with the European Commission and monitor the application of the GDPR.
• They must act independently.
• Members of supervisory authorities must be appointed in a publicly transparent way and be skilled in data protection

6.4 GDPR as value proposition

Although it can be challenging to comply with the GDPR, it brings new habits and positive effects for an organisation's internal users and external customers.

  1. Improved data consistency: users are more conscious of the data they want to provide and will understand the value of their data ("If you're not paying for the product, you are the product"). Consumers will soon realise that businesses see their data as a capital asset.
  2. The GDPR mandates that user data is portable. If consumers want to switch service providers, all they have to do is ask you for a copy of their data in a portable format, which they can then pass on to their new provider.
  3. Collecting data on an opt-in basis means that the data collected belongs to the target segment interested in your product or service: no "spray and pray" effect.
  4. The need for GDPR compliance forces a wiser allocation of budget.
  5. The GDPR forces organisations to embrace data privacy as part of their corporate identity and competitive advantage.
  6. Under the GDPR, businesses that want to be competitive will have to give consumers more options, possibly with varying combinations of pricing and data sharing. The winners will be the ones that give consumers the most value from the exchange.

6.5 GDPR action plan

In order to create a self-regulatory framework:

  1. Awareness: send a communication within your organisation with the related GDPR implementation information attached and the next steps.

  2. Data audit
    • Create a document describing how user data is collected, stored, processed, deleted, transferred and disclosed through your IT system/platform/application and infrastructure.

  3. Data privacy checklist (5.2)

  4. GDPR rules and business process creation
    • Go through the eight individual rights (6.1). Following the checklists, identify:
    • the list of tasks to do
    • the related business processes
    • who is responsible and who is accountable

  5. Security audit (5.3)
    • On IT systems and infrastructure:
    • Hardware checklist
    • Network checklist
    • Storage checklist
    • Users & admin checklist
    • Integration checklist
    • Regulatory checklist

  6. Data protection checklist (5.1)
    • Review the data protection checklist and see what applies to your infrastructure and IT system.

  7. Risk assessment
    Create a risk register spreadsheet with the following fields:
    • Risk ID
    • Risk description
    • Impact
    • Risk level
    • Risk owner
    • Risk response

References
1 Data protection, privacy and cybersecurity – http://www.nortonrosefulbright.com/uk/our-services/technology-and-innovation/data-protection-privacy-and-cybersecurity/
2 GDPR website - https://www.eugdpr.org/the-regulation.html
3 The Very Strong Business Case for Complying - https://www.entrepreneur.com/article/313221
4 Preparing for the General Data Protection Regulation (GDPR) 12 - https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
5 Preparing for the General Data Protection Regulation (GDPR) 12 - https://buff.ly/2BTowip
6 General Data Protection Regulation (GDPR) - https://gdpr-info.eu/
https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
7 Privacy by design - https://gdpr-info.eu/issues/privacy-by-design/
8 Privacy by design - https://en.wikipedia.org/wiki/Privacy_by_design
9 Privacy by Design Centre of Excellence (also videos): The Seven Foundational Principles
https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design/
10 Security by design- https://www.logicworks.com/blog/2017/01/what-is-security-by-design/
11 Security by Design Principles: https://www.owasp.org/index.php/Security_by_Design_Principles
12 Guide to general GDPR\Legacy Systems\bird--bird--guide-to-the-general-data-protection- regulation.pdf
13 GDPR Compliance Guide - Blinking Team - https://medium.com/blinking/gdpr-compliance-guide-2071bbed2558
14 Individual rights - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation- gdpr/individual-rights/
15 GDPR Compliance: The Information & Insights You Need -https://www.isaca.org/info/gdpr/index.html
16 GDPR’s Impact in Hospitality, Incorporating NIST Cybersecurity Framework Concepts - http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=968&_rsc=31b743cc-b231-4d19-bda4-4bcc642f1906
17 All data type from Michigan University -https://www.safecomputing.umich.edu/dataguide/?q=all-data
18 The blinding identity taxonomy initiative https://dativa.com/blinding-identity-taxonomy/
19 Making risk management work https://www.projectmanagement.com/blog- post/19611/Making-risk-management-work---the-final-step
20 Cross-border issues under EU data protection law with regards to personal data protection https://www.tandfonline.com/doi/full/10.1080/13600834.2017.1330740
21 PSD2 and GDPR
https://www2.deloitte.com/lu/en/pages/banking-and-securities/articles/psd2-gdpr-friends-or-foes.html
22 Lawful basis for processing
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
23 Data protection impact assessments
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
24 Why is consent important?
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/why-is-consent-important/
25 Guide to the General Data Protection Regulation
Bird & Bird
https://www.lexology.com/library/detail.aspx?g=fe64fbad-d514-492f-b4b2-2b6b204da0da
26 Regulation versus national law https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/11--guide-to-the-gdpr--material-and-territorial-scope.pdf?la=en
