ACTIONABLE CHEATSHEET FOR GDPR COMPLIANCE
CyberStratG: A Game of Cyber Strategy, with an adaptation available for GDPR.

Area: Data Governance
GDPR Article(s): 5, 27, 37-39
Action Points:
- Have a documented Privacy Governance Model with clear roles, responsibilities and reporting lines, to embed privacy compliance into the organization's operating model.
- Consider whether a statutory DPO is required.
- If the organization has no EU presence, appoint a local representative.
- Develop and roll out training across all staff.
- Check insurance coverage and consider whether it needs to be updated in light of the higher fines and penalties under the GDPR.
Description of GDPR Requirement:
One of the key principles of the GDPR is to ensure that organizations place data governance at the heart of what they do. As a result, the GDPR introduces a number of requirements to ensure that compliance is a core focus for companies. Within the organization, it is important to raise awareness of privacy issues and embed privacy compliance into the mind-set of employees, so that the business is proactive rather than reactive.

Area: Accountability
GDPR Article(s): 5, 24, 25, 30
Action Points:
- Develop a global overarching data protection policy that brings together all underlying related policies, including processes for 'privacy by design' and the creation and maintenance of a record of processing activities.
- Integrate privacy compliance into the audit framework.
Description of GDPR Requirement:
One of the key concerns emphasized in the GDPR is the requirement for organizations to hold documentation that demonstrates how they comply with the GDPR. Compliance should be integrated within the existing audit framework to ensure that policies, processes and controls are working.

Area: Fair Processing & Consent
GDPR Article(s): 5, 6, 7, 9, 10, 85-91
Action Points:
- Review the existing grounds for lawful processing and confirm that they will still be sufficient under the GDPR (e.g. can you still rely on consent given the new requirements?).
- Consider whether your organization processes any sensitive personal data and ensure the requirements for processing such data are satisfied.
- Where consent is relied upon as the ground for processing personal data, review existing consents to ensure they meet the GDPR requirements; if they do not, implement a process to seek new consents.
- Ensure systems can accommodate withdrawal of consent.
Description of GDPR Requirement:
To lawfully process personal data, one of the conditions for processing set out in the GDPR must be satisfied. While the grounds for processing are broadly the same as those set out in the current Data Privacy Directive, the GDPR imposes new requirements for obtaining valid consent. Consent can be withdrawn at any time, and systems must be able to handle withdrawal requests. Under the GDPR, privacy notices must state the processing ground relied upon and, if relying on legitimate interests, the nature of the legitimate interest. Consider whether the specific requirements relating to consent from children apply to your organization (see Children).

Area: Notices / Vetting - HR
GDPR Article(s): 10, 12-14
Action Points:
- Review and update, where necessary, employee notices to be GDPR compliant.
- If you currently conduct criminal records checks, review national laws to ensure you can continue to do so.
Description of GDPR Requirement:
There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Employees must be adequately informed of all data processing activities and data transfers, and the information set out in Articles 13 and 14 must be provided. Criminal records can no longer be processed unless authorized by member state law.

Area: Notices - Customers
GDPR Article(s): 12-14
Action Points:
- Review and update, where necessary, customer notices to be GDPR compliant.
- Consider whether your notices have to accommodate "child-friendly" requirements (see Children).
Description of GDPR Requirement:
There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Customers must be adequately informed of all data processing activities and data transfers, and the information set out in Articles 13 and 14 must be provided. Notices must also comply with the new consent requirements where consent is relied upon as the lawful ground for processing.

Area: Children
GDPR Article(s): 8, 12
Action Points:
- Identify whether you process personal data of children.
- Seek local counsel's advice regarding applicable local law restrictions, codes and guidance.
- If data relating to a child will be processed, ensure that notices directed at that child are "child-friendly" and, if consent is relied upon, that you have implemented a mechanism to seek parental consent.
- Consider alternative protections, e.g. age-gating.
Description of GDPR Requirement:
The GDPR requires parental consent for the processing of data related to information society services offered to a "child" (ranging from 13 to 16 years old depending on the member state). The GDPR leaves a lot to the discretion of the member states as to how children must be treated under this provision.

Area: Data Subject Rights and Procedures
GDPR Article(s): 16, 17, 18, 19, 20, 21, 22, 23
Action Points:
- Update the data privacy policy and internal processes for dealing with requests.
- Ensure technical and operational processes are in place so that data subjects' rights can be met, e.g. the right to be forgotten, data portability and the right to object (see Governance and Accountability).
Description of GDPR Requirement:
Data subjects are given more extensive rights under the GDPR. The current rights to request access to data or to require it to be rectified or deleted have been expanded to include a much broader right to require deletion ("the right to be forgotten") and a right not just to access your data but to have it provided to you in a machine-readable format ("data portability"). Versions of the existing right to object to processing undertaken on the basis of legitimate interests or for direct marketing, and the right not to be subject to a decision based on automated processing, are also included and expressly include a right to object to profiling. These rights must be clearly communicated in the notices given to data subjects, e.g. the privacy policy.

Area: Record of Processing
GDPR Article(s): 30
Action Points:
- Identify all data processed in a detailed Record of Processing.
- Implement and maintain processes for updating and maintaining the Record of Processing.
Description of GDPR Requirement:
The GDPR requires organizations to maintain a detailed record of all processing activities, including the purposes of processing, a description of the categories of data, security measures, a comprehensive data flow map, etc. A number of stakeholders will need to be involved in creating and maintaining this record.

Area: Privacy by Design and Default
GDPR Article(s): 25, 35, 36
Action Points:
- Ensure processes are in place to embed privacy by design into projects (e.g. technical and organizational measures are in place to ensure data minimization, purpose limitation and security).
- Put in place a privacy impact assessment protocol.
Description of GDPR Requirement:
In keeping with the GDPR's objective of bringing privacy considerations to the forefront of organizations' decision making, the GDPR requires data protection requirements to be considered when new technologies are designed or onboarded, or when new projects using data are being considered. Privacy impact assessments should be used to ensure compliance; they are required for projects that involve large-scale processing of sensitive personal data or criminal convictions, monitoring of a public area, or systematic and extensive evaluation by automated means, including profiling.

Area: Compliant Contracting and Procurement
GDPR Article(s): N/A
Action Points:
- Develop compliant contract wording for customer agreements and third-party vendor agreements.
- Identify all contracts that require the relevant contract wording, prioritize them and develop a process for amending them.
- Ensure the procurement process has controls to ensure privacy by design (e.g. security diligence, data minimization, visibility of onward data flows).
Description of GDPR Requirement:
Procurement processes and vendor contracts will need to be updated to reflect the new GDPR requirements and to flow down the obligations that must be complied with by parties processing European personal data on your behalf.

Area: Data Breach Procedures
GDPR Article(s): 32-34
Action Points:
- Review and update (or develop, where none exists) the Data Breach Response Plan.
- Review insurance coverage for data breaches and consider whether it needs to be updated in light of the higher fines and penalties under the GDPR.
- Review liability provisions in agreements for breaches caused by service providers and other partners.
Description of GDPR Requirement:
The GDPR introduces a new data breach notification regime. The process requires organizations to act quickly, mitigate losses and, where mandatory notification thresholds are met, notify regulators and affected data subjects.

Area: Data Export
GDPR Article(s): 44-50
Action Points:
- Identify all cross-border data flows and review data export mechanisms.
- Update cross-border mechanisms if necessary.
Description of GDPR Requirement:
The GDPR only permits exports of data to an organization's group entities and third-party vendors outside the European Economic Area if the country in which the recipient of the data is established offers an adequate level of protection.

Legend for the functions that might need to be involved during GDPR implementation.