Tag archive: "guidance"

Data breach GDPR case study

The business has grown substantially over a number of years, and now has a number of different business units providing different services. Some of that growth has been through acquisitions.

There are a number of policies which impact on information security in place across the business. The business takes payment online via credit and debit card, but considers that it has appropriate security measures in place, and is working towards PCI-DSS certification. The growth of the business has resulted in fragmentation of databases across multiple servers, and the business has recently sought to move to a cloud solution. Multiple third parties have access to certain data through APIs.

Source: Global Data Hub

Is a Service Provider’s Privacy Shield Certification Good Enough?

The GDPR imposes two requirements when a company (referred to in the GDPR as a “data controller”) uses a service provider (referred to in the GDPR as a “data processor”).

The first requirement is that if a data controller is based in the EEA and is transferring personal data to a processor that is based outside of the EEA, the parties must take steps to ensure that the jurisdiction in which the data is going affords the data “an adequate level of protection.” When the GDPR refers to an “adequate level of protection” it is not talking about the security of the data. Instead, it is referring to the protections afforded by the laws of the country to which the data will be transferred.

Source: Bryan Cave – GDPR: The Most Frequently Asked Questions: Is a Service Provider’s Privacy Shield Certification Good Enough?

Data protection impact assessments and data protection by default and by design

In 2016, the Westin Research Center published a series of articles presenting its analysis of the top 10 operational impacts of the European Union's General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that its members report they are undertaking in anticipation of GDPR implementation.

This fourth installment in the 10-part series addresses privacy risk analysis, including, importantly, formalized risk management processes such as data protection impact assessments (known as DPIAs), as well as the newly legislated principles of data protection by default and by design.

Source: Top 10 Operational Responses to the GDPR – Part 4: Data protection impact assessments and data protection by default and by design

Are the Standard Contractual Clauses Enough?

The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Source: Bryan Cave – GDPR: The Most Frequently Asked Questions: Are the Standard Contractual Clauses Enough?

Guidelines on Processing of Personal Data in Third Countries Under GDPR

Germany's Federal Association for Information Technology, Telecommunications and New Media (Bitkom) has published its guidance on data transfers to third countries under the General Data Protection Regulation (GDPR). The guidelines aim to give practical assistance for day-to-day use when transferring data. After a brief description of the legal framework for data transfers, they explain data processing in third countries with an adequate level of data protection and in third countries without one. The different constellations are illustrated with a short case study. The guide also addresses data transfers within a corporate group. Finally, it provides supplementary materials, links and references.


Australia’s DPA releases data breach response

The Office of the Australian Information Commissioner (OAIC) has prepared this guide to help Australian Government agencies and private sector organisations (entities) prepare for and respond to data breaches in line with their obligations under the Privacy Act 1988 (Cth) (Privacy Act).

The guide is in five parts:

  1. Data breaches and the Australian Privacy Act
  2. Preparing a data breach response plan
  3. Responding to data breaches — Four key steps
  4. Notifiable Data Breaches
  5. Other sources of information


Source: Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)| Office of the Australian Information Commissioner – OAIC

GDPR: Five questions marketers must answer before May

As every marketer should be well aware, the new EU General Data Protection Regulation will be in force from 25 May – just over three months from now.

Marketers have had plenty of warnings about the penalties for breaching GDPR, and plenty of optimistic reassurances about the opportunity for improving customer relationships. But what are the most important things they actually have to do to ensure their use of personally identifiable information is within the law?

Source: GDPR: Five questions marketers must answer before May

GDPR: How to build and maintain a data governance system

While data mapping and inventory, and establishing a lawful basis for processing, are logically the first two steps on the road to GDPR compliance, these activities require coordination among many people throughout the organization, and that coordination needs to be performed by at least one person who is both knowledgeable about the GDPR and capable of project management. Whether that person's title is DPO or not will depend on additional analysis of the relevant GDPR provisions.

Source: Top 10 Operational Responses to the GDPR – Part 3: Build and maintain a data governance system

French DPA publishes guidelines on connected vehicles

The compliance package was developed in consultation with stakeholders from the automobile sector, businesses in the insurance and telecoms sectors, and public authorities, in order to serve as a sector-specific reference framework and to ensure that car users enjoy transparency and control in relation to their data.

Source: Connected vehicles: a compliance package for a responsible use of data

GDPR applicability to processors

The applicability rules of the GDPR now also cover processors. The reason for this inclusion is that the GDPR imposes direct obligations on processors (especially security obligations), which should be triggered independently of whether or not the GDPR applies to the controller.

Source: GDPR Conundrums: The GDPR applicability regime — Part 2: Processors
