Privacy - Authorized Process of PII (Personally Identifiable Information)
Process mapping the data and markets.
California Privacy: CCPA

GDPR
Requires a DPO for data controllers and data processors.
An independent position, not swayed by the business, not allowed to be a data controller.
Min tenure 2 years, max up to 5 renewals and 10 years.
Must advise on GDPR rules.
Handle questions and complaints.

Article 24 (data controller)
1. Have measures in place (processes, documentation, audit mechanisms).
2. Understand the data being processed. Why do you have this data?
3. Protect the data; need a policy.
4. Code of Conduct - a written policy, must adhere to Article 40.

Article 28 (data processor)
Implement security measures.
Use of subprocessors (consent must be explicit by the data controller).
Contracts with the controller: whose data is being processed, what the data is, and how it is being used. Use a RACI.
Model Clause (SCC) - addendum used for the measures ...