Privacy

 

Privacy - Authorized Process of PII (Personally Identifiable Information)

Process mapping the data and markets.

California Privacy CCPA

GDPR 

Requires a DPO for data controllers and data processors. An independent position, not swayed by the business, not allowed to be a data controller.

Min tenure 2 years max up to 5 renewals and 10 years.

Must advise to GDPR rules

Handle questions and complaints

Article 24 of a data controller

1. Have measures in place (processes, documentations, audit mechanisms)

2. Understand the data being process. Why do you have this data.

3. Protect the data, need a policy

4. Code of Conduct - a written policy, must adhere to Article 40.

Article 28 of a data processor 

Implement Security Measures

Use of subprocessors (consent must be explicit by the data controller)

contracts with the controller, who's data is being processed, what is the data, and how is is being used. use a RACI. 

Model Clause (SCC) - addendum used for the measures 

Only process in scope data, and have logs

Having a runbook - a routine of procedures of system. Security and Access controls, system configuration, operational tasks. process flow, RTO timelines. 

PIA - Privacy Impact Assessment analyzes how PII information is used. 

DPIA - Data Protection Impact Assessment - must be conducted if a high risk process could impacts an individuals rights. e.g. automated decisions. Outlines mitigation, assess potential threat area.


Basis - lawful basis, justified by the law in place. GDPR has 6 rules.

1. Consent

2. Contractual Necessity

3. Compliance with Legal Obligations

4. Protect Vital Interests of Data Subjects

5. Legitimate Interest

6. Public Interest

Article 35 - execute an impact analysis of the data (PIA)

    Tagging using classifications of data (public, internal, restricted, secret).

    Data Collection Lifecycle

    Data Mapping - Heatmaps

Data in Transmit - TLS 

NIST 800 53 Information Security

Certifications for Privacy: FedRamp, ISO

Data Inventory / Catalog - for Automated Data Deletion





Comments

Post a Comment

Popular posts from this blog

GDPR Online Privacy Notice

A GDPR (General Data Protection Regulation) online privacy notice, also known as a privacy policy or data protection policy, should include certain components to ensure compliance with the GDPR requirements. While the specific content may vary depending on the organization and its data processing activities, here are the key components typically found in a GDPR online privacy notice: 1. Introduction: Provide an introduction to the privacy notice, explaining its purpose and scope. 2. Data Controller Information: Clearly state the identity and contact details of the data controller, which is the organization responsible for determining the purposes and means of processing personal data. 3. Data Protection Officer (DPO) Information (if applicable): If your organization is required to appoint a Data Protection Officer under the GDPR, provide their contact details. 4. Types of Personal Data Collected: Explain the types of personal data you collect, such as names, email addresses, or financi...
Read more

Business Continuity Policy

A business continuity policy outlines an organization's approach to ensuring the continued operation of critical business functions during disruptive events. While the specific components may vary depending on the organization and industry, here are some key elements typically included in a business continuity policy: 1. Policy Statement: Begin the policy with a clear and concise statement that demonstrates the organization's commitment to maintaining business continuity and resilience. 2. Objectives: Define the objectives of the business continuity policy, such as minimizing disruption, protecting critical assets, ensuring employee safety, and maintaining customer service. 3. Scope: Clearly define the scope of the policy, specifying the departments, functions, and processes to which it applies. 4. Roles and Responsibilities: Identify the roles and responsibilities of key individuals involved in implementing and managing the business continuity program, including the business c...
Read more

Business Continuity Plans

What are the components of a business continuity plan? A business continuity plan typically includes the following components: Risk assessment: An evaluation of the potential risks and threats to the business, including natural disasters, cyberattacks, and pandemics. Business impact analysis: An analysis of the potential impact of various risks on the business, including financial loss, operational disruption, and reputational damage. Emergency response procedures: Detailed instructions for responding to a crisis, including procedures for activating the plan, communicating with stakeholders, and managing critical functions. Alternate site arrangements: Plans for relocating critical operations to an alternate site, if necessary. Data backup and recovery: Procedures for backing up and recovering critical data, including financial records, customer information, and operational databases. Personnel and resource allocation: Plans for assigning responsibilities and allocating resources, incl...
Read more