GDPR Compliance Evidence
This is important.
1. The General Data Protection Regulation (GDPR) is a legal obligation on every company. The ICO may demand evidence of compliance and may find the company guilty until the company can provide evidence to the contrary. Conformance is not a one-off project but a continuing improvement procedure that shall be reviewed and refined into the future.
2. GDPR may be focused only on personal data in 2018, but privacy obligations shall include all business data in the future - GDPR is the seed of something that is much more important.
3. PECR and other UK laws are critical to the business and must be fully complied with.
Glossary
"GDPR" means General Data Protection Regulation, with reference to its articles as UK law - this is not an option.
"ICO" means Information Commissioner's Office, the UK body that enforces compliance with GDPR by companies.
"BAS" means the Bespoke Application Service belonging to the Owner as the "controller" and operated by the Application Service Provider (ASP) as the "processor".
"Data Subject" means a person, including staff, customer contacts, supplier contacts and business associates, whose information is held in the Bespoke Application Service, personal emails, local computer files and paper documents.
"PII" means Personally Identifiable Information: any data that can identify a specific data subject.
"CSA" means Cloud Security Alliance, the ASP trade association with its own code of conduct.
"PARED" means Pseudonymised and Replicated Encrypted Data, like block-chain, that is used to protect all data from loss or theft.
"ASP" means Application Service Provider, known as the processor in this document, which is a member of the Cloud Security Alliance (CSA) with its Code of Conduct.
"DPO" means Data Protection Officer, who reports to the ASP Board and whose essential services are part of the Bespoke Application Service.
"DPIA" means Data Protection Impact Assessment, which is shared with the ICO to demonstrate compliance with GDPR.
Data Protection Application Services
1. "DPAS" means Data Protection Application Services, which provide the facilities necessary to comply with the legal obligations imposed by GDPR. It may not be practical for a company without all these application service facilities to comply with UK laws.
2. DPAS-PNA is the public Privacy Notice Application (PNA), with extensions to inform the data subject (and ICO) of their rights and the purpose for which personal data is used.
3. DPAS-CUA is the public Contact Us Application (CUA) for data subjects to send messages to the controller, processor, DPO and other roles.
4. DPAS-DWA is a private Digital Wallet Application (DWA) for data subjects to sign in with their unique access code and process their PII.
5. DPAS-DDA is a private Data Dictionary Application (DDA) providing an inventory, data gathering and catalogue facility for the ASP DPO to document all relevant data that may be shared with the ICO.
5. Data Dictionary Application
1. Article 5 imposes a legal obligation to deploy a DPAS-DDA Data Dictionary Application to catalogue and categorise all data with reference to:-
   (1) Article 5(1a): Lawfulness, Fairness and Transparency.
   (2) Article 5(1b): Single Purpose Limitation.
   (3) Article 5(1c): Data Minimisation as adequate, relevant and limited to what is necessary.
   (4) Article 5(1d): Accurate, with documented processes to keep it up to date.
   (5) Article 5(1e): Storage Limitation, to be kept no longer than is necessary.
   (6) Article 5(1f): Integrity and Confidentiality with adequate security.
2. The processor must be able to demonstrate compliance to the controller and the ICO with regard to these GDPR Article 5 legal obligations.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and view this data dictionary of personal data processed.
5. Adequate Security
1. Article 5(1f) imposes an obligation of "adequate security" that must be documented as:-
   (1) Information must be protected from theft.
   (2) Information must be protected from loss or damage (corruption).
   (3) Information must be protected from unlawful or unauthorised processing or access.
2. A data breach is reportable when any of these protection obligations fails for any reason, so security measures include:-
   (1) Theft is eliminated by encryption that causes the information to be meaningless and worthless to a criminal.
   (2) Loss is eliminated by replication to a large number of secure data centers.
   (3) Unauthorised access is eliminated by continually monitored authentication using ten or more factors.
7. Consent
1. Article 7 imposes an obligation of "consent" by a data subject that their data may be processed. When a data subject provides personal data, that data subject shall be asked to confirm that they grant consent for their personal data to be processed and shall be told that they may withdraw consent at any time.
   (1) Add new customer form: Has the person granted "consent" for this personal data to be processed?
   (2) Change customer form: Has the person withdrawn "consent" for this personal data to be processed?
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and withdraw consent to have their personal data processed.
13. Information to be Provided
1. Article 13 imposes an obligation to share certain information with a data subject when they consent to have their personal data processed, as:-
   (1) Article 13(1a): The identity and contact details of the controller. This is deployed with an online "contact us" facility.
   (2) Article 13(1b): The identity and contact details of the Data Protection Officer (DPO). This is deployed with an online messaging facility for the DPO.
   (3) Article 13(1c): The purpose and legal basis for processing the personal data provided. The business purpose of the data controller is known to both customer contacts and supplier contacts.
   (4) Article 13(1d): The legitimate interests of the controller to process the personal data provided. Personal data is processed where the person has been nominated as the contact person for the customer or supplier.
   (5) Article 13(1e): The recipients approved to process the personal data provided. When the customer or supplier confirms they wish to be a customer or supplier, the customer or supplier is invited to nominate their appointed contact person.
   (6) Article 13(1f): A formal statement that the personal data provided shall not be transferred across national borders.
   (7) Article 13(2a): The time duration that the personal data will be stored, or the criteria used to determine the time duration. In general, business data is stored for seven years after it was last used to ensure that evidence exists for any product-service liability.
   (8) Article 13(2b): The access code to their personal data with the (1) right to access, (2) right to rectification, (3) right to erasure, (4) right to restriction and (5) right to portability. A private digital wallet application is provided to enable any customer or supplier contact person to process their own information. An access code is provided to the person upon request and with evidence of who they are.
   (9) Article 13(2c): The right to withdraw consent at any time. The digital wallet application grants a person the right to view, download, process, change and delete any or all of their information.
   (10) Article 13(2d): The right to lodge a complaint with the ICO. The public contact us application includes a complaint procedure that is managed in a respectful way.
   (11) Article 13(2e): The contractual requirement to provide the personal data and the consequence of not providing any personal data. Customer contact information may need to be shared with suppliers and supplier contact information may need to be shared with customers - that is the nature of brokerage.
   (12) Article 13(2f): The existence of automated decision making such as profiling, credit checks and third party involvement, as well as the consequences of these automated decision making processes. People have the right to restrict such processing. No automated decision making processing is undertaken.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and view how their personal data is processed.
15. Right of Access
1. Article 15 imposes an obligation to share personal data with a data subject. This includes data in all databases, documents, spread-sheets, reports, emails, files stored on local computers and paper files. The information to be shared is:-
   (1) Article 15(1a): The purpose of the processing. This tends to be self evident from the business relationship where the person is a customer contact, a supplier contact or an approved business associate such as an employee or contractor.
   (2) Article 15(1b): The categories of personal data involved. By design, minimisation is used to avoid holding any data that is not essential to the business. Gender has been avoided as it could be used to discriminate. Religion, sports, interests, ethnicity, culture and such data have been avoided.
   (3) Article 15(1c): The recipients to whom personal data will be disclosed and their location. Personal data is only processed by employees and contractors acting as employees of the data controller.
   (4) Article 15(1d): The time duration that the personal data will be stored, or the criteria used to determine that period. Business data is stored for seven years from when the data was last processed, then it is automatically destroyed.
   (5) Article 15(1e): The access code to their personal data with the (1) right to access, (2) right to rectification, (3) right to erasure, (4) right to restriction and (5) right to portability.
   (6) Article 15(1f): The right to lodge a complaint with the ICO.
   (7) Article 15(1g): The origin or source of the personal data.
   (8) Article 15(1h): The existence of automated decision making such as profiling, credit checks and third party involvement, as well as the consequences of these automated decision making processes. People have the right to restrict such processing.
2. Article 15(2) does not apply because personal data shall never be transferred to another country or to another third party.
3. Article 15(3) requires the processor to enable the controller to provide the data subject with a copy of all their personal data.
4. Article 15(4) requires that the copy of data provided under Article 15(3) does not adversely affect the rights and freedoms of others. All references to any other party must be redacted.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and access their personal data.
15b. Search and Retrieval
1. It is a business requirement to be able to search and retrieve every instance of data pertaining to a data subject. This includes all databases, documents, spread-sheets, reports, emails, files stored on local computers and paper files.
2. Article 15 is a very popular transaction that must legally be processed in a reasonable time and without omissions. This implies very high levels of automation to find all instances of information pertaining to a data subject and to make that information available to the data subject.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and view all their personal data and data about them.
16. Right to Rectification
1. Article 16 imposes an obligation to grant a data subject the right to rectify personal data that is inaccurate or not complete. It is a business requirement to keep personal data accurate and up to date.
2. A data subject may add a supplementary statement to their personal data to explain a discrepancy.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and rectify their personal data.
17. Right to Erasure (Right to be Forgotten)
1. Article 17 imposes an obligation to grant a data subject the right to have their personal data erased without undue delay where:-
   (1) Article 17(1a): The personal data is no longer necessary in relation to the purpose for which it was provided.
   (2) Article 17(1b): The data subject withdraws consent for the personal data to be processed.
   (3) Article 17(1c): The data subject objects to their personal data being processed.
   (4) Article 17(1d): The personal data was unlawfully processed.
   (5) Article 17(1e): The personal data is erased in compliance with a legal obligation (court order).
   (6) Article 17(1f): The personal data applied to an offer to a person who is not an adult.
2. Article 17(2) obliges a controller who has made personal data public (lost) to take reasonable steps to inform controllers which are processing the personal data that the data subject has requested erasure of that personal data.
3. Article 17(3) identifies a number of exceptions to paragraphs 1 and 2 above relating to the defence of legal claims.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and erase (change to space) their personal data.
18. Right to Restriction
1. Article 18 imposes an obligation to grant a data subject the right to restrict processing where:-
   (1) Article 18(1a): The accuracy of the personal data is contested by the data subject. This restriction is limited to the time period the controller needs to verify the accuracy of the personal data.
   (2) Article 18(1b): The processing was unlawful and the data subject opposes the erasure of the personal data and requests a restriction on how it is processed in the future.
   (3) Article 18(1c): The controller no longer needs the personal data but it is required for the defence of legal claims.
   (4) Article 18(1d): The data subject has objected to the personal data being processed, but the controller has legitimate grounds that override those of the data subject.
2. Article 18(2) imposes an obligation to only process such personal data for legal purposes.
3. Article 18(3) imposes an obligation to inform the data subject when a restriction is lifted.
* Every data subject record has a "preferred contact method" that may be set to "None" when no processing is permitted for that data subject. When a "preferred contact method" is set to "None" for a data subject, all personal data for that data subject is treated as if it did not exist.
20. Right to Portability
1. Article 20 imposes an obligation to grant a data subject the right to data portability of their personal data.
2. Machine readable formats such as CSV and HTML are permitted, but PDF is not an open source format.
3. Data may be transmitted directly from one controller to another controller, where technically feasible.
4. The right to portability must not adversely affect the rights and freedoms of others.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and download a copy of their personal data.
21. Right to Object
1. Article 21 imposes an obligation to grant a data subject the right to object to the processing of their personal data.
2. Processing will stop unless or until the controller can demonstrate that processing is legitimate and can override the data subject's objections.
3. Where processing involves profiling or direct marketing, the personal data shall no longer be used for those purposes.
4. The data subject must be informed, before their personal data is processed, that they have the right to object.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and object to their personal data being processed.
22. Profiling
1. Article 22 imposes an obligation to grant a data subject the right not to have their personal data used by automated individual decision making, such as profiling, which produces legal effects concerning them.
2. This does not apply where it is necessary for entering into a contract between the data subject and the controller, such as a credit check.
3. This does not apply where UK law has provided suitable measures to safeguard the data subject's rights.
4. This does not apply where it is based on the data subject's explicit consent.
5. The data subject may ask for human intervention or ask for their point of view to be used to contest an automated decision.
* Every data subject has the right to sign in to DPAS-DWA with their unique access code and request that their personal data is not used for profiling.
24. Controller Responsibility
1. The controller must be able to demonstrate compliance with GDPR.
2. The controller may adopt Codes of Conduct that are monitored by a Certification body.
25. Protection By Default
1. Article 25 imposes an obligation to deploy data protection by design and by default. The article specifically identifies pseudonymisation as a recommended protection mechanism to protect the rights of data subjects.
2. Only the personal data that is necessary to be processed should be provided by default. All personal data should not be provided when normal processing is taking place by most approved people.
* Personal data is fragmented into many records and only those records needed by a process are provided. No one process and no one person has access to all personal data for a data subject at any point in time.
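The fragmentation and pseudonymisation described under Article 25 above, together with the subject-wide search of section 15b and the erasure of Article 17, as an added Python example that is not part of the original document or of the Bespoke Application Service: direct identifiers are kept in a separate vault, the working data is split into one record per business purpose under an HMAC pseudonym, each process is handed only its own fragment, and the same pseudonym lets a subject access request gather every fragment or an erasure remove them all. The purpose-to-field map, the sample record, the subject identifier and the `PseudonymisedStore` class are constructed assumptions; the page's PARED replication and encryption layers are not modelled, and an in-memory dict stands in for the store.

```python
import hashlib
import hmac
import secrets

# Constructed, hypothetical purpose-to-field map: each business process is only
# ever handed the fields it needs (Article 5(1c) minimisation, Article 25 by default).
PURPOSE_FIELDS = {
    "invoicing": {"company", "invoice_email"},
    "delivery": {"company", "phone"},
    "support": {"name", "support_email"},
}


class PseudonymisedStore:
    """Toy in-memory store (assumption, not the page's BAS): direct identifiers live in a
    separate vault, and working data is fragmented into one record per purpose."""

    def __init__(self, key: bytes):
        self._key = key                 # secret HMAC key; a pseudonym cannot be re-linked without it
        self._identity_vault = {}       # pseudonym -> direct identifier, held apart from the fragments
        self._fragments = {}            # (purpose, pseudonym) -> only the fields that purpose needs

    def pseudonym(self, subject_id: str) -> str:
        # Keyed hash rather than a plain hash, so fragments cannot be re-linked by guessing identifiers.
        return hmac.new(self._key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

    def ingest(self, subject_id: str, record: dict) -> str:
        p = self.pseudonym(subject_id)
        self._identity_vault[p] = subject_id
        for purpose, fields in PURPOSE_FIELDS.items():
            # Fields that no purpose needs are never stored at all.
            self._fragments[(purpose, p)] = {k: v for k, v in record.items() if k in fields}
        return p

    def view_for(self, purpose: str, pseudonym: str) -> dict:
        """What a single process sees: never the full profile, never the real identifier."""
        if purpose not in PURPOSE_FIELDS:
            raise KeyError(f"unknown purpose {purpose!r}")
        return dict(self._fragments.get((purpose, pseudonym), {}))

    def subject_access(self, subject_id: str) -> dict:
        """Articles 15 and 15b: every fragment held about one subject, gathered by pseudonym."""
        p = self.pseudonym(subject_id)
        return {purpose: dict(frag) for (purpose, q), frag in self._fragments.items() if q == p}

    def erase(self, subject_id: str) -> int:
        """Article 17: drop the vault entry and every fragment; returns the number of records removed."""
        p = self.pseudonym(subject_id)
        removed = 0
        if self._identity_vault.pop(p, None) is not None:
            removed += 1
        for key in [k for k in self._fragments if k[1] == p]:
            del self._fragments[key]
            removed += 1
        return removed


def demo() -> dict:
    """Run the store over a constructed customer-contact record and return what was observed."""
    store = PseudonymisedStore(key=secrets.token_bytes(32))
    # Constructed sample record; 'gender' is deliberately present to show it is dropped (Article 15(1b)).
    record = {
        "name": "A. Example",
        "company": "Example Marine Ltd",
        "phone": "+44 20 7946 0000",
        "invoice_email": "accounts@example.invalid",
        "support_email": "a.example@example.invalid",
        "gender": "unspecified",
    }
    p = store.ingest("contact-0001", record)          # constructed subject identifier
    delivery_view = store.view_for("delivery", p)     # one process, one fragment
    full_report = store.subject_access("contact-0001")
    removed = store.erase("contact-0001")
    return {
        "pseudonym": p,
        "delivery_view": delivery_view,
        "report": full_report,
        "removed": removed,
        "after_erase": store.subject_access("contact-0001"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The delivery process never sees the contact's name or support address, the subject access report is the union of all fragments, and erasure here removes the vault entry plus every fragment (four records) rather than overwriting fields with spaces as the page's digital wallet does. The HMAC key is the piece to guard: whoever holds it can link a pseudonym back to a subject, so in a real deployment it belongs in the same protected tier as the identity vault.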
26. Processor Responsibility
1. Article 26 requires the controller to only use a processor providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of GDPR.
2. The processor shall not engage another processor - this excludes the need for contracts to impose identical obligations on other processors.
3. Processing by the processor shall be governed by a contract that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The contract shall include:-
   (1) Article 26(3a): The processor shall only process personal data on documented instructions from the controller. The processor shall not transfer personal data to any other country.
   (2) Article 26(3b): The processor shall ensure that the persons authorised to process personal data have committed themselves to confidentiality and have a service agreement.
   (3) Article 26(3c): The processor takes all measures required pursuant to Article 32 Security of Processing.
   (4) Article 26(3d): The processor shall not engage another processor.
   (5) Article 26(3e): The processor shall provide the controller with facilities to fulfil the controller's obligations to deliver data subject rights as in Chapter III Rights of the Data Subject, Articles 13 to 23.
   (6) Article 26(3f): The processor shall assist the controller to ensure compliance with the obligations in Articles 32 to 36: Security of Processing, Notification of a Breach and DPIA.
   (7) Article 26(3g): The processor shall, at the choice of the controller, erase or return all the personal data to the controller after the end of the provision of services.
   (8) Article 26(3h): The processor shall provide the controller with access to all the documentation necessary to demonstrate compliance with the obligations of Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller. The processor shall immediately inform the controller if an instruction infringes GDPR or any other legal provision.
4. The processor shall not engage another processor.
5. Adherence of the processor to the ISO 27001 Information Security Standard and ISO 20000 ITIL Codes of Conduct shall be used to demonstrate compliance with this article.
6. The contract between the controller and processor shall include standard clauses as advised by GDPR, ICO and certification bodies.
7. Any standard contract clauses laid down by GDPR as referenced in Article 93(2) shall be included in the contract.
8. Any standard contract clauses laid down by ICO shall be included in the contract.
9. The contract between the controller and processor shall be in writing and available to view in electronic form via DPAS.
10. If the processor infringes GDPR, the processor shall be considered to be a controller in respect of that processing.
??? In a business-to-business supply chain such as marine transport insurance, who is the controller and who are the processors???
??? In a private block-chain of shared financial transactions, who is the controller and who is the processor???
??? Will codes of conduct bodies become all powerful with greater annual fees that become a mandated cost of compliance???
??? ASP is a member of the Cloud Security Alliance (CSA) that has a code of conduct???
29. Processing Under Authority
1. Article 29 imposes an obligation to deploy shared support requests that are authored by the data controller and actioned by the data processor.
2. The processor, and any person acting under the authority of the controller or the processor who has access to personal data, shall not process that data except on instructions from the controller, unless required to do so by law.
3. Only a few Second Level Support team people, working under the direction of the Request Fulfilment Manager, have authentication rights to sign in and process any business data. Every action taken by the Second Level Support team is recorded as immutable evidence that is shared with all other approved people.
30. Records of Processing Activities
1. Article 30 requires the controller (or the controller's representative as the processor) to maintain a record of processing activities under its responsibility, to include:-
   (1) Article 30(1a): The name and contact details of the controller and the data protection officer - an online message application service.
   (2) Article 30(1b): The purpose of the processing.
   (3) Article 30(1c): A description of the categories of data subjects and categories of personal data.
   (4) Article 30(1d): The categories of recipients to whom the personal data is disclosed, including the country.
   (5) Article 30(1e): The time duration before personal data is erased, or the criteria to determine the time duration.
   (6) Article 30(1f): A general description of the security measures deployed in compliance with Article 32. Pseudonymised and replicated encrypted data (PARED) using a private block chain is deployed.
2. Article 30 requires the processor to maintain a record of all categories of processing activities it carries out, to include:-
   (1) Article 30(2a): The name and contact details of the processor and the data protection officer - an online message application service.
   (2) Article 30(2b): The categories of processing carried out.
   (3) Article 30(2c): The processor shall not transfer any personal data to any other country or any other processor.
   (4) Article 30(2d): A general description of the security measures deployed in compliance with Article 32. Pseudonymised and replicated encrypted data (PARED) using a private block chain is deployed.
3. The records identified above must be in writing and the information shared via the DPAS with approved people.
4. The controller or the processor shall make the record information available to the ICO upon request.
5. Article 30 may only apply when a Data Protection Officer is appointed, but the records may be requested following any data breach.
* Any such documentation that may be requested by the ICO should be available in HTML format - safe and secure.
32. Security of Processing
1. Article 32 imposes an obligation to deploy state of the art data protection measures such as:-
   (1) Article 32(1a): Pseudonymisation and encryption - these are deployed.
   (2) Article 32(1b): The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing services - continually monitored authentication is deployed.
   (3) Article 32(1c): The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident - replication to a large number of data centers is deployed.
   (4) Article 32(1d): A process to regularly test, assess and evaluate the effectiveness of the technical and organisational measures for ensuring the security of processing - external security audit every February and August.
2. Article 32 requires risk management to assess the cost of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data when communicated, stored or processed.
3. Compliance with a code of conduct and certification mechanism may be used to demonstrate compliance with Article 32.
4. The controller and processor shall take steps to ensure that an approved person acting under the control of the controller or processor who has access to personal data does not process it except on instructions from the controller.
33. Notification of a Data Breach
1. Article 33 imposes an obligation to notify the ICO not later than 72 hours after becoming aware of a data breach, unless the data breach is unlikely to result in a risk to the rights of any person. Because all personal data is strongly encrypted, a stored data breach will not have any risk to personal data. Because all communications are encrypted, a communication data breach will not have any risk to personal data. Because all authentication is continually monitored with multiple factors, a sign-in data breach will be stopped.
2. The processor shall inform the controller without undue delay after becoming aware of a personal data breach.
3. The notification to the ICO shall include:-
   (1) Article 33(3a): Describe the nature of the personal data breach, including the categories and number of data subjects concerned and the categories and number of personal records concerned.
   (2) Article 33(3b): Communicate the name and contact details of the Data Protection Officer where more information can be obtained.
   (3) Article 33(3c): Describe the documented risk consequences of the personal data breach. There shall be no risk consequences for a personal data breach because any lost data is replicated and any stolen data is unreadable.
   (4) Article 33(3d): Describe the measures taken to address the personal data breach and the measures to mitigate the possible adverse effects. Multiple layers of different encryption methods have been used to ensure that personal data is meaningless to a criminal.
4. A standard notification procedure has been provided and will be used without delay because the consequences are negligible.
5. An online application service is provided to document each and every data breach, its effects and the remedial action taken. This document may be shared with the ICO to verify compliance with Article 33.
Note: Encrypted data cannot be personal data because it cannot be identified as personal data - it is plausible to state that the encrypted data is music or an image or made up test data.
34. Notify Breach to Data Subject
1. Article 34 imposes an obligation to notify each data subject without undue delay of a high risk to their rights following a data breach. Because all personal data is strongly encrypted, a stored data breach will not have any risk to any data subject. Because all communications are encrypted, a communication data breach will not have any risk to any data subject. Because all authentication is continually monitored with multiple factors, a sign-in data breach will be stopped.
2. The communication to each data subject must be in plain language and highlight the actual personal data that has been lost, stolen or accessed.
3. The communication with the data subject will not be required if any of:-
   (1) Article 34(3a): Appropriate technical and organisational measures were implemented, such as encryption, that cause the personal data to be unintelligible.
   (2) Article 34(3b): The controller has taken measures to ensure that high risks are no longer likely to materialise.
   (3) Article 34(3c): It would involve a disproportionate effort. A public communication may be equally effective.
4. The ICO can order the controller to notify each data subject of the data breach.
35. Data Protection Impact Assessment
1. Article 35 imposes an obligation to create, review and revise a Data Protection Impact Assessment (DPIA) for the Bespoke Application Service, undertaken by the Data Protection Officer.
2. The DPIA is owned by the Data Protection Officer as a strategic statement of direction.
3. The DPIA should focus on processing where profiling and automated decision making is involved, where large scale categories of special data such as criminal convictions (driving licence points) are processed, and where systematic monitoring of publicly accessible data takes place.
4. The ICO will publish a list of processing operations that are subject to DPIA.
5. The ICO will publish a list of processing operations where a DPIA is not needed.
6. Pending the establishment of such ICO lists, it may be of benefit to create a DPIA.
7. The DPIA must include:-
   (1) Article 35(7a): A systematic description of the processing operations and purposes of the processing, including the legitimate interests of the controller.
   (2) Article 35(7b): An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
   (3) Article 35(7c): An assessment of the risks to the rights of data subjects.
   (4) Article 35(7d): The measures deployed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data. This is used as a demonstration of adequate security measures when evaluated by the ICO.
8. Compliance with codes of conduct is taken into account. ASP is a member of CSA and compliant with ISO 27001 ISM.
9. The controller may take into account the views of data subjects regarding the intended processing.
10. A DPIA may be a legal requirement for certain industries.
11. The DPIA and the Bespoke Application Service must be tested to assess compliance and reviewed each time the Bespoke Application Service is improved or new security threats are identified.
37. Data Protection Officer
1. Articles 37, 38 and 39 impose an obligation to appoint a qualified, skilled and experienced Data Protection Officer (DPO).
2. The DPO role reports to the processor Board of Directors. The DPO cannot be fired for doing their job. The DPO role is governed by secrecy and confidentiality.
3. The contracted services of the DPO role are part of the service provided by the processor to the controller. The controller and the processor cannot dictate the tasks that the DPO must undertake and cannot have a conflict of interest.
4. The DPO role manages the strategic DPIA document on behalf of the processor, controller and ICO - without favour. It has been said that the DPO works on behalf of the ICO.
5. The DPO role is a strategic appointment and has no direct relationship with the Information Security Manager or Compliance Manager.
6. The Information Security Manager deploys the security measures applicable to the protection measures identified in the DPIA by the DPO.
7. The DPO role is the single point of contact for the ICO in the event of a data breach.
8. The DPO role is the single point of contact for a data subject who wants to ask a question.
40. Codes of Conduct
1. Article 40 imposes an obligation to comply with codes of conduct to be drawn up by GDPR, ICO and trade associations to match the requirements of industry sectors and the needs of different sized organisations.
2. Associations representing controllers and processors will prepare codes of conduct with regard to:-
   (1) Article 40(2a): Fair and transparent processing.
   (2) Article 40(2b): Legitimate interests pursued by controllers in specific contexts.
   (3) Article 40(2c): The collection of personal data.
   (4) Article 40(2d): The pseudonymisation of personal data.
   (5) Article 40(2e): The information provided to the public and data subjects.
   (6) Article 40(2f): The exercise of the rights of data subjects.
   (7) Article 40(2g): The issue of dealing with personal data about people who are not adults.
   (8) Article 40(2h): The measures and procedures for Articles 24 (controller), 25 (protection by default) and 32 (security).
   (9) Article 40(2i): The notification of data breaches.
   (10) Article 40(2j): The transfer of personal data to other countries.
   (11) Article 40(2k): Dispute resolution, complaints and out-of-court proceedings.
* A new world order may emerge as the body to monitor and enforce compliance. This could become a very expensive means to ensure compliance.
? Staff awareness, education and training - did I miss it?
? Should the contract include the processor providing educational tutorial information to the controller as a fundamental part of the Bespoke Application Service?
Document Control
1. Title: Compliance Evidence.
2. Reference: 162728.
3. Key Words: GDPR, policy, process, compliance, procedure, business rules.
4. Description: GDPR is a legal obligation where every clause must be deployed.
5. Privacy: Public, shared for the benefit of humanity.
6. Edition: 1.3.
7. Issued: 22 Aug 2017.