What consultations should occur prior to high-risk processing?

Different types of consultations must occur prior to high-risk processing: Where appropriate, the views of individuals or their representatives on the intended processing must be sought as long as the commercial or public interests and the security of processing operations are protected. When carrying out a data […]

When is a data protection impact assessment required and how is it conducted?

When a type of processing is using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, under the GDPR, the controller, prior to the processing, is required to conduct an assessment of the impact […]

Why you should have a Data Protection Policy and a Data Retention and Erasure Policy and what should be in them?

As discussed in the previous blog on security assessments, the GDPR requires the controller and the processor to implement appropriate technical and organizational measures.  Examples of organizational measures are policies and procedures, and two of the recommended security policies are: (1) a Data Protection Policy, and (2) a Data Retention and Erasure Policy. The Data […]

How is security of processing assessed?

The GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.  In order to determine the “appropriate level of security,” an assessment must be done that takes into account: The state of the art, The costs of implementation, and The nature, […]

Why you should have a Personal Data Breach Policy and what should be in it?

You should have a Personal Data Breach Policy that sets forth a plan on how to respond to a Personal Data Breach. Having and implementing such a plan helps protect an organization from a Personal Data Breach and enables a timely response if a Personal Data Breach is suspected or occurs. Given these reasons for […]

What needs to be in a GDPR personal data breach notification?

If a personal data breach communication must be provided to an individual, it must describe in clear and plain language the nature of the personal data breach. If a notification to a supervisory authority of a personal data breach must be given, the description of the nature of the personal data breach should include if […]

What is a data breach under the GDPR and what do you do when one happens?

Under the GDPR, the term “personal data breach” means a breach of security that leads to the: Accidental or unlawful destruction or loss of, Accidental or unlawful alteration of, or Unauthorized disclosure of, or access to, personal data that have been transmitted, stored or processed in some other way.  After becoming aware of a personal […]

What needs to be in the agreement between the controller and the processor?

Processing by a processor must be governed by an agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of individuals and obligations and rights of the controller.  That agreement must provide, in particular, that the processor: Processes the […]

What kind of agreements do you need if you are a processor or use a subprocessor?

Whenever you as a controller use a processor to process personal data for you, you need to make sure that the processor will provide appropriate technical and organizational security measures that protect the rights of individuals.  In order to do that, you must have a written agreement between you and the processor. If you are […]