General Data Protection Regulation (GDPR)

During the next year, compliance with the EU GDPR for data protection becomes a requirement as the EU takes another step forward in the never-ending battle to protect citizens' privacy. To accomplish compliance with these statutes I recommend that you enlist the assistance of a proven Privacy and Security Professional, such as myself, who has implemented these programs for government suppliers before. This round of compliance changes promises to be an exciting one for many US-based corporations attempting to do business in Europe. The new changes include the following:

- The role of the data protection officer (DPO), including whether you need one and what they should do.

- Risk management and data protection impact assessments (DPIAs), including how, when and why to conduct a DPIA.

- Data subjects' rights, including consent and the withdrawal of consent; subject access requests and how to handle them; and data controllers' and processors' obligations.

- International data transfers to "third countries", including guidance on adequacy decisions and appropriate safeguards; the EU-US Privacy Shield; international organisations; limited transfers; and cloud providers.

- How to adjust your data protection processes to transition to GDPR compliance, and the best way of demonstrating that compliance.

Privacy Impact Assessment Questionnaire

The following questionnaire has been designed to assist the privacy impact assessment facilitator.


Privacy Principles

# 1 – Organizational Responsibility for Personal Information

# 2 – Identifying the Purpose for Personal Information

# 3 – Limiting Data Collection to Business Objectives

# 4 – Required Consent

# 5 – Limitations on the Retention of Personal Information

# 6 – Accuracy of Data

# 7 – Data Security

# 8 – Training and Communication


************


Principle 1 – Organizational Responsibility for Personal Information

1.1. Has responsibility for organizational privacy oversight been assigned to a specific individual? Y/N

1.2. Are the roles, responsibilities and reporting structure of that person documented? Y/N

1.3. Have performance requirements been specified in a measurable way, and are they subject to management review? Y/N

1.4. Are independent third-party audits facilitated to review privacy practices? Y/N

1.5. Has the organization retained the legal right to collect, use, disclose, archive and dispose of personally identifiable information under its custody? Y/N

1.6. Has the organization retained the legal right to audit and enforce data protection principles with its external service providers? Y/N


Principle 2 – Identifying the Purpose for Personal Information

2.1. Is the business purpose for the collection, use, retention and disclosure documented? Y/N

2.2. Has the purpose for collection been mapped to the business purpose? Y/N

2.3. Has the purpose for collection been mapped to a specific statute or regulation? Y/N

2.4. Is the purpose for collection based on an exception due to debt collection, investigations or media? Y/N

2.5. Have the organization's customers been formally notified of the purpose for the collection? Y/N


Principle 3 – Limiting Data Collection to Business Objectives

3.1. Can the requirements for information collection be limited or reduced? Y/N

3.2. Is personally identifiable information collected directly from the individual? Y/N

3.3. Is personally identifiable information collected indirectly through other programs? Y/N

3.4. Is personally identifiable information collected indirectly through external parties? Y/N

3.5. Will the customer's online activity be monitored and related information collected? Y/N

3.6. Is the information collected for planning, forecasting, or evaluation purposes? Y/N

3.7. Can the information collected be made anonymous and still meet the business purpose? Y/N


Principle 4 – Required Consent

4.1. Was the consent clearly linked to the purpose for collection and usage? Y/N

4.2. Did the consent clearly and unambiguously specify that personally identifiable information can be collected, used and disclosed? Y/N

4.3. Did the individual implicitly consent to the collection of their personally identifiable information? Y/N

4.4. Was the consent to collect personally identifiable information implied? Y/N

4.5. Was consent gathered based on the individual's option to 'opt-in'? Y/N

4.6. Was consent gathered based on the individual's option to 'opt-out'? Y/N

4.7. Was personally identifiable information collected indirectly from external third parties? Y/N

4.8. Does consent allow for secondary uses like service improvements? Y/N

4.9. Have procedures been created to obtain further consent for usage not previously identified? Y/N


Principle 5 – Limitations on the Retention of Personal Information

5.1. Are there specific statutory or regulatory obligations for retaining personally identifiable information? Y/N

5.2. Has the reconciliation of cross-jurisdictional retention obligations been completed? Y/N

5.3. Have practices and/or standards been documented with respect to the retention of personal information? Y/N

5.4. Do these standards include a minimum and maximum retention period? Y/N

5.5. Is there a method to log and report on the duration for which personal information has been retained? Y/N

5.6. Are there documented practices and standards outlining the appropriate methods of destruction, erasure or anonymization of personal information? Y/N

5.7. Are disposal/destruction records maintained for personal information? Y/N


Principle 6 – Accuracy of Data

6.1. Are updates to customer records recorded, including date, time stamp and user account? Y/N

6.2. Have procedures been documented and communicated to customers regarding access to, and maintenance of, inaccurate records? Y/N

6.3. Are records kept regarding requests for access to records? Y/N

6.4. Can customers access their personal information without disrupting regular operations? Y/N

6.5. Has field-level validation been implemented for interactive updates to records? Y/N

6.6. Has exception reporting been implemented for batch file processing? Y/N

6.7. Are errors in information processing monitored and investigated? Y/N

6.8. Are external parties notified of corrections? Y/N
