SlideShare a Scribd company logo

Gdpr contracts and data sharing

A
Andy Willams

GDPR - Contracts

Technology
1 of 3
Download to read offline
GDPR Accountability Contracts and Data Sharing Data Sharing Policies and Procedures Your organisation's policies and procedures make sure that you appropriately manage data sharing decisions. 7.1.1 You have a review process, through a DPIA or similar exercise, to assess the legality, benefits and risks of the data sharing. 7.1.2 You document all sharing decisions for audit, monitoring and investigation purposes and you regularly review them. 7.1.3 Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so. 7.1.4 Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately. Data Sharing Agreements You arrange and regularly review data sharing agreements with parties with whom you regularly share personal data. 7.2.1 You agree data sharing agreements with all the relevant parties and senior management signs them off. 7.2.2 The data sharing agreement includes details about: the parties' roles; the purpose of the data sharing; what is going to happen to the data at each stage; and sets standards (with a high privacy default for children). 7.2.3 Where necessary, procedures and guidance covering each organisation's day-to-day operations support the agreements. 7.2.4 If your organisation is acting as a joint controller (within the meaning of Article 26 of the GDPR), you set out responsibilities under an arrangement or a data sharing agreement, and you provide appropriate privacy information to individuals. 7.2.5 You have a regular review process to make sure that the information remains accurate and up-to- date, and to examine how the agreement is working. 7.2.6 There is a central log of the current data sharing agreements. Restricted Transfers Your organisation has procedures in place to make sure that restricted transfers are made appropriately. 7.3.1 You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs). 7.3.2 If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the GDPR. Processors 7.4.1 You have written contracts with all processors.
GDPR Accountability You have appropriate procedures in place regarding the work that processors do on your behalf. 7.4.2 If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively. 7.4.3 An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract. 7.4.4 Each contract (or other legal act) sets out details of the processing including the: • subject matter of the processing; • duration of the processing; • nature and purpose of the processing; • type of personal data involved; • categories of data subject; and • controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the GDPR. 7.4.5 You keep a record or log of all current processor contracts, which you update when processors change. 7.4.6 You review contracts periodically to make sure they remain up-to-date. 7.4.7 If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor. Controller-Processor Contract Requirements All of your controller- processor contracts cover the terms and clauses necessary to comply with data protection law. 7.5.1 The contract or other legal act includes terms or clauses stating that the processor must: • only act on the controller’s documented instructions, unless required by law to act without such instructions; • make sure that the people processing the data are subject to a duty of confidence; • help the controller respond to requests from individuals to exercise their rights; submit to audits and inspections. 7.5.2 Contracts include the technical and organisational security measures the processor will adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system). 7.5.3 The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage. 7.5.4 Clauses are included to make sure that the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs.
GDPR Accountability Processor Due Diligence Checks You carry out due diligence checks to guarantee that processors will implement appropriate technical and organisational measures to meet GDPR requirements. 7.6.1 The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor. 7.6.2 The due diligence process includes data security checks, eg site visits, system testing and audit requests. 7.6.3 The due diligence process includes checks to confirm a potential processor will protect data subject's rights. Processor Compliance Reviews Your organisation reviews data processors' compliance with their contracts. 7.7.1 Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions. 7.7.2 You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements. Third Party Products and Services Your organisation considers 'data protection by design' when selecting services and products to use in data processing activities. 7.8.1 When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind. Purpose Limitation Your organisation proactively takes steps to only share necessary personal data with processors or other third parties. 7.9.1 Your organisation only shares the personal data necessary to achieve its specific purpose. 7.9.2 When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data.

Recommended

GDPR 12 Steps infographic
GDPR 12 Steps infographic GDPR 12 Steps infographic
GDPR 12 Steps infographic
Ermine Amies
 
12 steps to prepare for GDPR
12 steps to prepare for GDPR12 steps to prepare for GDPR
12 steps to prepare for GDPR
Gary Chambers
 
How does GDPR affect the design of user experiences?
How does GDPR affect the design of user experiences? How does GDPR affect the design of user experiences?
How does GDPR affect the design of user experiences?
Exove
 
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
The General Data Protection Regulation (GDPR) in Ireland-What You Should KnowThe General Data Protection Regulation (GDPR) in Ireland-What You Should Know
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
Terry Gorry
 
The implications of gdpr for the solutions industry tatech 2018
The implications of gdpr for the solutions industry tatech 2018The implications of gdpr for the solutions industry tatech 2018
The implications of gdpr for the solutions industry tatech 2018
Shane Gray
 
GDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to KnowGDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to Know
Rachel Roach
 
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
GDPR: 3 Months On | Guest Speaker: Data Protection CommissionersGDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
BrightPay Payroll and Auto Enrolment Software
 
GDPR How to get started?
GDPR How to get started?GDPR How to get started?
GDPR How to get started?
Peter Witsenburg
 

Recommended

GDPR 12 Steps infographic
GDPR 12 Steps infographic GDPR 12 Steps infographic
GDPR 12 Steps infographic
Ermine Amies
 
12 steps to prepare for GDPR
12 steps to prepare for GDPR12 steps to prepare for GDPR
12 steps to prepare for GDPR
Gary Chambers
 
How does GDPR affect the design of user experiences?
How does GDPR affect the design of user experiences? How does GDPR affect the design of user experiences?
How does GDPR affect the design of user experiences?
Exove
 
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
The General Data Protection Regulation (GDPR) in Ireland-What You Should KnowThe General Data Protection Regulation (GDPR) in Ireland-What You Should Know
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
Terry Gorry
 
The implications of gdpr for the solutions industry tatech 2018
The implications of gdpr for the solutions industry tatech 2018The implications of gdpr for the solutions industry tatech 2018
The implications of gdpr for the solutions industry tatech 2018
Shane Gray
 
GDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to KnowGDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to Know
Rachel Roach
 
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
GDPR: 3 Months On | Guest Speaker: Data Protection CommissionersGDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
BrightPay Payroll and Auto Enrolment Software
 
GDPR How to get started?
GDPR How to get started?GDPR How to get started?
GDPR How to get started?
Peter Witsenburg
 
Getting It Right
Getting It RightGetting It Right
Getting It Right
Scott Sehlhorst
 
Data protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protectionData protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protection
Aujas Networks Pvt. Ltd.
 
Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)
Exove
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance
Gabor Farkas
 
Personal data Protection Act Singapore How-to Perform Assessment
Personal data Protection Act Singapore How-to Perform AssessmentPersonal data Protection Act Singapore How-to Perform Assessment
Personal data Protection Act Singapore How-to Perform Assessment
Jean Luc Creppy
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
Tariq Juneja
 
GDPR and technology - details matter
GDPR and technology - details matterGDPR and technology - details matter
GDPR and technology - details matter
Exove
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) Journey
Microsoft Österreich
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
DAMA Ireland
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
IS Audits and Internal Controls
IS Audits and Internal ControlsIS Audits and Internal Controls
IS Audits and Internal Controls
Bharath Rao
 
The GDPR: Common misunderstandings and lessons learned so far
The GDPR: Common misunderstandings and lessons learned so farThe GDPR: Common misunderstandings and lessons learned so far
The GDPR: Common misunderstandings and lessons learned so far
PECB
 
Microsoft sql-and-the-gdpr
Microsoft sql-and-the-gdprMicrosoft sql-and-the-gdpr
Microsoft sql-and-the-gdpr
Reham Maher El-Safarini
 
GDPR - what you need to know
GDPR - what you need to know GDPR - what you need to know
GDPR - what you need to know
Maddie Malling-May
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPR
Paul O'Carroll
 
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
ekyklos Κύκλος Ιδεών για τη Εθνική Ανασυγκρότηση
 
IAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance Primer
IAB Europe
 
Trust in the Cloud: Legal and Regulatory Framework
Trust in the Cloud: Legal and Regulatory FrameworkTrust in the Cloud: Legal and Regulatory Framework
Trust in the Cloud: Legal and Regulatory Framework
Francoise Gilbert
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
TrustArc
 
Nymit-Accountability-Roadmap-GDPR-Compliance.pdf
Nymit-Accountability-Roadmap-GDPR-Compliance.pdfNymit-Accountability-Roadmap-GDPR-Compliance.pdf
Nymit-Accountability-Roadmap-GDPR-Compliance.pdf
António Mendes
 
GDPR most actionable cheatsheet and checklist by cyberstratg
GDPR most actionable cheatsheet and checklist by cyberstratgGDPR most actionable cheatsheet and checklist by cyberstratg
GDPR most actionable cheatsheet and checklist by cyberstratg
Cyber StratG
 

More Related Content

What's hot

The GDPR: Common misunderstandings and lessons learned so far
The GDPR: Common misunderstandings and lessons learned so farThe GDPR: Common misunderstandings and lessons learned so far
The GDPR: Common misunderstandings and lessons learned so far
PECB
 
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
ekyklos Κύκλος Ιδεών για τη Εθνική Ανασυγκρότηση
 

What's hot (17)

Getting It Right
Getting It RightGetting It Right
Getting It Right
 
Data protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protectionData protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protection
 
Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role
 
5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance
 
Personal data Protection Act Singapore How-to Perform Assessment
Personal data Protection Act Singapore How-to Perform AssessmentPersonal data Protection Act Singapore How-to Perform Assessment
Personal data Protection Act Singapore How-to Perform Assessment
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
GDPR and technology - details matter
GDPR and technology - details matterGDPR and technology - details matter
GDPR and technology - details matter
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) Journey
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
 
IS Audits and Internal Controls
IS Audits and Internal ControlsIS Audits and Internal Controls
IS Audits and Internal Controls
 
The GDPR: Common misunderstandings and lessons learned so far
The GDPR: Common misunderstandings and lessons learned so farThe GDPR: Common misunderstandings and lessons learned so far
The GDPR: Common misunderstandings and lessons learned so far
 
Microsoft sql-and-the-gdpr
Microsoft sql-and-the-gdprMicrosoft sql-and-the-gdpr
Microsoft sql-and-the-gdpr
 
GDPR - what you need to know
GDPR - what you need to know GDPR - what you need to know
GDPR - what you need to know
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPR
 
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
14.3.2018, Παρουσίαση Κώστα Γκρίτση στην εκδήλωση «Προστασία Προσωπικών Δεδομ...
 

Similar to Gdpr contracts and data sharing

How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
TrustArc
 
1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docx1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docx
oswald1horne84988
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docx
amit657720
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docx
mccormicknadine86
 
MRS Operations Network: GDPR - Organisational Measures
MRS Operations Network: GDPR - Organisational MeasuresMRS Operations Network: GDPR - Organisational Measures
MRS Operations Network: GDPR - Organisational Measures
MRS
 
Procurement Of Software And Information Technology Services
Procurement Of Software And Information Technology ServicesProcurement Of Software And Information Technology Services
Procurement Of Software And Information Technology Services
Peister
 

Similar to Gdpr contracts and data sharing (20)

IAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance PrimerIAB Europe's GDPR Compliance Primer
IAB Europe's GDPR Compliance Primer
 
Trust in the Cloud: Legal and Regulatory Framework
Trust in the Cloud: Legal and Regulatory FrameworkTrust in the Cloud: Legal and Regulatory Framework
Trust in the Cloud: Legal and Regulatory Framework
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
 
Nymit-Accountability-Roadmap-GDPR-Compliance.pdf
Nymit-Accountability-Roadmap-GDPR-Compliance.pdfNymit-Accountability-Roadmap-GDPR-Compliance.pdf
Nymit-Accountability-Roadmap-GDPR-Compliance.pdf
 
GDPR most actionable cheatsheet and checklist by cyberstratg
GDPR most actionable cheatsheet and checklist by cyberstratgGDPR most actionable cheatsheet and checklist by cyberstratg
GDPR most actionable cheatsheet and checklist by cyberstratg
 
Data Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service OverviewData Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service Overview
 
Ethics for lawyers in the cloud
Ethics for lawyers in the cloudEthics for lawyers in the cloud
Ethics for lawyers in the cloud
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
Privacy KPIs.pdf
Privacy KPIs.pdfPrivacy KPIs.pdf
Privacy KPIs.pdf
 
Ivan Horodyskyy - Сloud and GDPR Legal and Organizational Steps to be Taken
Ivan Horodyskyy - Сloud and GDPR Legal and Organizational Steps to be TakenIvan Horodyskyy - Сloud and GDPR Legal and Organizational Steps to be Taken
Ivan Horodyskyy - Сloud and GDPR Legal and Organizational Steps to be Taken
 
1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docx1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docx
 
ISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentISSA Data Retention Policy Development
ISSA Data Retention Policy Development
 
GDPR Compliance with Microsoft 365
GDPR Compliance with Microsoft 365 GDPR Compliance with Microsoft 365
GDPR Compliance with Microsoft 365
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docx
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docx
 
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
 
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
 
MRS Operations Network: GDPR - Organisational Measures
MRS Operations Network: GDPR - Organisational MeasuresMRS Operations Network: GDPR - Organisational Measures
MRS Operations Network: GDPR - Organisational Measures
 
DevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileDevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay Agile
 
Procurement Of Software And Information Technology Services
Procurement Of Software And Information Technology ServicesProcurement Of Software And Information Technology Services
Procurement Of Software And Information Technology Services
 

Recently uploaded

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
panagenda
 

Recently uploaded (20)

Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 

Gdpr contracts and data sharing

  • 1. GDPR Accountability Contracts and Data Sharing Data Sharing Policies and Procedures Your organisation's policies and procedures make sure that you appropriately manage data sharing decisions. 7.1.1 You have a review process, through a DPIA or similar exercise, to assess the legality, benefits and risks of the data sharing. 7.1.2 You document all sharing decisions for audit, monitoring and investigation purposes and you regularly review them. 7.1.3 Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so. 7.1.4 Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately. Data Sharing Agreements You arrange and regularly review data sharing agreements with parties with whom you regularly share personal data. 7.2.1 You agree data sharing agreements with all the relevant parties and senior management signs them off. 7.2.2 The data sharing agreement includes details about: the parties' roles; the purpose of the data sharing; what is going to happen to the data at each stage; and sets standards (with a high privacy default for children). 7.2.3 Where necessary, procedures and guidance covering each organisation's day-to-day operations support the agreements. 7.2.4 If your organisation is acting as a joint controller (within the meaning of Article 26 of the GDPR), you set out responsibilities under an arrangement or a data sharing agreement, and you provide appropriate privacy information to individuals. 7.2.5 You have a regular review process to make sure that the information remains accurate and up-to- date, and to examine how the agreement is working. 7.2.6 There is a central log of the current data sharing agreements. Restricted Transfers Your organisation has procedures in place to make sure that restricted transfers are made appropriately. 7.3.1 You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs). 7.3.2 If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the GDPR. Processors 7.4.1 You have written contracts with all processors.
  • 2. GDPR Accountability You have appropriate procedures in place regarding the work that processors do on your behalf. 7.4.2 If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively. 7.4.3 An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract. 7.4.4 Each contract (or other legal act) sets out details of the processing including the: • subject matter of the processing; • duration of the processing; • nature and purpose of the processing; • type of personal data involved; • categories of data subject; and • controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the GDPR. 7.4.5 You keep a record or log of all current processor contracts, which you update when processors change. 7.4.6 You review contracts periodically to make sure they remain up-to-date. 7.4.7 If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor. Controller-Processor Contract Requirements All of your controller- processor contracts cover the terms and clauses necessary to comply with data protection law. 7.5.1 The contract or other legal act includes terms or clauses stating that the processor must: • only act on the controller’s documented instructions, unless required by law to act without such instructions; • make sure that the people processing the data are subject to a duty of confidence; • help the controller respond to requests from individuals to exercise their rights; submit to audits and inspections. 7.5.2 Contracts include the technical and organisational security measures the processor will adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system). 7.5.3 The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage. 7.5.4 Clauses are included to make sure that the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs.
  • 3. GDPR Accountability Processor Due Diligence Checks You carry out due diligence checks to guarantee that processors will implement appropriate technical and organisational measures to meet GDPR requirements. 7.6.1 The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor. 7.6.2 The due diligence process includes data security checks, eg site visits, system testing and audit requests. 7.6.3 The due diligence process includes checks to confirm a potential processor will protect data subject's rights. Processor Compliance Reviews Your organisation reviews data processors' compliance with their contracts. 7.7.1 Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions. 7.7.2 You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements. Third Party Products and Services Your organisation considers 'data protection by design' when selecting services and products to use in data processing activities. 7.8.1 When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind. Purpose Limitation Your organisation proactively takes steps to only share necessary personal data with processors or other third parties. 7.9.1 Your organisation only shares the personal data necessary to achieve its specific purpose. 7.9.2 When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data.