The time line should be at least as long as it would be required of the controller to be able to undertake and interact with the processor about the new sub-processor of the controller; like reviewing the VDD they have done and any or all of the DPIA's / LIA's etc as part of that exercise so they caRead more
The time line should be at least as long as it would be required of the controller to be able to undertake and interact with the processor about the new sub-processor of the controller; like reviewing the VDD they have done and any or all of the DPIA’s / LIA’s etc as part of that exercise so they can amend their own records and make the decision if they are happy with the risk change.
I have seen time periods in Controller to Processor agreements that vary from a minimum of 30 days to 90 day for changes in processing supply chain scope within the DSA (Data Sharing Agreements)
It also depends how much the Processor (Controller in their own right) has their own house in order with respect to Vendor due diligence and notification to parties that they process on behalf of .. but as you mention they should be taking a risk based approach to the activities of the new processor … more lead time for more risk and sensitive personal data sets .. that are in scope.
I would suggest pitching this question at Tim Turner of 2040training who is very knowledgeable on all aspects of FOI. Sadly i am not much of an expert in this area. Sorry.
I would suggest pitching this question at Tim Turner of 2040training who is very knowledgeable on all aspects of FOI.
Sadly i am not much of an expert in this area. Sorry.
.. And definitely don't consider GA and classify as essential cookies .... like a lot of people seem to do ... As i always say to clients... it is not what you as a business think is essential ... :)
.. And definitely don’t consider GA and classify as essential cookies …. like a lot of people seem to do …
As i always say to clients… it is not what you as a business think is essential … 🙂
Definitely you have to do the info gathering yourself from whatever public facing materials you can find. Definitely more of a generic legal positioned response rather than an understanding trust interaction and addressing your concerns around your VDD. The only way that you do get the info and an eRead more
Definitely you have to do the info gathering yourself from whatever public facing materials you can find. Definitely more of a generic legal positioned response rather than an understanding trust interaction and addressing your concerns around your VDD.
The only way that you do get the info and an ear to the ground is if you have the size and might and financial concern to them as the requesting entity, and have an account manager that can push for you on the inside to get specific questions or concerns answered.
If anyone has any questions around the best way to configure DPOrganizer and complex relationships scenarios, then definitely speak to Chris Roberts @chrrob on here as he has done some amazing things in this regard recently.
If anyone has any questions around the best way to configure DPOrganizer and complex relationships scenarios, then definitely speak to Chris Roberts Chris Roberts on here as he has done some amazing things in this regard recently.
As an update to this: You may want to have a look at Richard Merrigold (iStorm : Data Protection Diaries) You Tube channel : How to pick the right Privacy Management Software : https://youtu.be/YrXUcSFqflE You may also want to speak to Tash who is very knowledgeable about the options and systems outRead more
As an update to this:
You may want to have a look at Richard Merrigold (iStorm : Data Protection Diaries) You Tube channel :
There are definitely check lists of suggested provisions and clauses that should appear in the Terms of Engagement and specifically the DPA that expands that that stipulate clearly all eventualities from a Data Protection perspective ; both in the instances of expected (normal) and unexpected (excepRead more
There are definitely check lists of suggested provisions and clauses that should appear in the Terms of Engagement and specifically the DPA that expands that that stipulate clearly all eventualities from a Data Protection perspective ; both in the instances of expected (normal) and unexpected (exception) scenarios (Incidents, breaches, take overs, mergers etc).
Couple this with the Vendor Due Diligence processes in on boarding any new parties you intend to engage to ensure all the information that you need to create and validate the detail of the DSA, will ensure that holistically you are covered.
Retention is an area that often trips people up and they find hard to implement. The key to this is actually to remember that retention must be tied to the PURPOSE that the data is being processed for. Once that guiding principle is understood, it becomes obvious that it is not as simple as it may sRead more
Retention is an area that often trips people up and they find hard to implement. The key to this is actually to remember that retention must be tied to the PURPOSE that the data is being processed for. Once that guiding principle is understood, it becomes obvious that it is not as simple as it may seem. You need to consider all the touch points that the data that is being considered under that purpose, is implicated in; systems, access points, legal entities (processors, controllers, joint controllers) etc etc. It will soon become evident that it is difficult to implement a one size fits all approach; fully automated, semi automated, manual as the chances are that it will be a blend of all three. Ideally the ROPA that has been constructed should help in this regard.
Nature of Relationship
Dave_Wylie
This is definitely an area of expertise of @chrrob who specialises in the GDPR implications of sporting institutions and their supply chains !
This is definitely an area of expertise of Chris Roberts who specialises in the GDPR implications of sporting institutions and their supply chains !
See lessNotification of changes to data processors
Dave_Wylie
The time line should be at least as long as it would be required of the controller to be able to undertake and interact with the processor about the new sub-processor of the controller; like reviewing the VDD they have done and any or all of the DPIA's / LIA's etc as part of that exercise so they caRead more
The time line should be at least as long as it would be required of the controller to be able to undertake and interact with the processor about the new sub-processor of the controller; like reviewing the VDD they have done and any or all of the DPIA’s / LIA’s etc as part of that exercise so they can amend their own records and make the decision if they are happy with the risk change.
I have seen time periods in Controller to Processor agreements that vary from a minimum of 30 days to 90 day for changes in processing supply chain scope within the DSA (Data Sharing Agreements)
It also depends how much the Processor (Controller in their own right) has their own house in order with respect to Vendor due diligence and notification to parties that they process on behalf of .. but as you mention they should be taking a risk based approach to the activities of the new processor … more lead time for more risk and sensitive personal data sets .. that are in scope.
Hope that helps.
See lessUnder a FOI request? Please can someone show me in the legislation where the “less than 5” rule applies?
Dave_Wylie
I would suggest pitching this question at Tim Turner of 2040training who is very knowledgeable on all aspects of FOI. Sadly i am not much of an expert in this area. Sorry.
I would suggest pitching this question at Tim Turner of 2040training who is very knowledgeable on all aspects of FOI.
Sadly i am not much of an expert in this area. Sorry.
See lessCan MS Teams Chat be included within a SAR?
Dave_Wylie
Absolutely
Absolutely
See lessGoogle Analytics
Dave_Wylie
.. And definitely don't consider GA and classify as essential cookies .... like a lot of people seem to do ... As i always say to clients... it is not what you as a business think is essential ... :)
.. And definitely don’t consider GA and classify as essential cookies …. like a lot of people seem to do …
As i always say to clients… it is not what you as a business think is essential … 🙂
See lessUS big providers and due dilligence
Dave_Wylie
Definitely you have to do the info gathering yourself from whatever public facing materials you can find. Definitely more of a generic legal positioned response rather than an understanding trust interaction and addressing your concerns around your VDD. The only way that you do get the info and an eRead more
Definitely you have to do the info gathering yourself from whatever public facing materials you can find. Definitely more of a generic legal positioned response rather than an understanding trust interaction and addressing your concerns around your VDD.
The only way that you do get the info and an ear to the ground is if you have the size and might and financial concern to them as the requesting entity, and have an account manager that can push for you on the inside to get specific questions or concerns answered.
See lessHotels and employee personal data
Dave_Wylie
If anyone has any questions around the best way to configure DPOrganizer and complex relationships scenarios, then definitely speak to Chris Roberts @chrrob on here as he has done some amazing things in this regard recently.
If anyone has any questions around the best way to configure DPOrganizer and complex relationships scenarios, then definitely speak to Chris Roberts Chris Roberts on here as he has done some amazing things in this regard recently.
See lessMaster Privacy Management Tool
Dave_Wylie
As an update to this: You may want to have a look at Richard Merrigold (iStorm : Data Protection Diaries) You Tube channel : How to pick the right Privacy Management Software : https://youtu.be/YrXUcSFqflE You may also want to speak to Tash who is very knowledgeable about the options and systems outRead more
As an update to this:
You may want to have a look at Richard Merrigold (iStorm : Data Protection Diaries) You Tube channel :
How to pick the right Privacy Management Software : https://youtu.be/YrXUcSFqflE
You may also want to speak to Tash who is very knowledgeable about the options and systems out there: (https://watercooler.community/profile/tash/)
Hope that helps all
See lessdata processor agreements vs. general information security requirements for suppliers
Dave_Wylie
There are definitely check lists of suggested provisions and clauses that should appear in the Terms of Engagement and specifically the DPA that expands that that stipulate clearly all eventualities from a Data Protection perspective ; both in the instances of expected (normal) and unexpected (excepRead more
There are definitely check lists of suggested provisions and clauses that should appear in the Terms of Engagement and specifically the DPA that expands that that stipulate clearly all eventualities from a Data Protection perspective ; both in the instances of expected (normal) and unexpected (exception) scenarios (Incidents, breaches, take overs, mergers etc).
Couple this with the Vendor Due Diligence processes in on boarding any new parties you intend to engage to ensure all the information that you need to create and validate the detail of the DSA, will ensure that holistically you are covered.
Hope that helps.
See lessWhat is the best way to set up a feasible retention policy?
Dave_Wylie
Retention is an area that often trips people up and they find hard to implement. The key to this is actually to remember that retention must be tied to the PURPOSE that the data is being processed for. Once that guiding principle is understood, it becomes obvious that it is not as simple as it may sRead more
Retention is an area that often trips people up and they find hard to implement. The key to this is actually to remember that retention must be tied to the PURPOSE that the data is being processed for. Once that guiding principle is understood, it becomes obvious that it is not as simple as it may seem. You need to consider all the touch points that the data that is being considered under that purpose, is implicated in; systems, access points, legal entities (processors, controllers, joint controllers) etc etc. It will soon become evident that it is difficult to implement a one size fits all approach; fully automated, semi automated, manual as the chances are that it will be a blend of all three. Ideally the ROPA that has been constructed should help in this regard.
See less