Author name: Mark Roebuck


Contract Addendum

A contract addendum may be required if a data processor contract does not contain all of the required data protection contractual clauses which are stated in the GDPR. This will be required in order to remain compliant with the regulation.  Where a compliant contract does not exist it is recommended that a contract addendum is […]


Codes of Conduct

Codes of conduct will be used by an industry body to undertake a procedure which is standardised and has controls built in. They must include safeguards which protect the rights of the data subject and must be approved by the relevant supervisory authority. Codes of Conduct for International Data Transfer Code Transferring data internationally requires either the


Certification Mechanisms

Certification mechanisms will enable organisations to demonstrate compliance to other organisations through the use of data protection seals or marks.  They might also demonstrate the existence of appropriate safeguards for practices required under data protection regulation, such as international data transfers. Certification mechanisms must remain voluntary and by their nature, will be a measure based


Binding Corporate Rules

Binding corporate rules (BCR) are internal rules for international data transfers within multinational companies.  An important distinction is that BCR are put in place between linked companies, for example subsidiaries in different countries, rather than through a commercial contract, which would instead be protected by standard contractual clauses. They are similar to a code of conduct. They


Adequate Countries

Adequate countries are those countries which the European Commission has determined have data protection rules in line with the GDPR. The Commission decides whether a country outside the EU offers an adequate level of data protection. The effect of such a decision is that personal data can flow from the EU to that ‘third country’


Personal Data Breach

A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.  The most important aspect for any colleague to understand is that if they encounter what they believe to be a breach then


Pseudonymisation

Pseudonymisation can be defined as “personal data which is rendered less likely to lead to the identification of the data subject without the use of additional information”. Therefore, as long as such additional information is kept separately, pseudonymisation offers some level of additional protection of the data. An example of weak pseudonymisation might include a


Encryption

Encryption is the process of encoding a message or information in such a way that only authorised parties can access it and those who are not authorised cannot. Authorisation is often provided in the form of an alphanumerical decryption key, which can be of different lengths, often measured in ‘bits’. A 256-bit encryption key


Data Retention

Data retention and data management are a core strategy for meeting the minimisation principle, as personal data should be retained only for as long as it is necessary. This means you will need to retain data whilst it is required for the processing you need it for, but it also means that you might
