Inventory of processing activities and retention schedule
Do you have generic lists with 1) the most commonly used processing activities (i.e. for the processing inventory) and 2) general documents for the retention schedule? I had hoped these two documents in particular came pre-populated so that they would be easy to adapt by deleting non-relevant items and adding company-specific ones.
Data retention policy
The template for the data retention policy and schedule seems to cover all types of documents and information in the company. Is that necessary according to the GDPR, or is it only necessary to have a policy and retention schedule for documents containing personal data? Managing all documents seems to be a significantly larger task than managing only those with personal data?
GDPR Documentation Requirements
I am determining the critical path for our company at this time and reviewing the related documentation. As I understand it, based on reviewing the EU GDPR Documentation Toolkit, our critical path would include only those items that are in the column "Mandatory according to GDPR" on the documentation toolkit list. Can you please confirm whether this is a good approach?
Applicability of GDPR
We have very few customers in Europe, and we would like to know whether the GDPR is applicable to us. We operate from India and have no offices in Europe. Based on the applicability, we would like to decide how to proceed.
Storing backup and server image data
What are my obligations, given that I don't know the exact content of the data, and what type of clause should I include in a contract?
Implementation of the EU GDPR
Implementation of the new EU GDPR standard: where are the "quick wins" to be realized? What is the best way to approach the project? Is external help necessary? In what time period can the project realistically be finished?
EU GDPR courses
I want help in becoming a GDPR expert, in the same way that there are Lead Auditors for ISO standards, so that I can offer such services in my portfolio, as I am working as an ICT consultant.
As it relates to data processing for a data subject under the age of 16, does the GDPR require specific/implicit parental consent in a case where that child is listed by the parent(s) as a beneficiary of an insurance policy, investment, etc.?
Does the GDPR require that a company be certified under a particular security framework like ISO 27001, NIST, etc. to be considered GDPR compliant? Or can a company still be GDPR compliant if it follows the standards set by those frameworks but is not actually officially certified under them?
Is there a recommendation on how to properly secure data that has been pseudonymized? For example, if not using encryption, is having the "real" data separated from the pseudonymized data by a firewall and restricted access control considered an acceptable security measure? Bottom line, what is considered "appropriate technical security measures" when it comes to pseudonymization?