Implementation of the new EU GDPR standard. Where are the "quick wins" to realize? How do you approach the project in the best way? Is external help necessary? In what time period can the project realistically be finished?
EU GDPR courses
I want help in becoming a GDPR expert, in the way that there are Lead Auditors for ISO standards, so that I can offer such services in my portfolio, as I am working as an ICT consultant.
Parental consent
As it relates to the data processing for a data subject under the age of 16, does the GDPR require specific/implicit parental consent in a case where that child is listed by the parent(s) as a beneficiary to an insurance policy, investment, etc.?
Security Framework
Does GDPR require that a company be certified under a particular security framework like ISO 27001, NIST, etc. to be considered GDPR compliant? Or, can a company still be GDPR compliant if they follow the standards set by those frameworks but not actually be officially certified by that framework?
Pseudonymization
Is there a recommendation on how to properly secure data that’s been pseudonymized? For example, if not using encryption, is having the “real” data separated by a firewall and restricted access control from the pseudonymized data considered an acceptable security measure? Bottom line, what is considered “appropriate technical security measures” when it comes to pseudonymization?
Consent required
Where a company has an existing mailing list for emails, is consent required? If they're already doing business with the company, is consent required? Is consent required before sending an initial email?
Documents to be produced
So in the toolkit, in document 01.2, there is a (long) list of documents to be produced during the project.
Should all documents be produced in every situation? E.g. are they all relevant for a SaaS software developer which is basically only a data processor and not a data controller?
Data Subject Access Form
I have bought the GDPR toolkit. Which document(s) cover the data subject's right to be forgotten / right to erasure?
Security policy
I have a technical question about the documents. In document 7.2 ANNEX 2 1a, "Processor must document a security policy", what document is the "security policy"? I cannot find a document with this name.
Legal grounds
Help me identify the following: Which legal grounds are available besides the legitimate interests of business?