GDPR requirements

Guest user Created:   May 29, 2018 Last commented:   May 29, 2018

1. Is it enough to fill in the “1.2_project plan” document for the moment until I finish the others? Or was it necessary to fill in ALL the documents until the 25th?

Expert
Andrei Hanganu May 29, 2018

2. Is it mandatory to nominate the DPO? If negative, which are the cases?
Is every past privacy policy signed by my customers now null? Or do they have some kind of validity?
3. Is it necessary that every software we use logs every access to the DB and every action we do? (I ask this because we’re using some software that definitely doesn’t do that…)
4. Is there any documentation or guideline about the technical specifications of the software’s database (I mean the software used that contains private data) like cryptography or others?

Answers:

1. The “project plan” is just a document to help you keep track of the documents that need to be drafted, published and implemented, as well as the responsible persons within the organization that need to take care of this. It is not mandatory to have, and it can be filled in later on, or you can choose not to use it whatsoever.
2. The appointment of a DPO is mandatory under the EU GDPR only if:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or
- the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the legal entity consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
3. Not necessarily; it most likely will need to be updated to be consistent with the new EU GDPR requirements, such as the need to mention the retention period pursuant to your processing activities and the new data subject rights such as the “right to data portability”. Article 13 of the EU GDPR - “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) as well as Article 14 – “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/) list the information you need to put in your privacy notice/policy.
4. You would need to ensure some sort of tracking of the activities that are performed upon a personal database in order to ensure the “resilience of processing systems” as per EU GDPR Article 32 - Security of processing (https://advisera.com/eugdpracademy/gdpr/security-of-processing/). It is not necessary that all actions are logged, but some degree of logging would be required.
5. The EU GDPR does not require a specific set of technical and organizational measures but just requires them to be “appropriate” and mentions “pseudonymisation and encryption” as examples of such security measures. So, it is up to you to establish the security measures which are suited, taking into account the personal data that is in your database as well as the purpose of the processing.

To learn more about security measures check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
