September 2021 – Page 2 – Privacy Design®

(in French)
https://www.cnil.fr/fr/la-cnil-propose-une-autoevaluation-de-maturite-en-gestion-de-la-protection-des-donnees

(also has additional information to go deeper)

and tool download at
https://www.cnil.fr/sites/default/files/atoms/files/auto-evaluation_de_maturite_en_gestion_de_la_protection_des_donnees.pdf

Key activities:

Define and implement data protection procedures
- Definition, updating and communication of general policies and procedures relating to the management of personal data and the protection of privacy (charter of use of the information system, standard contractual clauses, etc.), verification of their application and triggering of any measures planned in the event of a breach.
  - Definition by the legal department, risk department or information systems department, verification via internal control processes.
    - 1 Informal practice
      - Some good practices are occasionally implemented (eg minimizing the collection or erasing obsolete data, information notices).
    - 2 Practice repeatable and followed
      - Documents relating to data protection (good practices, rules, examples, etc.) are shared. There is documentation (eg: charter for the use of IT resources) including rules relating to data protection.
    - 3 defined process
      - Formal documentation (eg: data protection policy), approved by the management committee, is communicated to all staff. Procedures are formalized and sent to all staff. The rules are applied.
    - 4 Controlled process
      - An annual review of policies and procedures is carried out. Indicators are produced (eg: on the implementation of rules, on the difficulties encountered, on their effectiveness, etc.).
    - 5 Continuously optimized process
      - Policies and procedures are updated as soon as a possible improvement is identified.

Steering data protection governance

Definition, implementation, implementation, communication and improvement of the data protection strategy within the organization (governance, roles and responsibilities, including those of the data protection officer – DPO).
- General management of the company and, depending on the organization, management and implementation by the legal department, the risk department or the information systems department.
  - 1 Informal practice
    - Skills relating to protection of data are identified within of the organization (ex : Legal Department) and exploited punctually.
  - 2 Practice repeatable and followed
    - A manager of questions relating to protection of data loaded especially interactions with persons concerned (mail, etc.), is identified.
  - 3 defined process
    - A delegate to the Data protection is appointed to the national authority of Data protection personal (with a job description or engagement letter formal and known to the staff), a organization is set place and roles and responsibilities are defined
  - 4 Controlled process
    - The delegate to the protection of data takes stock annual of its actions to the leaders of the body (especially the (s) responsible for treatments).
  - 5 Continuously optimized process
    - Means are regularly allocated to implement eye action plans the balance sheet of the delegate data protection and ensure that they are implemented work and their continuous improvement.

Identify and update the list of treatments

Identification and updating of the inventory of personal data processing, data and the data flows associated with them.
- Data Protection Officer (DPO)
  - 1 Informal practice
    - The services are able to identify the treatments data personal that they implement.
  - 2 Practice repeatable and followed
    - Treatments personal data are identified and / or signaled in a way centralized.
  - 3 defined process
    - A register of activities treatment, compliant to the GDPR, is required.
  - 4 Controlled process
    - Completeness and registry quality are regularly verified.
  - 5 Continuously optimized process
    - The register serves of piloting instrument actions relating to data processing personal (e.g .: it serves census, but also an instrument of comparative management of risks and monitoring action plans).

Ensure legal compliance of processing

Assessment of existing or planned processing of personal data with regard to legal and regulatory obligations in terms of data protection (proportionality and necessity, as well as individual rights), determination of measures to improve compliance (including standard contractual clauses) , advice to the data controller and verification of the implementation of the planned measures.
- Relevant business departments, legal department, purchasing department, DPO, information systems security manager (CISO), project teams
  - 1 Informal practice
    - An information to people (ex : Legal Notice) is made on main places of collection of data personal (ex: website, forms).
  - 2 Practice repeatable and followed
    - For each treatment legal notices are carried out and a study principles fundamentals (proportionality, necessity and rights of people) is conducted. The contractual clauses are assessed and include a part relating to protection of data.
  - 3 defined process
    - Model clauses for contracts with subcontractors are formalized and used. Impact analyzes relating to protection data is carried out on likely treatments generate risks raised on people, in collaboration with departments concerned and the person in charge of Data protection.
  - 4 Controlled process
    - The planned measures are verified. Regular reviews legal notices and clauses contractual are scheduled and carried out. The quality of the analyzes of impact relating to protection of data is evaluated by indicators. Action plans (eg: in the event of non-compliance with a treatment) are created and implemented.
  - 5 Continuously optimized process
    - Data protection is taken into account from the initiation of projects, in collaboration with the delegate for the protection of data. The improvements possible are regularly studied. Legal watch and technique is carried out. From analyzes are produced and disseminated.

Train and raise awareness

Dissemination of knowledge and creation or strengthening of internal skills concerning data protection. Note: the training / awareness sessions must ensure that staff are familiar with the data protection policy.
- DPO, human resources department, communication department.
  - 1 Informal practice
    - Some collaborators are aware of the protection of data.
  - 2 Practice repeatable and followed
    - The staff are trained to identify and transmit the subjects related to the protection of personal data in charge (e.g .: requests from persons concerned, from the authority of control, new treatments, etc.).
  - 3 defined process
    - Awareness sessions are regularly organized for the staff.
  - 4 Controlled process
    - Indicators measure qualitatively and quantitatively the understanding of subjects related to protection of data (e.g .: survey, annual questionnaire, etc.).
  - 5 Continuously optimized process
    - Training or information sessions iare regularly offered on news technologies or issues relating to data protection.

Process requests from internal and external users

Definition, implementation, implementation and communication of the means allowing the management of requests to exercise the rights of data subjects (e.g. requests for the right of access), complaints and other internal and external claims concerning data protection .
- DPO
  - 1 Informal practice
    - Requests from users are managed on a case-by-case basis case.
  - 2 Practice repeatable and followed
    - Standard letters are created (e.g .: from models of the CNIL) to answer to requests regularly carried out.
  - 3 defined process
    - Typical responses to requests to exercise rights and questions are created and used. A procedure management of requests of exercise of rights is defined and communicated to staff. a contact form is set up on the site internet and all queries are centralized.
  - 4 Controlled process
    - The person in charge protection of data is systematically informed of each demands concerning the rights of people. Requests exercise of rights are the subject indicators that appear in the Annual Review.
  - 5 Continuously optimized process
    - The management process exercise requests rights and tools on which he rests make regularly the object improvements.

Manage security risks

Assessment of the security risks that the processing of personal data is likely to generate on the persons concerned, determination of measures contributing to the processing of them (including standard contractual clauses) and verification of the implementation of the planned measures.
- Relevant business departments, legal department, purchasing department, DPO, information systems security manager (RSSI), project teams.
  - 1 Informal practice
    - Measures of security elementary are put in place (e.g .: authorizations, securing personal work places, etc.).
  - 2 Practice repeatable and followed
    - Repositories are used to choose and set up security measures (ex .: Safety guide Datas personal of the CNIL, policy of internal security, etc.).
  - 3 defined process
    - Impact analyzes relating to protection data (DPIA) include a study security risks. One method is used to appreciate the risks of likely treatments generate risks high on people concerned and treat them so proportionate. Risk studies are the subject of plans action.
  - 4 Controlled process
    - The implementation of action plans is verified in terms effectiveness and efficiency. Residual risks are followed by indicators.
  - 5 Continuously optimized process
    - Risk studies and action plans are the subject of an annual review. An active watch is carried out on vulnerabilities related to data carriers and corrective actions are taken in the event of an impact on the system of information.

Manage data breaches

Identification, qualification, resolution of personal data breaches, notifications to data protection authorities and communication to data subjects, keeping a register of breaches.
- DPO, relevant business departments, risk department, information systems department, communications department, entities responsible for incident management and crisis management
  - 1 Informal practice
    - Incidents are reported. Corrective measures are sometimes taken. A breach notification is sometimes performed with the CNIL.
  - 2 Practice repeatable and followed
    - The management of incidents, setting work in a way centralized, includes data breaches. Corrective measurements are systematically implemented. A communication to people whose data were subject to a breach that can result in a high risk is planned.
  - 3 defined process
    - A data breach management procedure is formalized and implements a systematic approach. All data breaches are entered in a dedicated register. Following a data breach, an action plan is defined in order to reduce the risk that the breach would happen again.
  - 4 Controlled process
    - The implementation of corrective actions is verified. The follow-up to data breaches is monitored and communicated (e.g .: in the annual report).
  - 5 Continuously optimized process
    - A report on violations is regularly carried out in order identify and put implementing measures to improve the data security. The data breach management provides input to risk studies (e.g .: DPIA). Automatic monitoring systems allow the prompt detection of breaches.

Month: September 2021

Switzerland (Sep 2021): Report on the US CLOUD Act (in German)

A primer: homomorphic encryption vs. hardware enclaves

Spain/AEPD – Report on Data breach notifications received in August 2021

Singapore – Guide to Data Protection Impact Assessments (DPIA)

Quantum Computing and Post-Quantum Cryptography

France/CNIL: Privacy maturity model (with self-assessment)

Belgium – Court case of use of BYOK when processing personal data at AWS in EU

Article: What can you do with a stolen laptop? (by passing bitlocker without pre-boot authentication

David Rosenthal’s Transfer Impact Assessment (TIA) Template (for SCC)

UK (ICO) – Situation with new EU SCC (August 2021) .. as not recognized by UK