EDPS: Guidelines on the protection of personal data processed through web services provided by EU institutions (Nov 2016)

https://edps.europa.eu/sites/edp/files/publication/16-11-07_guidelines_web_services_en.pdf

Also includes interesting links to other EU papers (e.g. on cloud).
Sadly from Nov 2016, so written with the GDPR in mind but before it was in force.

Covered technologies include:

  • Cookies
  • Scripts (e.g. JavaScript code) and components (such as browser plugins) to be executed on the client side
  • Web caching mechanisms
  • HTML5 local storage
  • “Device fingerprinting”
  • “Canvas fingerprinting” and “Evercookies”
  • Web beacons

GDPR certification criteria from Luxembourg

https://cnpd.public.lu/dam-assets/fr/actualites/national/2018/GDPR-CARPA-Criteria-v10.pdf

“This document was prepared by the Commission Nationale Pour la Protection des Données (‘CNPD’) in collaboration with representatives from the audit profession. It contains the criteria for the “GDPR-CARPA” certification mechanism. This document should be read in conjunction with the “GDPR-CARPA” certification mechanism document. These certification criteria are a mandatory requirement to evaluate and report on controls over organizational and technical data protection measures, to be eligible for certification. Evaluation and reporting needs to follow the ISAE 3000 standard. Certification can only be granted by certification bodies that have been accredited by CNPD.”

State of the art – Guidelines by ENISA and TeleTrusT

ENISA and TeleTrusT – IT Security Association Germany have published their guidelines in English.

“The document published on the “state of the art” in IT security provides concrete advice and recommendations for action. These guidelines are intended to provide companies, providers (manufacturers, service providers) alike with assistance in determining the “state of the art” within the meaning of the IT security legislation. The document can serve as a reference for contractual agreements, procurement procedures or the classification of security measures implemented. They are not a replacement for technical, organisational or legal advice or assessment in individual cases.”

https://www.enisa.europa.eu/news/enisa-news/what-is-state-of-the-art-in-it-security

CNIL guide 2018 – “Security of Personal Data”

In English; chapters include:

  • Raising user awareness
  • Authenticating users
  • Access Management
  • Logging access and managing incidents
  • Securing workstations
  • Securing mobile data processing
  • Protecting the internal network
  • Securing servers
  • Securing websites
  • Ensuring continuity
  • Archiving securely
  • Supervising maintenance and data destruction
  • Managing data processors
  • Securing exchanges with other organisations
  • Physical security
  • Supervising software development
  • Encrypting, guaranteeing integrity and signing
  • Assess the security level of the personal data in your organisation

https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle_gb_web.pdf