Frequently Asked Questions

Have you collected and stored the appropriate and necessary consent of the Data Subject?
  • For data processing
  • For data storage
  • To facilitate data-subject rights
  • To know if a breach has occurred
  • While ensuring that withdrawal of consent is as easy as giving it
  Corporations can only use the data for purposes that are:
  • pre-defined
  • explicit
  • agreed to in full by the individual in advance

Have you informed the Data Subject?
  • Why we need the data specified
  • All processing that will be enacted upon it
  • When we will destroy the data or seek renewed consent for it
  • Where we sourced the data
  • Precisely with whom we will send or 'share' the data
  • About their rights of access and how to exercise them

Even if we [the controller] control the Processor, we probably need to ask (Article 28):
  • Do we have a 'written contract' with the processing organisation?
  • Does the contract precisely state what the processing consists of?
  • Do we completely understand the Processor's data storage arrangements?
  • Do we have a copy of the Processor's approved code of conduct?
  • Do we permit the Processor to make any decisions at all in managing the data?

Is the data Controller exercising control from outside the EU? (Articles 26, 27)
  • In which country or countries are the EU-designated Controller(s) located?
  • What is their relationship with the external Controller?
  • What is their relationship with the Data Subjects?

Do we have processes in place to ensure that (Articles 24, 25):
  • We can show how we protect the rights of data subjects
  • We can show that only personal data which are necessary for each specific purpose of the processing are processed
  • We can show how this applies to the amount of personal data collected and the extent of their processing
  • We can justify the period of their storage and the data accessibility

Have you informed the Data Subject?
  • Of their different rights to "object" in various ways to, or to prevent, our different types of processing, and the automated or other methods available to them to exercise these rights
  • Of the right to be excluded from profiling, and how
  • How to secure human attention to their concerns
  • If any limitations to their rights apply

Do we have processes in place to ensure that (Articles 24, 25):
  • We can show that we have moved our processes in line with IT's evolution
  • We can show we have dynamic processes in place to track the state of the art and modify our processing accordingly
  • We can show that we implement data-protection principles, such as data minimisation, in an effective manner
  • We can show how we integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR
  • We can demonstrate an appropriate set of policies
The GDPR affects every company in Europe and every company that trades or communicates personal data, directly or indirectly, with Europe. Lawyers, IT staff and management must all learn new disciplines. Data-flow processes need to be completely understood, defensible, self-disciplining and regulator-proof.