GDPR | eIDAS Requirements and Roadmap

icon picker
GDPR Checklist

These are all high-level items that are required or recommended to roll out in the E.U. or areas where GDPR is prevalent.
Last edited 29 days ago by Jamie Heindl

Principles:

Lawfulness, fairness and transparency.
Purpose limitation.
Data minimization
Accuracy
Storage limitations
Integrity and Confidentiality
Accountability.
image.png

Resources:

Useful Resource:

Trust Service Providers:

Checklist:

Item
Notes
Required
Expected
Suggested
Needs Review
Implemented
1

Legal and Regulatory Compliance







2
Record of Processing Activities (ROPA) documentation (Data Mapping and other processes for website, product and resource centers, etc.)
Should include all activities from the time the data is acquired through deletion. Includes what categories of data are processed, legal basis, how, why, where data is transferred and retention policies.





3
Data Protection Impact Assessment (DPIA)





4
Data Retention Policy





5
International Data Transfer (Standard Contractual Clauses, Binding Corporate Rules, etc.)





6
Security Audit Protocols Plan





7
Data Breach Response Plan





8
Develop and Implement Cybersecurity Policy
is the authority on this. This is very important considering the remote work environment.





9
Employee Training and Awareness Documentation and Plan





10
Establish confidentiality and access privilege protocols (need to know) access rights to housed data.





11

Data Privacy and Security (Website and Product)

12
GDPR Compliant Privacy Policy





13
Cookie Declaration





14
Explicit Consent for data collection on web and product





15
Data Portability Process





16
Cybersecurity threat analysis





17

Organizational and Staffing

18
Appoint a Data Protection Officer
Contingent on several factors - I believe if we intend on doing things as basic as marketing retargeting or tracking product behaviors we will fall into the "required" category. This needs to be vetted by someone who understand the finer details of this requirement.





19
Legal Advisor (Regional)
This person could also be the DPO





20
Requirements for local staffing?





21





22

Technology and Infrastructure

23
Consent Management and Cookie Banner
Website and Product





24
Method to notify and require acceptance of changes to policies, cookies, etc.
Website and Product





25
Data Center Locations





26
TLS Certificate (or SSL but TLS likely preferred)





27
Right to be Forgotten Implementation





28
Data Erasure Request Process (Support stations and Product)





29
User Data Encryption in transit and at rest
See Art. 32 GDPR Security of Processing





30
Establish ongoing testing schedules for security, processes, services and systems.





31
Simple Electronic Signature





32
Advanced Electronic Signature (AdES)
(See Detailed Requirements Here)
uniquely linked to and capable of identifying the signatory; created in a way that allows the signatory to retain control; linked to the document in a way that any subsequent change of the data is detectable. The most commonly used technology able to provide these features is the use of a public-key infrastructure (PKI), which involves the use of certificates and cryptographic keys





33
Qualified Electronic Signature (QES)
(See Detailed Requirements Here)
created by a qualified signature creation device; and is based on a qualified certificate for electronic signatures.





34





35

Contractual and Partner Management

36
Data Processing Agreements (as applicable) (PSPDFKit, FreshDesk/Sales, Sendgrid, etc.)





37





38

Risk Management and Insurance

39
Data Brach Protocols





40
Security Audit Protocols





41





42

Marketing and Customer Relations

43
Data Subject Request Handling
Product and Web





44





45

Financial Planning and Management

46
Establish Bank Accounts





47





48





There are no rows in this table
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.