I realise, this braindump will never be finished, so come back once in a while to check for updates. Work in progress…
But let’s turn around the thing a bit, you certainly must have smart ideas or articles on GDPR for starters that belong on this list! Let me know and I’ll add it to the list.
Of course, with the proper credits!
DISCLAIMER: These resources are provided / authored by different people, companies, vendors, each of them copyrighted by the original owner.
The resources below are just a collection or interesting documentation, need to have, without any preference or commercial interest for any party.
Table of contents
First of all, before you start with GDPR you must have read the GDPR text.
It’s not as bad (you mean: legalese) as you might suspect.
GDPR official text
You might want to have it a bit more condensed to start.
Vocabulary / Grammar
Do not get confused: European Council vs Council of the European Union vs Council of Europe
More info at:
GDPR Table of contents
Once you get through the legal texts… you’ll quickly understand that the GDPR text itself at least lacks 1 important thing: A table of contents (TOC).
This TOC by Intersoft Consulting might help: bookmark https://gdpr-info.eu/
It provides a nice overview of the GDPR Recitals (= reasons the articles of the GDPR have been adopted).
There are 173 recitals, the and the TOC provides a quick topic overview at https://gdpr-info.eu/recitals/.
Also the site provides an overview of the GDPR structure
- 11 Chapters
- Sections per chapter
- 99 Articles (spread over sections / chapters
GDPR Adequacy decisions
Working Party 29
“The composition and purpose of Art. 29 WP was set out in Article 29 of the Data Protection Directive, and it was launched in 1996.”
The European Data Protection Board (EDPB) will replace the Article 29 Working Party under the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
Newsroom overview: http://ec.europa.eu/newsroom/article29/news.cfm
WP 29 Advisory
The Article 29 Working Party Issues Final Guidelines on Data Protection Officers (“DPO”) is available here.
- Bird & Bird article, explaining
- Accountability means that DPO assessments need to be kept up-to-date and can be requested at anytime
- No “a la carte” DPO appointments
- Big data now an example of ‘regular and systematic monitoring’
- Preferably, the DPO should be located within this EU
- There can only be one DPO, but supported by a team
- Duty to ensure the confidentiality of communications between the DPO and employees
- Senior managers including Head of HR, Marketing or IT individuals are barred from serving as the DPO
- The GDPR does not prevent the DPO from maintaining records of processing
- For a redline comparison with the earlier draft, click here.
ISO Standards related to GDPR
ISO29100 (Privacy Framework)
PIA: ISO 29134
ISO27001 (Information Security)
Mandatory ISO27001 documents: ISMS mandatory documentation checklist
Mapping GDPR to ISO27001 schema
Implementing GDPR with ISO27001
GDPR at a glance
https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf (Credits for ).
Data access request
As published on LinkedIn: The Nightmare Letter: A Subject Access Request under GDPR (By: Constantine Karbaliotis)
You can download the docx Word version in EN (here) and in NL translated version (here).
Monarc – Risk Assessment: http://Monarc.lu
CNIL – DPIA Tool
CNIL guides for PIA: https://www.cnil.fr/en/PIA-privacy-impact-assessment-en
Have a look what Jonas Holdensen has published, a marvelous sheet to provide a visualization on GDPR.
Also he has provided a nice overview on the DPO requirements & tasks under GDPR.
If you prefer the file in pdf or word, then download the file here: www.kortlink.dk/rhpx
GDPR Privacy Courses (work in progress)
And some more