Thursday 28 September 2017

The GDPR: Can your organisation monitor employees’ personal communications?
Author: Luke Irwin, published 27th September 2017 (Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.)
The full text of the article is at: http://tinyurl.com/yaw6z6hm
Quoting from the text:
"On 5 September, the highest body of the European Court of Human Rights (ECHR) restricted employers’ power to monitor the private messages of their employees. The ruling overturns a lower court’s decision to back an organisation that sacked one of its employees for using an instant messaging app for personal reasons.
- So what’s allowed?
The ECHR’s ruling doesn’t ban workplace monitoring altogether, but it sets very clear guidelines on the extent to which, and when, monitoring is allowed and on organisations’ requirements for doing so....
As private communication meets the definition of personal data (as described in Article 4 of the GDPR), organisations must prove that they have a lawful ground to collect and monitor this information.
- Keeping it legal
Organisations’ monitoring policies should form part of their information security management system (ISMS), the best practice for which is described in ISO 27001....
- GDPR training
Although you probably have a team preparing your organisation for the GDPR, everyone in your organisation who handles personal data also needs to know their obligations...."

Wednesday 27 September 2017

GDPR AND SECURITY PRODUCTS FOR DATA PROTECTION
The text of the talk is on the eGoverment.cz portal
Speaker: Jan Strnad, Presales Engineer, McAfee
The talk is promotional in nature, but it contains a number of valuable methodological points.
Contents of the talk:
What GDPR is
Which data the GDPR regulation applies to
What a GDPR implementation should look like in a real environment
Digital transformation and GDPR
Data protection and GDPR
What to consider when designing IT security in connection with GDPR
What tools does McAfee offer for protecting personal data?
Comprehensive data protection with McAfee products
Personal data as defined by GDPR
Which data the GDPR regulation applies to
Data classification in a DLP system
Manual data classification by the user
Controlling and monitoring user activity with a DLP system
Data protection in the cloud
Device Control
Device Control - device definition
Hard Drive Encryption prevents data loss
McAfee File & Removable Media Protection
Proactive data protection with TIE technology integration
McAfee Database Security



How to approach GDPR

The text is part of an extensive (33-page) document published on the egoverment.cz portal under the title "Jak se poprat nejen s GDPR a eGovernmentem" (How to tackle GDPR and eGovernment).
Authors: Ing. Václav Koudele, Microsoft, and JUDr. Kateřina Černá
The text is at: http://tinyurl.com/ycgf4plz
Recommended procedure for approaching GDPR
1 Map - Find out what personal data you have and where it is located
2 Manage - Decide how personal data is used and who is granted access to it
3 Protect - Put security measures in place to prevent, detect and respond to security incidents
4 Document - Keep the required documentation, including requests relating to the management of personal data and cases of security breaches.

Monday 25 September 2017

The GDPR: Planning Ahead
Hugh James Solicitors - "lexology.com" - http://tinyurl.com/y7ml9vz3
"The Information Commissioner’s Office has produced a 12 step checklist which highlights the key steps businesses must take now, at the eight month and counting stage. This is a summary of those 12 steps (together with recommended action points; see the full text):
The 12 Steps:
1. Awareness 
2. Information you hold 
3. Communicating privacy information 
4. Individuals’ rights - review and revise
5. Subject access requests 
6. Legal basis for processing personal data 
7. Consent 
8. Children - review
9. Data breaches 
10. Data protection by design and data protection impact assessments 
11. Data protection officers (‘DPO’)
12. International 

We will have to wait a little longer for guidance on the GDPR

On 25 September 2017 the Hospodářské noviny portal published an article by Jaroslav Kramer, editor-in-chief of the professional monthly Právní rádce.
The article is at: http://tinyurl.com/yaznw4ss

Quoting from the text of the article:
"Companies are working out how to correctly interpret the individual provisions of the new European regulation on personal data protection.
The body that will provide "clearer" guidance is the Brussels advisory group WP29 (the Article 29 Working Party). Most of the key provisions are still waiting for their interpretation, and the group is not expected to publish its draft until October.
Most companies preparing for the new European regulation on personal data protection, the so-called GDPR, will sooner or later run into a key question: how should the individual provisions of the regulation be interpreted? Without clear and verified instructions they cannot answer that question with a clear conscience. Without recommendations in the form of interpretive opinions, many companies cannot, for example, finish preparing their client documentation, internal rules, or the necessary training and system updates."
Quoting from the conclusion:
"Of the places that could help companies with interpretation, only one in fact remains: the Office for Personal Data Protection (ÚOOÚ). It is the main Czech liaison to the WP29 working group and publishes its outputs in Czech on an ongoing basis. Let us be patient with the Office."
Addendum:
HOSPODÁŘSKÉ NOVINY SERIES ON GDPR DATA PROTECTION
27 September - Data protection officers from A to Z
4 October - Inspiration from abroad
11 October - How to handle consent?

GDPR personal data protection on the "lepsi-reseni.cz" server

This post refers to the server "lepsi-reseni.cz", operated by "Asociace za lepší ICT řešení s.r.o.". The server provides basic information on the GDPR in Czech.
The text relating to the title of this post is at: http://tinyurl.com/y753srub
Quoting from the introduction:
"Personal data protected by law is any non-public data that can be attributed to a specific person by means of:
- name, address, birth number or date of birth
- document numbers: ID card, passport, driving licence
- electronic data (IP address, cookies, location data)
The regulation also applies to the automated processing of personal data contained in a filing system or intended to be included in one. The law defines a group of especially sensitive personal data. The GDPR places special requirements on the creation of profiles of EU citizens that allow their manual or automated evaluation (scoring). We present the GDPR regulation, with commentary, below."
Topics covered on the "lepsi-reseni.cz" server
- What must a company do under the GDPR regulation?
- The GDPR regulation and information systems
- Full text of the GDPR in Czech
- The GDPR regulation - questions and answers
- Guidelines on data portability
- DPO - data protection officer
- Do we have to appoint a data protection officer (DPO)? When is neglecting personal data protection a criminal offence?
- Which situations does the GDPR not apply to?
Links to further resources on the server:
- GDPR-ready suppliers
- An overview of ICT suppliers who can help you implement the GDPR, and a list of information systems that have the required functionality.
- On-line audit: GDPR yes/no
Is our organisation obliged to implement the requirements of the European personal data protection regulation in full? Find out with this on-line audit.
- On-site audit: GDPR requirements
What does the new European personal data protection regulation, the GDPR, mean for our organisation? This audit gives you a detailed list of answers.
- GDPR certification
European certification of an organisation's full compliance with the new European personal data protection regulation, the GDPR. Assurance for owners, directors and customers.

Sunday 24 September 2017

With GDPR looming, Equifax data breach is especially troubling

On 12 September 2017 Ankur Laroia published an article entitled "With GDPR looming, Equifax data breach is especially troubling". You can find it on the "information-management.com" server at: http://tinyurl.com/y8ckcgnk
Quoting from the article: "The recently-revealed Equifax data breach impacts 143 million people, and with the General Data Protection Regulation set to take effect in only seven months, this is not good news."
"The theft and/or compromising of vital information is becoming a fairly common phenomenon. This tends to be a two-pronged issue: there are threats from outside the company and there are also rogue actors lurking within the organization’s firewalls."
"With the advent of outsourcing and offshoring, data theft/data compromise are existing risks that organizations must mitigate against. The challenges they face relate to the increasing amount of data (the 3Vs – Volume, Variety and Velocity) that proliferate across systems across the globe."
Quoting from the conclusion of the article: "In my view, companies must adopt good information management practices along with modern technologies and platforms to effectively thwart bad actors. The way to achieve that is to identify, inventory, curate and manage sensitive data through its lifecycle using modern, open platforms."

GDPR: What a Data Protection Impact Assessment is and isn’t

On 21 September 2017 Rebecca Herold published an article on the "information-management.com" server at http://tinyurl.com/y92phogz in which she refutes three misconceptions about what does and does not satisfy the GDPR requirements.
Cituji z textu článku: "One case in point is performing a GDPR compliant data protection impact assessment (DPIA). I’ve heard and read a variety of statements made about DPIAs over the past several months, and I want to correct and clarify a few of the ones that I’ve heard that have been especially of concern."
3 misconceptions:
1. “I’ve already done a privacy impact assessment (PIA), so I’ve got the GDPR DPIA requirement already taken care of!”
2. “Our lawyers told us it was a legal activity, and that IT, privacy and information security folks don’t need to bother with worrying about doing a DPIA.”
3. “I got a free 10-question GDPR readiness checklist from the Internet, so I’ll use that for my DPIA.”
Quoting from the conclusion of the article:
"To the specific point of performing a DPIA, I recommend that organizations use a framework that not only addresses and meets the GDPR requirements, but can also meet other requirements for performing other types of privacy impact assessments. I’ve created a PIA framework, based upon the ISACA Privacy Principles, which consolidates similar privacy principle requirements and topics into the 14 ISACA Privacy Principles, and maps all the DPIA requirements within them, in addition to those DPIA questions also mapping to other standards, frameworks and regulatory data protection requirements."

3 key steps to vet cloud services for GDPR compliance

By Robert Cruz - published on the "information-management.com" server, September 19 2017, 6:30am EDT.
The article is at: http://tinyurl.com/yaerh6ar
Quoting from the article: "Vetting the ability of service providers to comply with GDPR before engaging them is a great way to get a jump start on ensuring a company’s entire compendium of data is up to scratch"
Paragraph headings:
Getting your own house in order isn’t enough
"One of the most discussed provisions of GDPR is Article 17 – Right to Erasure – commonly referred to as the “right to be forgotten.” Under this requirement, individuals have the right to have personal data erased and to prevent processing in specific circumstances."
How to vet your cloud service providers
"The key indicators your cloud services are ready for GDPR:
1. Nitty gritty details are a good sign.
2. EU Citizen Data should be easily identifiable.
3. Search performance and retrieval performance is critical. Cloud providers must be able to respond quickly to inquiries from EU citizens who believe that their personal information may have been used inappropriately (Article 15 – “Right of Access”). Meeting this requirement is time sensitive, and providers must have the functional capabilities to quickly search and retrieve information – regardless of how much data they have stored."

A 9-step guide to prepare for GDPR compliance

On the "information-management.com" server, at http://tinyurl.com/y6v3bbls,
you will find an article published on 21 September 2017 by Javvad Malik entitled:
"A 9-step guide to prepare for GDPR compliance"
Quoting from the article:
"At 200 pages and 99 articles, the comprehensive regulation is primarily intended to strengthen security and privacy protections around individual data, which it enforces by subjecting organizations to stricter requirements, adding new requirements – such as breach notification – and increasing fines on organizations that fail to comply."
"Among other things, organizations will be required to maintain a data breach detection plan, regularly evaluate the effectiveness of security practices, and document evidence of compliance. However, GDPR doesn’t provide specific technical direction, meaning that organizations will be independently responsible for establishing and maintaining the best practices needed to uphold outlined data security requirements. With this in mind, below are nine steps to prepare for the security requirements within GDPR."
Step 1: Implement a Security Information and Event Management (SIEM) tool with log management capabilities.
Step 2: Create an inventory of all critical assets that store or process sensitive data.
Step 3: Undertake vulnerability scanning to identify weaknesses.
Step 4: Conduct risk assessments and apply threat models relevant to the business.
"Organizations must identify and evaluate all of their security risks, not just vulnerabilities. Article 35 of GDPR mandates data protection impact assessments (DPIAs), and Article 32 requires companies to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” 
Step 5: Regularly test your systems to gain assurance that security controls are working as designed.
Step 6: Put threat detection controls in place to ensure reliable and timely notification when a breach has occurred.
Step 7: Monitor network and user behavior to identify and investigate security incidents in a timely manner.
Step 8: Have a documented and practiced incident response plan.
"...the notification that organizations are required to send to the regulatory body within 72 hours must include all of the following:
- Describe the nature of the breach.
- Provide the name and contact details of the organization’s data protection officer.
- Describe the likely consequences of the breach.
- Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects."
Step 9: Have a communication plan in place to notify relevant parties.
Quoting from the conclusion: "Simplifying GDPR
Preparing for GDPR can seem like a daunting task, but organizations that follow the above steps and are equipped with the right security tools and strategies can rise to the challenge and strengthen their security – particularly their threat detection and response abilities – significantly along the way."

Thursday 21 September 2017

GDPR: Getting the facts straight - Luke Irwin - 20th September 2017
https://www.itgovernance.eu/blog/en/gdpr-getting-the-facts-straight/
Quoting from the text: "There has been plenty of discussion about the EU General Data Protection Regulation (GDPR) over the past year or so, and – naturally – some commentary has been misleading or simply wrong. Some of those misconceptions have been collected in a blog series published by the Information Commissioner’s Office (ICO). It clarifies that the GDPR won’t lead to:
- Massive fines
- An overhaul of data protection practices
- Obligatory consent
- Unrealistic data breach notification requirements".

GDPR Report: Implementation challenges and milestones for early adopters of the GDPR

IT Governance Europe Ltd - 24 pages - PDF file - July 2017
You can request the report for download at: https://www.itgovernance.eu/gdpr-report
Quoting from the introduction of the report:
"IT Governance is pleased to release the results of its first General Data Protection Regulation (GDPR) survey. The report provides GDPR practitioners and senior management with useful insight into how organisations are progressing with GDPR compliance, the challenges they face and the measures they are adopting.
It should be noted that the research reflects the issues affecting progressive organisations that have already started working towards achieving GDPR compliance and does not reflect the average organisation. It should also be emphasised that IT Governance’s clients have a higher level of awareness: since early 2016, IT Governance has continually worked to raise client awareness of the GDPR through free resources, webinars, blogs, training courses, books and other avenues, which has helped clients to initiate and manage GDPR compliance."
By downloading the report you will gain insight into:
- The biggest challenge for implementers
- The budget that organisations are putting aside for their projects
- How many organisations have updated their processes to comply with the GDPR
- Who is appointing a DPO
- How many are seeking formal GDPR qualifications
- Much more
"To meet the GDPR’s requirements, organisations need to know what personal data they currently hold or process, understand the risks to that data, adapt their business processes and infrastructure, implement tools and compliance processes, and change the way they collaborate with suppliers. In some instances, those changes could be significant and work will need to start as a matter of urgency."
Report findings
Each finding is explained in more detail in the text!
1 Forward-thinking senior management are aware of the importance of the GDPR
2 Ensuring the right level of competence and expertise is one of the biggest GDPR challenges for implementers
3 50% of companies have not yet allocated a GDPR staff awareness budget
4 68% have not yet updated their processes to comply with data subject rights
5 Nearly 40% have appointed a DPO to oversee GDPR compliance
6 Almost half of those responsible for GDPR compliance lack a formal or relevant qualification
7 Compliance practitioners are planning to undertake GDPR training 
8 Most organisations have implemented, or are implementing, a breach notification procedure and an incident response plan
9 More than half of organisations rely on data protection practitioners for GDPR compliance, while 31.9% rely on lawyers
10 Most organisations are assigning the role of DPO to an existing employee
11 The typical budget for GDPR compliance is less than £5,000/€5,800/$6,200
12 Organisations rely on building internal competence to assist GDPR compliance
13 Respondents recognise that ISO 27001 improves information security compliance with the GDPR

Wednesday 20 September 2017

Preparing for GDPR compliance: Guidance & recommendations

By Thomas Fischer, June 13, 2017
Available on the itproportal.com portal at: http://tinyurl.com/y7f4fumz
Quoting from the article:
"A shocking 52 per cent of companies believe they will not be ready for GDPR enforcement and will end up paying fines! In order to avoid this it’s important to prioritise resources, processes, and people to ensure you are not only preparing for GDPR, but are also establishing an ongoing program that will eventually evolve into routine business operations.
- Getting started: Appointing GDPR stakeholders
Gaining executive leadership and stakeholder cooperation is the first step in complying with GDPR.
- The data protection officer 
There are many questions about the role of the data protection officer (DPO). GDPR only requires the appointment of a DPO by companies in limited cases, namely when the company’s core activities consist of the following:
1) Data processing operations which require regular and systematic monitoring of data subjects on a large scale;
2) Processing on a large scale of special categories of data, i.e., sensitive data such as health, religion, race, sexual orientation, etc., and personal data relating to criminal convictions and offenses. 
Public authorities are always required to appoint a DPO under GDPR. In general, a DPO will be required if your company processes and manipulates personal data (e.g. banks, healthcare, credit companies), but if the company only has HR data they are not required to have a DPO. 
It is recommended that organisations start evaluating potential DPO candidates now so they can determine if they meet the requirements while being a valuable addition to the GDPR stakeholder team. Start by looking for candidates within your organisation, as they have the best understanding of your business.
- Technology recommendations for GDPR compliance
It’s recommended to start with a visibility assessment of what data exists within your environment and what types of personal data – particularly GDPR-regulated data – you are collecting, handling, and storing so you can have a deep understanding of your risk exposure and prioritise further compliance efforts from there
• Data Discovery and Classification 
• Access Control, Identity Management, and Privileged User Management
• Encryption and Pseudonymisation
• Auditing and Forensics 
GDPR and managed services: An alternative solution 
Quoting from the conclusion of the article:
"While organisations are going through their GDPR compliance program and determining the impact the new regulation will have from a people, process, and technology perspective, some may find it more cost-effective to outsource to a managed security program (MSP) that handles the process for them. With the current dearth of IT security talent, this may become a more viable option for organisations who lack the internal resources and headcount but need to be compliant with GDPR."
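The technology recommendations quoted above name "Encryption and Pseudonymisation" but do not show what a usable pseudonymisation looks like in practice. The Python below is an added example written for this post; it is not code from Thomas Fischer's article or from any vendor. It assumes a controller that replaces direct identifiers with HMAC-SHA256 tokens under a secret key kept apart from the pseudonymised data set, and it uses a constructed sample record. It also shows, going a step beyond the article, why an unkeyed hash of a low-entropy identifier such as a birth number is not a pseudonym: a short list of candidates reverses it.

```python
"""Keyed pseudonymisation of direct identifiers (added example, constructed data).

Assumed design (not from the article): direct identifiers are replaced by
HMAC-SHA256 tokens under a secret key that is stored separately from the
pseudonymised data set, so the data set on its own no longer identifies anyone.
"""
import hashlib
import hmac
import secrets

# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "email": "Jana.Novakova@example.cz",
    "birth_number": "905101/0001",
    "ip": "192.0.2.10",
    "plan": "premium",
    "login_count": 42,
}
# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("email", "birth_number", "ip")


def normalise(value):
    """Canonical form so spelling variants of the same identifier share a token."""
    return str(value).strip().lower()


def pseudonym(value, key):
    """Deterministic keyed token: same value + same key -> same token."""
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 256 bits")
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value):
    """Plain SHA-256 of the identifier, included only to show why it is NOT adequate."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def pseudonymise_record(record, key, fields=DIRECT_IDENTIFIERS):
    """Return a copy with the identifier fields tokenised; all other fields untouched."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonym(out[field], key)
    return out


def matches(token, candidate, key):
    """Controller-side re-identification: confirm that a token belongs to a candidate.
    Needs the key, which is exactly the 'additional information' kept separately."""
    return hmac.compare_digest(token, pseudonym(candidate, key))


def dictionary_attack(token, candidates, hash_fn):
    """What someone holding only the data set can do: hash guesses and compare."""
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), token):
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, never stored with the data
    safe = pseudonymise_record(SAMPLE_RECORD, key)
    print(safe)
    # Birth numbers issued in one week form a small space, so an unkeyed hash
    # falls to enumeration while the keyed token does not.
    guesses = ["900101/0007", "905101/0001"]
    print("unkeyed hash reversed:", dictionary_attack(unkeyed_hash("905101/0001"), guesses, unkeyed_hash))
    print("keyed token reversed:", dictionary_attack(safe["birth_number"], guesses, unkeyed_hash))
    print("key holder confirms:", matches(safe["email"], "jana.novakova@example.cz", key))
```

Tokens are deterministic, so records about the same person remain joinable for analytics, while only the key holder can confirm which person a token belongs to; rotating the key re-pseudonymises the whole set. The key, not the token format, is the additional information that Article 4(5) requires to be kept separately.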

How to navigate the software development life cycle (SDLC) under the GDPR - Jan 24, 2017

Inventory of 16 areas of pertinent GDPR Recitals and Articles that influence the SDLC’s Functional and Technical Planning and Requirements for IT departments
The article is on the iapp.com portal at: http://tinyurl.com/ydgph47t
Quoting from the article:
"In addition to the location of data, the GDPR deeply and significantly impacts the software development life cycle and corresponding IT-development processes for organizations that plan to rollout information systems’ projects within the EU.
But generally, we find the following common IT systems’ modules in most technologies that we use today
- The data transport and security layers
- The database and data architecture layers
- The application and logic layers; and
- The presentation and portal layers.
The SDLC, whichever type is used, manages and controls the information technology project, from planning to rollout, across these different layers or modules."
"Here is an inventory of 16 areas of pertinent GDPR Recitals and Articles that influence the SDLC’s Functional and Technical Planning and Requirements for IT departments. This list will be helpful to general counsels, CIOs and leaders of IT as they compile their system’s requirements for their EU groups.
One thing is certain; each of the above 16 points will have a place in the SDLC’s functional and technical design documentation for systems, and each will add some complexity to the overall system’s planning and design phases. In addition, many will impact the company’s overall customer support processes, as well, as the GDPR not only demands certain "pure" technical requirements but also business-functional requirements that are supported by both technology and business process."
Quoting from the conclusion of the article:
"The GDPR’s text contains both explicit and implicit systems’ functional and technical requirements that both affect and influence the SDLC of organizations that plan on rolling out systems into the EU. The impact of the GDPR on the software development begins at the data architecture and data transport layers and progresses well up into the portal and presentation layers. The underlying key to IT development success is planning for these requirements during the initial SDLC phases; while they may add some complexity during the SDLC initial planning and design phases, the overall development costs will be greatly minimized if considered as early as possible in IT systems’ build process."

BUILDING GDPR IMPLEMENTATION PLAN IN 10 STEPS

Get ready for more transparency, more informed consent and more rights for data subjects
The article is published on the portal: comsuregroup.com
It is at: http://tinyurl.com/yafgwc5l
10 Steps:
(Note: I quote the first paragraphs of the description of each step)

Step 1 is to audit the organisation’s core activities against data protection requirements and compliance. A broad overview of operations shall encompass the DP principles recognized under the 1995 Directive and reinforced under the GDPR:
Step 2 – Define a plan and personal data flow mapping
Following the readiness assessment, we need to develop a gap analysis and define a plan to address issues prioritized considering possible risks involved toward level of effort and available resources.
Step 3 – Build a plan and strike a consensus
Building consensus up-front is critical to the success of any GDPR project within an organization, especially when considering the complexity. It needs to be rehearsed from the CEO/managing director downwards. It’s about the company’s image and reputation.
Step 4 – Implementation of GDPR
With Data Protection Officer (DPO) appointment/assignment (Art 37) the implementation into your organisation will be kick-started. DPO may be an employee or a third party service provider (e.g., consulting or law firm), but should be a direct report to the Board/managing director. He/she shall enjoy significant independence for performing compliance monitoring.
Step 5. Address Sub-contracting and personal data transfer
Sub-contractor monitoring will be an integral part of compliance and accountability practice. This will start from review/update of existing contracts (Data Processor, storage and cloud services etc.) to assess and confirm the counterparts are GDPR compliant too. The contract will have to reflect new requirements, for example timely Incident Response and Management. Adherence to a code of conduct (Art 41) and/or certification mechanisms (Art 42) will be supportive tools for compliance proof.
Step 6. Data inventory
This step of identifying and listing personal data by DC and DP (and possible subprocessors) is essential for effective GDPR compliance. Organizations are more equipped to secure/manage personal data when listing which data are collected, where they are stored, who shares them, and how long they are retained/stored. Moreover, the loss of protected and sensitive data is a serious threat to business operations. 
Step 7. Security & Data Breach Plan
Data Loss Prevention tools are available on the IS market to detect suspicious activities and possible data exfiltration attempts. The system must be robust and able to identify and detect sensitive data being transferred outside your organisation’s systems via network file transfer or portable media.
Step 8. Developing an accountability framework: DPIA and Consent mechanisms
Data Protection Impact Assessment
Recital 90 GDPR demands: “That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation”.
DPIA will be based on 3 aspects
• Data Subject’s Consent logs
This has been largely debated within the privacy community. Like the transparency requirement, the GDPR puts more stringent rules on obtaining the data subject’s consent.
Step 9 Address “Right to be forgotten” and “Data Portability Rights”.
Next to the breach notification obligation, the GDPR has developed new features, for example data erasure and data portability rights. Profiling restrictions have been dealt with above. The data protection by design and by default concept must be implemented by data controllers and data processors into their business model. A data protection culture must obtain the support and adherence of organisations processing personal data.
Step 10 Data Storage Limitation and Solution
According to Tech UK around 90% of global data available today was generated in just the last 2 years and that amount is predicted to grow year on year over the next decade. We are all exposed to Big Data. According to Art 23 DC should only store personal data for as long as is necessary for the specific purpose for which it was obtained.
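Step 7 above says a DLP system must detect sensitive data being moved outside the organisation over the network or on portable media, and the lepsi-reseni.cz excerpt earlier on this page lists the identifiers such a check has to recognise (birth number, e-mail address, IP address among them). The Python below is an added example written for this post, not code from the comsuregroup.com article or from any DLP product. It runs simple detectors over constructed transfer events and raises an alert only when personal data is found and the destination is external; it goes slightly beyond the text by validating Czech birth numbers with their checksum so that arbitrary digit strings do not trigger alerts. The internal address ranges, domain suffix, channel names and birth-number rules it applies are assumptions stated in the code.

```python
"""DLP-style egress check for personal data (added example, constructed events).

Detectors cover three identifier types named on the page (Czech birth number,
e-mail address, IPv4 address); egress paths are network transfer and portable
media. Address ranges, domain suffix and channel names are assumptions.
"""
import ipaddress
import re

INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAIN_SUFFIX = ".corp.example"       # assumed organisation domain
PORTABLE_MEDIA_CHANNELS = {"usb", "sdcard"}    # assumed channel names reported by the endpoint agent

BIRTH_NUMBER_RE = re.compile(r"\b(\d{2})(\d{2})(\d{2})/?(\d{3,4})\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed transfer events, shaped like an endpoint/network DLP agent's log.
SAMPLE_EVENTS = [
    {"ts": "2017-09-20T10:15:00Z", "user": "jnovak", "channel": "smb", "dest": "10.1.2.3",
     "content": "internal HR sync 905101/0001"},
    {"ts": "2017-09-20T10:17:00Z", "user": "jnovak", "channel": "https", "dest": "203.0.113.7",
     "content": "client export: 905101/0001, jana.novakova@example.cz"},
    {"ts": "2017-09-20T11:02:00Z", "user": "pkral", "channel": "usb", "dest": "E:\\",
     "content": "quarterly numbers 12345"},
    {"ts": "2017-09-20T11:05:00Z", "user": "pkral", "channel": "usb", "dest": "E:\\",
     "content": "visitor log: 192.0.2.10 at 11:04"},
    {"ts": "2017-09-20T11:30:00Z", "user": "admin", "channel": "https", "dest": "203.0.113.9",
     "content": "ticket ref 900101/0008"},
]


def is_valid_birth_number(candidate):
    """Czech rodné číslo YYMMDD/XXXX. Assumed rule set: month 1-12 (men) or 51-62
    (women); ten-digit numbers (issued from 1954) must be divisible by 11;
    nine-digit pre-1954 numbers are accepted on format alone. The +20/+70
    month variants introduced in 2004 are not handled here."""
    m = BIRTH_NUMBER_RE.fullmatch(candidate)
    if not m:
        return False
    yy, mm, dd, suffix = m.groups()
    month, day = int(mm), int(dd)
    if month > 50:
        month -= 50
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    digits = yy + mm + dd + suffix
    if len(digits) == 9:
        return True
    return int(digits) % 11 == 0


def classify(text):
    """Return {category: [matches]} for personal data found in free text."""
    found = {}
    birth = [m.group(0) for m in BIRTH_NUMBER_RE.finditer(text) if is_valid_birth_number(m.group(0))]
    if birth:
        found["birth_number"] = birth
    emails = EMAIL_RE.findall(text)
    if emails:
        found["email"] = emails
    ips = []
    for cand in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(cand)  # rejects octets above 255
            ips.append(cand)
        except ValueError:
            pass
    if ips:
        found["ip_address"] = ips
    return found


def is_external(channel, dest):
    """Portable media always counts as outside the organisation; a network
    destination is internal only inside our address space or under our domain."""
    if channel in PORTABLE_MEDIA_CHANNELS:
        return True
    try:
        addr = ipaddress.ip_address(dest)
        return not any(addr in net for net in INTERNAL_NETWORKS)
    except ValueError:
        return not dest.lower().endswith(INTERNAL_DOMAIN_SUFFIX)


def evaluate(events):
    """Alert on every event that carries personal data to an external destination."""
    alerts = []
    for ev in events:
        if not is_external(ev["channel"], ev["dest"]):
            continue
        found = classify(ev["content"])
        if not found:
            continue
        alerts.append({"ts": ev["ts"], "user": ev["user"], "channel": ev["channel"],
                       "dest": ev["dest"], "categories": sorted(found),
                       "hits": sum(len(v) for v in found.values())})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The internal SMB copy and the ticket reference with an invalid checksum produce no alert; the HTTPS export and the IP address written to a USB drive do. In a real deployment the content would come from the agent's file or session capture, and the alert would feed the incident response procedure that Step 7 (security and data breach plan) calls for.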

Adopting a Risk-Based Approach to GDPR Compliance

An article on this topic is on the fairdata.org.uk portal
http://www.fairdata.org.uk/risk_based_GDPR_compliance
Quoting from the text:
"In this brief blog we’ll highlight some of the key points to help you appreciate what this means for your organisation in fulfilling GDPR obligations."
Main questions:
(I quote part of the text of the answers)
"- What are risky processing activities?

Although the concept of risk runs throughout the GDPR, it is not specifically defined. Some examples cited in the Regulation that are more likely to result in a high risk include:
· systematic automated profiling
· large scale monitoring of sensitive data
· systematic monitoring of a publicly accessible area on large scale. 
- What are the implications of the risk level?
Certain obligations and/or exemptions under the GDPR flow directly from the level of risk.
- How do I mitigate risk?
To examine processing activities, take a three-pronged approach
- What next?
Build on your organisation’s awareness of the significance of the data protection reforms and your information about the type of personal data that your organisation collects and processes, to go ahead with planning and prioritisation of GDPR compliance based on risk assessment."

Preparing for the GDPR - 12 steps to take now

This checklist highlights 12 steps you can take now to prepare for the GDPR, which will apply from 25 May 2018. - 11 pages
Available at:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Quoting from the introduction:
"It is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance with all the areas listed in this document will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations."
12 steps:
Each point is described in detail in the slides.

1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
8. Children
You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12. International
If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

GDPR Complaint-Process Map

GDPR Complaint-Process Map
The article and interactive map are available at:
https://iapp.org/resources/gdpr-tool/
Quoting: "This map consolidates the GDPR’s enforcement provisions into a visual tool, illustrating how supervisory authorities may pursue complaints administratively. The final installment of the IAPP’s Top 10 operational impacts of the GDPR series discusses the consequences for GDPR violations in more depth. (To use the map, click any process step for more information.)"

GDPR guide by chapter/topic

On the "Bird and Bird" portal, www.twobirds.com, you will find remarkable content on the methodology of applying the GDPR.
Address:
GDPR guide by chapter/topic: http://tinyurl.com/y8mddk3w
In the GDPR guide by chapter/topic, the methodological recommendations are divided according to the chapters of the GDPR.
1. Scope, timetable and new concepts
2. Principles
3. Individual rights
4. Accountability, security and breach notification
5. Data transfers
6. Regulators
7. Enforcement
8. Special cases
9. Delegated acts and implementing acts
(Select your desired chapter from the drop-down list below to download a specific topic.)
Examples of the guide's internal structure:
4. Accountability, security and breach notification
a. Data governance obligations
b. Personal data breaches and notification
c. Codes of conduct and certifications
6. Regulators
a. Appointment of supervisory authorities
b. Competence, tasks and powers
c. Co-operation and consistency between supervisory authorities
d. European Data Protection Board
After selecting a sub-topic, a page with two columns is offered: "At a Glance" and "To do List".
An example of a methodological recommendation:
At a glance:
• Supervisory authorities are given specific competence to act on their own territory.
• A lead-authority has competence in cross-border cases (see section on co-operation and consistency between supervisory authorities for further details).
• Supervisory authorities are given an extensive list of specific powers and tasks.
To do list:
• Familiarise yourself with the comprehensive powers and tasks of the supervisory authorities.
• If you carry out cross-border processing, get to understand the lead-authority system, (for which see section on cooperation and consistency between
• You might wish to consider working towards compliance with a recognised Code of Conduct or Certification which will require supervisory authority approval.

Six-Step GDPR Preparation Methodology

CNIL’s Six-Step GDPR Preparation Methodology
The French data protection authority, the CNIL, has published a six-step method to help organizations comply with GDPR in time for its May 2018 effective date, including tools and further reading on the steps.
The article is available at: http://tinyurl.com/kybweyw
The 6 steps for implementing the GDPR:
1. DESIGNATE A LEAD (PILOT)
2. MAP YOUR PERSONAL DATA PROCESSING OPERATIONS
3. PRIORITISE THE ACTIONS TO BE TAKEN
4. MANAGE THE RISKS
5. ORGANISE INTERNAL PROCESSES
6. DOCUMENT COMPLIANCE

Deloitte Risk Advisory – Vision and Approach

Deloitte - GDPR
Deloitte Risk Advisory 2017 – Vision and Approach
Promotional, but valuable from the point of view of GDPR implementation methodology
Slideshow
- 24 slides in a PDF file
Available at: http://tinyurl.com/ycktsqry

- What changes does the GDPR bring? Facts and figures
- What changes does the GDPR bring? Changes compared to the 1995 Directive (95/46/EC)
- Deloitte point of view on the GDPR
- Deloitte Privacy Services is dedicated to help organizations navigate privacy risk, staying within the rules of the game, while allowing privacy to be a business enabler and to use personal data to increase customer trust.
- We outline some major points from our experience that can help organizations get the most from these changes. Quoting:
1. Proper (meta) data management is essential to comply to the GDPR;
2. GDPR compliance will also help you build trust with clients and safeguard personal data;
3. Make GDPR compliance your top priority for the coming months. Following these principles will greatly help you get the most value from processing personal data, while minimizing the risk.
- Deloitte point of view on the GDPR: (Meta)data management is essential to comply with the GDPR
- 1. (Meta)data management is essential to comply to the GDPR.
There will be more emphasis on knowing what personal data you have and how you process it. Tooling to manage (personal) data is increasingly becoming available – and will prove vital in the future.
- 2. GDPR compliance will help you build trust with clients and safeguard personal data. Complying with the GDPR will help you greatly in building trust with data subjects, which will improve your relationship with them. In addition, complying with the GDPR principles helps mitigate supervisory risk and reputation damage.
- 3. Make GDPR compliance your top priority for the coming months. Many principles of the GDPR are already included in EU legislation. GDPR compliance will cover many of these principles. The deadline for enforcement is quickly coming closer. If you take a risk-based view, you will conclude that you need to prioritize the GDPR over assessments of current legislation.
- We can help turn the headache into opportunity
Actions to take to prepare for the GDPR
- Deloitte Privacy Services is dedicated to help organizations navigate privacy risk, staying within the rules of the game, while allowing privacy to be a business enabler and to use personal data to increase customer trust
- Five main services to help you prepare for the GDPR
- GDPR Maturity Assessment - GDPR Roadmap
What is the GDPR Maturity Assessment & Roadmap?
- GDPR transformation program
- Privacy Impact Assessment services
- GDPR Stress Testing
- GDPR Managed Services
Managed privacy services 
- Benefits
SHORT TERM
o Determining a common strategic approach to the GDPR within your organization;
o Realise current initiatives while delivering the tools to ensure GDPR compliance.
MEDIUM - LONG TERM
o Efficient and effective GDPR privacy framework;
o Using customer data as a business enabler;
o Conscious compliance: balancing costs and benefits;
o Privacy as a strategic asset, entice your customers with clear privacy policy;
o Be prepared for the GDPR as it will enter into force in May 2018.
About Deloitte Privacy Services 
- Things that make our team unique
- A global practice, able to serve you locally

Tuesday 19 September 2017

On some of the obligations that the General Regulation (GDPR) imposes on controllers

On some of the obligations that the General Regulation (GDPR) imposes on controllers
An article on the Právní prostor portal, https://www.pravniprostor.cz
Article address: http://tinyurl.com/y9jd2fnu
Quoting from the introduction: "In addition to basic information about this regulation, the following text offers a comparison with the current legal framework and a description of some of the basic obligations that will fall on the entities responsible for processing personal data, i.e. the controllers and processors of personal data."
Outline of the article:
- A brief introduction to the development of the issue
- What the new legal framework brings
- The Regulation and national legislation
- Obligations of controllers and processors
Quoting from the text: "As regards the definition of the entities responsible for processing, i.e. the controllers and processors of personal data, the new definitions contained in the Regulation do not differ from the current ones; the Regulation in fact takes these definitions directly from the Directive. In practice, therefore, the original concept remains in place, under which the primary criterion for identifying or distinguishing a controller from a processor is whether the given entity determines the purpose of the processing."
- The notification obligation and its modification under the GDPR
Quoting from the text: "As already indicated above, one of the advantages that the new Regulation is meant to bring over the current framework, according to its proponents, is the removal of excessive bureaucratic burden, e.g. in that controllers will no longer have to fulfil the notification obligation, which allegedly represented an excessive administrative and financial burden for controllers.[7] So while the Regulation relieves controllers of one bureaucratic burden, it brings another, and ultimately a far more complicated one."
- Now, in more detail, to the individual instruments regulated by the General Regulation.
1. The obligation to carry out a data protection impact assessment
2. Prior consultation
3. The obligation to keep records of personal data processing activities
4. The obligation to report personal data breaches
5. The obligation to appoint a data protection officer
- Further obligations
Quoting from the text: "The Regulation gives natural persons easier access to their personal data in that controllers and processors will have to inform them more thoroughly about how their personal data are processed, and this information must be available in a clear and intelligible form. This is also reflected in the new requirements placed on the data subject's consent to the processing of their personal data, the demonstration of which is the controller's responsibility."
- Brief summary
Quoting from the text: "Which categories of high-risk processing the Member States will define, and thus subject to so-called prior consultation, and which procedural rules they will choose for such a review, is however not entirely evident."
- In conclusion
Quoting from the text: "The impact of the Regulation must not be underestimated in any case, and business corporations in particular that carry out more extensive processing of personal data should pay it increased attention. It is therefore advisable to start preparing now for its implementation in corporate internal processes and systems."
Authors: "Mgr. David Burian is an employee of the Office for Personal Data Protection and Mgr. Zuzana Radičová is employed as a lawyer/compliance officer at Raiffeisen stavební spořitelna, a.s. The contribution expresses the personal views of the authors, not those of their employers."

Complying with the GDPR - Challenges and project

Complying with the GDPR 
Applying the GDPR requires project management. Below I present one example of how a project can be divided into 6 milestones and how a consulting firm can help in the individual stages. In this example the firm is Stibbe.
The article is available at: http://tinyurl.com/ycvlgxt2
What and how? How Stibbe could assist
Because of the implications, companies should adopt a project-based approach to implementation across the company. Fact finding, objective gap analysis, realistic milestones, clearly defined roles, tasks and responsibilities will help you break down such an implementation into easily manageable units.
What are the challenges?
1. Many new requirements
2. Very process-driven
3. Very tangible and visible/verifiable functions and steps need to be realized
4. Increased fines and sanctions
5. A moving target
6. Need for a company-wide project
---
Milestone 1: Initiation

Goal: Position the project, explain the rationale and secure internal support
Action items:
- Create (C-level) awareness within your company
- Set project boundaries, milestones, budget and tooling
- Assign a project leader and select project team members
How Stibbe could assist:
Provide an outline of the key focus points of the GDPR
Conduct on-site awareness session(s) 
Assist in scoping the project in light of the company/group profile
Milestone 2: Analysis and assessment
Goal: Identify the “as-is” and the “to-be” situations and conduct a gap analysis
Action items:
- Review and obtain a clear understanding of the “as is”, particularly in terms of (i) all types of data processed, (ii) data lifecycle management strategies (e.g. storage, retention, anonymisation), (iii) use of third party processors, (iv) all data flows inside and outside the EU, (v) technical and organizational security measures taken, and (vi) all underlying contracts and policies
- Determine the applicable GDPR requirements (e.g. the presence of high risk processing, sensitive data, the need for a DPO)
How Stibbe could assist:
Provide a due diligence toolkit
Conduct interviews with key users
Review the related documents
Prepare Privacy Impact Assessment (PIA) as required, including gap analysis
Assist in appointing and setting up the DPO or data protection role (if no formal DPO needed)
Milestone 3: Design your future state
Goal: prepare a blueprint for future GDPR compliance
Action items:
- Reconcile the assessment findings with the relevant GDPR obligations
- Design required process improvements, measures and steps required
- Forecast the timeline and estimate the level of effort and amount of resources needed
How Stibbe could assist:
Prepare pre-design notes and schemes setting forth the new architecture
Prepare the blueprint
Suggest improvement measures (e.g. the pseudonymization)
Milestone 4: Development (in agile mode)
Goal: Transform the blueprint into compliant products, services, and processes
Action items:
- Make sure to embrace privacy by design/by default requirements
- Implement procedures to meet new/enhanced data subject rights
- Adjust/draft appropriate contracts, notices and policies
- Incorporate approved codes of conduct and/or earn certification
How Stibbe could assist:
Provide guidance on implementation of processes (e.g. obtaining consent, data portability, right to be forgotten…)
Identify best practices
Draft the required documents (e.g. information notices towards data subjects and data breach notification form)
Work in various iterations, seeking interim validation from key users
Liaise with the supervisory authorities and/or the certification bodies, as the case may be
Milestone 5: Implementation
Goal: Launch the new processes, policies and tooling
Action items:
- Present the new processes, policies, documents and contracts
- Familiarize the key users with the new tooling
- Introduce training materials and train users
How Stibbe could assist:
Present the new state to C-level
Conduct key user training sessions
Prepare manuals and detailed documentation
Conduct Q&A
Milestone 6: Run/maintenance mode
Goal: maintain compliance, ensure regulatory, corrective and evolutive maintenance
Action items:
- Conduct regular reviews (e.g.: the evolving “state-of-the-art” requirement for data security)
- Capture further guidance coming from the regulators (from the European Data Protection Board, which replaces the Art29 Working Party, and others)
- Monitor training of new users
How Stibbe could assist:
Provide briefing notes on new regulatory guidance or legal developments
Set up a helpline
Provide on-site support if needed
Keep contracts, policies and notices updated
Conduct regular updates with DPO or data protection contact on FAQs and overall state of GDPR compliance

How to support our clients to get ready for GDPR

Invitation to a webcast - what Capgemini offers to help with the GDPR, and how
Capgemini: How to support our clients to get ready for GDPR

Webcast: 26 September 2017 at 11:00 a.m. CEST - Duration: 1 hour
Quoting from the invitation: "In this webcast Capgemini will explain possible implications of the GDPR. We will also present how the combined set of services and technological solutions offered by Capgemini and Oracle can help our clients get ready for the GDPR. We will talk about the main challenges our customers face and how we can support them. This includes:
1) gaining insight into their GDPR readiness
2) providing solutions to help ensure adequate protection of personal data
3) helping them adequately handle customer requests, and
4) training staff to be ready for GDPR. We will provide examples and lessons learned.
Featured Speaker - Maxwell Keyte
Lead Cyber Security Continental Europe Capgemini "
Information about the webcast is available at: http://tinyurl.com/yc4lxqwg

GDPR: a strategic business and information management challenge

GDPR: a strategic business and information management challenge (interview)
An article from the portal https://www.i-scoop.eu.
Available at: http://tinyurl.com/ycaxgdws
Introduction: "In this interview we dive deeper into some strategic, enterprise information management (EIM) and Enterprise Content Management (ECM) aspects with EIM expert Rick Gruijters."
Main ideas from Rick Gruijters's answers
A) With a strategic plan that looks at the highest risks first, the impact of your GDPR actions in turn will be the highest
B) In a risk analysis you identify all the gaps and build a matrix with a specific degree of risk for each missing piece
C) The 3 stages in the end-to-end GDPR approach of IRIS Group
1. An awareness stage to empower your people and users, the weakest link in any ECM and security project.
2. An assessment and methodology stage to detect the risks and make a plan to solve them.
3. An implementation stage: rolling out, monitoring and improving.
D) Privacy by design requires your organization to move from an ‘open unless’ to a ‘closed unless’ security approach on the ECM application level
E) The right of erasure: GDPR, retention schemes and records management
F) Metadata are a must for the GDPR and a retention scheme. Yet, users don’t like the hassle. Automation of metadata classification is the solution.
G) Automatic classification beyond ECM: documents, data and PII across the full information landscape
Quoting from the introduction:
"If you are only in the GDPR awareness stage (more about that below) when you read this, you’ll pretty likely be “too late” to become GDPR compliant by May 25th, 2018. Yet, that date is not the end. After reading this interview you’ll understand why, what you need to do and why in reality you can’t really be fully “GDPR-ready”."
Contents - section titles of the interview
- Why the GDPR is a business challenge and a GDPR strategy is essential
- A strategic GDPR plan prioritizes the highest risks and delivers the highest impact of your GDPR projects
- GDPR awareness as a strategic quick win that shows you act
- Risk analysis: from awareness and gaps to demonstrable GDPR action
- Privacy by design and information management in the GDPR: from ‘open unless’ to ‘closed unless’
- Taking information management to the next GDPR compliance level: automatic classification
The page also includes a video: 4 EIM solutions that help organizations prepare for GDPR.
Quoting from the answers:
"There are several reasons why the GDPR is first and foremost a strategic business challenge. One of them is that, despite the fact we’re an information management and IT company, we always start from business challenges. And that corresponds with the market reality: today most challenges de facto come from the business instead of from IT. A project needs a solid business case and as a company you try to respond to it with partners and solutions."
"If you don’t have an overall strategy to begin with, you can’t demonstrably prove that you tried to do what you had to and have a plan of action going forward."
"What management needs to do, however, is make sure that all employees are aware of the GDPR and what it means for their work: explaining what the GDPR is, what is coming their way as a consequence, how they are supposed to deal with it and, importantly, that they are not alone in all of it."
"Even if it’s just the first step, the awareness stage is very important."
"In that second stage, assessment and methodology, you first conduct a thorough risk analysis and look at everything: your people, your information management and other processes, your technologies and so forth."
"On top of the fact that you started a project you can now show that 1) your staff has been educated and has started thinking about how to deal with information and 2) you have a documented plan that shows you know where you are, where you go and which actions you took and will take."
"The third and final stage is the implementation stage where you effectively start the projects which you found in your analysis and defined in your plan. This also means that you’ll need to monitor and evaluate if what you wanted to achieve has been achieved, how you can optimize the project if needed and move on with the next project."
"Privacy by design is indeed a key element of the GDPR and the regulation also says that systems and new applications by default need to support it. In practice this means that your platforms, information management systems and others, at least need to be able to support a security model whereby only people who really need access to personal data get it to do their job."
"You need to map your entire system and authorization structure and ask yourself if you know who has access to a specific folder today."
"That brings us to records management. According to the GDPR, you shouldn’t retain information longer than necessary so that means you need to have a retention plan."
"The right of erasure requires records management and the design of retention schemes to delete personal information"
"Automatic classification of your full information landscape, including the identification of PII on the deepest level, brings you close to GDPR complian"

Impact of the GDPR on ECM/DMS systems

An article by Radoslav Onger on the systemonline.cz portal.
The author works as a Software Architect at Datasys.
Quoting from the article:
"A little theory to start with
First we need to say what personal, or rather sensitive, data actually are."
"We also need to say where and in what form these data may be stored."
"What needs to be secured under the GDPR?
When implementing the GDPR, it is necessary to ensure the fulfilment of the rights of personal data subjects and the obligations of the controller."
"From the perspective of ECM/DMS and unstructured data, it is necessary to": a list of tasks follows
"How does the GDPR affect ECM/DMS systems and unstructured data?
The answer is not entirely trivial. Much depends on how the ECM/DMS is implemented and what data are stored in it. Let us look at the data from different perspectives. The first perspective is based on which documents are stored in the ECM/DMS."
"Another perspective takes into account how the ECM/DMS is used, or rather how it is implemented. For many business cases the ECM/DMS is only a supporting system to the core information system."
"A separate chapter is documents that are not stored in an ECM/DMS, or where a file server with shared folders is used as the simplest DMS. Here it will be extremely difficult to identify which documents contain personal or even sensitive data, or rather it will be necessary to implement software that ensures this identification."
"Can ECM/DMS support the implementation of the GDPR itself?
I have come across the idea that the implementation of the GDPR will be carried out using an ECM/DMS system. I do not recommend it. I do not think ECM/DMS is suitable for supporting the implementation of the GDPR; I would rather consider an Information Governance System to be suitable for that."
"Threats and open areas of the GDPR
I consider the greatest threat of the GDPR to be its misuse in competitive struggles. It is easy to imagine that notifications will be sent against competing companies claiming that they failed to fulfil some of the rights or obligations."
"So how to prepare for the GDPR?
First of all, to fulfil the rights and obligations, every organisation will have to assess whether it works with personal, or rather sensitive, data. The analysis of data and processes to identify who works with which data and how will be key. The data analysis must include all forms of data, i.e. structured data but also unstructured data, as well as physical documents."
The article is available at: http://tinyurl.com/y9nk83e2