
>Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

Data Classification

>a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

Data Classification

>b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.

Asset Inventory

>2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

Privacy Impact Assessment

>3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.

Privacy Impact Assessment

>a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.

Privacy Impact Assessment

>b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.

Asset Inventory

>c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.

Access Control

>4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.

Data Retention

>5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.

Data Collection

>6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.

>7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

Breach Escalation

>a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.

Backup

>a. What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.

Log Review

>c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.

Security Awareness Training

>8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security.

Get an ISO audit.



I'm sorry, but this comment reads like something written by an academic with no real world experience of data protection issues and running businesses at all.

You should be able to provide this from a SQL query.

Please tell us all what that query should be, then, and how it's going to cover the relevant data stored in log files, emails, remote services used for payment processing, off-site backups, etc.

That's just a very minimal set of other places that almost any new online business is likely to be working with on day one.

Data Classification Plan

Asset Inventory Plan

Privacy Impact Analysis

Privacy Impact Assessment

Access Control Plan

Data Retention Plan

Data Collection Plan

Breach Escalation Plan

You're suggesting that in order to handle this kind of request -- which none of my businesses has ever received from anyone in many years of trading -- we should write up 8 different formal policies? These businesses probably don't have 8 different formal written policies in total at the moment. This is just totally detached from the realities of running small businesses, though it does reinforce my point about disproportionate burdens.

[The parent comment appears to have been edited after I wrote this. The terms above were in the original.]


>The parent comment

I wasn’t finished writing.

>we should write up 8 different formal policies?

Yes. That’s obvious.


You're making the parent's point. This is disproportionately burdensome to companies that don't have people dedicated to writing policies or lawyers dedicated to reviewing them.


Then refrain from collecting and processing data on individuals.


How is that a useful solution to anything? Almost any business will handle some form of personal data, and as such will have some degree of compliance overhead.

More overheads are generally bad for business. In the run up to Brexit, and given figures from the Chancellor's statement just this week showing relatively low productivity and growth in the UK economy, it's remarkable how many people don't seem to have a problem with increasing those overheads and thus negatively affecting the creation and growth of businesses.

There is a balance to be struck here. Protecting privacy is important, but not regulating in a way that introduces excessive burdens is also important.


If you want to collect and process data on individuals, then start implementing Security 101 basics:

* Data Classifications

* Privacy Impact Assessments

* Log Reviews

* Incident Response


An ISO audit takes how long and costs how much? Do you expect every company that handles email addresses (that's PII) to perform an ISO or SOC2 audit before accepting customers?
