REGULATION (EU) 2016/679 and ISO 27001
TRAINING AND CONSULTING ON BUILDING A
Personal Data Protection Management System,
in accordance with the requirements of REGULATION (EU) 2016/679
The scope of the training and consulting offered is specific to each organization and is determined mainly by the following two factors:
1. Whether the organization is registered as a Personal Data Controller under the ЗЗЛД (the Bulgarian Personal Data Protection Act);
2. Whether an established, functioning and certified Information Security Management System (ISO 27001) is already in place.
In all cases the training and consulting include:
1. Review of the requirements of REGULATION (EU) 2016/679;
2. Review of the main activities the organization must carry out when building a Personal Data Protection Management System;
3. An approach to selecting the control / protective mechanisms required to meet the requirements of REGULATION (EU) 2016/679;
4. An approach to building a Personal Data Protection Management System
- as a subsystem of an Information Security Management System (ISO 27001);
- as a stand-alone security system.
5. Review of the main requirements for the Data Protection Officer.
6. Development of the documents required by the Regulation in connection with the protection of personal data.
For questions and additional information:
Пламен Каменов
0886 655 315
E-mail: infosecservicebg@gmail.com
Note:
The following table summarizes the requirements of Regulation (EU) 2016/679 on the protection of personal data and the possible control mechanisms (defined in ISO 27001) for meeting them.
SCOPE

№ | Requirement under Regulation 2016/679 (clause No.) | Implementation of the requirement through a control under ISO 27001 / 27002
--- | --- | ---
1 | Article 3 (territorial scope) and 27 (representatives) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
2 | Article 4, section 1, subsection 1 (personal data) | A.8.2.1 (classification of information)

PROCESSING OF PERSONAL DATA

№ | Requirement under Regulation 2016/679 (clause No.) | Implementation of the requirement through a control under ISO 27001 / 27002
--- | --- | ---
1 | Article 6 (common personal data) and 9 (sensitive data) | A.8.2.1 (classification of information)
2 | Article 4, section 1, subsection 2 (processing) | A.8.1.3 (acceptable use of assets)
3 | Article 4, section 1, subsection 7 (controller) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
4 | Article 4, section 1, subsection 8 (processor) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
5 | Article 6 (common personal data - lawfulness of processing), 9 (sensitive data), 85 (processing and freedom of expression and information (journalistic, academic, artistic and literary purpose)), 86 (public access to official documents), 87 (national identification number), 88 (employment), 89 (public interest, scientific, historical and statistical purposes) and 90 (secrecy) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
6 | Article 4, section 1, subsection 16 (main establishment), 60 (cooperation between supervisory authorities, one-stop-shop and the consistency mechanism) and 55 (competence of the supervisory authority) | A.6.1.3 (contact with authorities)

PRINCIPLES

№ | Requirement under Regulation 2016/679 (clause No.) | Implementation of the requirement through a control under ISO 27001 / 27002
--- | --- | ---
1 | Article 5 (principles) | A.8.2.3 (handling of assets)
2 | Article 5, section 1, subsection a (lawful, fair and transparent), Article 6, section 1, subsection a (consent), Article 7 (consent), 8 (consent for children) and Article 9, section 2, subsection a (consent) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
3 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6, section 1, subsection f (legitimate interests) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
4 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6, section 1, subsection b (contract) or subsection c (legal obligation) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
5 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6 (lawfulness of processing), 9 (sensitive information), 85 (processing and freedom of expression and information (journalistic, academic, artistic and literary purpose)), 86 (public access to official documents), 87 (national identification number), 88 (employment law), 89 (public interest, scientific, historical and statistical purpose) and 90 (secrecy) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
6 | Article 5, section 1, subsection a (lawful, fair and transparent) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
7 | Article 5, section 1, subsection b (purpose limitation) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
8 | Article 5, section 1, subsection c (data minimisation) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
9 | Article 5, section 1, subsection d (accuracy) (see also Articles 16-21) | A.12.1.1 (documented operating procedures)
10 | Article 5, section 1, subsection d (accuracy) (see also Articles 16-21) | A.12.1.1 (documented operating procedures)
11 | Article 5, section 1, subsection e (storage limitation) | A.12.1.1 (documented operating procedures)
12 | Article 5, section 1, subsection f (integrity and confidentiality) (see also Article 32) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements analysis and specification); A.14.2.5 (secure system engineering principles)

RIGHTS OF DATA SUBJECTS

№ | Requirement under Regulation 2016/679 (clause No.) | Implementation of the requirement through a control under ISO 27001 / 27002
--- | --- | ---
1 | Article 12, section 2 (transparency) | A.12.1.1 (documented operating procedures)
2 | Article 12, section 3 (transparency) | A.12.1.1 (documented operating procedures)
3 | Article 13, sections 1 and 2 (information to be provided when personal data is collected from the data subject), Article 14, sections 1 and 2 (information to be provided when personal data is not obtained from the data subject), Article 15, section 1 (right of access by the data subject) | A.12.1.1 (documented operating procedures); A.6.1.1 (information security roles and responsibilities); A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.8.2.1 (classification of information); A.13.2.1 (information transfer policies and procedures)
4 | Article 16 (rectification), Article 17 (right to erasure) and Article 18 (right to restriction of processing) | A.12.1.1 (documented operating procedures)
5 | Article 19 (notification obligation) | A.12.1.1 (documented operating procedures)
6 | Article 20 (data portability) | A.12.1.1 (documented operating procedures)
7 | Article 21 (right to object) | A.12.1.1 (documented operating procedures); A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
8 | Article 22 (profiling) | A.12.1.1 (documented operating procedures); A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)

OBLIGATIONS OF THE ORGANIZATION

№ | Requirement under Regulation 2016/679 (clause No.) | Implementation of the requirement through a control under ISO 27001 / 27002
--- | --- | ---
1 | Article 24, section 1 (responsibility of the controller) | A.5.1.1 (policies for information security); A.5.1.2 (review of the policies for information security); A.18.2.2 (compliance with security policies and standards)
2 | Article 24, section 2 (responsibility of the controller) | A.5.1.1 (policies for information security); A.5.1.2 (review of the policies for information security)
3 | Article 25, section 1 (data protection by design and by default) and section 2 (data protection by design and by default) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
4 | Preamble (Recital) 78 (data protection by design in tendering procedures) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.2 (agreements on information transfer)
5 | Article 28, section 1 (processor) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.1 (information transfer policies and procedures); A.13.2.2 (agreements on information transfer)
6 | Article 28, section 2 (processor) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.1 (information transfer policies and procedures); A.13.2.2 (agreements on information transfer)
7 | Article 28, section 3 (processor) | A.9.2.2 (user access provisioning); A.9.4.1 (information access restriction); A.12.1.1 (documented operating procedures); A.13.2.2 (agreements on information transfer); A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.16.1.3 (reporting information security weaknesses)
8 | Article 30, section 1 (records of processing activities) | A.12.1.1 (documented operating procedures)
9 | Article 30, section 2 (records of processing activities) | A.12.1.1 (documented operating procedures)
10 | Article 32, sections 1 and 2 (security of processing) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
11 | Article 32, section 1, subsection a (security of processing) | A.10.1.1 (policy on the use of cryptographic controls); A.9.4.1 (information access restriction)
12 | Article 32, section 1, subsection b (security of processing) | A.5.1.1 (policies for information security); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
13 | Article 32, section 1, subsection c (security of processing) | A.12.3.1 (information backup); A.17.1.1 (planning information security continuity); A.17.1.2 (implementing information security continuity)
14 | Article 32, section 1, subsection d (security of processing) | A.14.2.8 (system security testing); A.14.2.9 (system acceptance testing); A.12.7.1 (information systems audit controls); A.15.2.1 (monitoring and review of supplier services); A.18.2 (information security reviews)
15 | Article 32, section 4 (security of processing) | A.5.1.1 (policies for information security); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
16 | Article 33, sections 1 and 3 (notification of security incidents to the supervisory authority) | A.16.1.1 (responsibilities and procedures); A.16.1.5 (response to information security incidents); A.6.1.3 (contact with authorities)
17 | Article 33, section 5 (notification of security incidents to the supervisory authority) | A.16.1.7 (collection of evidence); A.12.4 (logging and monitoring)
18 | Article 33, section 2 (notification of security incidents to the supervisory authority) | A.16.1.3 (reporting information security weaknesses)
19 | Article 34 (communication of a personal data breach to the data subjects) | A.16.1.5 (response to information security incidents)
20 | Article 35, section 1 (data protection impact assessment) | A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
21 | Article 36, section 1 (prior consultation) | A.6.1.3 (contact with authorities)
22 | Article 37 (designation of the data protection officer) | A.6.1.1 (information security roles and responsibilities)

SPECIAL CASES

№ | Requirement under Regulation 2016/679 (clause No.) | Implementation of the requirement through a control under ISO 27001 / 27002
--- | --- | ---
1 | Article 44 (general principle for transfers) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
2 | Article 44 (general principle for transfers) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
3 | Article 46 (transfers) | A.15.1.2 (addressing security within supplier agreements)
4 | Article 46 and Article 47 (transfers) | A.15.2.1 (monitoring and review of supplier services)
5 | Many articles in the Regulation allow for national interpretation / implementation | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
6 | Many articles in the Regulation make national interpretation / implementation possible. | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)