Does GDPR apply for volatile data

GDPR aims to set standards (and requirements) on how sensitive data should be stored. However, I couldn’t find any information on how (or even if) GDPR applies to sensitive data in a volatile state.

As an example, what if we are in the process of collecting data about users (with their consent) in order to store it? This data passes through the machine’s RAM (as does everything else that runs on the computer), where it could potentially be intercepted by malware and therefore enable leakage of sensitive information.

Is there a section in GDPR that addresses sensitive data in a volatile form, or is it a potential loophole? (I am mainly thinking about whether the data should be encrypted while in memory.)

Are Apple’s default Privacy settings GDPR compliant?

I recently realized that some apps were able to “link” my identity to Facebook. I checked my Off-Facebook Activity and could see some apps that I’ve never given my email to.

Investigating further, I believe it boils down to a setting under Settings > Privacy > Advertising on my iPhone. There’s a way to either reset the advertising identifier or Limit Ad Tracking, which I believe prevents this completely (perhaps by generating a unique identifier each time?).

“Solving” this was obviously easy by limiting ad tracking, but I’m wondering: how come it’s not limited by default? Shouldn’t GDPR protect me from this kind of default? Shouldn’t Apple get my explicit consent for something like this? I don’t recall having given such consent…

UK/EU GDPR security laws

I am the lead on IT; however, as it is a fairly small company, the managing partner holds the purse strings. If I have notified him about possible ways that we could be breached, is he legally obligated to have them tested and corrected?

What ramifications are there if there is a breach and it comes out that we were aware of these possible vulnerabilities?

GDPR Privacy Policy 1 day delivery for $5

A simple but effective privacy statement that includes the following details:

  • AdSense compliant
  • GDPR compliant
  • Third-party sharing
  • Information collected
  • Information use
  • Use of cookies
  • Links
  • SSL protocol
  • COPPA (Children’s Online Privacy Protection Act)
  • Email communications
  • Changes to statement notice
  • Contact information

Be sure that the information you provide in the next series of questions is accurate. I do not allow revisions because this gig is so affordable. If you need a revision, you will need to re-purchase my services. So please be sure your information is accurate. This is not an HTML file; this is a Word document, and you will receive it as such. Normally turnaround is 24 hours; I do have 3 days listed just in case things get in my way.

by: jtosus
Created: —
Category: Legal
Viewed: 129

Active Directory GDPR classification

GDPR classifies data into non-personal, personal and sensitive personal. Sensitive personal is further broken down into genetic and biometric, racial and ethnic, religious and philosophical, etc.

Coming to implement a new Active Directory, I want to present my stakeholders with the different options that they have, with GDPR in mind.

Reading the Microsoft white paper, I cannot see a mapping of attributes to the GDPR classifications, or a bottom line on how to implement any of the three approaches.

I would ideally like to see something along these lines:

  • to class as non-personal: 1. use the employee ID in userPrincipalName and sAMAccountName; 2. only use the corporate mobile phone in homePhone/otherPhone etc.; 3. use the office address in streetAddress, targetAddress etc.
  • avoid these to avoid being classed as sensitive: 1. biometrics (unless stored on the device, such as Windows Hello); 2. distribution lists for religious communities (e.g. prayer room, even if multi-faith)

There are of course extension attributes which will have to be considered on a case-by-case basis.

Has anyone been through this process and can share from their work?
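One practical starting point for the stakeholder discussion above is an inventory of which of the attributes named in the question are actually populated, so each can be reviewed against the non-personal / personal / sensitive classification. The script below is an added example written for this page; it is not from the original post, the Microsoft white paper, or any Microsoft tool. It assumes the ActiveDirectory RSAT module is installed, that `$SearchBase` is replaced with a real OU, and that employee IDs in this environment are purely numeric (the heuristic used to flag name-based logons); the keyword list used to spot religion-related distribution groups is taken from the question’s own examples and is an assumption.

```powershell
# Added example (not the original post's or Microsoft's code): inventory AD attributes
# named in the question so each can be reviewed against the GDPR classifications.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder: replace with your own OU

# Attributes from the question, grouped by the classification concern they raise.
$Attributes = [ordered]@{
    'Logon identifiers (should carry employee ID, not a name)' = @('userPrincipalName', 'sAMAccountName')
    'Phone numbers (corporate numbers only)'                   = @('homePhone', 'otherHomePhone', 'mobile', 'otherMobile')
    'Addresses (office address only)'                          = @('streetAddress', 'targetAddress')
}

# Flatten the attribute lists into one array for -Properties.
$props = @($Attributes.Values | ForEach-Object { $_ })
$users = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props)

# Report how many accounts have each attribute populated.
foreach ($group in $Attributes.Keys) {
    Write-Host "== $group =="
    foreach ($attr in $Attributes[$group]) {
        $populated = @($users | Where-Object { $_.$attr }).Count
        Write-Host ("{0,-20} populated on {1} of {2} accounts" -f $attr, $populated, $users.Count)
    }
}

# Flag logon names that do not look like employee IDs (assumption: IDs are numeric),
# i.e. accounts whose sAMAccountName probably embeds a personal name.
$users |
    Where-Object { $_.sAMAccountName -notmatch '^\d+$' } |
    Select-Object sAMAccountName, userPrincipalName |
    Export-Csv -Path '.\name-based-logons.csv' -NoTypeInformation

# List distribution groups whose name or description suggests a religious/community list,
# the example the question gives of data that would class as sensitive. Keywords are an assumption.
Get-ADGroup -Filter { GroupCategory -eq 'Distribution' } -Properties description |
    Where-Object { ($_.Name + ' ' + $_.description) -match 'prayer|faith|chaplain|religio' } |
    Select-Object Name, description
```

Run it from a workstation with RSAT under an account that can read the target OU; the counts and the two result lists are intended as input to the classification discussion, not as an automatic decision, since a populated homePhone may legitimately hold a corporate number.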

User research survey & GDPR

I’m hoping to create and send out some user research surveys shortly and wanted to ask how people are treating the GDPR regulations in this area.

At a high level, I want to capture personally identifiable data (PID) to understand the demographics of the respondents. I’m aware I also need to get a signed acceptance to use their data.

I know that I’m under an obligation to remove PID both on request and when it’s not reasonably needed. Do people generally follow this and discard results, or do people tend to use the signed acceptance to override this?

Email under GDPR

I am aware that email is considered PII and should be used and stored under strict security guidelines as per GDPR. If we use email in any of our communications, in what cases might it not be considered PII under GDPR?