Nested Knowledge

wiki:policies:regulatory

Differences

This shows you the differences between two versions of the page.

wiki:policies:regulatory [2023/10/03 20:00]
katcow
wiki:policies:regulatory [2023/10/05 02:27]
kholub
Line 5: Line 5:
 ===== About GDPR ===== ===== About GDPR =====
  
-==== Key Concepts: ====+==== Key Terminology: ====
  
-  * **Personal data**  - name, email, phone number, location data.+  * **Personal data**  - name, email, phone number, location data, appearance, customer id.
   * **Sensitive personal data **- race, ethniticy, religous or philosophical beliefs, political affiliation, health status, union membership, data concerning a person's sexual orientation or sex life, genetic data, and biometric data.   * **Sensitive personal data **- race, ethniticy, religous or philosophical beliefs, political affiliation, health status, union membership, data concerning a person's sexual orientation or sex life, genetic data, and biometric data.
       * Biometric data uniquely identifies a person (e.g. facial id or fingerprint)       * Biometric data uniquely identifies a person (e.g. facial id or fingerprint)
   * **Controller **- Determines how data is processed.   * **Controller **- Determines how data is processed.
-  * **Processor **- Processes data on behalf of another entitied.+  * **Processor **- Processes data on behalf of another entity.
   * **Subprocessor**  - Processes data on behalf of another processor   * **Subprocessor**  - Processes data on behalf of another processor
-<WRAP left round tip 72%> \\ **Question:**  Who is the data subject, processor, controller, and subprocessor in this example? \\ Nested Knowledge orders buisiness cards for employees. A printing business, ACMEPrints, prints the business cards with the name and contact information of Nested Knowledge's employees. A cloud provider Cumulus Web Services hosts a database containing ACMEPrint's customers and their employees' contact information.+<WRAP left round tip 99%> \\ **Question:**  Who is the data subject, processor, controller, and subprocessor in this example? \\ Nested Knowledge orders buisiness cards for employees. A printing business, ACMEPrints, prints the business cards with the name and contact information of Nested Knowledge's employees. A cloud provider Cumulus Web Services hosts a database containing ACMEPrint's customers and their employees' contact information.
  
-**Answer:**  Nested Knowledge is the controller, the employees are the Data Subject, ACMEPrint is the processor, and Cumulus Web Services is the sub-processor. \\ </WRAP>+**Answer:**  Nested Knowledge is the controller, the employees are the data subjects, ACMEPrint is the processor, and Cumulus Web Services is the sub-processor. \\ </WRAP>
  
-----+**Scope: **GDPR applies to the processing or controlling (by companies in ANY location) of personal data belonging to data subjects in the EU. 
 + 
 +  * A US company **processing data on its EU users**  falls under GDPR, even when no payment is made for the company services 
 +  * A US company** handling data on employees and contractors in the EU **is bound by GDPR. 
 +      * This includes non-residents and non-citizens physically located in the EU.
  
 ===== I. GDPR Data Processing ===== ===== I. GDPR Data Processing =====
  
-Nested Knowledge is committed to processing data in a lawful, fair, and transparent manner for explicity and legitimate purposes. Nested Knowledge will do what it reasonable can do make sure data is accurate and up to date+Nested Knowledge is committed to processing data in a lawful, fair, and transparent manner for explicit and legitimate purposes. Nested Knowledge will make all reasonable effort make sure data is accurate and up to date.
- +
-**Sensitive Data **- Nested Knowledge does not process sensitive data (high-risk data) at this time. +
- +
-**Use of photos **- we have developed a [[:wiki:policies:regulatory:photos|Photo Policy]] describing our use of photos.+
  
 +  * **Sensitive Data **- Nested Knowledge does not process sensitive data (high-risk data) at this time.
 +  * **Use of Photos **- User may voluntarily upload photos (see [[:wiki:policies:regulatory:photos|Photo Policy]]).
 ==== Technical and Organizational Measures (TOMS) ==== ==== Technical and Organizational Measures (TOMS) ====
  
 We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction.
  
-**Testing **- Nested Knowledge frequently tests systems for data integrity. We undergo penetration testing annually (see [[:wiki:policies:penetration_testing|Penetration Testing Policy]]), and our developers complete web security testing (see [[:wiki:policies:security_training#developer_training|Security Awareness Training Policy]]) annually.  \\ +  * **Testing **- Nested Knowledge frequently tests systems for data integrity. We undergo penetration testing annually (see [[:wiki:policies:penetration_testing|Penetration Testing Policy]]), and our developers complete web security testing (see [[:wiki:policies:security_training#developer_training|Security Awareness Training Policy]]) annually. 
-**Security **- We encrypt personal data in transit and at rest. +  **Security **- We encrypt personal data in transit and at rest.
 ==== Data Retention and Destruction ==== ==== Data Retention and Destruction ====
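Review bot: the converted list in the TOMS block drops the bullet on the Security item: `  * **Testing **-` is a list item, but the next line `  **Security **- We encrypt personal data in transit and at rest.` has no `* `, so it renders as an indented continuation of the Testing bullet rather than its own item; add `* ` there. The same hunk leaves several spelling errors untouched that were in reach of this copy-edit pass: "ethniticy" and "religous" in the sensitive-data bullet, "buisiness" in the worked example (which also alternates between "ACMEPrints" and "ACMEPrint"), and "make all reasonable effort make sure" in the Data Processing paragraph is missing "to".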
  
Line 47: Line 48:
 ===== II. Data Protection Impact Assessment ===== ===== II. Data Protection Impact Assessment =====
  
-Before processing personal information that may result in a high riskt to data subjects, Nested Knowledge employees will undergo a Data Protection Impact Assessment (DPIA), as described in our [[:wiki:policies:infosec#data_protection_impact_analysis_plan|Data Protection Policy.]]+Before processing personal information that may result in a high risk to data subjects, Nested Knowledge employees will undergo a Data Protection Impact Assessment (DPIA), as described in our [[:wiki:policies:infosec#data_protection_impact_analysis_plan|Data Protection Policy.]]
  
 <WRAP center round tip 90%> \\ **Question: **a new Marketing intern would like to target LinkedIn Ad campaigns based on customers' political affiliation, derived by analyzing public voting records. Can the intern do so? \\ **Answer: **No, political affiliation is sensitive personal data. To consider proceeding, the marketing team must complete and document a DPIA that evaluates the lawful basis for processing, potential harms, risk reduction, and other details. \\ </WRAP> <WRAP center round tip 90%> \\ **Question: **a new Marketing intern would like to target LinkedIn Ad campaigns based on customers' political affiliation, derived by analyzing public voting records. Can the intern do so? \\ **Answer: **No, political affiliation is sensitive personal data. To consider proceeding, the marketing team must complete and document a DPIA that evaluates the lawful basis for processing, potential harms, risk reduction, and other details. \\ </WRAP>
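Review bot: the DPIA sentence still says that employees "will undergo" the assessment; the assessment is of the processing activity, so "Nested Knowledge will conduct a Data Protection Impact Assessment (DPIA) before processing personal information that may result in a high risk to data subjects" reads correctly. In the worked answer below it, the hunk does not reconcile the answer with the section's own statement that Nested Knowledge does not process sensitive data at this time: the answer could note that the intern's request also falls outside current policy, not only that it needs a documented DPIA, since the DPIA as described evaluates the lawful basis rather than supplying one.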
Line 59: Line 60:
 ==== Data Subject Rights ==== ==== Data Subject Rights ====
  
-Individual’s have a right to access any personal information that Nested Knowledge processes about them and to request information about:+Individuals have a right to access any personal information that Nested Knowledge processes about them and to request information about:
  
   * what personal data we hold about them   * what personal data we hold about them
Line 79: Line 80:
 We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information.
  
-**Direct Marketing **- Our direct marketing includes clear opt-in mechanisms for marketing subscriptions and a clear notice and method for opting out on all subsequent marketing materials. +  * **Direct Marketing **- Our direct marketing includes clear opt-in mechanisms for marketing subscriptions and a clear notice and method for opting out on all subsequent marketing materials. 
- +  **Cookies**  - We do not use marketing or analytics cookies.
-**Cookies**  - We do not use marketing or analytics cookies. +
 ==== Communicating Updates ==== ==== Communicating Updates ====
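Review bot: same list defect as the TOMS block: `  **Cookies**  - We do not use marketing or analytics cookies.` lacks the `* ` marker, so it will render as a continuation of the Direct Marketing bullet instead of a second item.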
  
Line 89: Line 88:
 ==== Reporting Data Breaches ==== ==== Reporting Data Breaches ====
  
-Nested Knowledge is obligated to report information on data breaches and mitigations to the required government agencies as well as reporting information of data breaches to the affected parties. Our [[:wiki:policies:incident|Incident Response]] policy ensure that we have safeguards in place to identify, assess, investigate and report any personal data breach as early as possible. +Nested Knowledge is obligated to report information on data breaches and mitigations to the required government agencies as well as reporting information of data breaches to the affected parties. Our [[:wiki:policies:incident|Incident Response]] policy ensure that we have safeguards in place to identify, assess, investigate and report any personal data breach as early as possible. We inform clients of breaches in accordance with our [[:wiki:policies:escalation|Escalation Policy]].
- +
-===== V. Statement on Sub-processors ===== +
- +
-==== Amazon Web Services (AWS) ==== +
- +
-AWS is used for cloud hosting of the Nested Knowledge platform, including its servers, services, and databases. All user accounts and data generated on the NK application are stored in databases in AWS, behind a firewall (VPC). This data, including personal information, is not shared with AWS in a structured or meaningful way, instead only being processed by NK application code within the VPC. +
- +
-==== Auth0 ==== +
- +
-Auth0 provides authentication of users for the NK application. As such, Auth0 holds: +
- +
-  * User email and password or social login account identifiers +
-  * Login history +
- +
-No further data is shared with Auth0. +
- +
-==== HubSpot ==== +
- +
-HubSpot Inc. is used to notify users via email of new software releases that will interrupt their workflow. Users can opt out of emails at any time. We also use HubSpot to handle inbound sales inquiries, onboarding communication, and technical support requests. +
- +
-HubSpot stores the full name and email addresses of users. Users can have their personal or organizational data deleted at any time. All user data is deleted from HubSpot if an account is deleted. +
- +
-HubSpot may employ additional third-party sub-processors, which are listed in Annex 3 of their [[https://legal.hubspot.com/dpa|Data Protection Agreement]]. +
- +
-===== VII. GDPR Roles and Employees ===== +
- +
-==== Data Protection Officer ==== +
- +
-See the [[:wiki:policies:infosec#data_protection_officer_dpo|Data Protection Officer]] section of our Information Security policy. Nested Knowledge's Data Protection Officer is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR compliance, identifying any gap areas and implementing the new policies, procedures and measures. +
- +
-==== Employee Training ====+
  
-Nested Knowledge trains employees on GDPR compliance at least annually.+===== VStatement on Subprocessors =====
  
-==== GDPR Audit Record ====+As described in the[[:wiki:policies:third_party|Third Party Policy]] Nested Knowledge maintains a [[:wiki:policies:third_party#summary_of_sub-processors|List of Subprocessors]] and Third Party providers. We update the list on an ongoing basis when a change in subprocessors occurs. \\ 
 + \\ 
 +New contracts with subprocessors and subcontractors will incorporate data protection and data breach notice requirements.
  
-Nested Knowledge began an internal audit in September 2023+===== VI. GDPR Roles and Accountability =====
  
 +  * **Data Protection Officer**  - See the [[:wiki:policies:infosec#data_protection_officer_dpo|Data Protection Officer]] section of our Information Security policy. Nested Knowledge's Data Protection Officer is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR compliance, identifying any gap areas and implementing the new policies, procedures and measures
 +  * **Employee Training**  - Nested Knowledge trains employees on GDPR compliance at least annually
 +  * **GDPR Audit Record -**  Nested Knowledge began an internal audit in September 2023
 ===== Contact ===== ===== Contact =====
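Review bot: the new heading `===== VStatement on Subprocessors =====` lost the period and space after the numeral; it should read `===== V. Statement on Subprocessors =====` to match `===== VI. GDPR Roles and Accountability =====` below it. Two more small ones in the same region: `the[[:wiki:policies:third_party|Third Party Policy]]` needs a space before the link, and "Our Incident Response policy ensure that" is missing the "s" on "ensures" (unchanged from the old version). More substantively, this hunk removes the per-subprocessor descriptions (what AWS, Auth0 and HubSpot each hold, the VPC note, the HubSpot opt-out and deletion behaviour, and the link to Annex 3 of HubSpot's Data Protection Agreement) in favour of a pointer to the Third Party Policy list; confirm that page carries the same detail before merging, otherwise the data-flow description for each subprocessor is lost from the policy set.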
  
Line 137: Line 110:
 |K. Cowie|05/21/2023|Minor revisions| |K. Cowie|05/21/2023|Minor revisions|
 |K. Cowie|01/24/2022|Minor revisions| |K. Cowie|01/24/2022|Minor revisions|
-|K. Holub|01/11/2022|Sub-processors|+|K. Holub|10/04/2023|Copy edits|
 |K. Kallmes|11/19/2021|2021 version finalized and signed off| |K. Kallmes|11/19/2021|2021 version finalized and signed off|
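Review bot: the change-log edit overwrites the existing `|K. Holub|01/11/2022|Sub-processors|` row instead of adding a new one, so the 2022 sub-processor revision disappears from the history; keep that row and add `|K. Holub|10/04/2023|Copy edits|` as a new row. While doing that, put the table in a consistent order, since the new 10/04/2023 entry currently sits below 05/21/2023 and 01/24/2022.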
  
wiki/policies/regulatory.txt · Last modified: 2023/10/05 02:27 by kholub