wiki:policies:regulatory [2023/10/03 20:11] katcow |
wiki:policies:regulatory [2023/10/05 02:27] (current) kholub |
Line 5: | Line 5: | ||
===== About GDPR ===== | ===== About GDPR ===== | ||
- | ==== Key Concepts: ==== | + | ==== Key Terminology: ==== |
- | * **Personal data** | + | * **Personal data** |
* **Sensitive personal data **- race, ethniticy, religous or philosophical beliefs, political affiliation, | * **Sensitive personal data **- race, ethniticy, religous or philosophical beliefs, political affiliation, | ||
* Biometric data uniquely identifies a person (e.g. facial id or fingerprint) | * Biometric data uniquely identifies a person (e.g. facial id or fingerprint) | ||
* **Controller **- Determines how data is processed. | * **Controller **- Determines how data is processed. | ||
- | * **Processor **- Processes data on behalf of another | + | * **Processor **- Processes data on behalf of another |
* **Subprocessor** | * **Subprocessor** | ||
- | <WRAP left round tip 72%> \\ **Question: | + | <WRAP left round tip 99%> \\ **Question: |
**Answer: | **Answer: | ||
- | ---- | + | **Scope: **GDPR applies to the processing or controlling (by companies in ANY location) of personal data belonging to data subjects in the EU. |
- | ===== I. GDPR Data Processing ===== | + | * A US company **processing data on its EU users** |
+ | * A US company** handling data on employees and contractors in the EU **is bound by GDPR. | ||
+ | * This includes non-residents and non-citizens physically located in the EU. | ||
- | Nested Knowledge is committed to processing data in a lawful, fair, and transparent manner for explicity and legitimate purposes. Nested Knowledge will do what it reasonable can do make sure data is accurate and up to date. | + | ===== I. GDPR Data Processing ===== |
- | **Sensitive Data **- Nested Knowledge | + | Nested Knowledge |
+ | * **Sensitive Data **- Nested Knowledge does not process sensitive data (high-risk data) at this time. | ||
+ | * **Use of Photos **- User may voluntarily upload photos (see [[: | ||
==== Technical and Organizational Measures (TOMS) ==== | ==== Technical and Organizational Measures (TOMS) ==== | ||
- | We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction. \\ **Testing **- Nested Knowledge frequently tests systems for data integrity. We undergo penetration testing annually (see [[: | + | We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction. |
- | **Security **- We encrypt personal data in transit and at rest. | + | |
+ | * **Testing **- Nested Knowledge frequently tests systems for data integrity. We undergo penetration testing annually (see [[: | ||
+ | * **Security **- We encrypt personal data in transit and at rest. | ||
==== Data Retention and Destruction ==== | ==== Data Retention and Destruction ==== | ||
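Review bot: the copy-edit revision leaves the misspellings "ethniticy" and "religous" on the Sensitive personal data bullet unchanged on the new side of this hunk; since the terminology list is already being edited here, correct them to "ethnicity" and "religious". The new Scope text replaces the "----" rule and so lands inside the "Key Terminology" subsection, between the Question/Answer tip and the "I. GDPR Data Processing" heading; giving Scope its own heading would keep it from reading as another term definition.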
Line 43: | Line 48: | ||
===== II. Data Protection Impact Assessment ===== | ===== II. Data Protection Impact Assessment ===== | ||
- | Before processing personal information that may result in a high riskt to data subjects, Nested Knowledge employees will undergo a Data Protection Impact Assessment (DPIA), as described in our [[: | + | Before processing personal information that may result in a high risk to data subjects, Nested Knowledge employees will undergo a Data Protection Impact Assessment (DPIA), as described in our [[: |
<WRAP center round tip 90%> \\ **Question: **a new Marketing intern would like to target LinkedIn Ad campaigns based on customers' | <WRAP center round tip 90%> \\ **Question: **a new Marketing intern would like to target LinkedIn Ad campaigns based on customers' | ||
Line 55: | Line 60: | ||
==== Data Subject Rights ==== | ==== Data Subject Rights ==== | ||
- | Individual’s | + | Individuals |
* what personal data we hold about them | * what personal data we hold about them | ||
Line 75: | Line 80: | ||
We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. | We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. | ||
- | **Direct Marketing **- Our direct marketing includes clear opt-in mechanisms for marketing subscriptions and a clear notice and method for opting out o on all subsequent marketing materials. | + | * **Direct Marketing **- Our direct marketing includes clear opt-in mechanisms for marketing subscriptions and a clear notice and method for opting out on all subsequent marketing materials. |
- | + | | |
- | **Cookies** | + | |
==== Communicating Updates ==== | ==== Communicating Updates ==== | ||
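Review bot: the **Cookies** item on the old side of this hunk has no counterpart on the new side, while the neighbouring Direct Marketing item is kept and reformatted as a bullet; if the cookie-consent text was moved elsewhere on the page, say so in the edit summary, otherwise restore it as a second bullet beside Direct Marketing so the consent section still covers cookies.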
Line 87: | Line 90: | ||
Nested Knowledge is obligated to report information on data breaches and mitigations to the required government agencies as well as reporting information of data breaches to the affected parties. Our [[: | Nested Knowledge is obligated to report information on data breaches and mitigations to the required government agencies as well as reporting information of data breaches to the affected parties. Our [[: | ||
- | ===== V. Statement on Sub-processors | + | ===== V. Statement on Subprocessors |
- | As described in the[[: | + | As described in the[[: |
\\ | \\ | ||
- | New contracts with third parties | + | New contracts with subprocessors and subcontractors will incorporate data protection |
- | + | ||
- | ===== VII. GDPR Roles and Employees ===== | + | |
- | + | ||
- | ==== Data Protection Officer ==== | + | |
- | + | ||
- | See the [[: | + | |
- | + | ||
- | **Employee Training** | + | |
- | **GDPR Audit Record -** Nested Knowledge began an internal audit in September 2023 | + | ===== VI. GDPR Roles and Accountability ===== |
+ | * **Data Protection Officer** | ||
+ | * **Employee Training** | ||
+ | * **GDPR Audit Record -** Nested Knowledge began an internal audit in September 2023 | ||
===== Contact ===== | ===== Contact ===== | ||
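Review bot: the missing space in "As described in the[[:" is carried over unchanged to the new side of the Subprocessors section; insert a space before the link so the link label renders as a separate word. Folding the Data Protection Officer, Employee Training and GDPR Audit Record items into a single bullet list under "VI. GDPR Roles and Accountability" is a sensible restructuring, but the section number changes from VII to VI, so check that any cross-references on the page to section VII are updated.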
Line 112: | Line 110: | ||
|K. Cowie|05/ | |K. Cowie|05/ | ||
|K. Cowie|01/ | |K. Cowie|01/ | ||
- | |K. Holub|01/11/2022|Sub-processors| | + | |K. Holub|10/04/2023|Copy edits| |
|K. Kallmes|11/ | |K. Kallmes|11/ | ||
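Review bot: in the revision-history table the row "K. Holub|01/11/2022|Sub-processors" is replaced by "K. Holub|10/04/2023|Copy edits" instead of being appended, so the record of the 2022 sub-processor update disappears from the history; add the 2023 entry as a new row and keep the 2022 row.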