Types of Data Subjects:
- PNO client: the bulk of PNO clients are serviced under Shared responsibility. The bulk of Personal Data used at PNO falls in the lowest risk category and is used for business administration/communication.
- User: staff, admin/administrative staff, staff/workgroups, consortium staff and affiliates, anonymous users and probably other roles as PNO defines them. Per role, research what Personal Data is at hand => DPIA (light).
- Participant: service/action/work package (newsletter, gig, mailing list, human tissue donor, ...). Per service/action/work package, research what Personal Data is at hand => technical and/or organizational measures and, where needed, follow-up DPIA work.
The Data Subject must give consent for the use of Personal Data; the given consent must be available, editable and revocable. A data breach is reported to the Dutch Privacy Authority (Autoriteit Persoonsgegevens) within the applicable timeframe, at most 72 hours after becoming aware of the breach, and to the affected Data Subjects without undue delay where the breach is likely to result in a high risk to them.
GDPR road-map:
1 – Determine which uses of Personal Data require consent
Standard staff contracts/consortium agreements/addendums are the place to obtain consent for the use of name, email, CV, bank account number, picture for the who-is-who page, sending the salary slip, etc.
2 – Perform a DPIA (light) and check the Controller's/Processor's technical and/or organizational measures
Example of an organizational measure: the standard (project) staff NDA (non-disclosure agreement).
3 – Check whether a Processing Agreement is needed and, if so, fill out the template/Schedule
4 – Double-check data cleansing/deletion at the end of the consent period