Technical & Organisational Measures

Index

Contact form
Cookies
DropBox
Email
Facebook, LinkedIn and Twitter privacy
Gig
Human tissue donor
InnovationPlace (IP) / MatchPoint (MP)
Laptop
Mailing list
MailChimp
(Virtual) Meetings
Mobile phone
Network/LAN
Physical access to premises
Questionnaires
SurveyMonkey
Seminar
Servers/Back-up
Social network/hub/website
Website
WeShare


Contact form
– Mark all obligatory fields with an asterisk * (and explain what the * means)
– Include an unchecked tick box for accepting the Privacy Statement (never pre-ticked)
– Send a confirmation to the email address that was entered; only treat the submission as a subscription once it has been confirmed
– Keep records of consent (date / time / email address)
See (in Dutch) https://dpo.pno.group/ap20200811

PNO contact form. Note the tick box and the link to the Privacy Statement (the link only becomes visible when hovering over the text ‘Privacy Statement’; better to highlight the link by default). Note that the meaning of the * is not explained.

Cookies
Summer 2020: under construction to comply with EU law on cookies. Users must be able to choose which cookies they accept. Some resources:
– Scan your website with Cookiebot (free scan)
– Learn more about the GDPR
– Learn more about how to achieve GDPR compliance
– Visit the EU website on data protection
– Visit the official GDPR law text
– Make sure the user can choose which cookie categories to activate; only strictly necessary cookies may be placed before consent is given
– Be careful with plugins (they may place cookies or measure traffic on their own)
PS: PNO is evaluating Iubenda (summer 2020).

https://manage.cookiebot.com/en/signup
https://cookiepedia.co.uk/giving-consent-to-cookies

DropBox
Used as an alternative to InnovationPlace and/or Microsoft SharePoint (365). The paid professional version can be managed and used in a GDPR-compliant way. Using DropBox requires pro-active management combined with technical and organisational measures: for example, access reviews and clean-up have to be scheduled and documented in a traceable way. Ask the PNO DPO for advice; contact GDPR@PNOConsultants.com.

Email
– Use Bcc for larger/group/mass mailings so that email addresses are not shared with every addressee. PS: forwarding emails that contain many email addresses risks those addresses ending up in an unintended inbox
– Use FileCap for attachments, also PNO-internally, when Personal Data is involved
– Be careful with Reply All and with Forward/include
– Be careful with sending documents/attachments around within PNO
– Move/connect client email to the client folder/dossier on SharePoint/Dropbox professional
– Do not use your PNO email address for accounts on networks, except for a PNO project network/hub/website and LinkedIn
– There is no such thing as a ‘Free Account’
– Report a Data Breach/loss at ServiceDesk@pnoconsultants.com
Useful check: https://haveibeenpwned.com/

Facebook, LinkedIn and Twitter privacy
See the Wired article ‘How to stop your personal information leaking to the world’: https://www.wired.co.uk/article/personal-data-privacy-facebook-twitter and pay attention to cookie consent plugins.

Gig
– Collect consent for the use of Personal Data/audio/video (name, email, signature/consent with the Privacy Statement), preferably digitally
– Scan paper consent forms for the archive and destroy the paper forms
– Be careful with data dumps in Excel etc., because these files tend to linger in email (inbox, sent items, archive, etc.)
– Consider using a service such as https://www.eventbrite.com
See (in Dutch) https://dpo.pno.group/ap20200811

Human tissue donor
PNO does not run clinical trials/tests itself, but collecting Personal Data of donors is possible. Mind the relationship between PNO (Controller) and the organisation the data are shared with (joint Controller/Third party/Processor).

InnovationPlace (IP) / MatchPoint (MP)
Around Wheesbee (basically a search engine for public and proprietary datasets such as patents and EU projects/allocated subsidies) the owner, InnovationEngineering (INNEN), built a basic network/hub with various partner-matching and cooperation features. MP is the backend of IP and is available for PNO to use with some extra features/functionalities.
PNO has a generic Processor Agreement with INNEN, and INNEN is a preferred supplier for web services, running a number of sites for PNO (sometimes in cooperation with Cloudselling, also a preferred partner of PNO).


Laptop
– Do not connect to public ‘free’ networks
– Use fingerprint or password protection
– Set a maximum idle time before the screen locks
– Encrypt the hard disk
– Do not use USB sticks
– Do not save Personal Data on your laptop (use SharePoint, Dropbox professional)
– Report a Data Breach/loss at ServiceDesk@pnoconsultants.com
An inventory per PNO country is obligatory

Mailing list
– Collect consent by having the subscriber tick a tick box referring to the applicable Privacy Statement
– Confirm the subscription by email (prevents others from signing people up against their will)
– Indicate the obligatory fields on the subscription form
– Make sure all fields are covered in the Privacy Statement
– Active bounce management
– Report a Data Breach/loss at ServiceDesk@pnoconsultants.com
– Include an unsubscribe link in all mailings
– There is no such thing as a ‘Free Account’
– Be careful with data dumps in Excel etc., because these files tend to linger in email (inbox, sent items, etc.)
See (in Dutch) https://dpo.pno.group/ap20200811
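The contact-form and mailing-list measures above (an unchecked tick box, a confirmation email to the address that was entered, a consent record with date/time/email) together describe a confirmed opt-in flow. The code below is an added example of how to implement it; it is not PNO code. The confirmation token is HMAC-signed so that nobody can confirm an address they do not control, the link expires after an assumed 24 hours, and the consent record is only written when the link is clicked, so a third party's address typed into the form never ends up on the list. The secret key, the in-memory store and the record fields beyond date/time/email (Privacy Statement version, source form) are assumptions made for the example.

```python
"""Confirmed opt-in (double opt-in) with a consent ledger. Added example, not PNO code."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption for this example: confirmation links stop working after 24 hours.
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class ConsentRecord:
    email: str
    requested_at: int               # Unix time the form was submitted
    confirmed_at: int               # Unix time the address owner clicked the link
    privacy_statement_version: str  # which Privacy Statement text was ticked
    source: str                     # e.g. "contact-form" or "mailing-list"
    withdrawn_at: Optional[int] = None


class ConsentLedger:
    """Stores a consent record only after the email address has been confirmed."""

    def __init__(self, secret: bytes):
        # Hypothetical per-deployment secret; in production load it from a secret store.
        self._secret = secret
        self.records: Dict[str, ConsentRecord] = {}

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, statement_ticked: bool,
                             statement_version: str, source: str,
                             now: Optional[int] = None) -> str:
        """Step 1: the form is submitted. Returns the token for the confirmation link.
        Nothing is stored yet: until confirmed, the address is only a claim."""
        if not statement_ticked:  # the box must be actively ticked, never pre-ticked
            raise ValueError("Privacy Statement not accepted")
        now = int(time.time()) if now is None else now
        payload = json.dumps(
            {"e": email.strip().lower(), "t": now, "v": statement_version, "s": source},
            separators=(",", ":"), sort_keys=True).encode()
        body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return f"{body}.{self._mac(payload)}"

    def confirm(self, token: str, now: Optional[int] = None) -> ConsentRecord:
        """Step 2: the link is clicked. Verifies the token and writes the consent record."""
        now = int(time.time()) if now is None else now
        try:
            body, mac = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        except (ValueError, binascii.Error):
            raise ValueError("malformed token")
        # Constant-time comparison: a forged or tampered token fails here.
        if not hmac.compare_digest(self._mac(payload), mac):
            raise ValueError("invalid token signature")
        data = json.loads(payload)
        if now - data["t"] > TOKEN_TTL_SECONDS:
            raise ValueError("confirmation link expired")
        record = ConsentRecord(email=data["e"], requested_at=data["t"], confirmed_at=now,
                               privacy_statement_version=data["v"], source=data["s"])
        self.records[record.email] = record  # date / time / email kept as evidence of consent
        return record

    def withdraw(self, email: str, now: Optional[int] = None) -> bool:
        """Unsubscribe link: keep the record, but mark when consent was withdrawn."""
        rec = self.records.get(email.strip().lower())
        if rec is None:
            return False
        rec.withdrawn_at = int(time.time()) if now is None else now
        return True

    def active_subscribers(self) -> List[str]:
        return sorted(e for e, r in self.records.items() if r.withdrawn_at is None)


if __name__ == "__main__":
    ledger = ConsentLedger(b"example-secret-not-for-production")
    token = ledger.request_subscription("Someone@Example.com", True, "2020-08", "mailing-list")
    print("confirmed:", ledger.confirm(token))
    print("subscribers:", ledger.active_subscribers())
```

The token carries the submitted address, the submission time, the statement version and the source form, so the record written at confirmation time is the one that was actually agreed to; a tampered address or MAC is rejected before anything touches the store, and an expired or never-clicked link leaves no trace in the list.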

MailChimp: ….

(Virtual) Meetings
– Collect consent for the use of Personal Data/audio/video (for example when recording)
– Preferably use MS Teams as offered by IT Enschede
– There is no such thing as a ‘Free Account’
See (in Dutch) https://dpo.pno.group/ap20200811

Mobile phone
– Do not connect to public ‘free’ networks
– Use fingerprint or password protection
– Do not save Personal Data on your phone
– Study the privacy settings
– There is no such thing as a ‘Free Account’
– Report a Data Breach/loss at ServiceDesk@pnoconsultants.com
An inventory per PNO country is obligatory

Network/LAN
An inventory per PNO country is obligatory
ISO 27001 certification

Physical access to premises
An inventory per PNO country is obligatory
ISO 27001 certification

Questionnaires
– Collect consent by having the participant tick a tick box referring to the applicable Privacy Statement
– Indicate the obligatory fields in the questionnaire
– Make sure all fields are covered in the Privacy Statement
– Report a Data Breach/loss at ServiceDesk@pnoconsultants.com
– State in the introduction how you obtained the participants’ email addresses
– Include an unsubscribe link in all questionnaires
– Be careful with data dumps in Excel etc., because these files tend to linger in email (inbox, sent items, etc.)
– There is no such thing as a ‘Free Account’
Avoid using Google Forms (data transfer outside the EEA)
See (in Dutch) https://dpo.pno.group/ap20200811

SurveyMonkey: …

Seminar
– Collect consent for the use of Personal Data/audio/video (name, email, signature/consent with the Privacy Statement), preferably digitally
– Scan paper consent forms for the archive and destroy the paper forms
– Be careful with data dumps in Excel etc., because these files tend to linger in email (inbox, sent items, etc.)
– Consider using a service such as https://www.eventbrite.com
See (in Dutch) https://dpo.pno.group/ap20200811

Servers/Back-up
An inventory per PNO country is obligatory
ISO 27001 certification

Social network/hub/website
– Do not use your PNO email address for accounts on networks, except for a PNO project network/hub/website and LinkedIn
– Study the privacy settings
– When running a social network/hub/website:
  – Check the Privacy Statement against the Personal Data actually in use
  – Create a Disclaimer | Netiquette | Cookie Policy
  – Archive consent using the social network/hub/website itself
  – Determine what will happen to the data in the project network/hub/website when the project/consent ends
– Report a Data Breach/loss at ServiceDesk@pnoconsultants.com
– There is no such thing as a ‘Free Account’
– Be careful with data dumps in Excel etc., because these files tend to linger in email (inbox, sent items, etc.)

Website
– Footer with links to the Privacy Statement, Cookie Policy and Disclaimer
– Optional link in the footer to the General Terms & Conditions
– Link to a private area: possibly a new Privacy Statement for the use of Personal Data in the social network/hub; check the period of consent
Example: InnovationPlace (IP) / MatchPoint (MP) used as a private network
– Make sure the user can choose which cookie categories to activate; see Cookies
– Be careful with plugins (they may place cookies or measure traffic on their own)
PS: PNO is evaluating Iubenda (summer 2020)
– See also Gig, Mailing list, Questionnaires, etc.