mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,108 @@
|
||||
# GDPR Standards Reference
|
||||
|
||||
## Primary Legislation
|
||||
|
||||
### Regulation (EU) 2016/679 - General Data Protection Regulation
|
||||
- **Adopted**: April 14, 2016
|
||||
- **Effective**: May 25, 2018
|
||||
- **Scope**: Applies to any organization processing personal data of EU/EEA residents
|
||||
- **Chapters**: 11 chapters, 99 articles, 173 recitals
|
||||
- **Enforcement**: Supervisory authorities in each EU member state
|
||||
- **Penalties**: Up to EUR 20 million or 4% of annual global turnover (whichever is greater)
|
||||
|
||||
## Key Articles Reference
|
||||
|
||||
### Chapter II - Principles (Articles 5-11)
|
||||
- **Art. 5**: Core processing principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
|
||||
- **Art. 6**: Six lawful bases for processing
|
||||
- **Art. 7**: Conditions for consent
|
||||
- **Art. 8**: Child's consent (minimum age varies by member state, 13-16)
|
||||
- **Art. 9**: Special categories of data (health, biometric, genetic, racial/ethnic, political, religious, trade union, sexual orientation)
|
||||
- **Art. 10**: Criminal conviction data
|
||||
|
||||
### Chapter III - Rights of the Data Subject (Articles 12-23)
|
||||
- **Art. 12**: Transparent communication (one month response deadline)
|
||||
- **Art. 13**: Information for direct collection
|
||||
- **Art. 14**: Information for indirect collection
|
||||
- **Art. 15**: Right of access (copy of data, processing purposes, recipients, retention periods, safeguards for transfers)
|
||||
- **Art. 16**: Right to rectification
|
||||
- **Art. 17**: Right to erasure (applies when: consent withdrawn, purpose fulfilled, unlawful processing, legal obligation)
|
||||
- **Art. 18**: Right to restriction of processing
|
||||
- **Art. 20**: Right to data portability (structured, commonly used, machine-readable format)
|
||||
- **Art. 21**: Right to object (especially direct marketing - absolute right)
|
||||
- **Art. 22**: Automated individual decision-making including profiling
|
||||
|
||||
### Chapter IV - Controller and Processor (Articles 24-43)
|
||||
- **Art. 24**: Responsibility of the controller
|
||||
- **Art. 25**: Data protection by design and by default
|
||||
- **Art. 26**: Joint controllers
|
||||
- **Art. 28**: Processor (DPA requirements: subject-matter, duration, nature/purpose, personal data types, data subject categories, controller obligations/rights)
|
||||
- **Art. 30**: Records of processing activities
|
||||
- **Art. 32**: Security of processing
|
||||
- **Art. 33**: Notification to supervisory authority (72 hours)
|
||||
- **Art. 34**: Communication to data subject (when high risk to rights and freedoms)
|
||||
- **Art. 35**: Data Protection Impact Assessment (DPIA)
|
||||
- **Art. 36**: Prior consultation with supervisory authority
|
||||
- **Art. 37-39**: Data Protection Officer
|
||||
|
||||
### Chapter V - International Transfers (Articles 44-49)
|
||||
- **Art. 45**: Adequacy decision (EU Commission determines adequate countries)
|
||||
- **Art. 46**: Appropriate safeguards (SCCs, BCRs, codes of conduct, certification)
|
||||
- **Art. 47**: Binding Corporate Rules
|
||||
- **Art. 49**: Derogations (explicit consent, contract, public interest)
|
||||
|
||||
## Supporting Standards and Guidance
|
||||
|
||||
### ISO/IEC 27701:2019
|
||||
- Privacy Information Management System (PIMS) extension to ISO 27001
|
||||
- Maps GDPR requirements to ISO management system controls
|
||||
- Provides controller and processor-specific guidance
|
||||
|
||||
### EDPB Guidelines
|
||||
- Guidelines on Data Protection Impact Assessment (WP 248)
|
||||
- Guidelines on Data Breach Notification (WP 250)
|
||||
- Guidelines on Consent (updated 2020)
|
||||
- Guidelines on International Data Transfers (post-Schrems II)
|
||||
- Guidelines on Data Protection by Design and Default (04/2019)
|
||||
|
||||
### Transfer Mechanisms Post-Schrems II
|
||||
- **Standard Contractual Clauses (SCCs)**: New modular SCCs adopted June 2021
|
||||
- Module 1: Controller to Controller
|
||||
- Module 2: Controller to Processor
|
||||
- Module 3: Processor to Processor
|
||||
- Module 4: Processor to Controller
|
||||
- **Transfer Impact Assessment (TIA)**: Required to supplement SCCs
|
||||
- **Supplementary Measures**: Technical (encryption, pseudonymization), contractual, organizational
|
||||
- **EU-US Data Privacy Framework**: Adequacy decision adopted July 2023
|
||||
|
||||
### DPIA Criteria (Article 35(3) and EDPB)
|
||||
DPIA required when processing involves:
|
||||
1. Systematic and extensive evaluation of personal aspects (profiling)
|
||||
2. Large-scale processing of special categories or criminal data
|
||||
3. Systematic monitoring of publicly accessible areas
|
||||
4. New technologies with potential high risk
|
||||
5. Large-scale data processing
|
||||
6. Matching or combining datasets
|
||||
7. Data concerning vulnerable subjects
|
||||
8. Innovative use of biometric data
|
||||
9. Data transfers outside EU without adequacy
|
||||
10. Processing that prevents data subjects from exercising rights
|
||||
|
||||
## Supervisory Authorities
|
||||
| Country | Authority | Website |
|
||||
|---------|-----------|---------|
|
||||
| EU-wide | European Data Protection Board (EDPB) | edpb.europa.eu |
|
||||
| France | CNIL | cnil.fr |
|
||||
| Germany | BfDI (Federal), State DPAs | bfdi.bund.de |
|
||||
| Ireland | DPC | dataprotection.ie |
|
||||
| Netherlands | Autoriteit Persoonsgegevens | autoriteitpersoonsgegevens.nl |
|
||||
| Spain | AEPD | aepd.es |
|
||||
| Italy | Garante | garanteprivacy.it |
|
||||
| UK | ICO (UK GDPR post-Brexit) | ico.org.uk |
|
||||
|
||||
## Key Enforcement Decisions (Benchmark)
|
||||
- Meta (Ireland DPC, 2023): EUR 1.2 billion - Transfers to US without adequate safeguards
|
||||
- Amazon (Luxembourg CNPD, 2021): EUR 746 million - Advertising targeting
|
||||
- WhatsApp (Ireland DPC, 2021): EUR 225 million - Transparency failures
|
||||
- Google (CNIL, 2022): EUR 150 million - Cookie consent
|
||||
- H&M (Hamburg DPA, 2020): EUR 35.3 million - Employee surveillance
|
||||
@@ -0,0 +1,288 @@
|
||||
# GDPR Data Protection Control Workflows
|
||||
|
||||
## Workflow 1: Data Subject Request (DSR) Handling
|
||||
|
||||
```
|
||||
Start
|
||||
|
|
||||
v
|
||||
[Receive DSR from Data Subject]
|
||||
- Via email, web form, phone, in-person
|
||||
- Record receipt timestamp (30-day clock starts)
|
||||
|
|
||||
v
|
||||
[Verify Identity of Requestor]
|
||||
- Request additional identification if needed
|
||||
- Clock pauses until identity verified
|
||||
|
|
||||
v
|
||||
[Classify Request Type]
|
||||
|
|
||||
+--> Access Request (Art. 15) --> Locate all personal data
|
||||
+--> Rectification (Art. 16) --> Identify incorrect data
|
||||
+--> Erasure (Art. 17) --> Verify grounds for erasure
|
||||
+--> Restriction (Art. 18) --> Flag data for restriction
|
||||
+--> Portability (Art. 20) --> Export in machine-readable format
|
||||
+--> Objection (Art. 21) --> Assess processing basis
|
||||
|
|
||||
v
|
||||
[Check for Exemptions]
|
||||
- Legal obligation to retain
|
||||
- Freedom of expression
|
||||
- Public health
|
||||
- Archiving in public interest
|
||||
- Legal claims
|
||||
|
|
||||
v
|
||||
[Execute Request Across All Systems]
|
||||
- Production databases
|
||||
- Backups and archives
|
||||
- Third-party processors
|
||||
- Cloud services
|
||||
- Analytics platforms
|
||||
|
|
||||
v
|
||||
[Document Action Taken]
|
||||
|
|
||||
v
|
||||
[Respond to Data Subject within 30 days]
|
||||
- Extension to 60 additional days if complex (notify subject)
|
||||
|
|
||||
v
|
||||
End
|
||||
```
|
||||
|
||||
## Workflow 2: Data Breach Notification (Art. 33-34)
|
||||
|
||||
```
|
||||
Start
|
||||
|
|
||||
v
|
||||
[Breach Detected or Reported]
|
||||
- Technical detection (SIEM, DLP, IDS)
|
||||
- Employee report
|
||||
- External notification
|
||||
- Third-party processor notification
|
||||
|
|
||||
v
|
||||
[72-hour Clock Starts]
|
||||
|
|
||||
v
|
||||
[Assess Breach Severity]
|
||||
- Number of data subjects affected
|
||||
- Types of personal data compromised
|
||||
- Special categories involved?
|
||||
- Risk to rights and freedoms
|
||||
|
|
||||
v
|
||||
[Determine Notification Requirements]
|
||||
|
|
||||
+--> [Risk to Rights and Freedoms?]
|
||||
|
|
||||
+--> No Risk --> Document in breach register only
|
||||
|
|
||||
+--> Risk exists --> Notify Supervisory Authority (72 hours)
|
||||
| |
|
||||
| v
|
||||
+--> High Risk --> Notify Supervisory Authority (72 hours)
|
||||
AND notify affected data subjects
|
||||
|
|
||||
v
|
||||
[Prepare Supervisory Authority Notification]
|
||||
- Nature of the breach
|
||||
- Categories and approximate number of data subjects
|
||||
- Categories and approximate number of records
|
||||
- Name and contact details of DPO
|
||||
- Likely consequences of the breach
|
||||
- Measures taken or proposed to address the breach
|
||||
|
|
||||
v
|
||||
[Submit Notification to Lead Supervisory Authority]
|
||||
|
|
||||
v
|
||||
[If High Risk: Notify Data Subjects]
|
||||
- Clear and plain language
|
||||
- Description of breach
|
||||
- DPO contact information
|
||||
- Likely consequences
|
||||
- Measures taken to mitigate
|
||||
|
|
||||
v
|
||||
[Conduct Post-Breach Review]
|
||||
- Root cause analysis
|
||||
- Control improvements
|
||||
- Update breach register
|
||||
|
|
||||
v
|
||||
End
|
||||
```
|
||||
|
||||
## Workflow 3: Data Protection Impact Assessment (DPIA)
|
||||
|
||||
```
|
||||
Start
|
||||
|
|
||||
v
|
||||
[Identify Processing Activity]
|
||||
|
|
||||
v
|
||||
[Screen Against DPIA Criteria]
|
||||
- Profiling or automated decision-making?
|
||||
- Large-scale special category data?
|
||||
- Systematic monitoring of public areas?
|
||||
- New technology application?
|
||||
- Cross-border data transfer?
|
||||
- Vulnerable data subjects?
|
||||
|
|
||||
+--> [No DPIA triggers] --> Document screening decision --> End
|
||||
|
|
||||
+--> [DPIA required]
|
||||
|
|
||||
v
|
||||
[Describe Processing Operation]
|
||||
- Purpose and scope
|
||||
- Data elements collected
|
||||
- Data subjects categories
|
||||
- Recipients and transfers
|
||||
- Retention period
|
||||
- Technology used
|
||||
|
|
||||
v
|
||||
[Assess Necessity and Proportionality]
|
||||
- Is processing necessary for the purpose?
|
||||
- Could purpose be achieved with less data?
|
||||
- Is lawful basis appropriate?
|
||||
- Are data subject rights supported?
|
||||
|
|
||||
v
|
||||
[Identify and Assess Risks]
|
||||
- Risks to confidentiality
|
||||
- Risks to integrity
|
||||
- Risks to availability
|
||||
- Risks to rights and freedoms
|
||||
- Likelihood and severity of each risk
|
||||
|
|
||||
v
|
||||
[Identify Mitigation Measures]
|
||||
- Technical measures (encryption, pseudonymization, access controls)
|
||||
- Organizational measures (policies, training, DPO oversight)
|
||||
- Contractual measures (DPAs, SCCs)
|
||||
|
|
||||
v
|
||||
[Determine Residual Risk]
|
||||
|
|
||||
+--> [Residual Risk Acceptable] --> Approve and proceed
|
||||
|
|
||||
+--> [Residual Risk High] --> Consult DPO
|
||||
| |
|
||||
| +--> [Can mitigate further] --> Add measures
|
||||
| |
|
||||
| +--> [Cannot mitigate] --> Prior consultation
|
||||
| with Supervisory Authority (Art. 36)
|
||||
|
|
||||
v
|
||||
[Document DPIA]
|
||||
- Keep under review
|
||||
- Reassess when processing changes
|
||||
|
|
||||
v
|
||||
End
|
||||
```
|
||||
|
||||
## Workflow 4: International Data Transfer Assessment
|
||||
|
||||
```
|
||||
Start
|
||||
|
|
||||
v
|
||||
[Identify Cross-Border Transfer]
|
||||
- Data flowing outside EEA
|
||||
- Cloud services in non-EEA regions
|
||||
- Group company data sharing
|
||||
- Vendor/processor locations
|
||||
|
|
||||
v
|
||||
[Check Adequacy Decision]
|
||||
- Is destination country on EU adequacy list?
|
||||
- (Andorra, Argentina, Canada, Faroe Islands, Guernsey,
|
||||
Israel, Isle of Man, Japan, Jersey, New Zealand, Republic
|
||||
of Korea, Switzerland, UK, Uruguay, US under DPF)
|
||||
|
|
||||
+--> [Adequate] --> Document and proceed
|
||||
|
|
||||
+--> [Not Adequate]
|
||||
|
|
||||
v
|
||||
[Select Transfer Mechanism]
|
||||
|
|
||||
+--> Standard Contractual Clauses (SCCs)
|
||||
+--> Binding Corporate Rules (BCRs)
|
||||
+--> Approved Code of Conduct
|
||||
+--> Certification Mechanism
|
||||
+--> Derogations (Art. 49) - limited circumstances
|
||||
|
|
||||
v
|
||||
[Conduct Transfer Impact Assessment (TIA)]
|
||||
- Laws of destination country
|
||||
- Government surveillance powers
|
||||
- Data protection standards
|
||||
- Access by public authorities
|
||||
|
|
||||
v
|
||||
[Identify Supplementary Measures]
|
||||
- Technical: encryption with EEA-held keys
|
||||
- Contractual: additional processor obligations
|
||||
- Organizational: policies limiting access
|
||||
|
|
||||
v
|
||||
[Document Transfer Mechanism]
|
||||
- Signed SCCs with correct module
|
||||
- TIA findings and conclusions
|
||||
- Supplementary measures implemented
|
||||
|
|
||||
v
|
||||
End
|
||||
```
|
||||
|
||||
## Workflow 5: Records of Processing Activities (ROPA)
|
||||
|
||||
```
|
||||
Start
|
||||
|
|
||||
v
|
||||
[Identify All Processing Activities]
|
||||
- Interview business units
|
||||
- Review system inventory
|
||||
- Analyze data flows
|
||||
- Check vendor agreements
|
||||
|
|
||||
v
|
||||
[For Each Processing Activity Document:]
|
||||
|
|
||||
v
|
||||
[Controller Record (Art. 30(1))]
|
||||
- Name and contact details of controller (and DPO)
|
||||
- Purposes of processing
|
||||
- Categories of data subjects
|
||||
- Categories of personal data
|
||||
- Categories of recipients
|
||||
- Transfers to third countries (safeguards)
|
||||
- Retention periods
|
||||
- Technical and organizational security measures
|
||||
|
|
||||
v
|
||||
[Processor Record (Art. 30(2))]
|
||||
- Name and contact details of processor and controller
|
||||
- Categories of processing carried out
|
||||
- Transfers to third countries (safeguards)
|
||||
- Technical and organizational security measures
|
||||
|
|
||||
v
|
||||
[Maintain and Update ROPA]
|
||||
- Review quarterly or when processing changes
|
||||
- Update for new systems, vendors, purposes
|
||||
- Make available to supervisory authority on request
|
||||
|
|
||||
v
|
||||
End
|
||||
```
|
||||
Reference in New Issue
Block a user