Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,108 @@
# GDPR Standards Reference
## Primary Legislation
### Regulation (EU) 2016/679 - General Data Protection Regulation
- **Adopted**: April 14, 2016
- **Effective**: May 25, 2018
- **Scope**: Applies to any organization processing personal data of EU/EEA residents
- **Chapters**: 11 chapters, 99 articles, 173 recitals
- **Enforcement**: Supervisory authorities in each EU member state
- **Penalties**: Up to EUR 20 million or 4% of annual global turnover (whichever is greater)
## Key Articles Reference
### Chapter II - Principles (Articles 5-11)
- **Art. 5**: Core processing principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
- **Art. 6**: Six lawful bases for processing
- **Art. 7**: Conditions for consent
- **Art. 8**: Child's consent (minimum age varies by member state, 13-16)
- **Art. 9**: Special categories of data (health, biometric, genetic, racial/ethnic, political, religious, trade union, sexual orientation)
- **Art. 10**: Criminal conviction data
### Chapter III - Rights of the Data Subject (Articles 12-23)
- **Art. 12**: Transparent communication (one month response deadline)
- **Art. 13**: Information for direct collection
- **Art. 14**: Information for indirect collection
- **Art. 15**: Right of access (copy of data, processing purposes, recipients, retention periods, safeguards for transfers)
- **Art. 16**: Right to rectification
- **Art. 17**: Right to erasure (applies when: consent withdrawn, purpose fulfilled, unlawful processing, legal obligation)
- **Art. 18**: Right to restriction of processing
- **Art. 20**: Right to data portability (structured, commonly used, machine-readable format)
- **Art. 21**: Right to object (especially direct marketing - absolute right)
- **Art. 22**: Automated individual decision-making including profiling
### Chapter IV - Controller and Processor (Articles 24-43)
- **Art. 24**: Responsibility of the controller
- **Art. 25**: Data protection by design and by default
- **Art. 26**: Joint controllers
- **Art. 28**: Processor (DPA requirements: subject-matter, duration, nature/purpose, personal data types, data subject categories, controller obligations/rights)
- **Art. 30**: Records of processing activities
- **Art. 32**: Security of processing
- **Art. 33**: Notification to supervisory authority (72 hours)
- **Art. 34**: Communication to data subject (when high risk to rights and freedoms)
- **Art. 35**: Data Protection Impact Assessment (DPIA)
- **Art. 36**: Prior consultation with supervisory authority
- **Art. 37-39**: Data Protection Officer
### Chapter V - International Transfers (Articles 44-49)
- **Art. 45**: Adequacy decision (EU Commission determines adequate countries)
- **Art. 46**: Appropriate safeguards (SCCs, BCRs, codes of conduct, certification)
- **Art. 47**: Binding Corporate Rules
- **Art. 49**: Derogations (explicit consent, contract, public interest)
## Supporting Standards and Guidance
### ISO/IEC 27701:2019
- Privacy Information Management System (PIMS) extension to ISO 27001
- Maps GDPR requirements to ISO management system controls
- Provides controller and processor-specific guidance
### EDPB Guidelines
- Guidelines on Data Protection Impact Assessment (WP 248)
- Guidelines on Data Breach Notification (WP 250)
- Guidelines on Consent (updated 2020)
- Guidelines on International Data Transfers (post-Schrems II)
- Guidelines on Data Protection by Design and Default (04/2019)
### Transfer Mechanisms Post-Schrems II
- **Standard Contractual Clauses (SCCs)**: New modular SCCs adopted June 2021
- Module 1: Controller to Controller
- Module 2: Controller to Processor
- Module 3: Processor to Processor
- Module 4: Processor to Controller
- **Transfer Impact Assessment (TIA)**: Required to supplement SCCs
- **Supplementary Measures**: Technical (encryption, pseudonymization), contractual, organizational
- **EU-US Data Privacy Framework**: Adequacy decision adopted July 2023
### DPIA Criteria (Article 35(3) and EDPB)
DPIA required when processing involves:
1. Systematic and extensive evaluation of personal aspects (profiling)
2. Large-scale processing of special categories or criminal data
3. Systematic monitoring of publicly accessible areas
4. New technologies with potential high risk
5. Large-scale data processing
6. Matching or combining datasets
7. Data concerning vulnerable subjects
8. Innovative use of biometric data
9. Data transfers outside EU without adequacy
10. Processing that prevents data subjects from exercising rights
## Supervisory Authorities
| Country | Authority | Website |
|---------|-----------|---------|
| EU-wide | European Data Protection Board (EDPB) | edpb.europa.eu |
| France | CNIL | cnil.fr |
| Germany | BfDI (Federal), State DPAs | bfdi.bund.de |
| Ireland | DPC | dataprotection.ie |
| Netherlands | Autoriteit Persoonsgegevens | autoriteitpersoonsgegevens.nl |
| Spain | AEPD | aepd.es |
| Italy | Garante | garanteprivacy.it |
| UK | ICO (UK GDPR post-Brexit) | ico.org.uk |
## Key Enforcement Decisions (Benchmark)
- Meta (Ireland DPC, 2023): EUR 1.2 billion - Transfers to US without adequate safeguards
- Amazon (Luxembourg CNPD, 2021): EUR 746 million - Advertising targeting
- WhatsApp (Ireland DPC, 2021): EUR 225 million - Transparency failures
- Google (CNIL, 2022): EUR 150 million - Cookie consent
- H&M (Hamburg DPA, 2020): EUR 35.3 million - Employee surveillance
@@ -0,0 +1,288 @@
# GDPR Data Protection Control Workflows
## Workflow 1: Data Subject Request (DSR) Handling
```
Start
|
v
[Receive DSR from Data Subject]
- Via email, web form, phone, in-person
- Record receipt timestamp (30-day clock starts)
|
v
[Verify Identity of Requestor]
- Request additional identification if needed
- Clock pauses until identity verified
|
v
[Classify Request Type]
|
+--> Access Request (Art. 15) --> Locate all personal data
+--> Rectification (Art. 16) --> Identify incorrect data
+--> Erasure (Art. 17) --> Verify grounds for erasure
+--> Restriction (Art. 18) --> Flag data for restriction
+--> Portability (Art. 20) --> Export in machine-readable format
+--> Objection (Art. 21) --> Assess processing basis
|
v
[Check for Exemptions]
- Legal obligation to retain
- Freedom of expression
- Public health
- Archiving in public interest
- Legal claims
|
v
[Execute Request Across All Systems]
- Production databases
- Backups and archives
- Third-party processors
- Cloud services
- Analytics platforms
|
v
[Document Action Taken]
|
v
[Respond to Data Subject within 30 days]
- Extension to 60 additional days if complex (notify subject)
|
v
End
```
## Workflow 2: Data Breach Notification (Art. 33-34)
```
Start
|
v
[Breach Detected or Reported]
- Technical detection (SIEM, DLP, IDS)
- Employee report
- External notification
- Third-party processor notification
|
v
[72-hour Clock Starts]
|
v
[Assess Breach Severity]
- Number of data subjects affected
- Types of personal data compromised
- Special categories involved?
- Risk to rights and freedoms
|
v
[Determine Notification Requirements]
|
+--> [Risk to Rights and Freedoms?]
|
+--> No Risk --> Document in breach register only
|
+--> Risk exists --> Notify Supervisory Authority (72 hours)
| |
| v
+--> High Risk --> Notify Supervisory Authority (72 hours)
AND notify affected data subjects
|
v
[Prepare Supervisory Authority Notification]
- Nature of the breach
- Categories and approximate number of data subjects
- Categories and approximate number of records
- Name and contact details of DPO
- Likely consequences of the breach
- Measures taken or proposed to address the breach
|
v
[Submit Notification to Lead Supervisory Authority]
|
v
[If High Risk: Notify Data Subjects]
- Clear and plain language
- Description of breach
- DPO contact information
- Likely consequences
- Measures taken to mitigate
|
v
[Conduct Post-Breach Review]
- Root cause analysis
- Control improvements
- Update breach register
|
v
End
```
## Workflow 3: Data Protection Impact Assessment (DPIA)
```
Start
|
v
[Identify Processing Activity]
|
v
[Screen Against DPIA Criteria]
- Profiling or automated decision-making?
- Large-scale special category data?
- Systematic monitoring of public areas?
- New technology application?
- Cross-border data transfer?
- Vulnerable data subjects?
|
+--> [No DPIA triggers] --> Document screening decision --> End
|
+--> [DPIA required]
|
v
[Describe Processing Operation]
- Purpose and scope
- Data elements collected
- Data subjects categories
- Recipients and transfers
- Retention period
- Technology used
|
v
[Assess Necessity and Proportionality]
- Is processing necessary for the purpose?
- Could purpose be achieved with less data?
- Is lawful basis appropriate?
- Are data subject rights supported?
|
v
[Identify and Assess Risks]
- Risks to confidentiality
- Risks to integrity
- Risks to availability
- Risks to rights and freedoms
- Likelihood and severity of each risk
|
v
[Identify Mitigation Measures]
- Technical measures (encryption, pseudonymization, access controls)
- Organizational measures (policies, training, DPO oversight)
- Contractual measures (DPAs, SCCs)
|
v
[Determine Residual Risk]
|
+--> [Residual Risk Acceptable] --> Approve and proceed
|
+--> [Residual Risk High] --> Consult DPO
| |
| +--> [Can mitigate further] --> Add measures
| |
| +--> [Cannot mitigate] --> Prior consultation
| with Supervisory Authority (Art. 36)
|
v
[Document DPIA]
- Keep under review
- Reassess when processing changes
|
v
End
```
## Workflow 4: International Data Transfer Assessment
```
Start
|
v
[Identify Cross-Border Transfer]
- Data flowing outside EEA
- Cloud services in non-EEA regions
- Group company data sharing
- Vendor/processor locations
|
v
[Check Adequacy Decision]
- Is destination country on EU adequacy list?
- (Andorra, Argentina, Canada, Faroe Islands, Guernsey,
Israel, Isle of Man, Japan, Jersey, New Zealand, Republic
of Korea, Switzerland, UK, Uruguay, US under DPF)
|
+--> [Adequate] --> Document and proceed
|
+--> [Not Adequate]
|
v
[Select Transfer Mechanism]
|
+--> Standard Contractual Clauses (SCCs)
+--> Binding Corporate Rules (BCRs)
+--> Approved Code of Conduct
+--> Certification Mechanism
+--> Derogations (Art. 49) - limited circumstances
|
v
[Conduct Transfer Impact Assessment (TIA)]
- Laws of destination country
- Government surveillance powers
- Data protection standards
- Access by public authorities
|
v
[Identify Supplementary Measures]
- Technical: encryption with EEA-held keys
- Contractual: additional processor obligations
- Organizational: policies limiting access
|
v
[Document Transfer Mechanism]
- Signed SCCs with correct module
- TIA findings and conclusions
- Supplementary measures implemented
|
v
End
```
## Workflow 5: Records of Processing Activities (ROPA)
```
Start
|
v
[Identify All Processing Activities]
- Interview business units
- Review system inventory
- Analyze data flows
- Check vendor agreements
|
v
[For Each Processing Activity Document:]
|
v
[Controller Record (Art. 30(1))]
- Name and contact details of controller (and DPO)
- Purposes of processing
- Categories of data subjects
- Categories of personal data
- Categories of recipients
- Transfers to third countries (safeguards)
- Retention periods
- Technical and organizational security measures
|
v
[Processor Record (Art. 30(2))]
- Name and contact details of processor and controller
- Categories of processing carried out
- Transfers to third countries (safeguards)
- Technical and organizational security measures
|
v
[Maintain and Update ROPA]
- Review quarterly or when processing changes
- Update for new systems, vendors, purposes
- Make available to supervisory authority on request
|
v
End
```