UC GDPR Gap Analysis DRAFT
Contact Denise Dolezal with questions ddolezal@ucsc.edu
DRAFT-For discussion purposes only
University of California EEA GDPR Gap Analysis
Columns of the analysis: EU GDPR concept | Law | UC Policy | Standards | Practice | comment

Law columns: CA Information Practices Act (Civil Code Sect. 1798 et seq.); FERPA; Gramm Leach Bliley Act; CMIA; HIPAA
UC Policy columns: RMP-7 Privacy of and Access to Information Responsibilities; Rules of Conduct for UC Employees Involved with Information Regarding Individuals; RMP-2 UC Records Retention & Disposition Schedule; RMP-12: Guidelines for Assuring Privacy of Personal Information in Mailing Lists and Telephone Directories; IS-3: Electronic Information Security Policy; UC Electronic Communication Policy; PACAOS Appendix D
Standards columns: NIST; ISO; Payment Card Industry Data Security Standard

| EU GDPR concept | Law / UC Policy / Standards / Practice marks | Comment |
|---|---|---|
| Fundamental Rights of Data Subject | | |
| Notice: Privacy Notice (transparency) | XXXXXXXXX | |
| Access to records relating to self - Article 15 | XXXXXXX | |
| Rectification/right to correction - Article 16 | XXXXXXX | |
| Data portability if technically feasible - Article 20 | XXX | technical issue yet to be resolved: n/a? if legal basis is not based on consent or to facilitate contract |
| Erasure/Right to be forgotten - Article 17 | XX | opt-out of receiving marketing materials processes in place e.g., marketing efforts of advancement team data collection [note: must keep track of the individual and data that is disallowed to process; therefore, can one really be "erased"?] |
| Objection to processing personal data - Article 21 | XXX | opt-out of receiving marketing materials processes in place e.g., marketing efforts of advancement team data collection [note: must keep track of the individual and data that is disallowed to process; therefore, can one really be "erased"?] |
| Controller and Processor Obligations | | |
| Data minimization - Article 5 | XXX | by design some systems are not capable of deleting records w/o affecting other downstream data as SaaS and enterprise software database system vendors focus efforts to enhance functionality at expense of data deletion. Such systems have obtained a waiver of record disposition (e.g., Academic Information System (student information system) and parental Tax forms submitted in connection to student financial aid) |
| Data breach response and notification - Article 34 | XX*XXXXX | * Consult OGC as the governing relationship may be contractual based on SAIG rather than GLBA |
| 3rd party service providers - Article 28 | XXXXXXX | |
| Privacy by design, privacy by default - Article 25 | XXXXXXXX | |
| Data Inventory (record of processing) - Article 30 | XXX | |
| Information Security - Article 32 | XXXXXXXXXX | |
| Appoint DPO - Article 37 | X | |
| DPIA for data processing including data transfers - Article 35 | X | |
| Identify Lead DPA - Article 51 | ! | |
| Authenticate identity prior to providing subject records - Recitals 64 and 63 | XXXXXXXXX | |
| Cooperate with regulators | XX | |