Resources and Data Protection Guidance
for the Enterprise
Providing resources and guidance to implement and maintain
regulatory compliance and data protection for global business.
Dear Enterprise Community,
Data breach trends continue to rise. Hacking is becoming more sophisticated, and studies show the most valuable information pursued by criminals is personal information. Governments have responded to these threats by creating regulations enterprises must follow, fashioning a set of best practices to help organisations implement administrative, technical and physical measures intended to safeguard the information entrusted to them. When rightly implemented, these regulations (such as the GDPR and others) aim to lower the risk of information loss, fostering accountability and restoring trust in today’s digital age.
Toward this, I write this letter to help your organisation comply with these new regulations, which, when rightly implemented, aim to foster the confidentiality, availability and integrity of information. Within the last few years, more than 100 countries have enacted data protection laws, and most regulations come with penalties for non-compliance. To do nothing risks the threat of attack from bad actors and the threat of regulatory penalties from governments.
The ISO/ANSI credentialed team at Allendevaux & Company has spent over a thousand hours building this repository of data protection guidance, and we want to make it freely available to the enterprise community. Within the pages of this site, you will find many tools and templates you can use. Please note this information is provided as helpful guidance and is not legal guidance. Click below to read more.
A message from Rebekah Allendevaux,
CIPP/E, CIPM, CIS LI, CIS LA | Senior Partner
Data Protection Modules for Assured Security and Regulatory Compliance
Privacy Notice Guidelines
Learn how to write a privacy notice so it meets your organisation's needs.
Vulnerability Guidance
Know the technical aspects of conducting a vulnerability scan, what the data means and how to request a scan by submitting a request.
Cookie Notice Guidance
Learn the essentials of writing a cookie notice and how to conduct a cookie audit, including what it means and how to submit an audit request.
Regulatory Compliance
Learn how to identify current regulations and what to do next so your organisation can comply.
Spear Phishing Guidance
Learn how to conduct a spear phishing campaign and make sure your organisation is vigilant about its online activity.

Data Processing Agreement
Access a data processing addendum (DPA) that you, the data controller, should employ when engaging data processors.
Data Protection Officer
Learn when the data protection officer (DPO) role should be implemented, the competency requirements, and the responsibilities of the job.
Data Subject Requests
Understand the concept of a data subject request (DSR), the many types, and how to be prepared for the actions you may be required to perform.
Risk Management
Perform a risk assessment according to NIST or ISO/IEC 27005 international practices to identify and measure risk across the organisation, with the aim of mitigating those risks and reducing the surface area of exposure.
EU Model Clause
Access Standard Contractual Clauses (SCCs) approved by the European Commission for cross-border data transfers from the EEA to countries without an adequacy decision.
Data Protection Programmes
If your organisation collects, uses and discloses personal data or sensitive information, it is required to develop and implement an effective data protection programme. Most data protection programmes are based on complying with geographic or sectoral regulations, so the guidance below should be viewed as a starting point.
If your organisation has never formalised a data protection programme, a starting point is to consider the Lite or Assured approach, which offer increasing depths of policy and practice. In either case, the first step is to understand the regulations to which the organisation must adhere, and to build the programme around that core.
Some organisations, such as those involved in a supply chain, may need to demonstrate third-party attestation or certification of their data protection programme. In those cases, pursuing the Certified track may be the starting point, resulting in a comprehensive data protection regime that demonstrates sufficient guarantees that information is safeguarded with administrative, technical and physical controls.
Modules
Lite
Assured
Certified
Our most affordable protection programme optimised for small teams.