# Security Training Checklist

This training checklist should be reviewed by every new hire/contractor and annually by every employee as a refresher.

# Basic Certifications

[Team Member Name] certifies that they have reviewed required security documentation, including...

  1. Security Basics
  2. Security Incidents + Response

[Team Member Name] certifies that they have followed the security measures detailed in the Security Basics documentation.

# GDPR Education

[Team Member Name] certifies that they have reviewed the GDPR Checklist and has an understanding of the following terms/concepts:

Personal data

The EU GDPR only applies to personal data. Personal data means any information relating to an identified or identifiable person, a data subject. An identifier can be a name, an identification number, location data or an online identifier.

Special categories of personal data

Some sensitive personal data categories are subject to additional protection. Special categories of personal data include, but are not limited to, data on an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, health, genetic and biometric data.

Data controller

A data controller is one that, either alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers bear the primary responsibility for compliance.

Data processor

Any entity that processes personal data under the controller’s instructions. Many service providers, for example, are processors. Data processors can be held directly liable for the security of personal data.

Data Processor Agreement

GDPR requires that a Data Processor Agreement (DPA) be signed between a data controller and data processor to enumerate rights/obligations of each party in regards to the protection of personal data.


At the heart of the GDPR is the concept of accountability for the handling of personal data. The controller is responsible for making sure all privacy principles are adhered to. Moreover, the regulation requires that your organization can demonstrate compliance with all its principles.


The consent of the data subject means any freely given, specific, informed and unambiguous indication of wishes by which the data subject, either by a statement or by a clear affirmative action, proclaims agreement to the processing of their personal data. For organizations that rely on consent for their business activities, the processes through which they obtain consent will need to be reviewed and revised to meet the requirements of the GDPR.

For more information on consent read Articles 6 and 7 of the GDPR.


The GDPR combines numerous transparency obligations that already apply across the EU. Data controllers have to provide information about personal data processing in a concise, transparent, intelligible and easily accessible way.

Privacy Impact Assessment (PIA)

A Privacy Impact Assessment (PIA) is the cornerstone of preserving privacy and GDPR compliant business processes and services. A PIA is intended to produce a systematic description of the envisaged processing operations and determines the legal basis for the processing. PIAs should describe the approach that an organization will take to mitigate the risks.

Privacy by Design

In short, privacy by design means that each new service or business process that makes use of personal data must take the protection of that data into consideration.

Privacy by Default

Privacy by Default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service. Controllers or processors are only allowed to store data for the shortest possible time it takes to provide a product or a service.


Pseudonymization refers to a privacy-enhancing technique where personal data is processed without the ability to link it to a specific person. This is achieved by making the information non-attributable without additional information, which must be kept separately and is subject to various technical and organizational controls. Although pseudonymized information is still a form of personal data, its usage is heavily encouraged by the GDPR – it is even identified as a viable security measure.

# Reporting Concerns + Questions

If [Team Member Name] has further questions regarding Tandem security practices, GDPR compliance, or other topics related to data privacy ethics immediately contact Management at any time.

# Further Resources/References