Date: 12 February 2018
The GDPR (General Data Protection Regulation) is a complex beast at best, with some estimates as low as 15% of organisations being ready for May 25th. Questions and challenges are swirling around various board and meeting rooms regarding how to respond to subject access requests, how long do we retain personal data and what legal basis they have for processing...and that is just the tip of the iceberg.
Dusting off the Privacy Notice
Compliance with the regulation is said not just the the right thing to do but also, good for business. But how do data subjects know that you are complying, so that you can benefit from your good work?
Some may say the privacy notice, that document or page buried somewhere on your website which details your processing activities and how you justify them. But is this really the best place to demonstrated your GDPR prowess or transparency with data subjects? Will it not just fail to be updated and consequentially become the same as every over iteration of the same privacy policy which is rarely read?
The GDPR Transparency Widget
GDPR management solution DPOrganizer's latest edition to their solution attempts to cure the problem of the static and dust-covered privacy policy by giving it a kick of the dynamic sort.
As a management overlay, DPOrganizer collates information about the types of personal data you process and collect; the data stores where you keep personal data; the applications which have access to those data stores and the permissions application users have; and any third-party processors; their processing instructions and locations. This is a very concise list of information which DPOrganizer can be fed, all of which is stored in a relational database, providing reporting and drill-down capabilities. Ultimately, with all the by feeding DPOrganizer with your effective GDPR posture, will be able to re-consume that information in a clearer manner.
The transparency widget expands on this principle by extending some of that stored information into the public realm by way of a dynamic lookup tool on your public website. With one simple drop-down menu, a visitor to your website is able to select which type of user they are (all defined by you) and as view a mini report displaying:
- Personal data items collected.
- Sources of that personal data.
- Lawful basis for processing.
- Any third-parties that personal data is shared with and their processing activity.
The result of this is a dynamic privacy policy which is updated as you update DPOrganizer and a possible reduction in the need to request a subject access request, as the questions some data subjects may have, could be answered by the output report.
Making GDPR Easier
It is often remarked that those who have been compliant with the Data Protection Directive 1995, should have no problem with becoming GDPR compliant. This is of course true, a shorter leap is easier than a longer one, however it over simplifies the task. The GDPR is going to involve both technological and cultural change, which will be testing to even the most flexible of organisations. With DPOrganizer, those changes are not avoided but the ability to spot where changes need to be made and the ongoing review of those implemented changes are easier to see and manage.
Whether you use the map view to plot controllers, databases, processors and third-parties; or you use the output report to gap assess; or you use the DP manager feature to request department leaders, business leaders and regional managers to review their own exposure to the GDPR in the DPOrganizer management console, it is hard not to see the value in solution.
