Date: 15 February 2018
There is no shortage of information about the GDPR out there, from the six core principles to data subjects rights to the lawful basis for processing, there is a dizzy number of changes an organisation may need to implement. Solution selling on the back of the GDPR message is a sore subject for many and for good reason. The gold mine that is the GDPR is a marketers dream gone wrong.
While encryption, digital forensic solutions and incident response solutions are all being peddled as the silver bullet, what is really missing is oversight. How can you view your data processing activities, ensure adherence and be able to produce evidence when requested?
Below we have compiled five GDPR headaches, which we suspect many have or will suffer in the coming months, and why we think DPOrganizer provides a management overlay which could relieve these stresses.
GDPR Headaches
1. Keeping track of the organisation’s processing of personal data.
As a GDPR management overlay, DPOrganizer takes inputs regarding:
- The types of personal data you collect and process.
- The legality of doing so.
- The retention of personal data.
- The data stores where personal data resides.
- Which applications have access to those data stores and who can use them.
- Any third-party processors or data recipients.
- Privacy statements, processing instructions and persons responsible.
All inputs of these entities can have a person responsible assigned (including external contacts) and a requirement that they must review the entities that they have responsibility for, periodically. This gives organisations oversight of their GDPR posture while ensuring it is kept up-to-date by the correct parties.
2. Making sure all processing, including third country transfers, is based on appropriate legal basis.
When entering a record of a processing activity or personal data collecting, DPOrganizer will ask fo the legal basis of processing among other items such as retention period, location of stored personal data and applications which can view those storage locations. The selection of a legal basis is a drop-down field which is populated with the permitted lawful processing options specified in article 6 of the GDPR.
In cases where this information is not provided, executive reports with the gap analysis option enabled will highlight any processing which lacks a legal basis.
3. Ensuring that personal data is stored and accessible only for an appropriate period of time, and accessible only for appropriate staff in the organisation.
When a personal data processing activity is logged in DPOrganizer, the entering person is requested to specify the retention period or the expected time for personal data to be processed. In addition, further questions are asked about which applications have access to the personal data being used in that processing activity. This is tied to records about that application which specify who has access and which items of personal data they are exposed to. All this information can be viewed on-screen by way of a report or it can be exported as an executive summary.
4. Visualising complex data processing workflows in very large organisations with thousands of processing activities.
DPOrganizers map view allows you to plot your data controllers, data processors, third-parties, data stores and collection points onto a map. Coloured lines linking each of these entities indicates the nature of their relationship to each other and can help to understand both the GDPR posture and any geographical risks that may exist.
5. Being transparent with data subjects, partner organisations and the supervisory authority regarding processing activities.
The transparency widget is DPOrganizer's latest feature, which takes a subset of the information it holds about processing activities and makes this available by way of a mini-report on the organisations website. Informing visitors of which personal data items are collected, processed, the legal basis and if the personal data is shared with a third party.
