Securing GDPR through Recording Relationships with Operational Processes and IT.
The General Data Protection Regulation, the GDPR, states that all processing operations related to personal data must be included in a single register and must be easy to view or retrieve. Many organizations have already set up a processing register. However, due to the constant changes in the world of data and IT, changes in your organization that have an impact on your processing register are not being noticed or implemented correctly.
How will you continue to properly safeguard all this information in the future? How do you adequately inform all involved in the processing of personal data about what they should and should not do? In addition to general personal data such as contact information, there are special personal data such as religion and health that are given a higher level of protection by the European legislator. How can you continue to actively manage continued compliance with the proposed ‘mitigating’ measures in practice, in order to safeguard privacy in situations with a risk of data leaks?
GDPR, business operations and IT
The GDPR has everything to do with the operational processes of the organization that records, edits or uses personal data in combination with the applications and databases that process this data. This includes the infrastructure that supports all this and that forms a risky security source in itself. In this complex interplay, changes occur almost on a frequent basis. Operational processes change due to the dynamics of the business, changing regulations and technical developments. IT changes accordingly. The (privacy-sensitive) data that flows through these processes and IT systems is subject to changes in a similar way. For this reason, it is important to have insight into the coherence and to safeguard this insight. Moreover: insight does not just benefit your GDPR compliancy but the total management of your organization as well.
GDPR compliant with BlueDolphin
As soon as you link the GDPR register of processing activities to processes, process diagrams and underlying IT resources, it becomes a piece of cake to constantly comply with the European regulations. After all, relevant changes are then a reason to inspect and, if necessary, adjust the register of processing activities. Subsequently, you determine whether additional mitigating measures are required, and if so, which ones. This allows you to present current and correct records at any time and meet the legal requirements. Securing data also results in a dynamic visualization of connections between data, processes, and IT. This is essential in order to gain quick insight into security risks and to remedy them. The GDPR indicates that organizations must be GDPR compliant, which means that all processing activities must be documented and tested.
How will you be recording and securing GDPR?
Concrete elements that must be arranged for within the framework of GDPR legislation:
- Registration of processing activities of personal data in relation to processes and applications;
- Data Protection Impact Assessment (PIA) for new or existing processing activities with high impact;
- Implementing data protection through mitigating measures;
- Demonstrable compliance.
When you connect the data which are relevant for the GDPR legislation to the applications and processes and specifically to the process steps in which these are used, an exact and traceable insight into the actual situation arises. Changes in the IT landscape can be easily and automatically perceived. Thus, when these prove to concern IT components that are related to the personal data, there is an immediate reason to check whether this has any GDPR consequences. This allows you to create a GDPR register of processing activities based on an automatic anchor with reality. In doing so, you record the mutual relationships of the GDPR register based on business functions, including components as ‘Business Objects’, ‘Operational Processes and Process Steps’, ‘Actors’ (departments, external actors), ‘Data Objects’ and ‘Applications’.
Opt for one central data system in which this information is recorded, one that is accessible and understandable for all involved. Additionally, all relevant information must be recorded in this system. Examples of relevant information:
- The results of the GDPR assessments
- The results of a DPIA (PIA) analysis;
- Ownership of processes and applications;
- Register of processing activities;
- Processing agreements available, define hyperlink to agreement;
- Insight in risks to define appropriate measures;
- Status and progress of the realization of the register.
The central system also describes which relevant activities exist, what the storage term is for data, and whether or not the data is passed on to third countries. The system must record all mutual relationships and dependencies, such as the person responsible for processing, processor, applications, legal basis, security measures, categories of personal data, purpose limitations, persons involved and transfer to recipient. It must be possible to visualize this information in a dynamic way. The coherence in complex situations can only be made visible in a simple way through visualization (an image says more than a thousand words).
Finally: once you make the new system accessible to all involved, all kinds of activities for taking stock of information and executing tasks are distributed to the knowledgeable persons responsible. Think of the CISO (Security Officer), application managers and process owners.
BlueDolphin offers optimal possibilities for filling in all questions in predefined questionnaires. Afterwards, domain managers can enter information themselves, while maintaining consistency. This way, many hands make light work. BlueDolphin ensures that you have insight into the status, progress and changes, so that the register can be easily maintained and assessed.