Concrete elements that must be arranged for within the framework of GDPR legislation:
- Registration of processing activities of personal data in relation to processes and applications;
- Data Protection Impact Assessment (DPIA, also called PIA) for new or existing processing activities with high impact;
- Implementing data protection through mitigating measures;
- Demonstrable compliance.
When you link the data that are relevant under the GDPR to the applications and processes, and specifically to the process steps in which they are used, you obtain an exact and traceable picture of the actual situation. Changes in the IT landscape can then be detected easily and automatically, and when a change turns out to concern IT components related to personal data, there is an immediate trigger to check whether it has GDPR consequences. This lets you build a GDPR register of processing activities that is anchored automatically in reality. In doing so, you record the mutual relationships of the GDPR register based on business functions, including components such as ‘Business Objects’, ‘Operational Processes and Process Steps’, ‘Actors’ (departments, external actors), ‘Data Objects’ and ‘Applications’.
Opt for one central data system in which this information is recorded, one that is accessible and understandable for everyone involved. All relevant information must also be recorded in this system. Examples of relevant information:
- The results of the GDPR assessments;
- The results of a DPIA (PIA) analysis;
- Ownership of processes and applications;
- Register of processing activities;
- Available processing agreements, with a hyperlink to each agreement;
- Insight into risks, in order to define appropriate measures;
- Status and progress of the realization of the register.
The central system also describes which relevant activities exist, what the retention period for the data is, and whether or not the data are passed on to third countries. The system must record all mutual relationships and dependencies, such as the controller, the processor, applications, legal basis, security measures, categories of personal data, purpose limitations, data subjects and transfers to recipients. It must be possible to visualize this information dynamically: in complex situations the coherence can only be made visible in a simple way through visualization (a picture is worth a thousand words).
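The two preceding passages describe a data model (data objects linked to applications, process steps, actors and processing activities) and a change-detection rule (a landscape change is only GDPR-relevant when it touches components that carry personal data). The following is an added example, not BlueDolphin's code or data model; every class, field and sample value in it is a constructed assumption for illustration. It derives an Article 30-style record for one activity from the recorded links rather than retyping them, and it triages a diff between two snapshots of the application landscape so that only changes touching personal data are flagged, together with the activities and process steps they affect.

```python
"""Minimal register of processing activities with GDPR-relevant change triage.
Added example; all names and sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DataObject:
    name: str
    categories: frozenset = frozenset()  # categories of personal data; empty = not personal

    @property
    def is_personal(self) -> bool:
        return bool(self.categories)


@dataclass(frozen=True)
class ProcessStep:
    name: str
    process: str
    actor: str               # department or external actor performing the step
    applications: frozenset  # names of applications used in this step


@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    purpose: str
    legal_basis: str
    controller: str
    data_objects: frozenset
    processor: Optional[str] = None
    recipients: frozenset = frozenset()
    third_country_transfer: bool = False
    retention: str = "unspecified"
    security_measures: frozenset = frozenset()


class Register:
    """Central record; `applications` is a snapshot {app_name: frozenset(data object names)}."""

    def __init__(self, data_objects, applications, steps, activities):
        self.data_objects = {d.name: d for d in data_objects}
        self.applications = dict(applications)
        self.steps = {s.name: s for s in steps}
        self.activities = {a.name: a for a in activities}

    def personal(self, names) -> frozenset:
        """Subset of `names` that are registered data objects holding personal data."""
        return frozenset(n for n in names
                         if n in self.data_objects and self.data_objects[n].is_personal)

    def activity_record(self, name) -> dict:
        """Art. 30-style record; applications, steps and actors are derived from the links."""
        act = self.activities[name]
        apps = sorted(a for a, objs in self.applications.items() if objs & act.data_objects)
        steps = sorted((s for s in self.steps.values() if s.applications & set(apps)),
                       key=lambda s: s.name)
        cats = set().union(*(self.data_objects[d].categories for d in act.data_objects))
        return {"activity": act.name, "purpose": act.purpose, "legal_basis": act.legal_basis,
                "controller": act.controller, "processor": act.processor,
                "categories": sorted(cats), "recipients": sorted(act.recipients),
                "third_country_transfer": act.third_country_transfer,
                "retention": act.retention, "security_measures": sorted(act.security_measures),
                "applications": apps, "process_steps": [s.name for s in steps],
                "actors": sorted({s.actor for s in steps})}


def landscape_diff(before: dict, after: dict) -> list:
    """Compare two snapshots {app: frozenset(objects)} -> [(kind, app, added, removed)]."""
    changes = []
    for app in sorted(before.keys() | after.keys()):
        old, new = before.get(app, frozenset()), after.get(app, frozenset())
        if app not in before:
            changes.append(("added", app, new, frozenset()))
        elif app not in after:
            changes.append(("removed", app, frozenset(), old))
        elif old != new:
            changes.append(("modified", app, new - old, old - new))
    return changes


def gdpr_triage(register: Register, changes: list) -> list:
    """Keep only changes that touch personal data; attach the affected activities and steps."""
    findings = []
    for kind, app, added, removed in changes:
        personal = register.personal(added | removed)
        if not personal:
            continue  # change is GDPR-neutral: nothing in it carries personal data
        activities = sorted(a.name for a in register.activities.values()
                            if a.data_objects & personal)
        steps = sorted(s.name for s in register.steps.values() if app in s.applications)
        findings.append({"application": app, "change": kind, "personal_data": sorted(personal),
                         "activities": activities, "process_steps": steps})
    return findings


# Constructed sample landscape (hypothetical organisation "ACME").
BEFORE = {"CRM": frozenset({"customer_contact", "order_lines"}),
          "ERP": frozenset({"order_lines"}), "HRIS": frozenset({"payroll"})}
AFTER = {"CRM": frozenset({"customer_contact", "order_lines"}),
         "ERP": frozenset({"order_lines", "customer_contact"}),  # ERP now also holds contacts
         "HRIS": frozenset({"payroll"}), "Analytics": frozenset({"order_lines"})}  # new, non-personal


def build_sample_register() -> Register:
    objs = [DataObject("customer_contact", frozenset({"contact details"})),
            DataObject("order_lines"), DataObject("payroll", frozenset({"financial", "identification"}))]
    steps = [ProcessStep("Register customer", "Sales", "Sales dept", frozenset({"CRM"})),
             ProcessStep("Ship order", "Fulfilment", "Warehouse", frozenset({"ERP"})),
             ProcessStep("Run payroll", "HR", "HR dept", frozenset({"HRIS"}))]
    acts = [ProcessingActivity("Customer management", "contract execution", "Art. 6(1)(b)", "ACME",
                               frozenset({"customer_contact"}), recipients=frozenset({"parcel carrier"}),
                               retention="7 years", security_measures=frozenset({"RBAC", "TLS"})),
            ProcessingActivity("Payroll", "salary payment", "Art. 6(1)(c)", "ACME",
                               frozenset({"payroll"}), processor="Payroll SaaS",
                               third_country_transfer=True, retention="7 years")]
    return Register(objs, BEFORE, steps, acts)


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.activity_record("Payroll"))
    print(gdpr_triage(reg, landscape_diff(BEFORE, AFTER)))
```

Running the block flags only the ERP change (it gained `customer_contact`, which feeds the "Customer management" activity via the "Ship order" step); the new Analytics application holds no personal data and is dropped from the findings, which is exactly the filtering the text describes.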
Finally, once the new system is accessible to everyone involved, the various activities for taking stock of information and carrying out tasks are distributed to the knowledgeable persons responsible: think of the CISO (Security Officer), application managers and process owners.
BlueDolphin offers optimal possibilities for answering all questions in predefined questionnaires. Afterwards, domain managers can enter information themselves while consistency is maintained; this way, many hands make light work. BlueDolphin ensures that you have insight into status, progress and changes, so that the register can be maintained and assessed easily.