General Data Protection Regulation
GDPR harmonizes data privacy law & regulation across Europe and is related to processing and controlling personal data. GDPR is applicable to entities holding or monitoring European Citizen’s personal data.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
GDPR presents organizations a framework to define and design their approach to privacy of data for all personnel, harness the value of the data and ensure that the organization is fit for tomorrow’s digital and cloud economy. ControlCase has a seasoned approach for conducting assessments and audits for many regulations and including the GDPR Data Impact Assessment (DIA).
Data Impact Assessment
The Data Impact Assessment (DIA) domains include:
Strategy and governance by design to manage privacy data
Define an overarching privacy program governance structure, roles and responsibilities for Data Protection Officer to coordinate, operate and maintain the program on an ongoing basis.
Policy management
Define formal Privacy policies, procedures and guidelines which are consistent with applicable laws and regulations.
Data Identification, transfer, management & protection
Identify the locations of your privacy data. Define cross-border data transfer strategy based on current and future planned data collection, use, and sharing, and have current data flow diagrams. Create ongoing mechanisms to identify new personal data processing and use technical and organizational measures and internal controls to safeguard data,
Individual rights processing
Enable the effective processing of consent and data subject requests, such as data access, deletion and portability.
Privacy by design
Personal data protection must be implemented in the design stage of a security measure. Organization should develop a strategy for “privacy by design” to incorporate privacy controls and impact assessments throughout the data lifecycle for new and changing data use initiatives.
Information security
Identify existing security information protection controls and align security practices with security considerations, such as scanning assets for vulnerability, penetration testing (Network/Application) as applicable, defense in depth with firewall reviews, segmented networks for Privacy data holding assets, Logging and Monitoring and other information security controls.
Privacy incident management
Align incident response processes with GDPR specifications and reporting requirements. Establish a methodical approach to evaluating and reporting potential privacy breaches and incidents.
Data processor accountability
Establish privacy requirements for third parties to mitigate risks associated with access to the organization’s information assets and organizations data.
Training and awareness
Define and implement a training and awareness strategy at the enterprise and individual level to employees and contractors on how to manage and treat privacy European Citizen data.
Where are you on the GDPR journey?
ControlCase recommends the following stepped approach for adhering with GDPR:
ControlCase will conduct the Data Impact Assessment (DIA) as the Step One approach to implementing an Organizations GDPR program. (Priced in this proposal is GDPR – highlighted Green).
GDPR Data Discovery Solution
ControlCase Data Discovery solution will be used as a managed services solution for identifying the locations of Sensitive European Citizen’s data. The discovery tool will be used after identifying the assets from the dataflow of business processes which may hold sensitive GDPR data points and used on sampling few assets to identify the locations of these data points. After which it will be an investigative process to identify other related GDPR data attributes. The investigative process is more specific to interview based approach.