Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

my GDPR "how-to" deal with in common sense

  • 04-05-2018 7:18am
    #1
    Registered Users, Registered Users 2 Posts: 357 ✭✭


    Hello,

    Doing my homework here and I compiled a list of steps in relation to a GDPR compliant policy.
    I'm planning to use this "how-to" as a basic version 1 tool in assessing my customers and assuring that I will succeed in getting them GDPR compliant.

    Please feel free to give any feedback, any updates and complain (so easy to misspell "compliant" versus "complaint" )

    Thanks



    intro hello





    describe gdpr, common sense and already in place policies





    ask if they have done anything so far





    do you have any Qs before we begin







    0 documentation of all IT

    Gap analysis, network inventory, past invoices, all records present in end user systems



    1 to inform ALL staff awareness of GDPR and that we perform DPIA



    2 to inform the BoM/Management that we start compliance with GDPR



    3 initial assessments, informal meeting



    3.1 identify data,staff,processes

    types: physical,virtual

    location: onsite,offsite

    location safe,protected,right place,multiple places

    source: internal,external

    owner: management,staff,others

    reason: legal,staff,children

    time stamp:tomorrow,today,past/archived

    change:daily,regular,monthly

    critical:yes,maybe,not

    sensitivity:low,medium,high

    data flow, if related to privacy



    3.2 identify people that needs access to data

    3.3 identify access type, level and time

    3.4 define access, storage time, retention period duration

    3.5 define possible issues as identified and/or raised by management, staff, third party

    3.6 define why and how and what and where and who, by identifying and mapping processes and relation data - people - need – IT -=- “visual mapping”





    4 associate risks to all above

    4.1 internal associated risk

    4.2 external associated risk

    4.3 once identified, score each risk versus each element

    4.4 label risk: mitigate, avoid, accept

    4.5 label impact of risk versus each data element: low, medium, high -=- probable or remote

    4.6 the measures intended to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data



    5 third party

    identify and label as data processor or TP

    check if they compliant, request letter

    define level of access, type of data processed

    update SLA, contracts based on above



    crm,vsware,aladin,o365,gs

    check with provider on their released policies and compliance models

    ctrl alt delete

    update SLA

    cleaners

    security , monitoring, door access ,CCTV

    other suppliers







    6.backup and recovery

    review backup

    review recovery

    notifications

    data restore tests





    7.security

    to be integrated with data type, staff type

    define security type needed for each data

    define security needed for each staff, process

    define security for each device

    define multithread protection solution



    8. CCTV Policy



    9.Mobile Phones, laptops policy





    10. create management notification, breach

    setup dept for managing data protection

    define process of controlling, informing the staff

    define notification of data breach and/or compromised processes reporting (data violated or door code known)

    assign staff to receive and setup process to deal with notification

    manage relation with DPO,DP and third party







    11.post breach

    identify breach cause, reason, methods

    safeguards and methods to prevent taking place

    documentation created

    update policy

    train / upskill involved parties





    12 change control

    setup change control manager

    setup process for request a change

    manage the request, approve, reasons, logicality

    follow-up on the result

    update policy

    notify the new policy change

    upskill/train/educate





    13.create GDPR compliance policy

    define by design or by default

    asses combine all current policies

    publish policy

    staff upskilling and education

    enforce policy





    14 Enforce, monitor policy

    Define who and how

    review / monitor timeframe and period

    define mechanisms of doing it so

    define / notify success or failure events

    follow-up


Advertisement