
my GDPR "how-to" deal with in common sense

    04-05-2018 8:18am


    Hello,

    Doing my homework here, I compiled a list of steps in relation to a GDPR-compliant policy.
    I'm planning to use this "how-to" as a basic version 1 tool for assessing my customers and making sure that I will succeed in getting them GDPR compliant.

    Please feel free to give any feedback, any updates and any complaints (so easy to misspell "compliant" versus "complaint").

    Thanks



    Intro: hello

    Describe GDPR, common sense and policies already in place

    Ask if they have done anything so far

    Do you have any questions before we begin?







    0. Documentation of all IT

    Gap analysis, network inventory, past invoices, all records present in end-user systems

    1. Inform ALL staff, to raise awareness of GDPR and that we perform a DPIA

    2. Inform the BoM/management that we are starting GDPR compliance

    3. Initial assessments, informal meeting

    3.1 Identify data, staff, processes

    types: physical, virtual

    location: onsite, offsite

    location: safe, protected, right place, multiple places

    source: internal, external

    owner: management, staff, others

    reason: legal, staff, children

    time stamp: tomorrow, today, past/archived

    change: daily, regular, monthly

    critical: yes, maybe, no

    sensitivity: low, medium, high

    data flow, if related to privacy

    3.2 Identify people that need access to data

    3.3 Identify access type, level and time

    3.4 Define access, storage time, retention period duration

    3.5 Define possible issues as identified and/or raised by management, staff, third parties

    3.6 Define why, how, what, where and who, by identifying and mapping processes and the relation data - people - need - IT ("visual mapping")





    4. Associate risks to all of the above

    4.1 Internal associated risk

    4.2 External associated risk

    4.3 Once identified, score each risk against each element

    4.4 Label risk: mitigate, avoid, accept

    4.5 Label impact of risk against each data element: low, medium, high (probable or remote)

    4.6 The measures intended to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data



    5. Third parties

    identify and label as data processor or TP

    check if they are compliant, request a letter

    define level of access, type of data processed

    update SLAs, contracts based on the above

    crm, vsware, aladin, o365, gs

    check with the provider on their released policies and compliance models

    ctrl alt delete

    update SLA

    cleaners

    security, monitoring, door access, CCTV

    other suppliers







    6. Backup and recovery

    review backup

    review recovery

    notifications

    data restore tests

    7. Security

    to be integrated with data type, staff type

    define security type needed for each data item

    define security needed for each staff member, process

    define security for each device

    define multithread protection solution



    8. CCTV policy

    9. Mobile phones, laptops policy





    10. Create management notification, breach

    set up a dept for managing data protection

    define the process for controlling and informing the staff

    define notification of data breach and/or compromised process reporting (data violated or door code known)

    assign staff to receive notifications and set up a process to deal with them

    manage the relation with the DPO, DP and third parties







    11. Post breach

    identify breach cause, reason, methods

    safeguards and methods to prevent it taking place again

    documentation created

    update policy

    train / upskill involved parties





    12. Change control

    set up a change control manager

    set up a process for requesting a change

    manage the request: approve, reasons, logicality

    follow up on the result

    update policy

    notify the new policy change

    upskill/train/educate





    13. Create GDPR compliance policy

    define by design or by default

    assess and combine all current policies

    publish policy

    staff upskilling and education

    enforce policy





    14. Enforce, monitor policy

    define who and how

    review / monitor timeframe and period

    define mechanisms for doing so

    define / notify success or failure events

    follow-up
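One concrete way to carry out the "data restore tests" item under step 6 (backup and recovery). This is an added example, not part of the original post or any tool it mentions: it backs up a directory to a tar archive, restores it somewhere else, and checks every file against a SHA-256 manifest taken at backup time, so a restore that silently loses or alters records is reported rather than assumed to have worked. The sample files (a small records CSV and a policy text) are constructed for the demo; the function names are my own.

```python
"""Restore test: back up a directory, restore it elsewhere, and prove every
file came back byte-for-byte. Added example, not code from the original
post; file names and contents below are constructed sample data."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def backup(src: Path, archive: Path) -> dict:
    """Write src into a gzip tar archive; return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing any member that would land
    outside dest (classic tar path-traversal check)."""
    dest.mkdir(parents=True, exist_ok=True)
    base = dest.resolve()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != base and base not in target.parents:
                raise ValueError(f"refusing to extract outside dest: {member.name}")
        tar.extractall(str(dest))


def verify_restore(manifest: dict, dest: Path) -> dict:
    """Compare the restored tree with the backup-time manifest.
    Returns lists of missing, extra and corrupt (hash mismatch) paths."""
    restored = build_manifest(dest)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "extra": sorted(set(restored) - set(manifest)),
        "corrupt": sorted(p for p in manifest
                          if p in restored and restored[p] != manifest[p]),
    }


def make_sample_data(root: Path) -> None:
    """Constructed sample 'live' data for the demo."""
    (root / "records").mkdir(parents=True)
    (root / "records" / "students.csv").write_text("id,name\n1,Example Pupil\n")
    (root / "policy.txt").write_text("retention: 7 years\n")


def demo() -> dict:
    """Run a clean restore and a deliberately damaged restore in a scratch
    directory; return both verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "live"
        make_sample_data(src)
        archive = work / "backup.tar.gz"
        manifest = backup(src, archive)

        clean = work / "restore_clean"
        restore(archive, clean)
        clean_report = verify_restore(manifest, clean)

        tampered = work / "restore_tampered"
        restore(archive, tampered)
        # Simulate a corrupted file and a lost file in the restored copy.
        (tampered / "policy.txt").write_text("retention: forever\n")
        (tampered / "records" / "students.csv").unlink()
        tampered_report = verify_restore(manifest, tampered)
    return {"clean": clean_report, "tampered": tampered_report}


if __name__ == "__main__":
    for name, report in demo().items():
        status = "PASS" if not any(report.values()) else "FAIL"
        print(f"{name}: {status} {report}")
```

The manifest is the part worth keeping: store it with the backup (ideally on a separate system), and a scheduled restore test becomes "restore to scratch, run verify_restore, alert if any list is non-empty", which also gives step 6's "notifications" item something concrete to fire on.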

