The whole GDPR CISO kit is presented below. Download links for the four documents are given first; the content of each document follows, so you can decide which ones you need to download.
Download Links to GDPR Kit Documents
#1. CISO Priorities for GDPR (Download Here: CISO Priorities GDPR.docx)
#2. GDPR Data Protection Control Survey (Download Here: Data Protection Control Survey.xlsx)
#3. GDPR Impact Assessment Tools (Download Here: GDPR Data Protection Impact Assessment Tool.xlsx)
#4. GDPR Program Management Checklist (Download Here: GDPR Program Management Checklist.docx)
#1. CISO Priorities for GDPR
Develop a data security governance strategy
Before drafting a security strategy, CISOs need to consider several key questions, such as how to prioritize data subjects' rights. These questions cannot be answered by the security team alone, so CISOs need to collaborate with the DPO and other data security governance stakeholders who, for example, understand which data is stored or processed on the organization's systems.
CISOs should take the following five steps to develop a data security governance strategy and make their organization GDPR-compliant.
- Perform risk assessments to identify the different data residency, compliance and security threats, and prioritize these threats using a financial assessment.
- Identify which datasets and risks need to be addressed, as not all datasets need the same level of security; some may need very little.
- Define an appropriate set of security policies, with associated procedures and security architectures, for each business risk. Ensure each policy balances the need of people or entities to access the relevant datasets across all available digital business environments.
- Use these policies and architectures to set the requirements for the products that need to be deployed across the organization's IT infrastructure.
- Create access and usage policies for each dataset that remain consistent as data flows across all available digital business environments, applications and endpoints.
#2. GDPR Data Protection Control Survey
A. GDPR Survey: Initial Assessment
The objective of this survey is to capture the current state of understanding of the GDPR requirements for data protection controls. The survey is divided into segments covering the data protection lifecycle, from data classification and discovery through to monitoring and governance.
The questions in each segment gather data about the current state of that part of the lifecycle. The response format is open-ended: some questions require detailed information, while others can be answered with a simple yes or no.
Respondents should be the organization's subject matter experts, and the teams completing the survey should have knowledge of the domain and of their area of work within the organization.
All the questions in this survey are mandatory.
The responses give a view of the organization's current state with respect to data protection and GDPR, and chart the next course of action: the controls, measures and technical solutions required to protect data subject to the EU GDPR.
B. Data Classification & Discovery
| Questions | Response Reference |
|---|---|
| Data Classification | |
| Does your organization have a data classification policy and guidelines? If yes, please share the classification approach and criteria at a high level. | Ex. Data classification levels C1, C2 and so on (confidentiality requirements); PII, SPII, PHI (type of data specific to the data subject) |
| If no, is your organization planning to create a data classification policy? | Yes or No |
| Does your organization already have a data classification technology solution in place for structured and unstructured data, for both on-premise and cloud-based applications? | Ex. Data classification solutions such as Boldon James, Titus and so on |
| Is there a framework already defined which maps data classification to security controls across the organization? | Ex. C1 -> network security controls, logging required and so on |
| Has the organization already identified the EU-specific data that needs to be addressed from a GDPR standpoint across the enterprise? | Ex. EU data subjects -> name, email ID, location |
| Data Discovery | |
| Has your organization already carried out a discovery exercise for EU personal data in its various systems, covering the kinds of data the organization processes: employee, customer, vendor, contractor and third-party data? | |
| Please confirm whether a defined data discovery process is in place for identifying GDPR personal data elements on an ongoing basis, for (a) structured data (databases, flat files, multimedia files and their associated metadata, etc.) and (b) unstructured data (SharePoint, Exchange, images, etc.). | |
| Please provide details of the current data discovery process: is it performed manually or with industry-standard tools? | Industry tools such as Digital Guardian, IBM Guardium and so on |
| Is the current discovery process integrated with other security solutions such as DLP and data classification? | |
| Data Privacy and Security Program | |
| Please confirm whether there is an internal committee for data privacy and security that addresses GDPR requirements within the organization. | |
| If yes, please list the business functions represented on this committee. | |
| Is there a privacy program in place within the organization? | |
| Please list the legal and compliance considerations for the data processed by the organization, such as GLBA, HIPAA, etc. | |
| Please confirm whether applications have been classified based on legal and compliance requirements. | |
| Please confirm whether a data protection or privacy policy is already defined, and provide details. | |
| Has a GDPR assessment already been carried out within the organization, or within specific geographies? If yes, please share the assessment report. | |
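The data discovery questions above ask whether EU personal data elements can be found in structured and unstructured sources on an ongoing basis. The following Python script, added here as an illustration and not part of the kit or of any vendor tool named above, shows the core of such a discovery scan: a few pattern detectors (email address, international phone number, and IBAN with the ISO 13616 mod-97 check so that random alphanumeric strings are not reported), applied column by column to a CSV database export and document by document to file-share text. The CSV rows, document paths and values are constructed sample data.

```python
import csv
import io
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Detectors for three EU personal-data element types. The patterns are kept
# narrow on purpose; a real deployment adds national ID numbers, addresses,
# dates of birth and so on, and tunes them against known false-positive sources.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"\+\d{2}[\s\d]{7,14}\d")          # international format only
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check; drops most strings that merely look like an IBAN."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]                  # country code and check digits go last
    digits = "".join(str(int(c, 36)) for c in rearranged)   # A=10 ... Z=35
    return int(digits) % 97 == 1


def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (element_type, value) pairs found in a piece of text."""
    hits = [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    hits += [("phone", m.group()) for m in PHONE_RE.finditer(text)]
    hits += [("iban", m.group()) for m in IBAN_RE.finditer(text) if iban_is_valid(m.group())]
    return hits


def scan_structured(csv_text: str) -> Dict[str, Counter]:
    """Scan a CSV export column by column. Result: column name -> Counter of element types."""
    inventory: Dict[str, Counter] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            for kind, _ in find_pii(value or ""):
                inventory.setdefault(column, Counter())[kind] += 1
    return inventory


def scan_unstructured(documents: Iterable[Tuple[str, str]]) -> Dict[str, Counter]:
    """Scan (path, text) documents. Result: path -> Counter of element types (hits only)."""
    inventory: Dict[str, Counter] = {}
    for path, text in documents:
        found = Counter(kind for kind, _ in find_pii(text))
        if found:
            inventory[path] = found
    return inventory


# Constructed sample data for the demo (not real records). The second IBAN has
# bad check digits and must not be reported.
SAMPLE_CSV = """customer_id,name,email,phone,notes
1001,Anne Dupont,anne.dupont@example.be,+32 2 555 12 34,refund paid to GB82WEST12345698765432
1002,Jan Janssen,jan.janssen@example.nl,,ticket ref GB00WEST12345698765432
"""
SAMPLE_DOCS = [
    ("sharepoint/HR/onboarding.txt",
     "Contact anne.dupont@example.be or +32 2 555 12 34; salary account GB82WEST12345698765432."),
    ("sharepoint/IT/runbook.txt", "Restart the service with systemctl restart app."),
]

if __name__ == "__main__":
    for column, found in scan_structured(SAMPLE_CSV).items():
        print(f"structured   column={column:<12} {dict(found)}")
    for path, found in scan_unstructured(SAMPLE_DOCS).items():
        print(f"unstructured {path}: {dict(found)}")
```

The inventory it produces (column or path, element type, count) is the input to the classification-to-controls mapping asked about earlier: a column that holds email addresses is classified once, and the control set follows from the classification rather than from per-row inspection. Pattern matching still produces false positives and misses, free-text fields in particular, so the results feed a review rather than an automatic decision.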
C. Data Protection
| SL No. | Questions | Response Reference | Response |
|---|---|---|---|
| | Data Access | | |
| 1 | Does the organization have a defined access control policy? If yes, please share it and its key highlights. | | |
| 2 | Please provide details of the current access control measures in place across the enterprise for access to applications, databases and other assets. | Eg. Role-based access control for critical applications | |
| 3 | Is there an organization-wide solution in place for identity and access management? If yes, please provide details and the area of coverage across key organization assets. | Eg. IBM, SailPoint, Oracle | |
| 4 | If no, please confirm whether there is a plan to initiate one. | | |
| 5 | Is there a privileged access solution in place for service / admin account access management? If yes, please provide details of the solution and the area of coverage across key organization assets. | Eg. CyberArk | |
| 6 | Are access logs tracked and captured as part of the audit requirements? | | |
| 7 | Are these access logs integrated with a SIEM solution? | | |
| | Data in Non-Production Environments (Structured and Unstructured: Databases, File Servers, Email, Document Management System) | | |
| 1 | Is production data (comprising EU personal data) available in non-production environments? | | |
| 2 | If the answer to question 1 is yes, please confirm whether (a) this is historical data, (b) it is part of an ongoing refresh process from production to non-production environments, or (c) both. | | |
| 3 | If there is a data refresh from production to non-production environments, what are the frequency and SLA of the refresh process today? Is the refresh process automated? | | |
| 4 | Is masking of EU personal data carried out in the current set-up, so that applications are tested with masked data? Please confirm. | | |
| 5 | Is there an existing data masking solution implemented for structured data, to protect sensitive production data in non-production environments? Please provide details of: 1) product name, 2) modules implemented, 3) number of instances installed and their locations. | | |
| 6 | Is there an existing data masking solution implemented for unstructured data (documents, PDFs, images, etc.) in the non-production environments? | | |
| 7 | Please provide details of the locations of the non-production environments. Is production data moved to a non-production location outside the EU, or outside the country of collection? | Ex. Data collected in Belgium is moved to Hungary or India, where the non-production environments reside. | |
| 8 | Are the non-production environments outside EEA locations? | | |
| 9 | If non-production environments involve a cloud provider, please provide details of the provider and the possible geographic locations where data is hosted. | | |
| | Data in Production Environment (Structured and Unstructured) | | |
| | Data at Rest | | |
| 1 | Please provide details of the locations of the production environments where data is hosted. Are they the same as the countries where data collection is carried out? | | |
| 2 | Please provide details of the kinds of applications, databases, file servers, etc. in use within the organization. | Eg. Oracle, Java / .NET applications, SAP, etc. | |
| 3 | Please confirm whether any data protection measure such as encryption is currently enabled to protect data at the database or storage level. If yes, please provide details of the solution. | | |
| 4 | Please confirm whether any data protection measure such as encryption is currently enabled to protect data at the file level. If yes, please provide details of the solution. | | |
| 5 | Please confirm whether any data protection measure such as encryption is currently enabled to protect data at the disk level. If yes, please provide details of the solution. | | |
| | Data in Transit | | |
| 1 | Please confirm whether any data protection mechanism is currently deployed to protect data in transit using secure communication (e.g. TLS, VPN, SFTP; legacy SSL versions should be disabled). If yes, please provide details of the solution, and of the applications / data types (for example, internet-facing applications processing personal data) where data-in-transit protection has been implemented. | | |
| | Data in Use | | |
| 1 | Please confirm whether any encryption or tokenization mechanism is currently enabled to protect sensitive data at the application level (field / column level), for example for PCI DSS requirements. If yes, please share details of the solution and of the data in use. | | |
| 2 | Please confirm whether encryption is enabled for cloud applications to protect GDPR personal and sensitive data, both in transit and stored on the cloud platform. | | |
| 3 | For cloud-based applications, do you leverage native encryption capabilities or a third-party encryption solution as part of the cloud set-up with Azure, AWS and others? | | |
| | Certificate and Key Management | | |
| | Key Management | | |
| 1 | Does the organization have a defined key management policy in place which defines the cryptographic standards and key management practices to be adopted across the organization? Please confirm. | | |
| 2 | Does the organization have an existing key management solution for securing keys and rotating them over a defined period? If yes, provide details of the product / solution and the extent of implementation. | | |
| 3 | Does the current key management solution also support hybrid and multi-cloud environments, to protect all data types (structured and unstructured)? | | |
| | Hardware Security Module (HSM) | | |
| 1 | Please confirm whether an HSM has been implemented for key storage and management. If yes, please share details of the current HSM: a. HSM architecture and details, b. applications supported, c. HSM hosting details. | | |
| | Public Key Infrastructure (PKI) | | |
| 1 | Please provide details of the current PKI infrastructure, if any. Additionally: 1. What tool / technology (e.g. Microsoft PKI on premise, third-party solution) is used for issuing internal certificates on premise? 2. Is a managed PKI service from a third party leveraged for external / public certificates? If so, please specify the managed PKI provider and the volume of public certificates to be managed. 3. Please describe the process for issuance, revocation and renewal of certificates. | | |
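The non-production questions above ask whether EU personal data is masked before it is refreshed from production. The following Python example, added here and not taken from the kit or from any masking product, shows deterministic pseudonymization with a keyed HMAC: the same real value always maps to the same fake value within a refresh, so foreign-key joins across tables still work in test, while the masking key stays in production (in the key management solution the survey asks about) so the mapping cannot be reversed from non-production. The table names, column rules and rows are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List

# The masking key belongs to production (ideally the key management solution
# the survey asks about). Non-production receives only masked rows, never the
# key, so the mapping cannot be reversed there. Random per run in this demo;
# in practice the key is long-lived so successive refreshes stay consistent.
MASKING_KEY = secrets.token_bytes(32)


def _prf(key: bytes, value: str, n: int) -> str:
    """Keyed, deterministic digest of a value, truncated to n hex characters."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:n]


def mask_name(key: bytes, value: str) -> str:
    return f"Person-{_prf(key, value, 8)}" if value else value


def mask_email(key: bytes, value: str) -> str:
    # Same real address -> same pseudonym in every table, so joins keep working
    # in non-prod. The domain is replaced too: personal domains identify people.
    if not value:
        return value
    return f"user-{_prf(key, value.strip().lower(), 12)}@example.invalid"


def mask_phone(key: bytes, value: str) -> str:
    # Keep the country code (routing logic is often what gets tested) and
    # replace the subscriber part with digits derived from the PRF.
    digits = "".join(c for c in value if c.isdigit())
    if len(digits) < 8:
        return ""
    subscriber_len = len(digits) - 2
    fake = str(int(_prf(key, digits, 16), 16)).zfill(subscriber_len)[-subscriber_len:]
    return f"+{digits[:2]}{fake}"


def drop(_key: bytes, _value: str) -> str:
    # Free-text fields can carry anything (IBANs, health details); do not ship them.
    return ""


MaskFn = Callable[[bytes, str], str]
MASKING_RULES: Dict[str, MaskFn] = {
    "name": mask_name,
    "email": mask_email,
    "phone": mask_phone,
    "notes": drop,
}


def mask_row(row: Dict[str, str], key: bytes = MASKING_KEY) -> Dict[str, str]:
    """Columns without a rule (surrogate keys, amounts) are copied unchanged."""
    return {col: MASKING_RULES[col](key, val) if col in MASKING_RULES else val
            for col, val in row.items()}


def mask_table(rows: List[Dict[str, str]], key: bytes = MASKING_KEY) -> List[Dict[str, str]]:
    return [mask_row(row, key) for row in rows]


# Constructed sample extract from two production tables (not real records).
CUSTOMERS = [
    {"customer_id": "1001", "name": "Anne Dupont", "email": "Anne.Dupont@example.be",
     "phone": "+32 2 555 12 34", "notes": "refund paid to GB82WEST12345698765432"},
    {"customer_id": "1002", "name": "Jan Janssen", "email": "jan.janssen@example.nl",
     "phone": "", "notes": ""},
]
ORDERS = [
    {"order_id": "9001", "email": "anne.dupont@example.be", "amount": "42.00"},
]

if __name__ == "__main__":
    for row in mask_table(CUSTOMERS) + mask_table(ORDERS):
        print(row)
```

Two points are worth keeping from this: free-text columns are dropped rather than masked, because discovery scans routinely find IBANs and similar in "notes" fields, and columns without a rule are copied unchanged, which is safe only after the classification step has confirmed they hold no personal data. Truncated HMAC output is deliberately not reversible; if a tester needs to map a test record back to production (to reproduce a bug, say), that lookup is done in production with the key, never by shipping the key to non-prod.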
D. Data Monitoring & Governance
| SL No. | Questions | Response Reference | Response |
|---|---|---|---|
| 1 | Please confirm whether the databases / applications generate logs for audit requirements. If yes, are these logs stored and retained for a defined period? Are access logs generated as part of the logging? Are these logs integrated with syslog, Splunk or another SIEM solution? | | |
| 2 | Is a database activity monitoring solution implemented for the database servers? Provide details of the database activity monitoring solution in place (if applicable). | | |
| 3 | Please confirm whether there is a solution in place for file monitoring of SharePoint sites and other file shares. If yes, please share the details. | | |
| 4 | Do the applications support audit / logging to a syslog / SIEM solution? If yes, please provide more details. | | |
| 5 | Is a SIEM solution already implemented within the organization? If yes, please provide details. Is it integrated with all security devices generating security logs, including authentication logs from the IAM solution? | | |
| 6 | Is there a breach notification process defined? If yes, is it integrated with security incident response? Is there a breach notification policy in place within the organization? (GDPR Art. 33 requires the supervisory authority to be notified, where feasible, within 72 hours of the controller becoming aware of a personal data breach.) | | |
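Questions 2 and 5 above ask about database activity monitoring and SIEM integration. As an added example, not part of the kit or of any DAM product, the Python below applies three detection rules to constructed database audit log lines: an interactive (non-service) account reading a table tagged as holding EU personal data, an unfiltered bulk SELECT on such a table, and out-of-hours access to it. The log line format, table tags, service-account list and business hours are assumptions for the demo; a real deployment would take the tags from the classification work and forward the alert records to the SIEM.

```python
import json
import re
from datetime import datetime
from typing import Dict, List, Optional

# Assumed inputs for the demo: tables the classification/discovery work has
# tagged as holding EU personal data, the application accounts expected to
# read them, and the hours during which human access is normal.
PERSONAL_DATA_TABLES = {"customers", "employees"}
SERVICE_ACCOUNTS = {"crm_app", "hr_app"}
BUSINESS_HOURS_UTC = range(7, 19)       # 07:00 to 18:59 UTC

# Constructed audit-log format for the demo: one statement per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) stmt="(?P<stmt>.*)"$'
)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # malformed lines are skipped, not guessed at
    return m.groupdict()


def tables_in(stmt: str) -> List[str]:
    """Table names referenced by a statement, schema prefix removed, lower-cased."""
    return [t.lower().split(".")[-1] for t in TABLE_RE.findall(stmt)]


def evaluate(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply the three rules to one parsed event; returns zero or more alerts."""
    alerts: List[Dict[str, str]] = []
    touched = [t for t in tables_in(event["stmt"]) if t in PERSONAL_DATA_TABLES]
    if not touched:
        return alerts                    # the rules only concern tagged tables
    hour = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    stmt_upper = event["stmt"].upper()
    interactive = event["user"] not in SERVICE_ACCOUNTS

    def alert(rule: str, title: str, table: str) -> None:
        alerts.append({"rule": rule, "title": title, "table": table,
                       "user": event["user"], "ip": event["ip"],
                       "ts": event["ts"], "stmt": event["stmt"]})

    for table in touched:
        if interactive:
            alert("R1", "interactive account read personal-data table", table)
        if stmt_upper.startswith("SELECT") and " WHERE " not in f" {stmt_upper} ":
            alert("R2", "unfiltered bulk read of personal-data table", table)
        if interactive and hour not in BUSINESS_HOURS_UTC:
            alert("R3", "out-of-hours access to personal-data table", table)
    return alerts


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_line(line)
        if event:
            alerts.extend(evaluate(event))
    return alerts


# Constructed sample audit log (not from a real system).
SAMPLE_AUDIT_LOG = [
    '2024-03-12T09:15:02Z db=crm user=crm_app ip=10.0.2.15 stmt="SELECT email FROM customers WHERE id=42"',
    '2024-03-12T02:14:07Z db=crm user=jsmith ip=10.1.4.9 stmt="SELECT * FROM customers"',
    '2024-03-12T11:03:44Z db=crm user=jsmith ip=10.1.4.9 stmt="SELECT count(*) FROM orders"',
    '2024-03-12T11:05:10Z db=hr user=hr_app ip=10.0.2.16 stmt="SELECT name, salary FROM employees"',
    "connection reset by peer",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_AUDIT_LOG):
        print(json.dumps(a))              # one JSON record per alert, ready for the SIEM
```

The first line (an application account, filtered query, in hours) produces nothing; the analyst's unfiltered query at 02:14 trips all three rules; the HR application's unfiltered read of the employees table trips only the bulk-read rule, which is the kind of signal a DAM product surfaces and a plain access log does not.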
#3. GDPR Impact Assessment Tools
A. GDPR DPIA Intro Questions
| A. Description of the Processing (Article 35(7)(a)) | [Name of Enterprise Here]: enter answers to the questions / prompts in this column | Sample answers for fictional ABC Corporation |
|---|---|---|
| 1. Nature, scope, context and purposes of the processing (Recital 90): | | A network application used to monitor employee activities within ABC Corporation's physical and network facilities, to ensure safety and compliance with legal and policy requirements. |
| 2. List of in-scope personal data items: | | Data reflects: 1) employee activities around work stations; 2) employee network activities (login/logout, applications used, associated dates/times/durations/locations, etc.); 3) internet activities (sites visited, duration of visits, IP addresses, dates/times/locations, etc.) made through the company's network; 4) phone calls (incoming/outgoing phone numbers, dates/times/durations/locations, etc.). |
| 3. Recipients of personal data items (if not applicable, indicate N/A): | | Data controllers: management whose job responsibilities require such data; IT support personnel. Data processors: * contracted physical safety/security vendor ACME Co.; * contracted managed systems security vendor ABC Net Security; * contracted phone systems vendor XYZ Telco. |
| 4. Period for which the personal data will be stored (e.g. in hours, days, weeks or years, etc.): | | Data will be stored as follows: 1) physical monitoring: for at least 6 months and in compliance with legal requirements; 2) network monitoring: for at least 1 year and in compliance with legal requirements; 3) phone calls: for at least 3 months and in compliance with legal requirements. |
| 5. Functional description of the processing operation: | | The application was created in-house by company IT personnel. It imports data from three vendors: * physical safety/security data, video, audio and photo files from vendor ACME Co. are collected through an API from the ACME cloud-based system; * company systems-activity data are generated internally via tools used by company IT personnel and combined with data collected through an API from systems-security vendor ABC Net Security; * company IT personnel created an API to import data from contracted phone systems vendor XYZ Telco. All data is then accessible through the company IT application, hosted within the company network. Access to data files via the company application is based on the minimum necessary privileges justified by job responsibilities. |
| 6. Processing or functional assets associated with in-scope personal data (e.g. hardware, software, networks, people, paper or paper-transmission channels): | | Functional assets related to personal data: * company network; * computing devices attached to the company network; * all software related to, and accessed by, the monitoring activities, and supporting software and hardware; * personnel who need access to perform job duties, including but not limited to IT tech support, HR, information security, privacy, legal, audit, call center, and associated data processors (ABC Net Security, XYZ Telco, ACME Co.). |
| 7. Compliance with the following approved codes of conduct has been confirmed (Article 35(8)). Provide one of the following answers: * Yes (list associated codes of conduct); * No (list associated codes of conduct); * Not Applicable (explain why). | | YES, with AccreditationsRUs, an approved privacy-sector accreditation body. |
COBIT 5 © ISACA, 2012. All rights reserved. This DPIA framework, using her Privacy Impact Assessment Approach, is provided courtesy of Rebecca Herold. Rebecca Herold PIAA © Rebecca Herold, 2017. ISACA has designed this publication primarily as an educational resource for privacy, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests, or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, readers should apply their own professional judgement to the specific privacy, risk and security circumstances presented by the particular systems or information technology environment.
B. GDPR DPIA Questions
SAMPLE ENTRY (for illustration only, using the sample data in worksheet A)
| Privacy principle | Question | Level (A to F, or NA) | Safeguards in place and planned actions | Harm prevention controls in place and planned actions | Principle summary |
|---|---|---|---|---|---|
| 1. Choice & Consent | 1) Do you have documented and enforced privacy and security policies (and supporting procedures) to provide choices, where appropriate, to data subjects regarding use of their personal data? Is consent obtained before using personal information for specific purposes, as required by GDPR? See GDPR Art. 6(1) | A | We have the following safeguards in place: * documented policies and procedures for the facility, internet use and phone use monitoring; * training for the policies and procedures; * technology implemented within the surveillance systems to give notice to those within our facilities of the surveillance activities; at the entrance to our facilities we give notification that individuals who do not want to be surveilled should not enter; * for the types of monitoring and surveillance implemented, no consent is necessary for entering the facilities or for monitoring network use to access the internet, as confirmed with GDPR supervisory authorities; personnel understand these are conditions of employment; * for phone calls we give notice and obtain consent; * identification verification is obtained where necessary; * data is retained according to the information given in the Introduction. Planned actions: none at this time. | We have the following harm prevention controls in place: * documented policies and procedures detail how the data can and cannot be used; * controls do not allow data to be shared with others without authorization for such sharing; * data is irreversibly deleted upon reaching the end of the retention period or legal requirement, whichever arrives first; * we have cyber liability insurance to cover personal data breaches; * we have documented and implemented breach response plans. Planned actions: none at this time. | 1. Choice & Consent Summary. a. Maturity & Risk Levels: Level A answers: 1; Level C answers: 1; NA answers: 1 (no Level B, D, E or F answers). b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan: technology has not yet been implemented to manage consents fully; the new privacy manager will be responsible for accomplishing this soon after he starts in this position (4 weeks from the date of this DPIA report). Position/person(s)/team assigned: Chris Jones, Privacy Officer. c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan: same as b. Position/person(s)/team assigned: Chris Jones, Privacy Officer. d. Additional Information: the new privacy manager will be choosing a new system to automate the management of consents more effectively; he starts four weeks from the date on this DPIA and will be responsible for ensuring all requirements for question 2 are accomplished. Overall, most risk is being sufficiently mitigated and appropriately accepted where applicable; all GDPR requirements are being met for this Choice and Consent privacy principle. |
| | 2) Are consents (once obtained) appropriately documented and maintained? Can consents be easily provided upon request by data subjects and/or appropriate authorities? See GDPR Art. 7(1), Art. 7(2) | C | We have the following safeguards in place: * documented policies and procedures for obtaining consents; * training for the policies and procedures; * technology has not yet been implemented to fully manage the consents; the new privacy manager will be responsible for accomplishing this. Planned actions: implement technology to fully manage the consents. | We have the following harm prevention controls in place: * documented policies and procedures detail how the data can and cannot be used; * controls do not allow data to be shared with others without authorization for such sharing; * data is irreversibly deleted upon reaching the end of the retention period or legal requirement, whichever arrives first. Planned actions: none at this time. | |
| | 3) If the enterprise collects information from children younger than 16 years of age (member state law may lower this age, to no less than 13), have you created and documented policies and implemented processes to collect parental consent as required by the GDPR? See GDPR Art. 8(1) | NA: we do not allow children within our facilities or to use our networks. | NA | NA | |
| Provide descriptions, comments and additional information for each associated column, as appropriate. | We have hired a privacy manager to oversee consents management. That person will start four weeks from the date on this DPIA. He will be responsible for ensuring all requirements for question 2 are accomplished. | | | | |
1. Choice & Consent | 1) Do you have documented and enforced privacy and security policies (and supporting procedures) to provide choices, where appropriate, to data subjects regarding use of their personal data? Is consent obtained before using personal information for specific purposes, as required by GDPR? See GDPR Art. 6(1) |
1. Choice & Consent Summary a. Maturity & Risk Levels # of Level A answers: # of Level B answers: # of Level C answers: # of Level D answers: # of Level E answers: # of Level F answers: # of NA answers: b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan: Position/person(s)/team assigned: c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan: Position/person(s)/team assigned: d. Additional Information: |
|||
2) Are consents (once obtained) appropriately documented and maintained? Can consents be easily verified upon request by data subjects and/or appropriate authorities? See GDPR Art. 7(1), Art. 7(2) |
|||||
3) If the enterprise collects information from children younger than 16 years of age, have you created and documented policies and implemented processes to collect parental consent as required by the GDPR? See GDPR Art. 8(1) |
|||||
Provide descriptions, comments and additional information for each associated column, as appropriate. | |||||
2. Legitimate Purpose Specification and Use Limitation | 1) Do you have documented and enforced privacy and security policies (and supporting procedures) to collect only the personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed, in support of data-minimization requirements? See GDPR Art. 5(1) |
2. Legitimate Purpose Specification and Use Limitation Summary a. Maturity & Risk Levels # of Level A answers: # of Level B answers: # of Level C answers: # of Level D answers: # of Level E answers: # of Level F answers: # of NA answers: b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan: Position/person(s)/team assigned: c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan: Position/person(s)/team assigned: d. Additional Information: |
|||
2) Do you have documented and enforced privacy and security policies (and supporting processes) in place to ensure that personal data processing is lawful and necessary given the purposes for which the data were collected? See GDPR Art. 6(1)(b) |
|||||
3) Do you have documented and enforced privacy and security policies (and supporting processes) in place to ensure that any intended further processing will be reviewed, and handled appropriately, prior to such use (e.g., obtaining additional data-subject consent, ensuring legal compliance, etc.)? See GDPR Art. 6(4)(a) |
|||||
4) Do you have documented and enforced privacy and security policies (and supporting processes) in place to ensure that the processing and/or use of criminal conviction personal data are subject to the exclusive control of official authorities, or authorized by union or member state law? See GDPR Art. 10 |
|||||
5) Have you determined and documented situations to which the right to object does not apply, and implemented appropriate supporting procedures? See GDPR Art. 22(2) |
|||||
6) Do the data protection officer job responsibilities include consideration of risks to personal data and the associated harm risks to data subjects so that purpose and use limitation can be appropriately considered? See GDPR Art. 39(2) |
|||||
Provide descriptions, comments and additional information for each associated column, as appropriate. | |||||
3. Personal Information and Sensitive Information Life Cycle | 1) Do you have documented and enforced privacy and security policies (and supporting procedures) to keep personal data for no longer than necessary to support the purposes for which they were collected, including legal and any applicable public interest, scientific and historic-research purposes? See GDPR Art. 5(1) |
3. Personal Information & Sensitive Information Life Cycle Summary a. Maturity & Risk Levels # of Level A answers: # of Level B answers: # of Level C answers: # of Level D answers: # of Level E answers: # of Level F answers: # of NA answers: b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan: Position/person(s)/team assigned: c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan: Position/person(s)/team assigned: d. Additional Information: |
|||
2) Do you have documented and enforced privacy and security policies (and supporting procedures) to decide whether or not special categories of personal data, or personal data related to criminal convictions/offences, have been used beyond the original purposes for which they were collected? See GDPR Art. 6(4) |
|||||
3) Do you have documented and enforced privacy and security policies (and supporting procedures) to determine whether the following types of personal data are collected (and/or processed) under relevant exemptions provided within GDPR, or if such processing needs to be prohibited? a) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership b) genetic data c) biometric data for the purpose of uniquely identifying a natural person d) data concerning health e) data concerning a natural person's sex life or sexual orientation See GDPR Art. 9(1) |
|||||
4) Do you have documented and enforced privacy and security policies (and supporting procedures) that allow data subjects to be removed from using their personal data for direct marketing purposes whenever they request to be removed from such communications? See GDPR Art. 21(3) |
|||||
5) Do you have documented and enforced privacy and security policies (and supporting procedures) that require implementation of appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific processing purpose are actually processed? See GDPR Art. 25(2) |
|||||
6) Do you have documented and enforced privacy and security policies (and supporting procedures) to perform reviews, when necessary, that determine whether processing is performed in accordance with the data protection impact assessment, whenever the risk represented by processing operations changes? See GDPR Art. 35(11) |
|||||
7) Do you have documented and enforced privacy and security policies (and supporting procedures) that document the legal derogations from GDPR rights for the use of personal data processed for scientific or historical research purposes or statistical purposes? See GDPR Art. 89(2) |
|||||
Provide descriptions, comments and additional information for each associated column, as appropriate. | |||||
4. Accuracy and Quality | 1) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure that personal data are kept accurate and up to date, as necessary, and to correct personal data errors without delay? See GDPR Art. 5(1) |
4. Accuracy and Quality Summary a. Maturity & Risk Levels # of Level A answers: # of Level B answers: # of Level C answers: # of Level D answers: # of Level E answers: # of Level F answers: # of NA answers: b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan: Position/person(s)/team assigned: c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan: Position/person(s)/team assigned: d. Additional Information: |
|||
Provide descriptions, comments and additional information for each associated column, as appropriate. | |||||
5. Openness, Transparency and Notice
1) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure that personal data are collected for clearly specific and legitimate purposes; not used for processing purposes other than those stated or as defined by GDPR; and are processed fairly, transparently and in compliance with applicable legal requirements? See GDPR Art. 5(1)
2) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to communicate to data subjects their rights and notices, answer their questions, and provide information to them relating to data processing, in a manner that is clear, easy to understand, and age appropriate to the data subject? See GDPR Art. 12(1)
3) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to provide, at the time personal data are obtained from data subjects, all necessary information elements, such as the data subject’s rights; how to restrict use of their associated personal data; how to retract consents for personal data use, etc., as required by GDPR; as well as to ensure fair and transparent processing? See GDPR Art. 13(1), Art. 13(2), Art. 14(2), Art. 21(4)
4) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to provide the data subject with information describing any additional purposes for which previously collected personal information will be used and other relevant information, prior to further processing? See GDPR Art. 13(3), Art. 14(4)
5) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to inform data subjects of the safeguards applied when personal data are transferred to a third country or to an international organization? See GDPR Art. 15(2)
Provide descriptions, comments and additional information for each associated column, as appropriate.

5. Openness, Transparency and Notice Summary
a. Maturity & Risk Levels: # of Level A answers; # of Level B answers; # of Level C answers; # of Level D answers; # of Level E answers; # of Level F answers; # of NA answers.
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan. Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan. Position/person(s)/team assigned:
d. Additional Information:
6. Individual Participation
1) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) that allow data subjects to withdraw consent to use their associated personal data at any time (including personal data used in partnership with other controllers), as long as the withdrawal does not result in legal violations about which you have informed the data subjects? See GDPR Art. 7(3), Art. 26(3)
2) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) in partnership with any other joint controllers to ensure that a data subject whose identity has been verified can exercise his or her rights to request access to; information about; corrections to; deletion/destruction (erasure) of; or restrictions on associated personal data in compliance with the timing, costs, and format of information delivery requirements mandated by the GDPR? And do these include processes to provide documented reasons for denying requests? See GDPR Art. 12(2), Art. 12(3), Art. 12(4), Art. 12(5), Art. 12(6), Art. 14(3), Art. 16, Art. 17, Art. 21(1), Art. 26(3)
3) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) to allow a data subject whose identity has been verified to obtain confirmation regarding whether or not personal data are being processed (including personal data used in partnership with other controllers), and when that is the case, to provide the data subject access to the associated personal data, including information concerning the purposes; categories; recipients; retention periods; rights for deletion and registering complaints; ability to restrict personal data processing where feasible and legal, with notices when the restrictions are lifted; and data source details where possible, in compliance with GDPR requirements? See GDPR Art. 15(1), Art. 18, Art. 26(3)
4) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) to provide a copy of personal data that are not used in the public interest or by official authorities, which copy shall be processed upon request by the data subject, without prejudice; delivered in a commonly used digital format, along with additional copies as requested; for a reasonable fee where the fee is based on actual administrative costs? See GDPR Art. 15(3), Art. 20(3)
5) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) that enable data subjects to object to the use of their personal data for direct-marketing and profiling purposes, including those that result in decisions or circumstances affecting the associated data subject legally? See GDPR Art. 21(2), Art. 22(1)
6) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) to enable data subjects to contact the data protection officer for any issue related to processing of their personal data or to the exercise of their rights under GDPR? See GDPR Art. 38(4)
Provide descriptions, comments and additional information for each associated column, as appropriate.

6. Individual Participation Summary
a. Maturity & Risk Levels: # of Level A answers; # of Level B answers; # of Level C answers; # of Level D answers; # of Level E answers; # of Level F answers; # of NA answers.
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan. Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan. Position/person(s)/team assigned:
d. Additional Information:
7. Accountability
1) Do you have documented and enforced privacy and security policies (and supporting procedures) that detail: a) the acceptable legal basis for processing personal data, as required by union or member state law; and b) the procedure by which an enterprise determines whether processing for another purpose is compatible with the original purpose for collecting the personal data (taking into account the context in which the personal data were collected and in particular regarding the relationship between data subjects and the enterprise), as required by GDPR? See GDPR Art. 6(1), Art. 6(3), Art. 6(4)
2) Do you have documented and enforced privacy and security policies (and supporting procedures) that detail: a) requirements for establishing the data protection officer responsibilities; b) the tasks for which the data protection officer will be responsible, in compliance with the GDPR; and c) the measures in place to ensure that the person(s) fulfilling the role are appropriately qualified and knowledgeable of data protection legal requirements and are either a member of the enterprise, a contracted entity or from a processor that the enterprise has engaged? See GDPR Art. 37(1), Art. 37(2), Art. 37(3), Art. 37(4), Art. 37(5), Art. 37(6)
3) Do you have documented and enforced privacy policies (and supporting procedures) to ensure that in the event personal data are not obtained from the data subject, the enterprise provides the data subject with the following information: a) identity and contact details of the controller; b) contact details of any applicable data protection officer; c) documentation of the purposes and legal basis for personal data processing; d) documentation of the categories of personal data concerned; e) lists of recipients (or categories of recipients) of the personal data, if any; f) records of intention to transfer personal data to a recipient in a third country or international organization, where applicable; g) the existence or absence of an adequacy decision by the Commission; and h) records of existing safeguards and the means to obtain a copy of them? See GDPR Art. 14(1)
4) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure that: a) within the enterprise and among all processors, the authority of the data protection officer is understood and acknowledged; b) the data protection officer is involved in all issues regarding personal data; c) all executives, including those at the highest level, not only provide clear support for the data protection officer but also provide the resources necessary (including knowledge and training) to discharge the position's responsibilities; d) the data protection officer is not penalized for performing duties or maintaining necessary confidentiality; and e) the data protection officer is also tasked with other responsibilities in addition to those of being data protection officer, as appropriate and reasonable given the business environment? See GDPR

7. Accountability Summary
a. Maturity & Risk Levels: # of Level A answers; # of Level B answers; # of Level C answers; # of Level D answers; # of Level E answers; # of Level F answers; # of NA answers.
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan. Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan. Position/person(s)/team assigned:
d. Additional Information:
#4.GDPR Program Management Checklist
GDPR Implementation Checklist
- ESTABLISH AND MATURE A PRIVACY PROGRAM
  - Educate and raise awareness.
  - Assess organization privacy risks.
  - Develop a privacy policy, privacy statement and Data Protection Addendum (DPA)[1] to ensure transparency about the data collected and the purposes of that collection.
  - Perform a policy evaluation.
  - Implement and train.
  - Conduct an annual review.
- CLASSIFY ALL DATA
  - Understand the flow of data in your organization.
  - Identify mission-critical systems.
  - Understand what GDPR considers personally identifiable information (PII), especially:
    - Article 4 – GDPR Definitions
    - Article 9 – GDPR Processing of Special Categories of Personal Data
  - Classify by public, sensitive, confidential, etc.
- ENGAGE A QUALIFIED DATA PRIVACY OFFICER (DPO)
  - Per Articles 37-39, ensure the DPO has completed:
    - International Association of Privacy Professionals (IAPP) training.
    - Certified Information Privacy Professional (CIPP/E) courses.
    - Certified Information Privacy Manager (CIPM) courses.
  - Ensure the DPO:
    - Drives the maturity of the privacy program and GDPR compliance.
    - Handles companywide privacy and training awareness.
    - Helps establish technical compliance requirements.
    - Helps prioritize and create a roadmap.
- PERFORM PROCESSING ACTIVITIES
  - Conduct data protection impact assessments (DPIAs) for all processing activities, especially those that may impact data subject rights.
  - Create a data mapping process.
  - Create a record of processing activities.
- IDENTIFY TECHNICAL REQUIREMENTS
  - Classify data.
  - Implement data loss prevention (DLP).
  - Implement encryption.
  - Revamp identity and access management (IDAM) to include single sign-on (SSO) and multifactor authentication (MFA).
  - Ensure the right tools and processes are in place to comply with Article 30 (records of processing activities) and Article 17 (right to erasure).
- WRITE A DATA PROTECTION ADDENDUM (DPA) AND/OR ACCEPT DPAs
  - Create DPAs addressing GDPR requirements.
  - Sign others' DPAs on a case-by-case basis.
- IDENTIFY AND MODIFY CURRENT CONTROLS AND PROCESSES
  - Engage a third party to perform a self-assessment.
  - Review and modify current breach notification rules to comply with the new GDPR rules, such as the requirement that customers contact their supervisory authority (SA) within 72 hours of verifying that a breach impacts them.
  - Review and modify encryption policies to ensure individuals’ personal data remain protected.
- BE TRANSPARENT AND SHOW BEST EFFORT
  - Some articles will take longer to implement and to establish compliance with. Ensure you provide a practical, clear roadmap to full compliance.
  - Demonstrate compliance with industry-standard controls, certifications and attestations.
[1] The Addendum specifies the data protection obligations of the Parties, their staff and any third parties acting on their behalf, and applies to all Personal Data transferred between the Parties in connection with the provision of the Services under the Services Agreement.