GDPR Compliance Processes
The Summary
The General Data Protection Regulation (GDPR) is a regulation (EU 2016/679) by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the EU.
The intention is to give citizens and residents back control over their personal data. To achieve the above-mentioned objective, Network Intelligence is submitting this techno-commercial proposal to:
- Conduct a gap assessment with respect to the GDPR requirements
- Conduct a Data Protection Impact Assessment (DPIA, including a risk register)
- Support the implementation of changes in process(es)/application(s) along with the documentation requirements

Assessment phase
Project Kick-Off
GDPR compliance is an extensive journey for any organization, and hence an initial road-map helps to set a defined plan of action. During this phase a formal introduction of the teams takes place, followed by an explanation of each of the processes. This phase also includes setting the completion dates for each milestone. It is also very important to understand the client’s business environment in order to arrive at the scope of work for NII.
Gap assessment
To verify the compliance level of the client’s existing data protection system (documentation and practices), including automated activities, against the requirements of GDPR and produce a gap assessment report.
Recommendations
Based on the gaps found during the gap assessment phase, technical as well as process-related recommendations will be given to the client to ensure compliance. While recommending solutions / changes in the system, the following strategy should be followed:
- Data protection by design
- Data protection by default
Appointment of Data Protection Officer (DPO)
It is a mandatory requirement for each organization to appoint a DPO, depending on the size and locations (single / multi-location) of the organization. The DPO’s roles and responsibilities are to be documented and communicated to the DPO.
Assessment phase’s deliverables
- The deliverable for the gap assessment will be a detailed Gap Assessment Report, which will list all the action points pertaining to the gaps as per the GDPR guidelines
- The gap assessment report will not only list the non-compliant areas; practical, possible solutions for each action point will also be defined
- NII will make a detailed presentation on the findings and ensure that the findings are discussed with all stakeholders
- The executive summary section of the Gap Assessment Report can be used for effective project management
Implementation phase
Once the recommendations are approved by the client’s management, the actual deployment of the suggested solutions will be started. The following activities shall be covered during this phase:
- Awareness – Awareness of GDPR overall, its requirements and the context with respect to the client’s business environment shall be covered. Role-based training needs to be provided, as necessary
- Conducting risk assessment – The following methodology should be followed for the risk assessment:
  - The risk to the rights and freedoms of natural persons that may result from personal data processing which could lead to physical, material or non-material damage
  - The likelihood and severity of the risks to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing of personal data
  - Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk / high risk or the possibility of data breach incidents
- Documentation – The required policies and procedures shall be documented; these bridge the gap between the GDPR requirements and the practices to be deployed to achieve compliance and mitigate the risk of data breaches
- Deployment – Deployment of the risk-mitigating actions and documented processes leading to compliance. This shall include the data breach reporting mechanism to the appropriate authorities as per the GDPR requirement
- Monitoring – Build an access control and monitoring mechanism (changes to DLP, SIEM and IdAM / IAM) together with the logging, reporting, response and resolution of data breach incidents
- Periodic evaluation and maintenance – A checklist-based audit / assessment should be carried out on a periodic basis, and support will be provided so that the organization remains compliant with the GDPR requirements. This involves evaluating the effectiveness of the technical and organizational measures that ensure the security of data processing
Implementation phase’s deliverables
- Policies and procedures documentation
- Roles and responsibilities documentation
- Audit report(s)