While preparing to meet GDPR requirements, companies and organizations have started to review their processes and procedures to check whether they are compliant with the requirements. Many of them must have realized there are areas in their business where documentation or process knowledge is missing and where they do not have full control over data processing activities. It seems that implementing the GDPR requirements is an excellent moment to put these areas in order; the question, however, is whether we have the right tools and people in place to bring order to this documentation. We have prepared a tool that can support data protection officers in their daily work.
Integration of processes and documentation
All for One GDPR Manager creates a comprehensive work environment for the DPO, supports the management of personal data of all types (including data of employees, customers, recipients of marketing information, suppliers and others), enables effective management of access to personal data with regard to the required documentation and helps improve personal data protection processes on a continuous basis.
Features and capabilities of All for One GDPR Manager:
- maintaining records of processing activities,
- keeping a register of powers of attorney and authorizations together with detailed reporting,
- automatic generation of documents, e.g. powers of attorney and authorizations for employees,
- checking and verifying agreements with counterparties, including recording all actions in the document flow process,
- designing and carrying out a risk analysis process for individual processing activities, including the comparability of data over time,
- planning training programs.
All for One GDPR Manager is a ready-to-use application, available in the cloud (SaaS) or as an on-premise installation.
Role of the Data Protection Officer (DPO)
Along with a panel for managing registers and requests, the DPO receives access to a dashboard that presents key parameters of the GDPR processes and is useful for reporting progress related to risk reduction and continuous improvement, or simply for tracking the number of notifications coming into the organization, such as information requests or requests for personal data removal.
To be able to define key system parameters, you must first feed the tool with data. Over time, the panel will allow you to analyze this data. The development potential of this tool depends mainly on the activity of the Data Protection Officer.
Risk analysis
The distinguishing feature of All for One GDPR Manager is its ability to track the “grey zones” of our organizations by conducting a periodic risk analysis. A risk is the possibility of an event occurring that will have a negative impact on the security of personal data during its processing. Therefore, the analysis requires a subjective impact assessment based on the information gathered about the current state of the implemented safeguards. The cyclical analysis allows the organization to track its progress towards risk reduction.
The analysis consists in assigning the following attribute values to each personal data processing activity defined in the processing record:
- List of threats (e.g. unauthorized access, communication channel disruptions, damage to a workstation).
- Vulnerabilities (e.g. hardware failure, employee, communication channel).
- CIA (Confidentiality, Integrity and Availability).
Then, the risk is assessed as the product of the assigned impact value (in the case of the GDPR, this may be the cost of any claims in respect of penalties for negligence regarding personal data) and the likelihood of the threat. After analyzing the existing safeguards, you can determine the residual risk. Existing safeguards should reduce the primary risk to zero. If this is not the case, the DPO can devise remedial plans that will eliminate it.
As processing operations and the risks associated with them change over time, each analysis is recorded as a separate report illustrating the current state of our business. This state is influenced by the status of work on implementing security measures, whether through processing policies or physical and technical safeguards. Therefore, All for One GDPR Manager may prove to be a valuable tool for reporting the expenses incurred by the organization and assessing their effectiveness, as well as for planning the expenses related to implementing subsequent security measures. Remedial plans tracked in All for One GDPR Manager can be associated not only with a risk, but also with actual incidents of loss, distortion or exposure of personal data. After an event has occurred and its circumstances have been described, we can choose a remedial plan that will mitigate its impact in the future or prevent subsequent events.
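As an added illustration of the risk analysis described above (this is not code from All for One GDPR Manager), the following snippet models a processing activity with its threats, vulnerabilities, CIA impact and likelihood, computes the primary and residual risk, and compares two periodic reports. The 1 to 5 rating scales, the remedial-plan threshold and the per-safeguard likelihood reduction are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed scales: impact and likelihood are each rated 1..5,
# so risk = impact x likelihood lies between 1 and 25.
RISK_THRESHOLD = 8  # assumed limit above which a remedial plan is required


@dataclass
class ProcessingActivity:
    name: str
    threats: list[str]
    vulnerabilities: list[str]
    impact: dict[str, int]          # per CIA dimension: "C", "I", "A"
    likelihood: int                 # likelihood of any listed threat materialising
    # (safeguard name, how many likelihood points it removes) - assumed model
    safeguards: list[tuple[str, int]] = field(default_factory=list)


def inherent_risk(a: ProcessingActivity) -> int:
    """Primary risk before safeguards: worst CIA impact times likelihood."""
    return max(a.impact.values()) * a.likelihood


def residual_risk(a: ProcessingActivity) -> int:
    """Risk remaining after each safeguard lowers the likelihood (never below 0)."""
    likelihood = a.likelihood
    for _, reduction in a.safeguards:
        likelihood = max(0, likelihood - reduction)
    return max(a.impact.values()) * likelihood


def risk_report(activities, threshold=RISK_THRESHOLD) -> dict[str, dict]:
    """One analysis run: per-activity figures plus whether a remedial plan is needed."""
    return {a.name: {"inherent": inherent_risk(a), "residual": residual_risk(a),
                     "remedial_plan_needed": residual_risk(a) > threshold}
            for a in activities}


def progress(previous: dict, current: dict) -> dict[str, int]:
    """Change in residual risk per activity between two reports (negative = improvement)."""
    return {n: current[n]["residual"] - previous[n]["residual"]
            for n in current if n in previous}


# Constructed sample: employee files, analysed first with one safeguard, then with two.
hr_q1 = ProcessingActivity("employee_files", ["unauthorized access"], ["employee"],
                           {"C": 5, "I": 3, "A": 2}, likelihood=4,
                           safeguards=[("access control", 1)])
hr_q2 = ProcessingActivity("employee_files", ["unauthorized access"], ["employee"],
                           {"C": 5, "I": 3, "A": 2}, likelihood=4,
                           safeguards=[("access control", 1), ("awareness training", 2)])
Q1, Q2 = risk_report([hr_q1]), risk_report([hr_q2])
```

Running two reports for the same activity shows the residual risk dropping from 15 (remedial plan required) to 5 once the second safeguard is in place.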
Continuous development
The concept of the GDPR is a transition to an open security model that assumes continuous development and improvement of these processes. Therefore, All for One GDPR Manager is more a framework for handling the GDPR than a closed tool. The ECM engine (currently Rockawork) used as the base for building this tool enables us to modify this model easily and, consequently, to follow business needs. In addition to the definitions of personal data processing activities, some of these data collections can be physically stored in the ECM archive itself, in electronic form (employee files, contracts, applications, etc.).
Since the GDPR directive forces organizations to create their own personal data processing definitions and models, All for One GDPR Manager focuses mainly on processes and on defining their key parameters. The lack of these definitions in our organization is what we call “grey zones”. It is worth taking the time to define them, because all the conclusions we draw from these activities will contribute to improving the quality of our services. Let us take advantage of this opportunity.
SNP Poland (now All for One Poland) uses GDPR Manager
In accordance with the GDPR guidelines, SNP Poland has implemented the All for One GDPR Manager solution for its own needs. The new tool enables us to support our Data Protection Officer in keeping records of processing activities, handling requests and incidents and planning training cycles in the field of Personal Data Protection. It also helps us facilitate communication with counterparties within the processes of giving consent to personal data processing by SNP Poland as part of our services.
Rafał Grześkowiak, IT Project Team Leader, All for One Poland