Conducting an audit-style gap analysis against the GDPR and preparing a report.
a. Data discovery - acquisition, identification, classification and location of personal data.
Systems in the organization that contain, or may contain, personal data will be identified, including the databases in use. Personal data, and sets of data that together qualify as personal data, will be defined and classified. A discrepancy list will be prepared for:
- Data lifecycle management.
- Management and guidance of identification of personal data.
- Maintaining data classification.
- Maintaining the register of personal data.
- Management of special categories of data.
- Management of erasure (right to be forgotten).
b. Review of personal data risk management.
Risks related to personal data will be examined: identification of risk factors, assessment of impact, and treatment and validation of risk when handling data.
c. Personal data security management
The overall security and management of processes and policies related to personal data will be reviewed. User groups, system access roles and applications will be examined to identify those that work with personal data. The ways in which access rights are granted to employees will be reviewed for the following cases:
- Joiner process
- Leaver process
- Moving within the organization's structure (Mover process)
Protection of systems will be strengthened by separating access levels and limiting them to the minimum necessary for the performance of official duties (need-to-know and least-privilege principle). Recommendations will be made for protecting and optimizing roles and access rights to information in the organization. A discrepancy list will be prepared for:
- Management of anonymization and pseudonymization.
- Cryptography management.
- Management of protection levels.
- Resilience management (of processing systems and services).
- Access control.
- Management of testing and evaluation of the effectiveness of measures.
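Pseudonymization is the one technical measure this section names without describing. The following is an added example (not part of the original page or of the service it describes) showing the difference between an unkeyed hash, which is reversible by enumeration for low-entropy identifiers such as phone numbers, and a keyed HMAC pseudonym whose key is held separately from the dataset on a need-to-know basis. The records, the numbering block and the key are constructed for the illustration; the function names are the author's own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed, fictitious sample records (not real people). The phone numbers
# all fall in one small numbering block, 0700000000-0700009999, which is what
# makes the unkeyed hash below reversible by enumeration.
RECORDS = [
    {"customer_id": "C-1001", "phone": "0700001234", "plan": "basic"},
    {"customer_id": "C-1002", "phone": "0700009876", "plan": "premium"},
    {"customer_id": "C-1003", "phone": "0700001234", "plan": "family"},  # same subscriber as C-1001
]
PHONE_PREFIX = "070000"   # fixed part of the (constructed) numbering block
PHONE_SUFFIX_LEN = 4      # variable part: only 10 000 candidates

# Hypothetical pseudonymization key. In practice it is generated once, stored in
# a key vault or HSM, readable only by the re-identification service account
# (need-to-know), and never stored alongside the pseudonymized dataset.
KEY = secrets.token_bytes(32)


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.

    Same input and same key give the same token, so records about one subject
    can still be linked across datasets; without the key the token can be
    neither recomputed nor reversed.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key, fields=("phone",)):
    """Return a copy of the records with the listed direct identifiers replaced
    by pseudonyms, plus the re-identification table the controller must keep
    separately. Because that table exists, the output is still personal data
    under the GDPR (pseudonymized, not anonymous)."""
    lookup = {}
    out = []
    for rec in records:
        new = dict(rec)
        for f in fields:
            token = pseudonymize(rec[f], key)
            lookup[token] = rec[f]
            new[f] = token
        out.append(new)
    return out, lookup


def reidentify(token, lookup):
    """Controller-side reversal using the separately held lookup table."""
    return lookup.get(token)


def enumerate_phone_block(token, hasher):
    """Attacker without the key: try every number in the small block and
    compare hashes. Returns the recovered number or None."""
    for n in range(10 ** PHONE_SUFFIX_LEN):
        candidate = PHONE_PREFIX + str(n).zfill(PHONE_SUFFIX_LEN)
        if hasher(candidate) == token:
            return candidate
    return None


def demo():
    phone = RECORDS[0]["phone"]
    # 1. Unkeyed hash: reversed within 10 000 tries.
    weak = plain_hash(phone)
    recovered_weak = enumerate_phone_block(weak, plain_hash)
    # 2. Keyed pseudonym: the same enumeration, using the only hasher an
    #    attacker without the key has, finds nothing.
    strong = pseudonymize(phone, KEY)
    recovered_strong = enumerate_phone_block(strong, plain_hash)
    # 3. Linkability is preserved, and the key holder can re-identify.
    pseudo, lookup = pseudonymize_records(RECORDS, KEY)
    linked = pseudo[0]["phone"] == pseudo[2]["phone"]
    return {
        "weak_recovered": recovered_weak,
        "strong_recovered": recovered_strong,
        "linked": linked,
        "reidentified": reidentify(pseudo[1]["phone"], lookup),
    }


if __name__ == "__main__":
    print(demo())
```

In an audit, the checks that follow from this are whether the key and lookup table are stored and access-controlled separately from the pseudonymized data, who holds the re-identification role, and whether any "anonymized" exports are in fact unkeyed hashes of identifiers with a small value space.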
d. Personal data in supply chain management
Processes, contracts and data flows to and from your suppliers will be checked and verified. A discrepancy list will be prepared for:
- Management of controllers and processors.
- Management of sub-processors.
- Maintaining data processing agreements.
- Supply chain impact management.
- Maintaining supply chain controls.
e. Incident management and personal data breaches.
Possible security gaps in data processing will be assessed. Workflows will be optimized so that potential problems can be identified and resolved proactively. Risk will be minimized by increasing the security of the entire communication infrastructure and reducing the likelihood of outages and breaches. A proposal for a comprehensive technical solution will be prepared that supports protected processing in the organization to the greatest possible extent and complies with current global good practice. The processes to be followed in a negative scenario involving a breach and leakage of personal data from your organization will be checked. A discrepancy list will be prepared for:
- Notification management.
- Management of communications to data subjects.
- Carrying out crisis and incident management.
- Evidence and claims management.
Recommendations for increasing the effectiveness of crisis measures (recovery from outages, leakage of personal data into the public domain, loss of information and other disasters), including damage and loss assessment, containment of the affected scope, and reporting to the competent supervisory authority.
f. Establishing and maintaining qualification and awareness of the regulation.
Awareness and training processes for employees directly affected by the new regulation will be reviewed. Their skills and education, as well as the need for additional qualifications, will be assessed.
g. The role and function of the DPO in the enterprise.
The need to appoint a DPO (Data Protection Officer) in the enterprise will be checked and assessed. A discrepancy list will be prepared for:
- Support for the DPO function.
- Budget and resource management.
- Management of organizational interfaces.
- Reporting management.
- Management of external services.
h. Maintenance of internal controls
Existing internal controls for the processing of personal data will be reviewed and assessed. Additionally, the current impact and effectiveness of internal audit over personal data processing will be assessed. A discrepancy list will be prepared for:
- Maintaining data acquisition controls.
- Maintaining processing controls.
- Maintaining storage controls.
- Maintaining deletion controls.
- Maintaining monitoring controls.
- Conducting an independent review.
- All necessary procedures, documents, internal rules and policies.
i. Maintaining the personal data management framework
The systems and channels through which personal data is exchanged will be determined, along with the approval processes and procedures and the data flows. Recommendations will be drafted for protecting data exchange between systems and applications and for optimizing the control and approval hierarchy. The current framework for personal data management will be assessed and recommendations will be made for:
- Creation of a framework for the management and protection of personal data.
- Maintaining the processing register.
- Maintaining Binding Corporate Rules (BCRs).
- Maintaining consent rules.
- Maintaining the rules for handling data subject requests.
- Maintaining complaint management policies.
- Ensuring independent oversight.
The GDPR requires organizations to provide data subjects (including customers) with clear and concise information about their rights and how their personal data will be used. Data subjects have the right to access their personal data, the right to withdraw consent to or object to the processing of their data, and the right to have their data erased.
Organizations must also ensure that personal data is protected from unauthorized access, destruction, alteration or use. To do so, they must implement appropriate technical and organizational measures such as encryption, pseudonymization, firewalls, vulnerability detection and access controls. They must also have procedures in place for handling data breaches, including a breach notification procedure: notification to the supervisory authority within 72 hours of becoming aware of the breach where notification is required, and to the affected data subjects where the breach is likely to result in a high risk to them.