Our proposal for a Data Protection gap analysis supports GDPR compliance and is aligned with ISO 27001/27002. The gap analysis covers the following processes and activities:
- General IT Governance, Data Protection and Security Issues
- IT Risk Assessment and DPIA Process
- Data Subject Issues
- Rights of Data Subjects/Right To Be Forgotten
- The Data Subject Consent Processes
- The Stakeholder Awareness Process
- Personal Data Process and Data Protection Mapping
- Data Protection Officer
- Data Register
- GDPR Information Security Management System (ISMS)
- Third Party Processing of Personal Data
The GDPR Data Protection gap analysis examines the following operational processes and activities:
- Checklist for privacy policies and procedures
The GDPR requires that information provided to data subjects and other stakeholders is concise, transparent and written in clear and plain language (Article 12). We assist in documenting policies and procedures that are transparent, readily available and structured in a way that facilitates automation.
- Roadmap and framework for accountability
We help establish clear, documented policies and procedures that demonstrate GDPR compliance, together with the organisational structure needed to create a culture of monitoring, reviewing and assessing data processing systems. The aim is data minimisation and controlled retention, built on safeguards and checks and balances.
- Privacy By Design And Default
Implementing privacy by design can both demonstrate compliance and create competitive advantage. We ensure that staff and stakeholders are trained to understand their responsibilities and obligations and to take ownership of them. Auditable data protection impact assessments (DPIAs) provide a platform for reviewing high-risk processes or activities and addressing specific concerns.
- Data Protection Integration
Data privacy must be embedded in every process, service or product before it is ready for delivery, through structured and systematic assessment and validation. Every processing activity requires a lawful basis: either valid consent from the data subject, or a legitimate interest of the controller that is not overridden by the interests and rights of the data subject. Where consent is the basis, the controller bears the burden of proving that adequate consent was obtained.
- Obligations Of The Data Processor
The GDPR imposes direct obligations on processors that must be integrated and embedded in policies, procedures and contracts. Stakeholders and customers will require documentation showing that the services meet GDPR requirements. Assessing whether the contractual documentation for third-party data processing services is adequate is critical to determining and documenting GDPR compliance.
- The Rights Of Data Subjects
Data subjects can exercise their rights to data portability and erasure, and can withdraw consent to the storage and processing of their data, unless the controller has legitimate grounds for its retention. The burden of proof lies with the controller to demonstrate compelling legitimate grounds that override the interests of the data subject, including where a request goes beyond what the Regulation actually grants.
- Cross-Border Data Transfers
International data transfers, including intra-group transfers, require a lawful basis when personal data is sent to jurisdictions that are not recognised as providing adequate data protection. This is not a new concern, but failure to comply is now subject to heavy fines. Consider adopting binding corporate rules to facilitate intra-group transfers of data.
- Prepare For Data Security Breaches
Put in place clear policies and well-practised procedures so that you can react quickly to any personal data breach, notify the supervisory authority within 72 hours where required (Article 33), and inform affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34).