GDPR Compliance Journey - 18 Reviews and Third Party Reviews
Summary
TLDR: In this video, Mike Salim discusses the ongoing nature of GDPR compliance, emphasizing that it's not a one-time task but requires regular reviews similar to a car's MOT. He suggests reviewing aspects like data protection impact assessments, processing records, and breach notifications. Salim recommends implementing a review system and conducting checks every six months, adapting the frequency to the organization's needs. He also shares examples of their review records and a form used to assess third-party GDPR compliance, highlighting the importance of keeping records simple yet comprehensive for future use.
Takeaways
- 🔄 GDPR is an ongoing process: The script emphasizes that GDPR compliance is not a one-time activity but requires continuous review and maintenance.
- 🚗 GDPR compared to car MOT: Just like a car needs regular checks, GDPR compliance must be reviewed regularly to ensure it remains fit for purpose.
- 📝 Establish a system of reviews: Organizations should have a system in place to regularly review their GDPR compliance measures.
- 🔍 Review various aspects: Key areas for review include data protection impact assessments, processing activity records, breach notifications, and consent records.
- 📅 Regular review schedule: The script suggests a regular schedule for reviews, such as every six months, depending on the organization's needs.
- 👀 Changes trigger reviews: Any change in the organization, processes, or data collection should prompt a GDPR compliance review.
- 📑 Documenting reviews: Records of reviews should be kept, including checks performed and actions undertaken.
- 📚 Training importance: The script highlights the importance of data protection training for employees to understand and comply with GDPR.
- 📝 Third-party checks: Organizations must also ensure that third parties they work with are GDPR compliant by using forms to check their status and measures.
- 📋 Simplified record-keeping: Records should be simple and usable, avoiding overly complex systems that may not be helpful in the future.
- 🔑 Focus on principles, not details: When reviewing third parties, focus on whether they understand and implement GDPR principles rather than getting into overly detailed technical questions.
Q & A
What is the main purpose of this video script?
-The main purpose of the video script is to emphasize the importance of ongoing reviews and maintenance of GDPR compliance, comparing it to the regular checks required for car MOTs.
Why does the speaker compare GDPR compliance to a car MOT?
-The speaker compares GDPR compliance to a car MOT to highlight that both require regular checks and maintenance to ensure they remain effective and fit for purpose.
What does GDPR stand for?
-GDPR stands for General Data Protection Regulation.
What types of records need to be reviewed for GDPR compliance?
-Types of records that need to be reviewed include data protection impact assessments, processing activity records, breach notifications, and consent records.
How often should organizations review their GDPR compliance?
-Organizations should review their GDPR compliance regularly, especially when there are changes in the organization, processes, information collected, or personnel. The speaker suggests scheduling reviews every six months as a guideline.
What is the purpose of keeping records of GDPR reviews?
-The purpose of keeping records of GDPR reviews is to document the checks and actions taken to maintain compliance, ensuring there is evidence that ongoing review and maintenance are being performed.
What should organizations avoid when keeping records for GDPR compliance?
-Organizations should avoid creating overly complex records that are difficult to use. Records should be simple, containing all necessary data while remaining user-friendly.
What does the form sent to third parties typically ask?
-The form sent to third parties typically asks basic questions to confirm awareness training, understanding of the privacy policy, and knowledge of procedures for data loss. It avoids overly detailed questions and focuses on essential compliance principles.
Why does the speaker prefer simple questions for third-party GDPR compliance checks?
-The speaker prefers simple questions to ensure that the fundamental principles of GDPR compliance are being met and to avoid unnecessary complexity. Detailed concerns can be addressed later if needed.
What will the final part of the GDPR compliance journey cover?
-The final part of the GDPR compliance journey will review the guideline software to assess compliance, discuss lessons learned, and consider priorities for addressing GDPR efforts.
Outlines
🔄 Ongoing GDPR Compliance Review
Mike Salim introduces the importance of continuous review in maintaining GDPR compliance, comparing it to a car's MOT to emphasize the need for ongoing checks. He suggests reviewing various aspects such as data protection impact assessments, processing activity records, breach notifications, and consent records. The speaker emphasizes the necessity of conducting reviews when changes occur within the organization, such as changes in processes, data collection, or personnel. A regular review schedule is recommended, with the example of every six months provided as a guideline. The video also showcases records of data protection training and a form used to check third-party GDPR compliance, highlighting the importance of keeping simple and usable records.
🤝 Third-Party GDPR Compliance Checks
This paragraph discusses the process of ensuring third-party compliance with GDPR. The speaker describes a form sent to third parties to verify their understanding and implementation of GDPR principles. The form includes basic questions about awareness training, privacy policy knowledge, and data loss procedures. The purpose of the form is to create a record that confirms third parties are aware of and compliant with GDPR requirements. The approach is to avoid overly detailed questions and instead focus on the fundamental concepts, with the option to delve into specifics if concerns arise. The speaker mentions that these forms are sent out regularly as part of an ongoing review process.
Keywords
💡GDPR
💡Compliance
💡Data Protection Impact Assessment (DPIA)
💡Processing Activity Record
💡Breach Notifications
💡Consent Records
💡Review System
💡Third-Party Checks
💡Data Protection Training
💡Record Keeping
💡MOT (Ministry of Transport) Test
Highlights
GDPR compliance is not a one-time activity but requires ongoing review and maintenance.
The analogy of a car MOT is used to illustrate the need for continuous GDPR review.
System changes, new data collection, and organizational shifts necessitate GDPR reviews.
A system of reviews should be in place to ensure ongoing GDPR compliance.
Data Protection Impact Assessment, Processing Activity Record, and Breach Notifications are among the items needing regular review.
The frequency of GDPR reviews should be determined by changes within the organization or its processes.
A regular review schedule, such as semi-annually, is suggested for maintaining GDPR compliance.
Documentation of reviews and checks is essential for demonstrating ongoing compliance efforts.
The importance of keeping records simple yet comprehensive for future usability is emphasized.
Data protection training records should include date, location, attendees, and topics covered.
Third-party GDPR compliance checks are crucial and should be conducted regularly.
A simple form can be used to assess third-party awareness and understanding of GDPR requirements.
The form serves as a record of third-party confirmation of GDPR compliance and understanding.
Avoiding overly detailed questions allows for a more streamlined review process of third parties.
The approach to reviewing third parties involves sending forms on an ongoing basis to ensure compliance.
The final part of the GDPR compliance journey will involve revisiting the guide software for compliance assessment.
The upcoming session will discuss lessons learned and priorities for tackling GDPR compliance efforts.
The goal is to make GDPR compliance simple and achievable for organizations.
Transcripts
Hi, I'm Mike Salim. Welcome to the penultimate part in our GDPR compliance journey, and assuming that you've done every other step that you need to do as part of the GDPR, then the next thing you need to do is ensure that you review it on an ongoing basis. GDPR isn't just a one-time activity. We like to think of it like a car MOT: your car may be suitable for road use the day you have the MOT, but the next day you might develop an engine fault, maybe get a chip in the windscreen; anything could happen that means that car is no longer fit for purpose. And the same thing really applies with the GDPR: you might have got to a ready state on one day, but the system changes, you collect new data and you're no longer fit for purpose. So you need to review and maintain the GDPR on an ongoing basis, and one of the ways you would do this is to make sure you've got a system of reviews in place.

So what needs reviewing? Well, there's a number of things that might need reviewing, things like your data protection impact assessment, your processing activity record, your breach notifications, your consent records. There's a list on the screen, but there's a number of things that you need to review on an ongoing basis. And when we talk about review, the GDPR is silent really on how often or when you should review, but to our way of thinking there's clearly a need to review when anything changes: so your organization changes, your processes change, the information you collect changes, maybe the people change. So when things change you should do a review, and then you should also have a schedule. So as a guideline, we've scheduled things in the most part every six months. We think that's appropriate for our organization; it may be different for your organization, but it's up to you to decide a regular schedule of review for the measures and the processes that you've put in place.

So I'm going to show you a couple of things. We have records of our reviews that really are lists of the checks that we've done and the things we've undertaken, and so we've got those documented, and then I'll show you forms that we use to check with our third parties, because the GDPR says that you need to check the GDPR status and the measures that your third parties have implemented. So I'll take you through that form as well.

So this is our record of data protection training that we've done within Guideline. Now larger organizations will have a much longer list and smaller organizations may have a slightly shorter list, but really I just want to say that the records you need to keep, they need to be simple enough that they contain all the data you need and simple enough that they're usable. Don't fall into the trap of creating something highly complex that is then no use to anybody in the future. So you need to keep records across a number of areas. This is our training record, and you can see it just lists what date the training took place, whereabouts it took place, who attended and the sorts of topics that we covered. So we've done things on data protection impact assessment, awareness training, cleansing data and some of our processes, and really it is just a simple record that grows over time to show that we are doing the right thing in terms of training our employees to better understand data protection.

Let's now take a look at the form we use to ask our third parties about their rights. So here is a form that we send to some of the third parties that we work with, and we send these forms because it is a simple way for us to ask some basic questions to check if these organizations are doing some of the things they need to be doing under the GDPR. Now the form isn't always the same, and we modify this depending on what we need, but the basic principle is there: we ask some very simple questions around can you confirm you've completed awareness training, can you confirm you've read the Guideline privacy policy, do you know what to do about data loss, and then when the individual puts in their name and their email and clicks submit, that then forms a record that we can use to evidence that we've checked this third party. In this instance it might be somebody that's doing some consulting work on behalf of Guideline, but we can check that they've read, understood and confirmed that they're doing the right things on the GDPR, and we have that as a record of when they answered and the day that they answered it. And that's the approach we're taking across most of our third parties, and the question approach is also very similar. We're trying to avoid asking hundreds of very, very detailed questions around is that field encrypted and protected, how often is that particular letter backed up, and that's, you know, a level of detail that we don't feel we need. We need to understand if the concepts, the principles, are being done, and then if we have any concerns we can drill down into those fine levels of detail later. So that's our approach on reviewing third parties, and we send those forms out on an ongoing basis.

So that's it on reviews, and next time will be the final part of our GDPR journey, where we'll have another look at the Guideline software to see how compliant or not we are, and we'll talk about what we may have learnt and maybe what some of the priorities are that you might be thinking about when it comes to tackling your own GDPR efforts. So until then, we hope you find your compliance simple.