GDPR Compliance Journey - 14 Process Documentation

Gydeline

17 May 201805:10

Summary

TLDRIn this informative video, Mike Sutherland discusses the essential steps for establishing and maintaining processes under the General Data Protection Regulation (GDPR). He emphasizes the importance of documenting, implementing, and communicating processes such as data mapping and subject access requests. The video provides a detailed walkthrough of a subject access request process document, highlighting the need for a clear process owner, purpose, and regular review to ensure ongoing improvement and compliance with GDPR standards.

Takeaways

📝 Documenting Processes: The importance of documenting processes is emphasized, including the need for implementation and communication within the organization.
🔄 Continuous Improvement: Processes should be reviewed regularly to ensure ongoing improvement and documentation of these revisions.
👤 Process Ownership: Assigning an owner to each process, such as a data protection officer, ensures accountability and responsibility.
🔍 Purpose Clarification: Describing the purpose of each process clearly helps to avoid confusion and ensures everyone understands its necessity.
📋 Process Steps: Outlining the steps involved in a process, such as subject access requests, helps standardize the approach and facilitates compliance.
🔗 Policy Linkage: Indicating which policies relate to a process and vice versa provides a clear connection between procedural actions and overarching guidelines.
🗓️ Review and Update: Regularly updating the process documentation with the latest version and date ensures the information remains current and relevant.
📬 Communication: Communicating processes effectively to all members of the organization is crucial for compliance and efficiency.
📈 Process Review Cycle: The script highlights the cyclical nature of process review and improvement, suggesting a never-ending quest for betterment.
📚 Subject Access Request Example: The script provides a detailed example of a subject access request process, illustrating the steps and considerations involved.
🔑 SLA and Categorization: Setting Service Level Agreements (SLAs) and categorizing requests within processes helps manage expectations and workflow.

Q & A

What is the main topic of the video script?
-The main topic of the video script is discussing the various processes required as part of the General Data Protection Regulation (GDPR), such as data mapping, data protection, impact assessments, subject access requests, breach process reviews, and the steps to document, implement, and review these processes.
What are the key steps mentioned in the script for putting a process together?
-The key steps mentioned are: documenting the process, implementing the process with systems in place, communicating the process to the organization, regularly reviewing the process, and improving it as needed.
What is the importance of documenting a process in GDPR compliance?
-Documenting a process is important because it provides a clear record of the steps involved, ensures that the process is understood and followed correctly, and helps in maintaining compliance with GDPR requirements.
Why is it necessary to implement a process after documenting it?
-Implementing a process after documenting it is necessary to ensure that the documented procedures are actually being followed in practice, and that the systems and resources are in place to support the process.
How does communication of the process contribute to GDPR compliance?
-Communication ensures that everyone in the organization is aware of the process, which is crucial for GDPR compliance as it involves collective responsibility and understanding of data protection measures.
What is the role of the process owner in GDPR process management?
-The process owner is responsible for overseeing the process, ensuring its proper implementation, and making sure it is reviewed and updated as needed. In the script, Mike Savile is identified as the process owner for the subject access request process.
What is a subject access request and why is it important under GDPR?
-A subject access request is a request made by an individual to a data controller to access their personal data. It is important under GDPR as it allows individuals to exercise their rights to information and ensures transparency and accountability in data handling.
What are the steps involved in the subject access request process as described in the script?
-The steps include receiving the request, sending an email to acknowledge it, categorizing the request, setting an SLA time, managing and logging it by the help desk, and recognizing any sub-processes such as data export, erasure, or correction before closing the ticket.
How does the script relate the process to policies in GDPR compliance?
-The script indicates that processes should be related to and referenced by relevant policies, ensuring that the procedures are aligned with the organization's policy framework and GDPR requirements.
What is the significance of maintaining a version history and last updated date for a process document?
-Maintaining a version history and last updated date helps track changes and improvements over time, ensuring that the process is current and compliant with the latest regulations and best practices.
What will be the topic of discussion in the next video according to the script?
-The next video will be discussing contracts, which is another important aspect of GDPR compliance.