GDPR Compliance Journey - 14 Process Documentation
Summary
TLDR: In this informative video, Mike Sutherland discusses the essential steps for establishing and maintaining processes under the General Data Protection Regulation (GDPR). He emphasizes the importance of documenting, implementing, and communicating processes such as data mapping and subject access requests. The video provides a detailed walkthrough of a subject access request process document, highlighting the need for a clear process owner, purpose, and regular review to ensure ongoing improvement and compliance with GDPR standards.
Takeaways
- 📝 Documenting Processes: The importance of documenting processes is emphasized, including the need for implementation and communication within the organization.
- 🔄 Continuous Improvement: Processes should be reviewed regularly to ensure ongoing improvement and documentation of these revisions.
- 👤 Process Ownership: Assigning an owner to each process, such as a data protection officer, ensures accountability and responsibility.
- 🔍 Purpose Clarification: Describing the purpose of each process clearly helps to avoid confusion and ensures everyone understands its necessity.
- 📋 Process Steps: Outlining the steps involved in a process, such as subject access requests, helps standardize the approach and facilitates compliance.
- 🔗 Policy Linkage: Indicating which policies relate to a process and vice versa provides a clear connection between procedural actions and overarching guidelines.
- 🗓️ Review and Update: Regularly updating the process documentation with the latest version and date ensures the information remains current and relevant.
- 📬 Communication: Communicating processes effectively to all members of the organization is crucial for compliance and efficiency.
- 📈 Process Review Cycle: The script highlights the cyclical nature of process review and improvement, suggesting a never-ending quest for betterment.
- 📚 Subject Access Request Example: The script provides a detailed example of a subject access request process, illustrating the steps and considerations involved.
- 🔑 SLA and Categorization: Setting Service Level Agreements (SLAs) and categorizing requests within processes helps manage expectations and workflow.
Q & A
What is the main topic of the video script?
-The main topic of the video script is discussing the various processes required as part of the General Data Protection Regulation (GDPR), such as data mapping, data protection impact assessments, subject access requests, breach process reviews, and the steps to document, implement, and review these processes.
What are the key steps mentioned in the script for putting a process together?
-The key steps mentioned are: documenting the process, implementing the process with systems in place, communicating the process to the organization, regularly reviewing the process, and improving it as needed.
What is the importance of documenting a process in GDPR compliance?
-Documenting a process is important because it provides a clear record of the steps involved, ensures that the process is understood and followed correctly, and helps in maintaining compliance with GDPR requirements.
Why is it necessary to implement a process after documenting it?
-Implementing a process after documenting it is necessary to ensure that the documented procedures are actually being followed in practice, and that the systems and resources are in place to support the process.
How does communication of the process contribute to GDPR compliance?
-Communication ensures that everyone in the organization is aware of the process, which is crucial for GDPR compliance as it involves collective responsibility and understanding of data protection measures.
What is the role of the process owner in GDPR process management?
-The process owner is responsible for overseeing the process, ensuring its proper implementation, and making sure it is reviewed and updated as needed. In the script, Mike Savile is identified as the process owner for the subject access request process.
What is a subject access request and why is it important under GDPR?
-A subject access request is a request made by an individual to a data controller to access their personal data. It is important under GDPR as it allows individuals to exercise their rights to information and ensures transparency and accountability in data handling.
What are the steps involved in the subject access request process as described in the script?
-The steps include receiving the request, sending an email to acknowledge it, categorizing the request, setting an SLA time, managing and logging it by the help desk, and recognizing any sub-processes such as data export, erasure, or correction before closing the ticket.
How does the script relate the process to policies in GDPR compliance?
-The script indicates that processes should be related to and referenced by relevant policies, ensuring that the procedures are aligned with the organization's policy framework and GDPR requirements.
What is the significance of maintaining a version history and last updated date for a process document?
-Maintaining a version history and last updated date helps track changes and improvements over time, ensuring that the process is current and compliant with the latest regulations and best practices.
What will be the topic of discussion in the next video according to the script?
-The next video will be discussing contracts, which is another important aspect of GDPR compliance.
Outlines
📝 GDPR Process Documentation and Implementation
In this segment, Mike Sutherland introduces the topic of processes required under the General Data Protection Regulation (GDPR). He discusses the importance of documenting processes such as data mapping, data protection impact assessments, and subject access requests. Mike emphasizes the need to not only document these processes but also to implement them with appropriate systems in place. Communication of these processes to all members of the organization is highlighted as a key step. The video script also stresses the necessity of regular review and improvement of these processes, illustrating the cyclical nature of process documentation and enhancement. An example of a subject access request process document is provided, detailing its structure, including the process title, type, status, owner, purpose, steps, related policies, and the document's version and update history.
🔍 Upcoming Discussion on Contracts in GDPR Compliance
The second paragraph of the script teases the next topic of discussion, which is contracts, in the context of GDPR compliance. It serves as a brief transition, indicating that the focus will shift to contracts in the subsequent video, without going into the specifics of what will be covered. The speaker expresses hope that the audience finds their compliance journey straightforward, suggesting that the content provided so far has been helpful and accessible.
Keywords
💡GDPR
💡Data Mapping
💡Data Protection
💡Impact Assessments
💡Subject Access Requests
💡Breach Process
💡Process Documentation
💡Implementation
💡Communication
💡Review and Improvement
💡Data Protection Officer (DPO)
Highlights
Introduction to the General Data Protection Regulation (GDPR) compliance processes by Mike Sutherland.
Discussion on various processes required by GDPR, including data mapping and data protection impact assessments.
Emphasis on the importance of documenting processes as part of GDPR compliance.
Explanation that merely documenting processes is not enough; they must also be implemented with proper systems.
The necessity of communicating processes to ensure everyone in the organization is aware.
Highlighting the non-static nature of GDPR processes, requiring regular review and improvement.
Introduction of the subject access request process as an example of GDPR documentation.
The importance of assigning a process owner, such as a data protection officer, for accountability.
Describing the purpose of the subject access request process to ensure clarity and understanding.
Detailing the steps involved in managing and logging subject access requests by the help desk.
Mention of sub-processes such as data export, erasure, and correction within the request process.
The significance of recognizing and documenting the completion of the request process by closing the ticket.
Linking processes to relevant policies to maintain a coherent compliance framework.
Documentation of the last update date and version number for process records.
The call to action for continuous improvement and communication of GDPR processes.
Preview of the next topic to be discussed, which is contracts in the context of GDPR.
Closing remarks encouraging simplicity in GDPR compliance.
Transcripts
Hello and welcome back once again to our GDPR compliance journey. I'm Mike Sutherland. This time we are talking about processes. Now, there are a lot of processes required as part of GDPR, things like data mapping, data protection impact assessments, subject access requests, breach process reviews, and we've got some of them listed on this side of the screen. But when you're thinking about process, and we'll show you one of our documents in a second, there are a number of steps you need to consider when putting the process together.

The first thing we need to do is to actually document the process. But it's not just enough to document it; you need to implement the process, so make sure that the systems are in place to back that up. And once you've documented and implemented, you then need to communicate that process so that everybody in your organization is aware of that process. And like many things in the GDPR, it's not just a one-time effort, so you need to review that process on a regular basis and make sure that you continue to improve it. And when you do improve it, you need to document the process, as a cycle that goes on and on to keep your processes as good as they can be.

So let's now take a look at one of our processes. We talked a couple of times ago about subject access requests, so I'm just going to show you through our subject access request document. So this is our subject access request process document, and in line with all our process documents we have a title, and we give the process a type. Now that can be irregular, as in this case, so we do this process when somebody requests it; we have other processes which are on a daily, a weekly, a monthly schedule, so we define the type of process. We give it a status, whether it's live, draft, under review or retired. And then, importantly, we need to give the process an owner, so that could be a role, and the role that owns the subject access request process in our case is the data protection officer, and also we give that role and that person a name, so we know that Mike Savile is responsible for this process.

Now it's important to describe the purpose of the process, because we don't want people to think, oh well, we're not sure why it's needed, why we're doing it. So in the case of subject access requests we say that it exists to enable individuals to exercise their rights to information, and it gives us a standard approach for documenting, responding to and fulfilling these requests.

We then, in every process, go on to document the steps that are required. So there's a series of steps and an overarching comment that says we manage and log it by our help desk, and then some quite simple steps. We don't need to go into very detailed descriptions, but we need to get the process steps laid out: receive the ticket, send an email response to acknowledge the request, give it a category, set an SLA time on the request. Then there might be sub-processes, so we don't need to define every single nuance of the sub-process here in the request process, but we do need to recognize that there's a separate data export process, there's a separate data erasure process, there's a separate data deletion or correction process, and then some other steps before we finally get on to closing the ticket, and at that point the process is finished.

It's also important to indicate which policies this process relates to, and vice versa. So if you saw the earlier video on policy, you would have seen us referring to process. So in this instance there are several policies that would reference this subject access request process, and we've listed them in the document here. And finally, at the footer of the document, we've said when it was last updated, in this case the 13th of April, and the version number of the document, and that gives us a complete view of the process for subject access requests.

So I hope you found that useful. We've got other processes documented in exactly the same way, but just to reiterate: you need to document, you then need to implement your processes, you then need to communicate them, tell people about your processes, no good having them if you haven't told people, and keep reviewing them with a view to keeping them improved, or improving them on an ongoing basis. So that's it for this time. Next time we are going to be talking about contracts, so until then, we hope you find your compliance simple.