GDPR Compliance Journey - 06 Data Protection Impact Assessment
Summary
TLDR: In this informative video, the host guides viewers through the process of conducting Data Protection Impact Assessments (DPIAs) in compliance with the General Data Protection Regulation (GDPR). The video offers a free DPIA template, discusses the company's system for managing GDPR records, and highlights the importance of DPIAs even for businesses not required by law to perform them. It provides an in-depth look at the company's DPIA progress, including data collection, storage, and deletion processes, and outlines future steps to enhance data security and compliance.
Takeaways
- 📚 The video introduces a free data protection impact assessment (DPIA) template available for download on their website.
- 🔒 The company uses a system to manage GDPR records and is considering sharing this system with customers.
- 🚫 Under GDPR, a business is only required to perform a DPIA if it processes data on a large scale, makes automated decisions, or handles special categories of information.
- 📝 The speaker guides through their own DPIA process, highlighting the importance of compliance in their business operations.
- 👤 The DPIA identifies the Assessor, the Data Protection Officer, and details the data processing activities involved.
- 💼 The script discusses the general business data process, including capturing personal data from various sources like business cards and emails.
- 📧 It mentions the storage of emails on servers in the Netherlands and the stakeholders involved in data processing.
- 🗑️ The company has documented processes for deleting data from their CRM system and local mail clients, as well as the expectation that providers will delete data from their archives.
- 📝 Another DPIA example covers the newsletter mailing list, detailing how data is captured, stored, and the option for individuals to opt-out.
- 🔐 Risks associated with cloud providers are identified, and measures like two-factor authentication and data encryption are used to mitigate these risks.
- 📈 The company aims to improve compliance by implementing single sign-on, reviewing retention policies, and conducting regular DPIA reviews.
Q & A
What is the main topic of the video script?
-The main topic of the video script is data protection impact assessments (DPIAs) in the context of GDPR compliance.
Is there a free resource available for those interested in starting with DPIAs?
-Yes, there is a free data protection impact assessment template available on the website, which is mentioned in the script.
What does the company use to manage their GDPR records?
-The company uses a system for managing their GDPR records, which they plan to share with customers in the future.
Under what circumstances is a data protection impact assessment not required according to the script?
-A DPIA is not required if the company is not processing data on a large scale, not making automated decisions, and not processing special categories of information.
What is the purpose of the general business data DPIA mentioned in the script?
-The purpose is to recognize the personal data captured during everyday business activities, such as business cards, meetings, calls, etc.
Where is the general business data captured and stored according to the script?
-The general business data is captured and mainly recorded within the company's CRM system or received via email and stored on email servers in the Netherlands.
What is the process for deleting data in the context of the general business data DPIA?
-Data can be deleted directly from the CRM system or according to the company's retention policy; emails for those contacts are also deleted from local mail clients.
What is the newsletter mailing list DPIA about?
-The newsletter mailing list DPIA covers a database of contacts interested in receiving Guideline news and developments, captured via the Guideline website and stored in the CRM system.
Who are the stakeholders in the newsletter mailing list DPIA?
-The stakeholders are customers, potential customers, employees, and directors of the company.
How does the company handle data deletion from the newsletter mailing list?
-Data can be deleted directly from the CRM, and there is an opt-out option in the mailing lists to ensure no future information is sent to those who choose to unsubscribe.
What are the main risks identified in the DPIAs mentioned in the script?
-The main risks are related to cloud providers being compromised, such as the hosting provider AWS or the primary software provider Zoho.
What protective measures does the company implement as per the script?
-The company stores data on encrypted systems, avoids unnecessary email storage of customer information, deploys two-factor authentication, collects only required information, and enforces a data retention policy.
What future focus areas does the company plan to implement to improve compliance?
-The company plans to implement single sign-on, further checks on the retention policy, and conduct another deep DPIA in six months, along with monthly reviews of existing DPIAs.
What was the compliance status and number of outstanding actions before the recent updates in the guidelines software?
-Before the updates, the compliance status was at 42% with fifty-three outstanding actions.
What was the impact of the recent updates on the company's compliance status and number of actions?
-After the updates, the compliance status increased to 48% and the number of actions was reduced by 3.
What is the next major topic the company will address in their compliance journey?
-The next major topic the company will address is consent.
Outlines
📊 Data Protection Impact Assessments Overview
This paragraph introduces the topic of data protection impact assessments (DPIAs) in the context of the General Data Protection Regulation (GDPR). The speaker mentions a free template available on their website for conducting DPIAs and discusses their system for managing these assessments. They clarify that not all organizations need to perform DPIAs unless they process data on a large scale, make automated decisions, or handle special categories of information. However, as compliance is their business, they believe it's best practice to perform DPIAs. The speaker then outlines their own company's DPIA process, including identifying the assessor, data protection officer, and data processing activities, and discusses the general business data and newsletter mailing list processes, their stakeholders, and data deletion policies.
🔒 Addressing Risks and Enhancing Data Security
The second paragraph delves into the risks associated with cloud-based data storage, particularly the potential compromise of cloud providers like AWS and software providers like Zoho. The speaker acknowledges the small but present risk and highlights the protective measures they have in place, such as two-factor authentication and data encryption. They also discuss the company's approach to data storage, emphasizing the use of encrypted systems, avoiding unnecessary email storage of customer information, and adhering to a strict data retention policy. The paragraph concludes with future plans to implement single sign-on and further refine their data retention policy, as well as conducting another DPIA in six months and monthly reviews of existing assessments. The speaker also provides an update on the company's compliance status, showing an increase to 48% compliance and a reduction in outstanding actions.
Keywords
💡Data Protection Impact Assessment (DPIA)
💡GDPR
💡Compliance
💡Personal Data
💡Data Processing Activities
💡Stakeholders
💡Data Retention Policy
💡Cloud Providers
💡Two-Factor Authentication
💡Risk Assessment
💡Opt-out Option
Highlights
Introduction to the topic of data protection impact assessments (DPIAs) in the context of GDPR compliance.
Availability of a free DPIA template on the website for easy start.
Discussion on the systems used for managing GDPR records and plans to share these with customers.
Clarification that not all organizations need to perform a DPIA due to the nature of their data processing.
Emphasis on compliance as a business practice, even when not mandatory, by conducting DPIAs.
Overview of the company's data protection impact assessment process and its components.
Identification of the assessor and data protection officer roles in the DPIA.
Explanation of data processing activities and their relation to DPIAs.
Description of the general business data process and its purpose in recognizing personal data captured.
Mention of various sources from which personal data is collected, such as business cards and emails.
Details on where data is captured and stored, primarily in CRM systems or email servers.
Documentation of data deletion processes and retention policies.
Discussion on the newsletter mailing list process and its stakeholders.
Explanation of the data deletion process from the CRM and mailing lists with opt-out options.
Identification of risks associated with cloud providers and the measures taken to mitigate them.
Introduction of protection measures such as encrypted storage and two-factor authentication.
Plans for future enhancements including single sign-on and further checks on retention policies.
Update on the company's compliance status and the impact of recent activities on overall GDPR compliance.
Mention of upcoming focus areas such as consent and privacy notice, expected to drive further progress.
Anticipation of conducting another deep DPIA in six months along with monthly reviews.
Conclusion emphasizing the importance of steady progress in GDPR compliance.
Transcripts
Hello and welcome once again to the Guideline GDPR compliance journey. This time we're talking about data protection impact assessments. So if you haven't already seen it and downloaded it (and hundreds if not thousands of people already have), we have a free data protection impact assessment template available on the website; the link is on the screen now, so that's a very, very easy way to get started. Once again, we have a system for managing our data protection impact assessments. A number of people have asked about the systems that we're using to manage our GDPR records, and we're going to be looking at ways that we can share this with our customers so they can use the same systems that we do, so stay tuned for more on that in the next couple of weeks.

But in the meantime, just to say that not everybody has to do a data protection impact assessment. For Guideline, because we're not processing data on a very, very large scale, we're not making automated decisions, and we are not processing special categories of information, we really don't have to, according to the regulation, do a data protection impact assessment. However, since compliance is our business, we think it's probably best practice that we do. So I'm going to take you through our data protection impact assessment, and then I'm going to take you through the Guideline software to show you what our progress against the GDPR is to date and what that has done to our overall compliance.

So here we are at our data protection impact assessments. You'll see that we completed a couple of these last year, but let's deal with the most current assessment. If we view this assessment, you can see that we've recorded who the assessor is and who the data protection officer is, and in our system we have data processing activities which contain the main detail regarding the data protection impact assessment. So let's take the impact assessment around general business data. If we look at this business process, we can see that the purpose is to recognise the personal data that are captured during the course of everyday business, and every business has these: business cards, meetings, calls and so on. That data can come from a wide variety of sources (email, hard copy, word of mouth, face to face and so on), and that won't be unusual to Guideline; many businesses will have those same scenarios. In terms of where the processing takes place, we capture data into a couple of primary systems: it's either mainly recorded within our CRM or it's received via email, and in the case of the latter the emails are stored on email servers in the Netherlands. We've made a list of who the stakeholders are regarding this process, and it's all customers, partners and connections, and we've also documented what the process is for deleting the data. So we can delete the data directly from our CRM system, or according to our retention policy we'll also delete any emails for those contacts from our local mail clients, and we assume that our provider, in this case Zoho, will delete that data from its own archives and backups.

Looking now at another area that many, many of our customers will have, and that's a newsletter mailing list. So this process is a database of contacts who have expressed an interest in being kept up to date with Guideline news and developments. We get this data via the Guideline website, and we also capture this in the general course of our business. This is stored in our CRM system provided by Zoho. Who are the stakeholders in this instance? Well, they're customers and potential customers, our employees and our directors. And if you want to delete the data, we can delete it right from the CRM, but we also have an opt-out option in our mailing lists, so if a user decides not to receive information from us, we retain their email address so that we can make sure that we don't send them any information in the future.

At the bottom of all our impact assessments we have a number of risks. Now, because we do most of our business in the cloud, our risks really are around those cloud providers. So one risk is that a cloud provider is compromised: our hosting provider AWS, if they have a compromise, there's a risk to our personal information, albeit we believe quite small. And there's a second risk that our primary software provider Zoho have their ecosystem compromised. Both of those risks we believe are quite small; we use two-factor to protect those systems and the data is encrypted.

So if we go back to the main DPIA, we can see there a list of the data processing activities we just talked about: general business data and newsletter mailing lists. So on the back of that we have some protection measures that we can put in place. The first thing is that we only store data on encrypted systems. We are quite good as a company at not using email where we don't have to, and not storing customer information on spreadsheets and Word documents, so all our information really is in our central CRM system, and where possible we deploy two-factor authentication to further protect that data. We also make sure that we only collect the information that we require to support somebody, so we don't ask for lots of information about a person's age and their interests and so on. And finally, we make sure that we enforce our data retention policy.

Moving into the future, a few areas that we'd like to focus on are implementing a single sign-on, and we'd like to do some further checks on our retention policy to make sure that the different retention periods we have defined across our areas are enforced. And finally, we'll be conducting another deep DPIA in six months' time, in addition to the monthly review of the existing DPIAs.

So we're now about a third of the way through the GDPR activities that we at Guideline need to complete. If you remember from the first or second video, I took you through our dashboard and our assessment, and if you remember we arrived at 42% compliant and we had fifty-three outstanding actions. So I'm going to go ahead and update our assessment and show you the impact that the things we've completed over the last few weeks have had on our overall compliance. And so the final section of the assessment that I'm going to complete today is on the data protection impact assessment, and as a result of us recently updating the Guideline software with the feed from the Article 29 Working Party, we have a couple of extra questions. So we have one here that says: how often do you review your data protection impact assessment? Well, we have put a reminder in place to review it every month. And: do you publish details of your DPIAs? Well, I think by the very nature of this video that we do publish it in full.

So if we return to the dashboard, we can see that our compliance status has gone to 48 percent compliant and the number of actions that we have has reduced by 3. Those may not seem like big numbers, but there will be new actions that have occurred as well as ones that we've crossed off our list, and the areas that we are dealing with next on our list, which are consent and privacy notice, should see a large number of those actions being completed. So there you have it: data protection impact assessments and slow, steady progress, hopefully more rapid progress over the next couple of weeks. Next time it's a biggie; we're dealing with consent, so stay tuned for that, and until then we hope you find your compliance simple.