GDPR Compliance Journey - 06 Data Protection Impact Assessment

00:00

[Music]

00:05

hello and welcome once again to the

00:08

guideline GDP our compliance journey

00:11

this time we're talking about data

00:13

protection impact assessments so if you

00:17

haven't already seen it and downloaded

00:19

and hundreds if not thousands of people

00:22

already have we have a free data

00:24

protection impact assessment template

00:26

available on the website link is on the

00:29

screen now so that's a very very easy

00:32

way to get started once again we have a

00:35

system for managing our data protection

00:38

impact assessment a number of people

00:40

have asked about the systems that we're

00:42

using to manage our GDP our records and

00:44

we're going to be looking at ways that

00:47

we can share this with our customers so

00:49

they can use the same systems that we do

00:51

so stay tuned for more on that in the

00:54

next couple of weeks but in the meantime

00:57

just to say that not everybody has to do

01:01

a data protection impact assessment for

01:04

guideline because we're not processing

01:05

data on a very very large scale we're

01:09

not making automated decisions we are

01:11

not processing special categories of

01:13

information we really don't have to

01:16

according to the regulation do a data

01:19

protection impact assessment however

01:21

since compliance is our business we

01:24

think it's probably best practice that

01:25

we do so I'm going to take you through

01:29

our data protection impact assessment

01:31

and then I'm going to take you through

01:32

the guidelines software to show you what

01:36

our progress against the GDP our is to

01:38

date and what that has done to our

01:40

overall compliance so here we are at our

01:44

data protection impact assessments

01:47

you'll see that we completed a couple of

01:50

these last year but let's deal with the

01:52

most current assessment if we view this

01:57

assessment you can see that we've

01:59

recorded who the Assessor is who the

02:02

data protection officer is and in our

02:05

system we have data processing

02:08

activities which contain the main detail

02:13

regarding the data section impact

02:15

assessment so let's take the impact

02:19

assessment around general business data

02:22

if we look at this business process we

02:26

can see that the purpose is to recognize

02:29

the personal data that are captured

02:31

during the course of everyday business

02:32

and every business has these business

02:35

cards meeting those calls and so on and

02:37

that data can come from a wide variety

02:40

of sources email hardcopy word-of-mouth

02:43

face-to-face and so on and that won't be

02:47

unusual to guideline many businesses

02:49

will have those same scenarios in terms

02:53

of where the processing takes place

02:55

where we capture data into a couple of

02:59

primary systems

03:01

it's either mainly recorded within our

03:04

CRM or it's received via email and the

03:09

case of the latter the emails are stored

03:11

on email servers in the Netherlands

03:13

we've made a list of who the

03:16

stakeholders are regarding this

03:17

processor and it's all customers

03:19

partners and connections and we've also

03:23

documented what is the process for

03:25

deleting the data so we can delete the

03:28

data directly from our CRM system or

03:30

according to our retention policy will

03:34

also delete any emails for those

03:35

contacts from our local mail clients and

03:38

we assume that our providers in this

03:41

case Zoho will delete that data from its

03:44

own archives and backups looking now at

03:48

another area that many many of our

03:51

customers will have and that's a

03:52

newsletter mailing list so this process

03:55

is a database of contacts who have

03:58

expressed an interest in being kept up

04:00

to date with guideline news and

04:02

developments we get this data via the

04:05

guideline website and we also capture

04:08

this in the general course of our

04:09

business this is stored in our CRM

04:13

system provided by Zoho who are the

04:17

stakeholders in this instance well their

04:18

customers and potential customers our

04:21

employees and our directors

04:24

and if you want to delete the data we

04:26

can delete it the right from the CRM but

04:29

we also have an opt-out option in our

04:32

mailing lists so if he usually decides

04:34

not to receive information from us we

04:37

retain their email address so that we

04:39

can make sure that we don't send them

04:41

any information in the future and at the

04:45

bottom of all our impact assessments we

04:48

have a number of risks now because we do

04:54

most of our business in the cloud our

04:56

risks really are around those cloud

04:59

providers so one risk is that a cloud

05:04

provider is compromised so our hosting

05:07

provider AWS if they have a compromised

05:10

there's a risk to our personal

05:12

information albeit we believe quite

05:14

small and there's a second risk that our

05:18

primary software provider Zoho have

05:21

their ecosystem compromised both of

05:24

those risks we believe are are quite

05:26

small we use two-factor to protect those

05:30

systems and the data is encrypted so if

05:35

we go back to the main dpi a we can see

05:38

there a list of the data processing

05:40

activities we just talked about general

05:43

business data and newsletter mailing

05:45

lists so on the back of that we have

05:49

some protection measures that we can put

05:53

in place so the first thing is that we

05:56

only store data on encrypted systems we

05:58

are quite good as a company at not using

06:02

email where we don't have to not storing

06:05

customer information on spreadsheets and

06:08

Word documents so all our information

06:09

really is in our central CRM system and

06:13

where possible we deploy two-factor

06:16

authentication to further protect that

06:18

data and we also make sure that we only

06:21

collect the information that we require

06:24

to support somebody so we don't ask for

06:27

lots of information about a person's age

06:30

and their interests and so on

06:33

and finally we make sure that we enforce

06:37

our data retention policy moving into

06:40

the future

06:41

a few areas that we'd like to focus on

06:44

are implementing a single sign-on and

06:46

we'd like to do some further checks on

06:48

our retention policy to make sure that

06:52

the different retention periods we have

06:54

defined across our areas are enforced

06:57

and finally we'll be conducting another

07:00

deep EIA in six months time in addition

07:03

to the monthly review of the existing

07:06

DPI a's so we know about a third of the

07:11

way through the GDP our activities that

07:14

we a guideline need to complete if you

07:17

remember from the first or second video

07:20

I took you through our dashboard and our

07:24

assessment and if you remember we

07:28

arrived at 42% compliant and we had

07:33

fifty-three outstanding actions so I'm

07:36

going to go ahead and update our

07:38

assessment and show you the impact that

07:41

the things we've completed over the last

07:44

few weeks have had all our overall

07:46

compliance and so the finalists section

07:51

of the assessment that I'm going to

07:53

complete today is on the data protection

07:55

impact assessment and as a results of us

08:01

recently updating the guidelines

08:04

software with the feed from the article

08:08

29 working party we have a couple of

08:10

extra questions so we have one here that

08:15

says how often do you review your data

08:17

protection impact assessment well we

08:20

have put a reminder in place to review

08:23

it every month and do you publish

08:26

details of your DPI A's well I think by

08:30

the very nature of this video that we do

08:33

publish it in full

08:38

so if we return to the dashboard we can

08:42

see that our compliance status has gone

08:45

to 48 percent compliant and the number

08:49

of actions that we have has reduced by 3

08:53

those may not seem like big numbers but

08:59

there will be new actions that have

09:01

occurred as well as ones that we've

09:03

crossed off our list and the areas that

09:06

we are dealing with next on our list

09:07

which are consent and privacy notice

09:11

should see a large number of those

09:13

actions being completed so there you

09:17

have it data protection impact

09:18

assessments and slow steady progress

09:21

hopefully more rapid progress over the

09:23

next couple of weeks next time it's a

09:27

biggie

09:28

we're dealing with consent so stay tuned

09:31

for that and until then we hope you find

09:33

your compliance simple