GDPR Compliance Journey - 14 Process Documentation

Gydeline
17 May 2018, 05:10

Summary

TL;DR: In this informative video, Mike Sutherland discusses the essential steps for establishing and maintaining processes under the General Data Protection Regulation (GDPR). He emphasizes the importance of documenting, implementing, and communicating processes such as data mapping and subject access requests. The video provides a detailed walkthrough of a subject access request process document, highlighting the need for a clear process owner, purpose, and regular review to ensure ongoing improvement and compliance with GDPR standards.

Takeaways

  • 📝 Documenting Processes: The importance of documenting processes is emphasized, including the need for implementation and communication within the organization.
  • 🔄 Continuous Improvement: Processes should be reviewed regularly to ensure ongoing improvement and documentation of these revisions.
  • 👤 Process Ownership: Assigning an owner to each process, such as a data protection officer, ensures accountability and responsibility.
  • 🔍 Purpose Clarification: Describing the purpose of each process clearly helps to avoid confusion and ensures everyone understands its necessity.
  • 📋 Process Steps: Outlining the steps involved in a process, such as subject access requests, helps standardize the approach and facilitates compliance.
  • 🔗 Policy Linkage: Indicating which policies relate to a process and vice versa provides a clear connection between procedural actions and overarching guidelines.
  • 🗓️ Review and Update: Regularly updating the process documentation with the latest version and date ensures the information remains current and relevant.
  • 📬 Communication: Communicating processes effectively to all members of the organization is crucial for compliance and efficiency.
  • 📈 Process Review Cycle: The script highlights the cyclical nature of process review and improvement, suggesting a never-ending quest for betterment.
  • 📚 Subject Access Request Example: The script provides a detailed example of a subject access request process, illustrating the steps and considerations involved.
  • 🔑 SLA and Categorization: Setting Service Level Agreements (SLAs) and categorizing requests within processes helps manage expectations and workflow.

Q & A

  • What is the main topic of the video script?

    -The main topic of the video script is discussing the various processes required as part of the General Data Protection Regulation (GDPR), such as data mapping, data protection, impact assessments, subject access requests, breach process reviews, and the steps to document, implement, and review these processes.

  • What are the key steps mentioned in the script for putting a process together?

    -The key steps mentioned are: documenting the process, implementing the process with systems in place, communicating the process to the organization, regularly reviewing the process, and improving it as needed.

  • What is the importance of documenting a process in GDPR compliance?

    -Documenting a process is important because it provides a clear record of the steps involved, ensures that the process is understood and followed correctly, and helps in maintaining compliance with GDPR requirements.

  • Why is it necessary to implement a process after documenting it?

    -Implementing a process after documenting it is necessary to ensure that the documented procedures are actually being followed in practice, and that the systems and resources are in place to support the process.

  • How does communication of the process contribute to GDPR compliance?

    -Communication ensures that everyone in the organization is aware of the process, which is crucial for GDPR compliance as it involves collective responsibility and understanding of data protection measures.

  • What is the role of the process owner in GDPR process management?

    -The process owner is responsible for overseeing the process, ensuring its proper implementation, and making sure it is reviewed and updated as needed. In the script, Mike Savile is identified as the process owner for the subject access request process.

  • What is a subject access request and why is it important under GDPR?

    -A subject access request is a request made by an individual to a data controller to access their personal data. It is important under GDPR as it allows individuals to exercise their rights to information and ensures transparency and accountability in data handling.

  • What are the steps involved in the subject access request process as described in the script?

    -The steps include receiving the request, sending an email to acknowledge it, categorizing the request, setting an SLA time, managing and logging it by the help desk, and recognizing any sub-processes such as data export, erasure, or correction before closing the ticket.

  • How does the script relate the process to policies in GDPR compliance?

    -The script indicates that processes should be related to and referenced by relevant policies, ensuring that the procedures are aligned with the organization's policy framework and GDPR requirements.

  • What is the significance of maintaining a version history and last updated date for a process document?

    -Maintaining a version history and last updated date helps track changes and improvements over time, ensuring that the process is current and compliant with the latest regulations and best practices.

  • What will be the topic of discussion in the next video according to the script?

    -The next video will be discussing contracts, which is another important aspect of GDPR compliance.

Outlines

00:00

📝 GDPR Process Documentation and Implementation

In this segment, Mike Sutherland introduces the topic of processes required under the General Data Protection Regulation (GDPR). He discusses the importance of documenting processes such as data mapping, data protection, impact assessments, and subject access requests. Mike emphasizes the need to not only document these processes but also to implement them with appropriate systems in place. Communication of these processes to all members of the organization is highlighted as a key step. The video script also stresses the necessity of regular review and improvement of these processes, illustrating the cyclical nature of process documentation and enhancement. An example of a subject access request process document is provided, detailing its structure, including the process title, type, status, owner, purpose, steps, related policies, and the document's version and update history.

05:01

🔍 Upcoming Discussion on Contracts in GDPR Compliance

The second paragraph of the script teases the next topic of discussion, which is contracts, in the context of GDPR compliance. It serves as a brief transition, indicating that the focus will shift to contracts in the subsequent video, without going into the specifics of what will be covered. The speaker expresses hope that the audience finds their compliance journey straightforward, suggesting that the content provided so far has been helpful and accessible.

Keywords

💡GDPR

GDPR stands for General Data Protection Regulation, which is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside these areas. In the video, GDPR is the main theme, as the discussion revolves around the processes required for compliance with this regulation.

💡Data Mapping

Data mapping refers to the process of creating a detailed diagram or model of data flows within an organization. It is a crucial step in understanding and managing data for GDPR compliance. In the script, data mapping is listed as one of the processes required as part of GDPR, indicating its importance in tracking and managing personal data.

💡Data Protection

Data protection involves safeguarding the privacy and integrity of data. It is a fundamental aspect of GDPR, which requires organizations to implement measures to protect personal data from unauthorized access or breaches. The script mentions data protection as one of the processes that organizations need to consider for GDPR compliance.

💡Impact Assessments

Impact assessments are evaluations performed to identify and mitigate the risks of various processes or systems. In the context of GDPR, these assessments are important for understanding the potential effects on data protection. The video script lists impact assessments as a necessary process for GDPR compliance.

💡Subject Access Requests

Subject access requests (SARs) are a right granted to individuals under GDPR, allowing them to request access to their personal data held by an organization. The script discusses the process of handling SARs, emphasizing the need for a documented and implemented procedure to respond to such requests.

💡Breach Process

A breach process outlines the steps an organization should take in the event of a data breach. It is a critical component of GDPR compliance, ensuring that organizations can respond effectively to protect data integrity. The script mentions the breach process as one of the processes that need to be documented and reviewed regularly.

💡Process Documentation

Process documentation involves creating written records that describe how a process should be carried out. In the script, it is emphasized that documenting processes is not only about recording them but also about ensuring they are implemented and communicated within the organization.

💡Implementation

Implementation refers to the act of putting a plan, process, or idea into effect. In the context of the video, implementation is key to ensuring that documented processes are actually carried out within an organization, supporting GDPR compliance.

💡Communication

Communication in this context means disseminating information about processes throughout an organization to ensure that all relevant parties are aware and understand their roles. The script highlights the importance of communicating processes to everyone in the organization.

💡Review and Improvement

Review and improvement involve regularly assessing and enhancing processes to ensure they remain effective and compliant. The script stresses the need for ongoing review and improvement of GDPR processes, illustrating the dynamic nature of compliance.

💡Data Protection Officer (DPO)

A Data Protection Officer is a role designated under GDPR to oversee data protection strategies and ensure compliance with data protection regulations. In the script, the DPO is identified as the owner of the subject access request process, highlighting the critical role of this position in GDPR compliance.

Highlights

Introduction to the General Data Protection Regulation (GDPR) compliance processes by Mike Sutherland.

Discussion on various processes required by GDPR, including data mapping, data protection, and impact assessments.

Emphasis on the importance of documenting processes as part of GDPR compliance.

Explanation that merely documenting processes is not enough; they must also be implemented with proper systems.

The necessity of communicating processes to ensure everyone in the organization is aware.

Highlighting the non-static nature of GDPR processes, requiring regular review and improvement.

Introduction of the subject access request process as an example of GDPR documentation.

The importance of assigning a process owner, such as a data protection officer, for accountability.

Describing the purpose of the subject access request process to ensure clarity and understanding.

Detailing the steps involved in managing and logging subject access requests by the help desk.

Mention of sub-processes such as data export, erasure, and correction within the request process.

The significance of recognizing and documenting the completion of the request process by closing the ticket.

Linking processes to relevant policies to maintain a coherent compliance framework.

Documentation of the last update date and version number for process records.

The call to action for continuous improvement and communication of GDPR processes.

Preview of the next topic to be discussed, which is contracts in the context of GDPR.

Closing remarks encouraging simplicity in GDPR compliance.

Transcripts

00:02 [Music]

00:03 Hello and welcome back once again to our GDPR compliance journey. I'm Mike Sutherland. This time we are talking about processes. Now, there are a lot of processes required as part of GDPR, things like data mapping, data protection impact assessments, subject access requests, breach process reviews, and we've got some of them listed on this side of the screen.

00:30 But when you're thinking about process, and we'll show you one of our documents in a second, there are a number of steps you need to consider when putting the process together. The first thing we need to do is to actually document the process. But it's not just enough to document it: you need to implement the process, so make sure that the systems are in place to back that up. And once you've documented and implemented, you then need to communicate that process so that everybody in your organization is aware of that process. And like many things in the GDPR, it's not just a one-time effort, so you need to review that process on a regular basis and make sure that you continue to improve it. And when you do improve it, you need to document the process, as a cycle that goes on and on to keep your processes as good as they can be.

01:21 So let's now take a look at our process. We talked a couple of times ago about subject access requests, so I'm just going to show you through our subject access request document. So this is our subject access request process document, and in line with all our process documents we have a title and we give the process a type. Now that can be irregular, as in this case, so we do this process when somebody requests it; we have other processes which are on a daily, a weekly, a monthly schedule. So we define the type of process, we give it a status, whether it's live, draft, under review or retired, and then, importantly, we need to give the process an owner. So that could be a role, and the role to own the subject access request process in our case is the data protection officer, and also we give that role and that person a name, so we know that Mike Savile is responsible for this process.

02:29 Now it's important to describe the purpose of the process, because we don't want people to think "oh well, we're not sure why it's needed, why we're doing it." So in the case of subject access requests we say that it exists to enable individuals to exercise their rights to information, and it gives us a standard approach for documenting, responding to and fulfilling these requests.

02:52 We then, in every process, go on to document the steps that are required. So there's a series of steps and an overarching comment that says we manage and we log it by our help desk, and then some quite simple steps. We don't need to go into very detailed descriptions, but we need to get the process steps laid out: so receive the ticket, send an email response to acknowledge the request, give it a category, set an SLA time on the request. Then there might be sub-processes. So we don't need to define every single nuance of the sub-process here in the request process, but we do need to recognize that there's a separate data export process, there's a separate data erasure process, there's a separate data deletion or correction process, and then some other steps before we finally get on to closing the ticket, and at that point the process is finished.

03:51 It's also important to indicate which policies this process relates to, and vice versa. So if you saw the earlier video on policy, you would have seen us referring to process. So in this instance there are several policies that would reference this subject access request process, and we've listed them in the document here. And finally, at the footer of the document, we've said when it was last updated, in this case the 13th of April, and the version number of the document, and that gives us a complete view of the process for subject access requests.

04:34 So I hope you found that useful. We've got other processes documented in exactly the same way, but just to reiterate: you need to document, you then need to implement your processes, you then need to communicate them, tell people about your processes, no good having them if you haven't told people, and keep reviewing them with a view to keeping them improved, or improving them on an ongoing basis.

05:00 So that's it for this time. Next time we are going to be talking about contracts, so until then we hope you find your compliance simple.

Related Tags

GDPR Compliance, Data Protection, Subject Access, Process Documentation, Data Mapping, Impact Assessment, Breach Process, Policy Review, Compliance Tips, Mike Sutherland, Data Officer