GDPR Compliance Journey - 18 Reviews and Third Party Reviews

Gydeline
21 May 2018, 06:41

Summary

TLDR: In this video, Mike Salim discusses the ongoing nature of GDPR compliance, emphasizing that it's not a one-time task but requires regular reviews similar to a car's MOT. He suggests reviewing aspects like data protection impact assessments, processing records, and breach notifications. Salim recommends implementing a review system and conducting checks every six months, adapting the frequency to the organization's needs. He also shares examples of their review records and a form used to assess third-party GDPR compliance, highlighting the importance of keeping records simple yet comprehensive for future use.

Takeaways

  • 🔄 GDPR is an ongoing process: The script emphasizes that GDPR compliance is not a one-time activity but requires continuous review and maintenance.
  • 🚗 GDPR compared to car MOT: Just like a car needs regular checks, GDPR compliance must be reviewed regularly to ensure it remains fit for purpose.
  • 📝 Establish a system of reviews: Organizations should have a system in place to regularly review their GDPR compliance measures.
  • 🔍 Review various aspects: Key areas for review include data protection impact assessments, processing activity records, breach notifications, and consent records.
  • 📅 Regular review schedule: The script suggests a regular schedule for reviews, such as every six months, depending on the organization's needs.
  • 👀 Changes trigger reviews: Any change in the organization, processes, or data collection should prompt a GDPR compliance review.
  • 📑 Documenting reviews: Records of reviews should be kept, including checks performed and actions undertaken.
  • 📚 Training importance: The script highlights the importance of data protection training for employees to understand and comply with GDPR.
  • 📝 Third-party checks: Organizations must also ensure that third parties they work with are GDPR compliant by using forms to check their status and measures.
  • 📋 Simplified record-keeping: Records should be simple and usable, avoiding overly complex systems that may not be helpful in the future.
  • 🔑 Focus on principles, not details: When reviewing third parties, focus on whether they understand and implement GDPR principles rather than getting into overly detailed technical questions.

Q & A

  • What is the main purpose of this video script?

    -The main purpose of the video script is to emphasize the importance of ongoing reviews and maintenance of GDPR compliance, comparing it to the regular checks required for car MOTs.

  • Why does the speaker compare GDPR compliance to a car MOT?

    -The speaker compares GDPR compliance to a car MOT to highlight that both require regular checks and maintenance to ensure they remain effective and fit for purpose.

  • What does GDPR stand for?

    -GDPR stands for General Data Protection Regulation.

  • What types of records need to be reviewed for GDPR compliance?

    -Types of records that need to be reviewed include data protection impact assessments, processing activity records, breach notifications, and consent records.

  • How often should organizations review their GDPR compliance?

    -Organizations should review their GDPR compliance regularly, especially when there are changes in the organization, processes, information collected, or personnel. The speaker suggests scheduling reviews every six months as a guideline.

  • What is the purpose of keeping records of GDPR reviews?

    -The purpose of keeping records of GDPR reviews is to document the checks and actions taken to maintain compliance, ensuring there is evidence that ongoing review and maintenance are being performed.

  • What should organizations avoid when keeping records for GDPR compliance?

    -Organizations should avoid creating overly complex records that are difficult to use. Records should be simple, containing all necessary data while remaining user-friendly.

  • What does the form sent to third parties typically ask?

    -The form sent to third parties typically asks basic questions to confirm awareness training, understanding of the privacy policy, and knowledge of procedures for data loss. It avoids overly detailed questions and focuses on essential compliance principles.

  • Why does the speaker prefer simple questions for third-party GDPR compliance checks?

    -The speaker prefers simple questions to ensure that the fundamental principles of GDPR compliance are being met and to avoid unnecessary complexity. Detailed concerns can be addressed later if needed.

  • What will the final part of the GDPR compliance journey cover?

    -The final part of the GDPR compliance journey will revisit the Gydeline software to assess compliance, discuss lessons learned, and consider priorities for tackling GDPR efforts.

Outlines

00:00

🔄 Ongoing GDPR Compliance Review

Mike Salim introduces the importance of continuous review in maintaining GDPR compliance, comparing it to a car's MOT to emphasize the need for ongoing checks. He suggests reviewing various aspects such as data protection impact assessments, processing activity records, breach notifications, and consent records. The speaker emphasizes the necessity of conducting reviews when changes occur within the organization, such as changes in processes, data collection, or personnel. A regular review schedule is recommended, with the example of every six months provided as a guideline. The video also showcases records of data protection training and a form used to check third-party GDPR compliance, highlighting the importance of keeping simple and usable records.

05:03

🤝 Third-Party GDPR Compliance Checks

This paragraph discusses the process of ensuring third-party compliance with GDPR. The speaker describes a form sent to third parties to verify their understanding and implementation of GDPR principles. The form includes basic questions about awareness training, privacy policy knowledge, and data loss procedures. The purpose of the form is to create a record that confirms third parties are aware of and compliant with GDPR requirements. The approach is to avoid overly detailed questions and instead focus on the fundamental concepts, with the option to delve into specifics if concerns arise. The speaker mentions that these forms are sent out regularly as part of an ongoing review process.

Keywords

💡GDPR

GDPR stands for General Data Protection Regulation, which is a regulation in EU law that focuses on data protection and privacy for all individuals within the European Union. In the video, GDPR is the central theme, as it discusses the ongoing compliance journey and the importance of reviewing GDPR measures to ensure data protection standards are maintained over time.

💡Compliance

Compliance in this context refers to the act of conforming to a set of rules or standards, specifically the GDPR in this video. It is crucial for organizations to demonstrate compliance to avoid penalties and ensure the protection of personal data. The script emphasizes the continuous nature of compliance, suggesting that it is not a one-time activity.

💡Data Protection Impact Assessment (DPIA)

A DPIA is a process of evaluating the impact of proposed processing operations on the privacy rights of individuals. It is a key component of GDPR compliance. The video mentions reviewing DPIAs as part of the ongoing GDPR compliance process, indicating that organizations must regularly assess their data processing activities to ensure they are in line with GDPR requirements.

💡Processing Activity Record

This refers to a record that organizations must maintain under GDPR, documenting their data processing activities. The script suggests that these records should be reviewed regularly to ensure they accurately reflect current practices and remain compliant with GDPR.

💡Breach Notifications

Breach notifications are a requirement under GDPR, where organizations must inform relevant parties of a data breach within 72 hours of becoming aware of it. The video script implies that maintaining and reviewing breach notification procedures is part of the ongoing compliance efforts.

💡Consent Records

Consent records are documentation of individuals' consent to the processing of their personal data. The script mentions the importance of reviewing these records to ensure that organizations continue to have valid consent for their data processing activities, in line with GDPR principles.

💡Review System

A review system, as discussed in the video, is a structured approach to regularly assessing and updating an organization's GDPR compliance measures. It includes setting up a schedule for reviews and ensuring that all relevant aspects of GDPR compliance are examined.

💡Third-Party Checks

Third-party checks involve verifying that external organizations, which an entity works with, are also compliant with GDPR. The script describes a form used to assess third-party GDPR compliance, highlighting the importance of ensuring that all parties involved in data processing adhere to GDPR standards.

💡Data Protection Training

Training is essential for ensuring that employees understand and can implement GDPR requirements. The video script provides an example of a data protection training record, which lists the topics covered and the attendees, demonstrating the organization's commitment to educating its workforce on data protection.

💡Record Keeping

Record keeping is the practice of maintaining documentation of activities and processes, which is mandatory under GDPR for accountability purposes. The script emphasizes the importance of keeping simple yet comprehensive records that can be used for evidence of compliance.

💡MOT (Ministry of Transport) Test

The MOT test is a UK-based vehicle inspection to ensure roadworthiness. In the script, it is used metaphorically to illustrate the idea that GDPR compliance is not a one-off event but requires regular checks and maintenance, similar to how a car needs periodic MOT tests.

Highlights

GDPR compliance is not a one-time activity but requires ongoing review and maintenance.

The analogy of a car MOT is used to illustrate the need for continuous GDPR review.

System changes, new data collection, and organizational shifts necessitate GDPR reviews.

A system of reviews should be in place to ensure ongoing GDPR compliance.

Data Protection Impact Assessment, Processing Activity Record, and Breach Notifications are among the items needing regular review.

The frequency of GDPR reviews should be determined by changes within the organization or its processes.

A regular review schedule, such as semi-annually, is suggested for maintaining GDPR compliance.

Documentation of reviews and checks is essential for demonstrating ongoing compliance efforts.

The importance of keeping records simple yet comprehensive for future usability is emphasized.

Data protection training records should include date, location, attendees, and topics covered.

Third-party GDPR compliance checks are crucial and should be conducted regularly.

A simple form can be used to assess third-party awareness and understanding of GDPR requirements.

The form serves as a record of third-party confirmation of GDPR compliance and understanding.

Avoiding overly detailed questions allows for a more streamlined review process of third parties.

The approach to reviewing third parties involves sending forms on an ongoing basis to ensure compliance.

The final part of the GDPR compliance journey will involve revisiting the Gydeline software for compliance assessment.

The upcoming session will discuss lessons learned and priorities for tackling GDPR compliance efforts.

The goal is to make GDPR compliance simple and achievable for organizations.

Transcripts

00:00

[Music]

00:04

Hi, I'm Mike Salim. Welcome to the penultimate part in our GDPR compliance journey. Assuming that you've done every other step that you need to do as part of the GDPR, then the next thing you need to do is ensure that you review it on an ongoing basis; the GDPR isn't just a one-time activity. We like to think of it like a car MOT. Your car may be suitable for road use the day you have the MOT, but the next day you might develop an engine fault, maybe a chip in the windscreen; anything could happen that means that car is no longer fit for purpose. And the same thing really applies with the GDPR: you might have got to a ready state on one day, but the system changes, you collect new data, and you're no longer fit for purpose. So you need to review and maintain the GDPR on an ongoing basis, and one of the ways you would do this is to make sure you've got a system of reviews in place.

01:05

So what needs reviewing? Well, there's a number of things that might need reviewing: things like your data protection impact assessment, your processing activity record, your breach notifications, your consent records. There's a list on the screen, but there's a number of things that you need to review on an ongoing basis. And when we talk about review, the GDPR is silent really on how often or when you should review, but to our way of thinking there's clearly a need to review when anything changes. So your organization changes, your processes change, the information you collect changes, maybe the people change; so when things change you should do a review. And then you should also have a schedule. So, as a guideline, we've scheduled things in the most part every six months. We think that's appropriate for our organization; it may be different for your organization, but it's up to you to decide a regular schedule of review for the measures and the processes that you've put in place.

02:20

So I'm going to show you a couple of things. We have records of our reviews that really are lists of the checks that we've done and the things we've undertaken, and so we've got those documented. And then I'll show you forms that we use to check with our third parties, because the GDPR says that you need to check the GDPR status and the measures that your third parties have implemented, so I'll take you through that form as well.

02:48

So this is our record of data protection training that we've done within Gydeline. Now, larger organizations will have a much longer list and smaller organizations may have a slightly shorter list, but really I just want to say that the records you need to keep need to be simple enough that they contain all the data you need and simple enough that they're usable. Don't fall into the trap of creating something highly complex that is then no use to anybody in the future. So you need to keep records across a number of areas. This is our training record, and you can see it just lists what date the training took place, whereabouts it took place, who attended, and the sorts of topics that we covered. So we've done things on data protection impact assessment, awareness training, cleansing data, and some of our processes, and really it is just a simple record that grows over time to show that we are doing the right thing in terms of training our employees to better understand data protection.

04:00

Let's now take a look at the form we use with our third parties about their rights.

04:10

So here is a form that we send to some of the third parties that we work with, and we send these forms because it is a simple way for us to ask some basic questions to check if these organizations are doing some of the things they need to be doing under the GDPR. Now, the form isn't always the same and we modify this depending on what we need, but the basic principle is there: we ask some very simple questions around "can you confirm you've completed awareness training", "can you confirm you've read the Gydeline privacy policy", "do you know what to do about data loss". And then when the individual puts in their name and their email and clicks submit, that then forms a record that we can use to evidence that we've checked this third party. In this instance it might be somebody that's doing some consulting work on behalf of Gydeline, but we can check that they've read, understood and confirmed that they're doing the right things on the GDPR, and we have that as a record of when they answered and the day that they answered it. And that's the approach we're taking across most of our third parties.

05:32

The question approach is also very similar. We're trying to avoid asking hundreds of very, very detailed questions around "is that field encrypted and protected", "how often is that particular letter backed up", and that's, you know, a level of detail that we don't feel we need. We need to understand if the concepts, the principles, are being done, and then if we have any concerns we can drill down into those fine levels of detail later. So that's our approach on reviewing third parties, and we send those forms out on an ongoing basis.

06:12

So that's it on reviews, and next time will be the final part of our GDPR journey, where we'll have another look at the Gydeline software to see how compliant or not we are, and we'll talk about what we may have learnt and maybe some of the priorities that you might be thinking about when it comes to tackling your own GDPR efforts. So until then, we hope you find your compliance simple.

Related Tags

GDPR Compliance, Data Protection, Ongoing Reviews, Privacy Policy, Third-Party Checks, Training Records, Data Breach, Awareness Training, Regulatory Compliance, Data Management, Compliance Audit