GDPR Compliance Journey - 05 Policy
Summary
TLDR: This video script from Guideline's GDPR Compliance Journey discusses a unique approach to policy creation, emphasizing the importance of simplicity and applicability within organizations. It critiques the common practice of using generic templates and instead promotes succinct, easily enforceable statements linked to various policy areas and personnel. The script outlines a system for organizing policy collections, such as cybersecurity, data protection, and privacy, which can be applied across different areas for compliance with regulations like the GDPR. The speaker also highlights the ability to print policy documents for record-keeping, aiming to simplify compliance processes.
Takeaways
- 🗓️ The General Data Protection Regulation (GDPR) will be enforceable in seven to eight weeks, emphasizing the urgency to prepare.
- 📝 The speaker advocates for a unique approach to policy, criticizing the common practice of using generic templates that do not meet specific organizational needs.
- 🔑 The importance of creating a 'living' policy document that is applied within the organization is highlighted, as opposed to just having a static document.
- 📑 The script mentions the typical structure of a policy document, including an introduction, explanation, and purpose, which often leads to excessive preamble before the actual policy statements.
- 📈 The speaker introduces a system for creating succinct, easy-to-understand policy statements that can be linked to various policy areas and individuals within the organization.
- 🔗 Policy statements are broken down into individual components that can be applied to multiple policy collections, such as data collection, cybersecurity, and data quality.
- 🔒 A specific example is given about the policy on collecting information for cookies without identifying individuals, which is related to the cookie policy collection.
- 🛡️ The script discusses the creation of policy collections, such as cybersecurity, data security, data quality, backup, privacy, cookies, and retention, which are essential for GDPR compliance.
- 📋 The retention policy is used as an example to illustrate how the purpose and scope of policy collections are defined, and how individual statements contribute to these collections.
- 📘 The flexibility of the system allows for policy statements to be applied across multiple policy areas, streamlining compliance efforts.
- 🖨️ Once satisfied with the policy collection, the option to print a copy of the policy is available, providing a tangible record of compliance.
Q & A
What is the main focus of the video script?
-The main focus of the video script is to discuss the approach to creating and managing company policies, especially in compliance with the General Data Protection Regulation (GDPR).
What is the unique view on policy held by the speaker's company?
-The speaker's company believes in creating a living policy document that is easily understandable, enforceable, and can be applied across various policy areas and individuals within the organization, rather than a static document that doesn't meet the company's needs.
Why does the speaker criticize the standard approach to policy creation?
-The speaker criticizes the standard approach because it often results in a document that is not a living policy, is not applied within the organization, and is filled with unnecessary introductions and explanations before getting to the actual policy statements.
What is the speaker's company's approach to policy statements?
-The company's approach involves creating succinct statements that are easy to understand and enforce, and can be linked to various policy areas and people within the organization.
How does the speaker's company organize policy statements?
-The company organizes policy statements into individual statements that can be applied to multiple policy collections, allowing for flexibility and efficiency in policy management.
What is the purpose of the 'retention policy' mentioned in the script?
-The purpose of the retention policy is to define the retention period for each category of information stored by the company.
What does the speaker mean by 'doing things once and keeping it simple'?
-The speaker is emphasizing the importance of creating policy statements that can be applied across multiple policy areas, avoiding redundancy, and maintaining simplicity in policy management.
How does the company's policy system relate to the GDPR?
-The company's policy system is designed to help organizations comply with the GDPR by providing a structured and efficient way to manage policies related to data protection, privacy, and cybersecurity.
What is the next topic the speaker plans to discuss after policies?
-The next topic the speaker plans to discuss is the data protection impact assessment.
What is the speaker's final message to the audience?
-The speaker's final message is to encourage the audience to find compliance simple and to look forward to the next discussion on data protection impact assessments.
Outlines
📅 Countdown to GDPR Enforcement
This paragraph introduces the urgency of the GDPR enforcement deadline, which is fast approaching in about seven to eight weeks from the start of April. The speaker emphasizes the need to quickly address compliance policies within the organization. It suggests that the standard approach of using generic templates is not effective, as it does not create a living document that is applied and enforced within the company. Instead, the speaker proposes a unique approach to policy creation that is succinct, easy to understand, and enforceable, with the ability to link policy statements to various policy areas and individuals within the organization.
📝 Simplifying Policy Statements for GDPR Compliance
The speaker discusses the company's approach to breaking down policies into individual, succinct statements that are easy to understand and enforce. These statements can be linked to various policy areas, such as data protection, cybersecurity, and privacy. The paragraph explains how policy statements are created, such as one about collecting information for cookies without identifying individuals, and how they relate to specific policy areas like data collection and cybersecurity. It also demonstrates how these statements can be grouped into policy collections, such as the cybersecurity policy collection, which includes the purpose, scope, referenced standards, and related statements.
🔒 Policy Collections and GDPR Compliance
This paragraph delves into the concept of policy collections, which are groups of policy statements that are applied to various areas of the business, including GDPR compliance. The speaker highlights the importance of having a comprehensive set of policy collections that cover areas such as cybersecurity, data security, data quality, backup, privacy, cookies, and retention. The paragraph provides an example of the retention policy, explaining its purpose to define the retention period for different categories of information and its scope, which includes all stored information. It also illustrates how individual policy statements can be applied to multiple policy areas, offering flexibility and efficiency in policy management.
🖨️ Printing and Implementing GDPR Policies
The final paragraph of the script discusses the process of finalizing and printing the policy collection once the user is satisfied with its content. The speaker suggests that having a well-crafted policy collection sets the stage for other areas of GDPR compliance, such as procedures and documentation. The paragraph concludes by hinting at the next topic to be covered in the series, which is the data protection impact assessment, and it reassures the audience that the approach to policy creation and management is designed to be simple and user-friendly.
Keywords
💡GDPR
💡Policy
💡Compliance
💡Living Policy Document
💡Cybersecurity
💡Data Protection
💡Data Collection
💡Policy Statements
💡Data Retention
💡Privacy
💡Data Protection Impact Assessment (DPIA)
Highlights
Start of April means 7-8 weeks until GDPR becomes enforceable, emphasizing urgency
Standard approach criticized for using generic Word templates that don't meet specific needs
Proposed approach involves creating a living policy document that is applied within the organization
Traditional policies often have 3 pages of description before actual policy content
Introduces a system with succinct statements that are easy to understand and enforce
Policy statements can be linked to various policy areas and people within the organization
Demonstrates breaking down policies into individual statements for clarity and applicability
Example given of a policy statement on collecting information for cookies without identifying individuals
Policy statements can be part of multiple policy collections, such as cybersecurity and data protection
Shows how to apply a single policy statement like strong passwords across different policy areas
Policy collections are organized by areas like data security, data quality, privacy, etc.
Retention policy defines the period for storing information and applies to all stored data
Policy statements can be flexibly assigned to multiple policy areas, like financial regulations
Emphasizes the ability to do things once and apply them across collections for simplicity
Option to print policy collections for a tangible copy of the policy
Praises the policy capturing and recording method for its ease of use
Sets the stage for discussing procedures and documentation needed for GDPR compliance
Teases upcoming discussion on data protection impact assessments
Transcripts
Hi and welcome back to the Guideline GDPR compliance journey. It's now the start of April, so that means we've got seven or eight weeks to go until the GDPR becomes enforceable, so a lot to do for not much time. So let's crack on with policy.

Now, policy is something that we have quite a unique view on here at Guideline, because having worked in lots of big businesses and very small businesses, the standard approach seems to be to get a Word template, complete the company name and have a document that doesn't really meet what you need, isn't really a living policy document and doesn't get applied in your organization. What we typically see is an introduction and explanation of the document: why it's needed, what it's for, what the purpose of it is, who's included, these sorts of things. You end up with three pages of description before you even get to any policy. So we have a different approach. We have a system, which I'll show you in a minute, and we have lots of very succinct statements that are easy to understand and that are easily enforceable, and we can link those statements to any number of policy areas and to any people within the organization. So we think it's a much simpler approach, and I'm going to take you through some of those areas that apply to the GDPR.

So as I said, we break down our policies into a number of individual policy statements. We can see here at the top we have a statement about collecting information for cookies, and we're doing so in a way which does not identify anybody, and you can see that's related to the policy collection on cookies. If we look down further we've got various other policy statements. This one, "all passwords must be strong and meet password standards", goes into our cybersecurity policy collection. In this way we can create a whole number of statements which can then be applied into a number of policy collections. So as an example, "collection of data is only made from reliable and reputable sources", which can be applied to data quality, data protection and to cybersecurity. If we go back and look at the password standards policy statement again, and if we click on cybersecurity, we can see information about the cybersecurity policy collection: its purpose, its scope, the standards that are referenced and all the statements that go together to make up that policy collection.

So let's now jump to our policy collections. We've got a large number of collections across the business, but for now let's focus on our GDPR policy collections, and you can see that this is made up of various areas. So we've got cybersecurity, data security, data quality, backup, privacy, cookies, retention and so on. If we look at the retention policy we can see that the purpose is to define the retention period for each category of information stored by the company, and that the scope is all stored information. Further down we have the individual policy statements that make up this policy, and we can also see that there are some statements, this one for example on records relating to pension schemes, that will apply in one or more policy areas. So this gives us the flexibility to assign this one not just to information retention but also to financial regulations that we might also have to comply with. So this means that we can do a policy statement once and apply it across a number of collections, and that really is at the heart of what Guideline does: do things once and keep it simple.

Once I'm happy with my policy collection I then have the option to click print, and I can print a copy of my policy. So I hope that gives you an idea of how we capture and record policy. We like it, we think it's very easy to use, and that really sets us up nicely for a number of other areas of the GDPR we need to look at in terms of procedures, what our retention might look like, some of the documentation we need to do; it can all be fed from those policies that we've put in place. So that's it for policy. We'll be back very soon to talk about the data protection impact assessment, and until then we hope you find your compliance simple.