A fundamental element of any data protection framework is to understand how data moves throughout your organisation.
This is often captured in the Record of Processing Activities (RoPA), sometimes called a data map. An effective RoPA will identify how you collect, process, store and share personal data. It will show you how data moves within your organisation and how long you keep it for. Without this key information it is extremely difficult to demonstrate compliance.
The RoPA or data map is such an important piece of your GDPR compliance arsenal that you should ensure it’s done correctly and managed effectively.
Here at Heimdall360 Ltd we can:
· Help you identify your data lifecycle.
· Capture your data flows effectively.
· Put tools in place to help you manage them.
The more you know about how data moves within your organisation, the easier it is to secure and control it.
Data Protection requires a number of risk-based assessments, whether they are for security, the use of a data processor, or to ensure the rights of individuals are protected. Heimdall360 Ltd can produce these assessments, ensuring any risks to you and your customers are identified and managed accordingly.
The most important of these is the Data Privacy Impact Assessment (DPIA) as it identifies and manages any processing that poses a high risk to individuals. If these assessments are not carried out, or are completed incorrectly, you could be left with significant risks both for you and your customers. If the worst happens, you could find yourself fined by the regulating authority. We can take the stress out of these assessments by ensuring you have a robust and repeatable process and expert advice on hand for any tricky situations.
We can also help with the most common assessment organisations will need to complete: the Legitimate Interest Assessment. If you are relying on Legitimate Interests as a lawful basis for any of your processing, you must have a balancing statement justifying your case.
Sharing the personal data of your customers with your suppliers or partners is one of the riskiest things most organisations have to do. Ultimately it means you lose control of your data, and you have to trust that others will protect it in the same manner you do.
How do you know your suppliers are looking after your data correctly? Have you checked their policies and processes, and what assurance do you have that they are actually implemented effectively? It’s a difficult question that many organisations struggle with.
We can assist you in establishing a flexible yet repeatable supplier assessment process, or we can carry out the assessment for you. We can produce a risk-based report with recommendations to help you decide how to proceed.
A good supplier risk assessment will enable you:
· to understand the risks to your data.
· to know what to do to reduce that risk.
· to provide a documented record in case you are investigated by the regulator.
Like any business function, Data Protection requires you to establish a number of formal documents to communicate and embed good practice within your organisation.
Without documentation you will find it difficult to ensure employees are carrying out the required functions in a repeatable manner, and you will not be able to demonstrate to your suppliers how you comply with the law or how you meet their contractual requirements. Most importantly, if you were subject to an investigation you would find it difficult to build a defendable position to protect your business.
We have a full range of documents that can be adjusted to your requirements. Depending on the size, shape and function of your organisation you may be able to use a template or you may want to have something bespoke. In either case we have the expertise and ability to meet your requirements, drafting what is best for you and your business.
Once you have established your Data Protection and Information Security framework, you will need to monitor and maintain it. Controls should be regularly monitored to make sure they remain effective and documentation should be reviewed and adjusted where necessary.
While some of this can be achieved with internal audits, these are not always effective. Our audit services can provide the independent assurance you need to confirm everything is working the way you expect, and to highlight any weaknesses.
Regular independent audits are recommended by the Information Commissioner’s Office (ICO), which regulates GDPR within the UK. They also help demonstrate your commitment to Data Protection to your clients, customers, employees and suppliers.
While you cannot outsource the accountability element of GDPR, as this remains with you as the Data Controller, you can outsource many of the implementation, monitoring and management functions to organisations like Heimdall360 Ltd.
We can ease the pressure by:
· Ensuring you have the most appropriate framework in place.
· Assisting you in monitoring how the framework is performing.
· Managing many of the processes.
· Providing regular reports to your management groups demonstrating your performance.