This document outlines 16 steps for ensuring a GDPR-standard data protection system. It involves analyzing evidence from process owners, assessing compliance of controller-processor contracts and data processing instructions, ensuring data is deleted after relationships end, providing guarantees to controllers, notifying controllers of additional processors, requiring staff confidentiality, marking data processing assets, assisting with data subject requests and rights, assisting with security breach notifications and risk analysis, demonstrating compliance as a processor during audits, and issuing recommendations to achieve full compliance.
Analyze evidence and meet separately with each process owner
Assess compliance and relevance of the controller-processor contract
Assess if data are processed only on the controller's instructions, including transfers outside the EEA
Assess if data entrusted by the controller are deleted or returned at the end of the controller-processor relationship
Assess if your firm can provide controllers with sufficient guarantees
Assess if the controller is notified and asked for consent before another processor is engaged
Assess if any other processor commits to the same duties as the initial processor
Check if staff processing the controller's data are obliged to confidentiality
Mark assets processing the controller's data in the asset owners questionnaire, so that particular attention is paid to them in step 7
Assess if your organization immediately forwards data subject requests to the controller and is able to assist the controller with fulfilling all data subject rights
Assess if your organization is able to assist the controller with its GDPR art. 32-36 obligations, especially by timely breach notification and management, as well as by providing risk analysis results
Assess if your organization is able to demonstrate fulfillment of its obligations as a processor, including when the controller exercises the right to audit
Issue recommendations, fulfillment of which brings full compliance