GDPR Assessment Editor
The GDPR Assessment Editor allows you to create, record and manage assessments as you go through the whole GDPR process. There are 3 types of assessments you can create:
- Data Audit
- Data Mapping
- Risk Assessment
These assessments provide a structured process for analysing the data in your privacy network; they also help demonstrate compliance with the GDPR framework.
The different types of assessment can be applied to carry out industry standard approaches such as a Supplier Risk/Data Assessment, a SWOT (or SLOT) analysis or a GAP analysis.
Assessments can be linked to the GDPR framework at each Stage and Section to assist you in becoming compliant.
When creating a new Assessment you can enter the following:
- Title: Description of the assessment, for example Data Breach GAP analysis
- Type: Select the basic type of assessment you are going to carry out. Options are:
  - Data Mapping
  - Data Audit
  - Risk Matrix
- Section: If you wish to link this assessment to a particular Stage and Section within the framework, select it or leave it blank. If you click on the Show section info link a copy of the text from that Stage/Section will be displayed to help you identify what that section is trying to achieve.
- Details: Enter a description about this assessment
- Notes: Enter any supplementary notes about this assessment
At this point the Assessment must be saved: click the Save button. Once saved, the Assessment Items table is displayed.
Adding Assessment Items
Within your Assessment you can add any number of items as you carry out your task. For example, you might be doing a Data Mapping Assessment looking at what type of data is being collected throughout the organisation; you could then create assessment items at various operational or process points such as:
- Data Collection - Web site
- Data collection - Accounts
- Data collection - Telephone sales
- Data collection - Email/Postal sales
- Data collection - Maintenance
- Data collection - IT
For each assessment item you can specify the following:
- Item Order: A display or process order, used simply to define the order in which you wish to carry out the items.
- Item Type: There are 2 options for the Item Type:
  - Data Mapping - Used whenever the focus of this item is data, for example looking at what types of data are being collected, where they are stored and how they are being used.
  - Risk Assessment - Used when the focus of this item is risk, for example looking at how securely data is held, stored and transmitted between you and a supplier, or assessing how secure your systems are against cyber attack.
- Item Title: Summary title for this item.
- Owner: You may assign this assessment item to a member of your GDPR team, usually because they are carrying out that task or they are the person responsible for the data.
- Item Details: Detailed description of the item, your approach, methods used, issues found, etc.
- Notes: Any additional notes taken during this assessment.
- Mitigation: If you discover issues or high risk within this assessment item, you can explain how you are mitigating the issues. For example, in a Data Mapping item you may discover that telephone operators are taking down contact details in case they get cut off from a phone call; this data needs managing, and the mitigation may be that the operator asks permission prior to recording the data and the IT systems delete all temporary details every 6 weeks. Or, during a Risk Assessment, you assess that smart phones contain data being used by the sales team, and the risk is that they lose their phone or get it stolen; mitigation could be password protection, auto-erase on failed login attempts, biometrics or apps that track phones.
- Data Types: During an assessment you will be finding out which types of data are being collected, used, stored or processed. Within each assessment item you can identify these types of data from the Data Types list you have previously created.
- Item Severity: For Risk Assessments you specify what level of severity this item has on the privacy network. It can be one of the following values:
  - Insignificant: Risks that bring no real negative consequences, or pose no significant threat to the organization or project.
  - Minor: Risks that have a small potential for negative consequences, but will not significantly impact overall success.
  - Moderate: Risks that could potentially bring negative consequences, posing a moderate threat to the project or organization.
  - Critical: Risks with substantial negative consequences that will seriously impact the success of the organization or project.
  - Catastrophic: Risks with extreme negative consequences that could cause the entire project to fail or severely impact daily operations of the organization. These are the highest-priority risks to address.
  For example, if the data in question was TRACKING Computer Device (information about a device that an individual uses for personal use (even part-time or with others): IP address, MAC address, browser fingerprint), the severity may be Insignificant; however, if the data was EXTERNAL Identifying (information that uniquely or semi-uniquely identifies a specific individual: name, user-name, unique identifier, government issued identification, picture, biometric data), the severity could be Critical or Catastrophic.
- Likelihood: For Risk Assessments you specify the likelihood of this item occurring. It can be one of the following values:
  - Unlikely: Extremely rare risks, with almost no probability of occurring.
  - Seldom: Risks that are relatively uncommon, but have a small chance of manifesting.
  - Occasional: Risks that are more typical, with about a 50/50 chance of taking place.
  - Likely: Risks that are highly likely to occur.
  - Definite: Risks that are almost certain to manifest. Address these risks first.
  For example, if the item was physical theft and the data was stored in a strong room, with monitored alarms, biometric entry and manned 24/7, the likelihood is probably Unlikely; however, if the data was being carried in a car between offices, the likelihood may be Occasional.
- Risk Rating: Based on the Item Severity and the Likelihood, the system automatically generates a Risk Rating between 1 (low risk) and 25 (high risk). This is simply calculated as Severity x Likelihood, where Severity goes from 1 (Insignificant) to 5 (Catastrophic) and Likelihood goes from 1 (Unlikely) to 5 (Definite).
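The rating calculation above, worked through as an added example that is not part of the editor's own code: a small Python module that encodes the two 1-5 scales, computes Severity x Likelihood, builds the full 5x5 matrix and orders a list of assessment items highest risk first so the items to address first surface at the top. It rejects any severity or likelihood outside the two scales rather than silently producing a rating. The item titles and values in SAMPLE_ITEMS are constructed for the illustration and are not data from the page.

```python
from enum import IntEnum

# The two scales as described on the page: 1 (lowest) to 5 (highest) on each axis.
class Severity(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    CRITICAL = 4
    CATASTROPHIC = 5

class Likelihood(IntEnum):
    UNLIKELY = 1
    SELDOM = 2
    OCCASIONAL = 3
    LIKELY = 4
    DEFINITE = 5

def _parse(scale, value):
    """Accept an enum member, its integer value (1-5) or its name (any case).
    Anything outside the scale raises ValueError, so a bad input never
    yields a rating."""
    if isinstance(value, scale):
        return value
    if isinstance(value, str):
        try:
            return scale[value.strip().upper()]
        except KeyError:
            raise ValueError(f"{value!r} is not a valid {scale.__name__}") from None
    return scale(int(value))  # ValueError for anything outside 1..5

def risk_rating(severity, likelihood):
    """Risk Rating = Severity x Likelihood, giving 1 (low risk) to 25 (high risk)."""
    return int(_parse(Severity, severity)) * int(_parse(Likelihood, likelihood))

def risk_matrix():
    """The full 5x5 table: {(severity name, likelihood name): rating}."""
    return {(s.name, l.name): int(s) * int(l) for s in Severity for l in Likelihood}

def prioritise(items):
    """Attach a rating to each assessment item and order them highest risk
    first (ties broken by severity), so the items to address first are at
    the top. Each item is a dict with 'title', 'severity' and 'likelihood'."""
    rated = []
    for item in items:
        sev = _parse(Severity, item["severity"])
        lik = _parse(Likelihood, item["likelihood"])
        rated.append({**item, "severity": sev.name, "likelihood": lik.name,
                      "rating": int(sev) * int(lik)})
    return sorted(rated, key=lambda r: (-r["rating"], -Severity[r["severity"]]))

# Constructed sample assessment items (hypothetical; not data from the page).
SAMPLE_ITEMS = [
    {"title": "Sales team smart phones", "severity": "Critical", "likelihood": "Occasional"},
    {"title": "Paper records carried between offices", "severity": 3, "likelihood": "Occasional"},
    {"title": "Web analytics device tracking", "severity": "Insignificant", "likelihood": "Likely"},
    {"title": "Archive in monitored strong room",
     "severity": Severity.CATASTROPHIC, "likelihood": Likelihood.UNLIKELY},
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_ITEMS):
        print(f"{row['rating']:>2}  {row['severity']:<13} {row['likelihood']:<10} {row['title']}")
```

Running the module lists the four sample items with ratings 12, 9, 5 and 4 in that order; note that the strong-room archive (Catastrophic x Unlikely = 5) ranks above the web tracking item (Insignificant x Likely = 4) even though theft there is far less likely, which is the behaviour of a pure product matrix.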
Save and Email: Click this button to save the Assessment, automatically e-mail it to the Assigned To contact's email address and close the window.
Save: Click this button to save the Assessment and close the window.
Close: Click this button to discard any changes to the Assessment and close the window.
Delete: Click this button to delete the Assessment. You are asked to confirm the deletion; clicking Yes deletes the Assessment and closes the window.
PDF: Click this button to generate a PDF of this Assessment.
HTML: Click this button to generate an HTML report of this Assessment in a new window.