
We're the tool that the DPO wants to use

We're a tool of

  • GDPR implementation
  • Continuous governance
  • Demonstration of conformity

What does the tool allow us to do?

Announce the role and name of the DPO and publish the Personal Data Protection Policy

  • Officially appoint the DPO, who must have the necessary competencies to perform the role
  • Write and publish a simple, understandable personal data protection policy that is in line with the business model
  • Personal data protection is a goal of the entire organization

Identify a strategy and plan a privacy and awareness project

  • Define a strategic objective for processing personal data
  • Define a project calendar with the DPO's tasks
  • Involve all critical areas (HR, IT, Finance, Legal, Risk Management and Audit)
  • Define an awareness plan with a legislation guide, brochure and online training

Identify and record personal data operations

  • Our organizations collect and process different types of personal data, so it is important to ensure that the inventory of the existing data is done correctly, along with its processing and the recording of actions and protective measures
  • Have a clear approval process, with evidence of approval in the workflow
  • Guarantee the lawfulness of the processing through the data subject's consent, in accordance with the law
  • The record of these activities is the basis for the legal validation of data protection measures and for evidence of governance

Identify Individual Rights and Transparency

Individuals have the right to be informed about the data and categories of data processed, the recipients or categories of recipients, the retention period and the processing criteria. In practice this means:

  • Right of access
  • Right to be informed
  • Right of rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object
  • Right to data portability
  • Opposition to automated decisions and profiling

Manage the supply chain

  • Individuals have the right to be informed about the data and categories of data processed, and the recipients or categories of recipients

Manage incidents and “data breach management”

  • Individuals have the right to be informed about the data and categories of data processed, and the recipients or categories of recipients

Privacy by design, privacy by default, PIA and DPIA

  • Implement a process with adequate technical and organizational measures to protect personal data during the development phase of a product (privacy by design)
  • Ensure that controllers only process the required data in a secure and adequate manner (privacy by default)
  • PIA and DPIA are risk management and analysis tools that allow processing operations to be assessed in order to safeguard the rights and freedoms of data subjects and to identify technical and administrative protection measures

Manage compliance, risk and monitor

  • One of the biggest changes concerns compliance, which requires the correct application of the principle of "accountability". Controllers and processors are now required to demonstrate their own compliance, so organizations have to implement accountability processes and keep a proper record of activities
  • In summary, from the regulator's point of view, organizations are expected to have evidence of a compliance culture that goes far beyond tick-box compliance
  • Involve all critical areas (HR, IT, Finance, Legal, Risk Management and Audit)
  • GDPR requires controllers and processors to maintain a written record of processing activities and to demonstrate governance and the implementation of appropriate measures

GDPR Maturity Model

Level 1: Initial

  • Ad hoc processes
  • Know the legislation

Level 2: Development

  • Leadership
  • Named DPO
  • Initial awareness-raising

Level 3: Defined

  • Initial plan design
  • Data Protection Policy
  • Departmental accountability awareness

Level 4: Managed

  • Definition of data collection and elimination processes
  • Definition of third-party processing (subcontractor)
  • DPIA risk analysis
  • Technical protection measures
  • Monitoring

Level 5: Optimized

  • Embedded risk culture
  • Individual responsibility
  • Continuous improvement cycle
  • Response to data breach security incidents
  • Recovery plan
  • Demonstrate compliance

I want to be compliant