GDPR control framework implementation key components

Company

The name of your organisation

  • Data Protection Policy
  • Personal Data Risk Appetite
  • Personal Data Governance
  • Change management process to maintain the Data Protection Policy
  • Change management process to maintain the Personal Data Risk Appetite and Governance
  • Personal data operating model
  • Organisation chart
  • Resources
  • Standards
  • Procedures
  • Training

Address

The address, telephone and central email of your company

  • You may need to register with your country's data protection regulator

Data Protection Officer / Lead (DPO)

The address, telephone and email of the person responsible for your company's data protection

  • You may need to register this person with your country's data protection regulator
  • Justification for not registering a DPO (if applicable)
  • DPO selection, training, empowering
  • DPO is responsible for Subject Access Requests
  • DPO is responsible for data breach handling and notification
  • DPO is responsible for the ICO relationship
  • DPO is responsible for risk assessments and quality assurance
  • DPO develops and implements the Data Protection Policy
  • DPO provides information and guidance on the processing of all personal data
  • DPO produces “best practice” guidance material for staff
  • DPO organises the delivery of staff training
  • DPO monitors compliance with the GDPR across the organisation
  • DPO reports directly to the Executive level

Data use

How data is used and if it is used in automated decision making

  • An inventory of personal data use and processing
  • A mechanism for maintaining the inventory
  • Digital and physical security measures
  • Digital and physical access permission measures
  • Data breach monitoring
  • Data breach response plan
  • Change management process to maintain the data breach response plan
  • Internal instructions to refer any material or suspected data breach to the DPO
  • Internal instructions to immediately refer all desired process changes to the DPO
  • Metrics gathering process to collate and send breach data to the DPO
  • An information security policy
  • Change management process to maintain the information security policy
  • Change management process to maintain security and access
  • Change management process to maintain business continuity
  • Change management process to maintain and embed quality into processing (DPIA results)
  • Recovery process to restore personal data to its pre-incident state in a timely manner
  • Change management process to maintain data use text in product and service contracts
  • Change management process to maintain data security and integrity for joiners and leavers

Legal bases

The legal bases you use for lawful processing

  • An inventory of personal data use and processing
  • The selected legal basis for justifying each process
  • Contracts for all third parties from which personal data is received stating roles, responsibilities, accountability and liability
  • An inventory of these contracts showing parties, roles, responsibilities, accountability and liability
  • Change management process to maintain the legal bases
  • Change management process to maintain the contracts and contract inventory

Recipients

Entity categories that will access or receive the personal data

  • An inventory of personal data use and processing
  • The categories of people participating in each process
  • Contracts for all third parties that access or receive personal data stating roles, responsibilities, accountability and liability
  • An inventory of these contracts showing parties, roles, responsibilities, accountability and liability
  • Change management process to maintain participant categories
  • Change management process to oversee participant categories that are processors
  • Change management process to maintain the contracts and contract inventory
  • Change management process to maintain a list of who received personal data and what they received

Transfers

Contracts and control over where data is sent, stored and processed

  • An inventory of personal data use and processing
  • The countries participating in each process
  • Contracts for all third parties in these countries stating roles, responsibilities, accountability and liability
  • An inventory of contracts showing parties, roles, responsibilities, accountability, liability and the chosen legal transfer control mechanism
  • A justification of the selected transfer control mechanism or derogation used as a legal basis for each data transfer
  • The selected transfer control mechanism or derogation (acceptable exception) used as a legal basis for each data transfer
  • Change management process to maintain participant countries
  • Change management process to maintain the contracts and contract inventory
  • Change management process to maintain a list of who received personal data and what they received

Retention

How long the personal data will be retained

  • A retention and deletion policy
  • Change management process to maintain the retention and deletion policy
  • Processes to ensure and verify that data is stored for no longer than is necessary

Provision

What happens if personal data isn't provided

  • A statement justifying processes that cannot be performed without personal data

Consent

The right to give and withdraw consent

  • Privacy Notices and communications written in clear English, taking into account the comprehension skills of adults and children
  • An output mechanism allowing the lawful sending of a Privacy Notice or communication
  • An input mechanism allowing the receipt of consent status in response to a Privacy Notice or communication
  • A mechanism to ask for further proof of identification in order to ensure that the consenting individual is the true owner of the personal data
  • A mechanism to ask for further proof of identification in order to ensure that the adult consenting on behalf of a child is the child’s true parent or legal guardian
  • An inventory of Privacy Notices and communications showing what was sent, when sent and the unconditional consent status (accepted/withdrawn)
  • Change management process to maintain the Privacy Notice and communication text
  • Change management process to maintain the inventory
  • Change management process to stop/start processing based on the consent status
  • Change management process to communicate the consent status to third parties who have received the data

Rights support

The right to access, change, delete, restrict, object, request a copy

  • An inventory of each data subject’s personal data
  • Internal instructions to refer all rights access requests directly to the DPO
  • An input mechanism allowing the receipt of a rights request to access, change, delete, restrict, object, request a copy
  • A process to review the rights request and decide on an appropriate course of action
  • An inventory of rights requests showing when received, action taken, resolution, and communication back to the individual
  • A mechanism to allow the individual to view his/her personal data
  • A mechanism to ask for further proof of identification in order to ensure that the individual requesting action is the true owner of the personal data
  • A mechanism to implement the personal data changes or deletions requested by the individual
  • A mechanism to respect the restrictions and objections to processing requested by the individual
  • Change management process to stop/start processing based on the consent status
  • A mechanism to collate, create and send personal data to the individual or another entity
  • Change management process to communicate any changes, deletions, restrictions and objections to third parties who have received the data

Complaints

The right to complain to the regulator

  • Open communication channel with the regulator
  • Immediate escalation channel to the Executive upon receipt of a complaint registered with the regulator
  • Response plan in the event of a complaint