InfoComply Solutions for General Data Protection Regulation (GDPR)


GDPR

The main purpose of the GDPR is to increase the data privacy rights of European Union citizens, giving them more control over their personal data. Essentially, the GDPR is a set of regulatory rules and measures intended to standardize privacy rights across the EU. Because it is law, any organization that processes or controls any form of personal information relating to EU citizens must comply with it.

GDPR mandates have huge ramifications for those who participate in data collection. Some regulations that have businesses scrambling to comply include the following: data subjects may view and delete any data that concerns them; data policies must be transparent and straightforward enough that the average person can understand any risks associated with the sharing of their information; businesses are compelled to give customers notice of a data breach within 72 hours; and businesses are expected to follow “privacy by design” principles.

The InfoComply software platform helps organizations meet these GDPR requirements by automating records of processing activities, performing privacy impact assessments and data mapping, identifying privacy risks, and enforcing risk management activities in an integrated platform.

InfoComply experts are ready to guide you with industry-proven solutions and best practices, with the bottom line of faster compliance and reduced risk.


Below are 10 steps that can help your organization reach GDPR compliance. InfoComply will work with you every step of the way, helping you reduce the time to reach compliance.

1 - Governance and Accountability

The GDPR requires all organizations to implement a wide range of measures to reduce the risk of breaching the GDPR and to prove that they take data governance seriously. These include accountability measures such as Privacy Impact Assessments, audits, policy reviews, activity records, and appointing a Data Protection Officer (“DPO”).

  • Privacy Impact Assessments (PIAs)
  • Policy reviews
  • Audits
  • Activity records
  • Appointment of a Data Protection Officer (DPO)

The GDPR also requires implementation of technical and organizational measures to both ensure and prove that processing is being performed in accordance with GDPR regulations, and that the data processed is being reviewed and updated as necessary.

We can help. The Infocomply Readiness Assessment automation tool is designed to identify gaps in your current privacy program as it relates to GDPR, provide executive-level visibility and reporting, and demonstrate accountability and compliance in the event of a regulatory audit.

2 - Privacy by Design and Secure Processing

Organizations have to implement technical and organizational measures to show that they have carefully considered data compliance measures and integrated them into their data processing activities.

Where processing operations may result in high risk, the GDPR requires that a Data Protection Impact Assessment (DPIA) be conducted by controllers. Many stipulations within the GDPR make this more involved than a standard questionnaire; for example, requiring a Data Protection Officer (DPO) to be involved in specific workflows, tracking mitigation activities, documenting risk as it pertains to harm to the data subject, consultations with the individual, etc.

We’ve got some questionnaires ready for you. InfoComply software provides many pre-defined screening and DPIA questionnaires to choose from, or organizations can import and tailor their own using a point and click, drag and drop interface. Infocomply provides features to extend approval and risk-tracking workflows, distribute the questionnaires to business users via email notifications or a self-service portal, and collect responses and analyze risks through automated or manual risk identification.

3 - Data Mapping and Records of Processing Activities

The GDPR requires anyone who processes personal information to keep accurate records of their data processing activities.

Data mapping refers to the process of generating an inventory of the organization’s data flow and keeping it up to date. The GDPR does not mention data mapping specifically, but it does set forth the requirement that controllers and processors (both B2B and B2C) maintain an inventory of their processing activities. The requirements dictated in GDPR Article 30 are very specific, so even if an organization has previously used data mapping, it will need to update or redefine its parameters to meet GDPR requirements.

We can help leverage your organization’s existing data map and inventory to meet Article 30 obligations. InfoComply software enables the capture of data flow inventory through approaches such as surveys, scanning technologies, and workshops. It also helps keep your inventory up to date with PIA assessments for ongoing changes across the enterprise. To make it easier for you to implement, InfoComply software provides out-of-the-box extendible templates designed to address the specificity of Article 30 regulations.

4 - Data Protection Impact Assessment

Your organization will need to methodically assess risks for specific areas, projects, and systems; update roles, policies, procedures, and technical standards; and review your Enterprise Risk Management (ERM) Framework, making adjustments as necessary.

InfoComply software makes it easy to assess risks.

5 - Consent and Information Disclosures

Requests for an individual’s consent to use his or her data must be presented clearly and be easily revocable, and it is unlawful to make access to a service dependent upon an individual’s consent to the use of his or her personal data. This means your policies need to be clear, and your record-keeping accurate and complete.

InfoComply can help you ensure valid consent. Infocomply software provides a consent management solution that can be embedded into the organization’s website, or options can be provided via other notification touch points, devices or internal systems for capturing consent transactions in a standardized manner.

InfoComply helps organizations easily demonstrate consent individually to regulators, as well as provide data subjects a list of things they have consented to for acceptance or withdrawal of their consent.

6 - Data Subject Requests, Notifications and Communications

GDPR allows 30 days for the handling of Data Subject Access Requests (DSARs). Your organization will need a standardized process to review and manage DSARs, obtain the data collected on the requesting individuals, and correct or remove it.

InfoComply simplifies DSAR management. InfoComply software provides organizations with the ability to customize a branded web form, link to the form from the company’s privacy policy webpage, receive notification when a request has been submitted, and automatically request an extension if a deadline approaches. When the request is fulfilled, data must be securely transmitted to the individual, and the request linked to the underlying data map to efficiently record the data in order to generate the proper documentation and evidence in the event a regulator inquires about the request.

7 - Transfers, Sharing and Third Parties

Be especially aware that the transfer of personal information to individuals/parties outside the European Economic Area (EEA) is regulated and, in certain circumstances, restricted. Make sure you know where the personal data you manage is at all times.

InfoComply software keeps track of your data.

8 - Training and Competency

The stakeholders and personnel within your organization need to be trained on the intricacies and ramifications of GDPR. To be effective, GDPR awareness training should address stakeholders across multiple channels and functions. Specific training materials should be offered to employees, Customer Support, HR, Marketing, IT, and other key stakeholder areas.

We’ve done the work for you. InfoComply’s training toolkit provides training content which can be further customized for enterprise needs, so you don’t have to spend time gathering and organizing the information needed to present an effective training session.

9 - Breach Management

Companies need to have a plan in place to help them meet GDPR’s 72-hour breach notification requirement. Without a plan, it may be difficult or impossible to meet this requirement in the allotted time.

InfoComply takes documentation seriously. InfoComply software helps organizations develop a systematic process to document an incident, understand if the incident has resulted in a breach, analyze the breach for harm to the individual, and determine whether notification is required to the supervisory authority and the data subject.

10 - Audits and Monitoring

GDPR compliance is not just important to uphold your company brand; it is required by law. To ensure that your organization is and continues to be in compliance, it is essential to conduct periodic independent audits and reviews of your existing GDPR program. This will help you determine your current compliance status as well as identify areas for improvement.

We’ve got you covered. The InfoComply Audit and Evidence Module contains the tools needed to consider key articles of regulation and to provide documented evidence.