Using complyThing to deal with real world GDPR challengesJulie WhitingAugust 22nd 2018
To show how complyThing, our data governance, risk and compliance management tool works, we tested it against a scenario we found on LinkedIn which will hopefully help you to further understand how our GDPR tool can be applied and what it offers...
In the past year, organisations and individuals have been shouting over many social media channels, blogs, adverts and more about how the GDPR was going to destroy companies and transform how we do business forever. While there may be a shred of truth to the point that failure to comply with the regulation is not a great business strategy, it has become very difficult what is real advice and what is pure hyperbole to get clicks on an article.
We recently introduced complyThing, our data governance, risk and compliance management tool. It has been used internally at cloudThing for a number of months, and beta-tested by some trusted customers to ensure there’s nothing we missed. We built this solution to make data governance as calm and boring as it should be, without any claims of company-ending fines or panic, we just wanted something that was automated, scalable and made ongoing management simple, easy and inexpensive.
To show how complyThing works, we tested it against a scenario we found on LinkedIn which will hopefully help you to further understand how our GDPR tool can be applied and what it offers. In this ‘Nightmare Letter: A Subject Access Request under GDPR’, you can read examples where our tool will turn this ‘nightmare’ into nothing more than a blip in your data protection officer’s otherwise restful, regulation compliant sleep.
The below 6 extracts outline the scenario of a customer requesting their information from a company, an action they can demand for according to Article 15 of the Directive 95/46/EC - General Data Protection Regulation, and below each one is an explanation of how complyThing’s elements can help resolve this issue.
First and foremost, any requests for personal data must be accepted and acted upon by the receiving company. According to Article 15 of the Directive 95/46/EC - General Data Protection Regulation, the ‘controller’ (the company receiving the request) is obliged to ‘provide a copy of the personal data undergoing processing’. This can be a major worry for organisations who do not have a single view of where their data sets are held, and who’s data they hold in that set. So how can our Subject Requests element help this? Our Subject Requests element will help you to manage your data and gather all the information together before to enable an efficient and accurate response to your customer regarding where their data is held, why it is held and who can access it. There is no need to use expensive plugins scanning multiple data sources, and a response can be generated by a contact centre agent with no need to hire a dedicated team for these types of enquires, best of all our solution be customised to integrate with your current system.
In some cases, the requester may want to know whether their data is being processed and in which categories, information systems, databases (which can include e-mails, documents and other media used), servers, and countries that their data is stored and accessible from. Our Data Inventory element can be used here to help automate the manual processes and give a detailed and accurate inventory breakdown, therefore making it quick and easy to provide the requested information.
In this extract, the customer wants a list of all the third parties who have accessed or had their personal data shared with. This is where the Sharing Agreement is ideal as it helps to deliver up-to-date reports about the customer’s personal data, including where it has been shared and how it has been used. Our Impact Assessments are created against data inventory items to determine if the data is high risk or not. It also includes assessments on integrated supplier registers, supplier assessments and screening,which provides you with the satisfaction and comfort that your data access is controlled, compliant and secure.
Another feature of complyThing is its Logs, Dashboards & Reporting that are available for a quick and simple to understand high level overview of your data posture. With end to end auditability, users are empowered to work in a process driven, compliant manner as all data is held to consistent levels of scrutiny and accountability. So, if a customer wants to know if their personal data has been disclosed inadvertently as a result of a privacy or security breach as seen in the extract above, these logs and reports will be able to provide that information. We have integrated breach reporting into our solution so that you can quickly assess the situation, and notify the relevant parties should a break occur, using information made available across every data asset’s access and action logs.
In some instances, the person concerned may request to know what information policies and standards the company has in place, such as if they adhere to ISO27001 for information security (of which cloudThing do, along with ISO9001). The tool can be customised with specific compliance requirements, business rules and user roles to ensure that it can work beyond the GDPR, that it can enforce scalable, consistent compliance across data governance regardless of the requirements. In addition, where the tool queries data that is entered and finds it to be non-compliant, it will recommend remedial action and the impact of leaving it non-compliant, helping to ensure that all users understand the risks and requirements of whatever information security standard you wish to reach.
The final element of complyThing is its Modular Extensions which can scale and evolve your solution to fit your organisation’s needs and requirements. We built this solution for the future and will be actively building and deploying new modules to ensure it is an end-to-end compliance tool for multiple standards of security. Personal data is now firmly back in the hands of the person and it is expected that customers may ask about the training and awareness measures that the organisation has taken in order to ensure that employees and all those involved in accessing and processing their personal data, are conforming with the General Data Protection Regulation. With extensions such as deeper Risk Management, Systems Management, Auditing, Policy Lifecycle Management and Training Management, complyThing is a long-term solution built to grow with your business as your requirements evolve.
So, there you have it, our data management tool helps you to become and remain compliant with the GDPR, with minimal fuss. After reading all that, you’re probably feeling inspired to work with us and get complyThing customised to your company so that you can be provided with security, risk and data management. Do you feel that your data is as secure, controlled and as well-managed as complyThing has demonstrated? If not, drop us a message or call us- we would be more than happy to have a chat about any problems or concerns you have and will be happy to hear your requests. Come and join us, Build Future.