The countdown to May 25th continues and we’ve spent many a happy hour over the last few months discussing the intricacies and mysteries of the GDPR with our Toolkit customers who are busily preparing their organisations for the big day. The various supervisory authorities and the Article 29 Working Party have also produced a variety of guidance documents attempting to clarify some of the vaguer parts of the Regulation and educate us all on the best approaches to take to areas such as privacy notices, consent, lawful processing and data processing agreements.
Here at CertiKit we’ve taken all of this valuable feedback and information and put it into the latest version of our GDPR Toolkit – Version 3.
So what does Version 3 have that its predecessor didn’t?
One of the comments we had about Version 2 was the shock factor experienced when opening the folder to find so many documents in one list. It was too much work to locate the right document at times and we don’t like to make you work. So we’ve grouped the documents into a (hopefully) coherent folder structure, organised by area of the GDPR as follows:
We hope you’ll agree that this makes it easier to find the right document at the right time. Because of the change, we’ve had to renumber all of the documents, but the release notes give a mapping from the old number to the new, so we’re hoping that won’t be too inconvenient.
The Guide to Preparing for the GDPR has been updated to correspond to the new folder structure and to be easier to follow, with Key Tasks listed for each step on the path to compliance. This ties in with the expanded GDPR Project Plan which, as before, is provided in Microsoft Project and Excel formats.
We’ve introduced new documents and forms in a number of key areas to help as you get further into your GDPR preparations. Firstly, the Legitimate Interest Assessment Procedure and accompanying form are intended to help with documenting the reasons why this lawful basis of processing is appropriate in any particular case. Secondly, the GDPR Controller/Processor Agreement Policy provides guidance on the changes required to contracts where personal data is involved, and the GDPR Contract Review Tool should help with keeping track of the contracts that need amending.
There’s more to address the needs of Processors too, with the document Processor Security Controls which may be used to inform controllers of the methods used by the processor to keep their personal data safe, along with a Processor Employee Confidentiality Agreement to act as a starter for meeting the need for a commitment to confidentiality.
The Privacy and Personal Data Protection Policy has been enhanced in the area of lawful processing, and some simple examples of how a layered, just-in-time approach to privacy notices might look have been included for a Newsletter Signup and an Online Purchase, together with an example consent form.
Personal Data – Initial Questionnaire is a new document intended to be used as a first step into finding out where all that personal data is within your organisation, without using too much GDPR-speak.
We appreciate that, at the moment at least, many of our customers have to concentrate entirely on the needs of GDPR, and that wider information security considerations can be a distraction. To simplify the toolkit and provide more focus we have removed the “Insert Classification” prompt from all documents, together with a number of other references which were related to the ISO27001 standard rather than the GDPR.
We’ve added comments to most of the spreadsheet tools within the Toolkit, so that a simple mouse hover can help to clarify what information needs to be entered in any particular column. And some of the sections in procedure documents that were causing people to scratch their heads have been removed (e.g. Error Recovery, Support).
There were a few areas in the Toolkit that didn’t have quite the right emphasis, so we’ve corrected that. One area was the focus of the data protection impact assessment which has been rewritten to make sure it’s the risks to the rights and freedoms of the data subject that need to be considered, not those to the organisation.
We use Microsoft Visio to create the flowcharts in the procedure documents, but not everybody has Visio installed, so we’ve also provided the flowcharts in Microsoft Word format. And for our customers that use a Mac, we’ve updated the Toolkit Completion Instructions with how to update fields using an Apple keyboard.
Many documents have been updated, often with more content to illustrate what’s required, e.g. project milestones and deliverables in the Project Initiation Document. In some cases, it’s to clarify the meaning of the Regulation, such as the addition of a table of subject rights by lawful basis in the Data Subject Request Procedure.
Like you, we’ve been busy, and we hope that the changes we’ve made will help you to become GDPR compliant as quickly as possible and without any unnecessary effort or confusion.
This update is part of our schedule of regular maintenance and enhancement aimed at making our toolkits as useful to the customer as we can. As always, we’d like to thank everyone who has contributed to the improvements in this release. Feedback is very important to us so please keep it coming!
The CertiKit Team