The ISO 27001 requirement is that you need to comply with the rules and regulations of your country/region. If your company is based in (or has customers in) the EU, you will need to comply with GDPR. Performing an annual GDPR Assessment will help you discover the gaps that you need to fix.
This section consists of 2 steps.
Step 1: Perform the GDPR Assessment
Step 2: Process your findings in this GDPR Assessment section.
Step 1 – Perform the GDPR Assessment
- The owner of a GDPR Assessment is the Privacy Officer. They will need to perform the assessment and discuss the outcome with the ISMS Team.
- You can use the GDPR Assessment template in Compleye Online. This is a set of questions that you will need to answer to find the gaps in your organisation.
- The template is in Excel format and consists of 2 tabs: Data Processor Checklist and Data Controller Checklist.
- Make use of the other sections of Compleye Online (e.g. Legal & Compliance GDPR) and the wiki content to fill in the section.
- General rule: if you are a B2B SaaS business with employees in your team, you are probably a Processor (for Customer Data) and a Controller (for HR & Marketing Data).
- Fill in both tabs, set the status (Implemented/Not Yet Implemented/Not Applicable) and justify your answer. If needed, add a finding/improvement to be implemented.
- After discussing with the ISMS Team, Management/C-level will need to approve the findings/improvements to be implemented.
- See the screenshot of the template below. Once the assessment is finalised, the compliance officer can process the findings/improvements.
Step 2 – Process your findings in the Compleye Online system.
Now that the actual work has been done, it’s time to assess the findings and create actual improvements for them. This is the final step and can be performed by your compliance officer.
You can simply click on the “Create New GDPR” button at the bottom left of the page.
It will open a new window where you can upload the GDPR document. Once attached, the document cannot be deleted, only downloaded. The GDPR card will be named by the date it is uploaded. You can upload additional documents later; make sure you upload the main document first.
After creating the GDPR you can add the findings (copy them from your main document). You can also add other relevant documents in the tab ‘Attachments’, if needed (not mandatory).
- When adding a finding, you will automatically have the option to create an improvement (in blue).
NOTE: if you don’t create an improvement, you’ll need to justify the reason to the external auditor. Perhaps you have already solved the improvement and added the evidence in ‘Attachments’. If so, make sure that you have addressed that in the finding (e.g. by adding ‘Already solved by …; evidence can be found in attachment.’). We strongly advise creating an improvement for each finding. Improvements become part of the Management Review and show that you are able to improve and mature your ISMS.
When you create an improvement, a new pop-up screen will appear.
- The finding is already filled in, with the tag GDPR, to identify where this improvement came from.
- You’ll need to assign an owner who will be responsible for the improvement.
- Due Date: the estimated date for the first expected results.
- Once every field is addressed, you can push the ‘Create Improvement’ button and it will automatically create an improvement with an ID in the ‘Improvements’ section.
- Now the owner will need to work on the improvement. Make sure that the owner has access to the board and has added an e-mail address in the @people section, so that they receive notifications about improvement deadlines.
- Make sure that the owner reads the wiki on improvements and starts working on the improvement.
- The compliance officer will check the progress of all improvements during the monthly security meeting.
- Once the improvement is closed, it will be indicated by a green tick in the tab, along with the date and the person that closed it. So, before you start a new GDPR assessment, check whether the findings of your previous GDPR assessment have been addressed in closed improvements.
| Field | Description | Example |
|---|---|---|
| Improvement Title | Define a name for the improvement. This is not the finding, but e.g. the name of a project/plan that is easily recognisable to the ISMS Team. | If the finding is ‘Review of Security Awareness Training to include Privacy Risk’, the improvement could be ‘Address Privacy Risk at Security Awareness Training’. |
| Owner | Person responsible for the improvement. | One of your ISMS Team members |
| Finding | Findings of the information security risk assessment (‘Column G in ISRA Template – tab Risk Assessment’). This will automatically be filled in the pop-up menu once defined in the section. | Review of Security Awareness Training to include Privacy Risk |
| Due date | Always start with a due date when you want to have your first improvement milestone ready, e.g. when the project plan, proposal or first step needs to be finalised. Used as a reminder (the owner can receive a notification 3 days prior to the due date). | Select the date |
| Origin | The Risk Assessment where the finding originated. In this case this will be filled in automatically, because this is the ISRA Section. | GDPR |