{% extends "base.html" %} {% load i18n static %} {% block content %}

{% trans "GDPR Registry Web App" %}

{% blocktrans %}To manage the whole GDPR process, you need a central point where information about GDPR procedures is stored and can be updated on a regular basis by dedicated personnel, including your Data Protection Officer. This central place is of fundamental importance for keeping track of your current compliance status, identifying issues and mitigating them. This is exactly the role of the so-called Registry of Data Processing Activities (the "records of processing activities" described in Article 30 of the GDPR). It can also demonstrate that GDPR compliance is a continuous process that has become an integral part of your business. This is a key step towards an enhanced security posture. {% endblocktrans %}

{% blocktrans %}The Pluribus One GDPR Registry Web app allows you to keep track of all data processing activities according to a hierarchical structure and the various GDPR stages highlighted in this document.{% endblocktrans %}

{% trans "Key Features" %}

{% trans "Hierarchical Structure" %}

{% blocktrans %}The main hierarchical structure of the registry is shown below.{% endblocktrans %}

{% trans 'You may add as many entries as you require to the registry, e.g., an unlimited number of organizations, business processes, activities, data audits, and so on.' %}

{% trans "Hierarchical Structure - Example" %}

{% blocktrans %}An example of the hierarchical structure of the GDPR app registry is shown below.{% endblocktrans %}

{% trans "Organization" %}

{% blocktrans %} {% endblocktrans %}

{% trans "Business Process" %}

{% blocktrans %}
  • Name: Human resources
  • Description: Human resource management, overseeing various aspects of employment, such as compliance with labour law and employment standards, administration of employee benefits, and some aspects of recruitment and dismissal
{% endblocktrans %}

{% trans "Processing Activity" %}

{% blocktrans %}
  • Name: Contractualization
  • Description: Activity required to contractualize employees
{% endblocktrans %}

{% trans "Data Audit" %}

{% blocktrans %}
  • Description: identity documents of employees
  • Category: personally identifiable information
  • Purpose of processing: personnel management
  • Legal basis: necessary for the performance of a contract (GDPR Art. 6(1)(b))
  • Inherent risk: medium
{% endblocktrans %}

{% trans "Data Management Policy" %}

{% blocktrans %}
  • Description: data is stored in a private database, in encrypted form, and can be accessed only by the following persons: Robb Jones (administrative employee)
  • Data transfers: the data is not transferred to third parties
  • Data Subject Rights: data subjects have been informed of, and have explicitly agreed to, our privacy policy (link to document X). Document X also explains how they can access, rectify, erase, and restrict the processing of their data.
  • Residual risk (of data breaches): low
{% endblocktrans %}

{% trans "Data Breach Detection" %}

{% blocktrans %}
  • Description
    • each access to the private database is monitored and logged to an append-only logging database
    • anomaly-based intrusion detection capable of alerting on suspicious access attempts, e.g.:
      • from unexpected IP addresses
      • at unexpected times (e.g., night, weekends)
      • too many failed access attempts
      • unexpected outbound traffic from the database application to the Internet
    • each alert is delivered over an authenticated, encrypted channel and inspected by our security team, which is available 24/7
  • Residual risk (of missing data breaches): low
{% endblocktrans %}
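The detection entry above lists rules in prose. The following is an added example, not code from the Pluribus One GDPR Registry app or its documentation, showing those four rules evaluated over a small set of constructed database access-log lines, plus a hash-chained log that makes tampering with earlier entries detectable (a hash chain does not by itself prevent deletion of the whole log; it only makes edits and truncation visible on verification). The log line format, the allowed network, the office hours, the failure threshold and the outbound allowlist are all assumptions made for the example.

```python
"""Added example (not part of the GDPR Registry app): evaluate the anomaly
rules from the Data Breach Detection entry over constructed access-log lines,
and hash-chain the log so that later tampering is detectable."""
import hashlib
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for the example (not taken from the page).
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]   # where admins normally log in from
OFFICE_HOURS = range(8, 19)                       # 08:00-18:59 local time, Mon-Fri
FAILED_THRESHOLD = 3                              # failed logins per (user, IP) before alerting
OUTBOUND_ALLOWLIST = {"10.0.5.20"}                # hosts the DB app may legitimately contact

# Constructed sample log (not real data). One event per line:
#   "<ISO timestamp> <event> user=<u> src=<ip> [dst=<ip>]"
# 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE_LOG = """\
2024-03-04T09:12:01 login_ok user=rjones src=10.0.1.15
2024-03-04T09:13:44 query user=rjones src=10.0.1.15
2024-03-04T23:41:09 login_ok user=rjones src=10.0.1.15
2024-03-09T10:02:11 login_ok user=rjones src=10.0.1.15
2024-03-04T11:05:30 login_fail user=rjones src=203.0.113.7
2024-03-04T11:05:35 login_fail user=rjones src=203.0.113.7
2024-03-04T11:05:41 login_fail user=rjones src=203.0.113.7
2024-03-04T11:06:02 login_ok user=rjones src=203.0.113.7
2024-03-04T11:07:10 outbound user=dbapp src=10.0.2.8 dst=198.51.100.9
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect(log_text):
    """Return (rule, timestamp, detail) alerts for the four rules in the registry entry."""
    alerts = []
    failures = Counter()  # (user, src) -> consecutive failed logins seen so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = ip_address(rec["src"])
        ts = rec["ts"]
        if rec["event"] == "login_ok":
            # Rule 1: successful access from outside the expected networks.
            if not any(src in net for net in ALLOWED_NETWORKS):
                alerts.append(("unexpected_ip", ts, str(src)))
            # Rule 2: successful access at night or on a weekend.
            if ts.hour not in OFFICE_HOURS or ts.weekday() >= 5:
                alerts.append(("unexpected_time", ts, ts.isoformat()))
        elif rec["event"] == "login_fail":
            # Rule 3: too many failed attempts for one user from one source.
            key = (rec["user"], str(src))
            failures[key] += 1
            if failures[key] == FAILED_THRESHOLD:
                alerts.append(("too_many_failures", ts, f"{key[0]}@{key[1]}"))
        elif rec["event"] == "outbound" and rec["dst"] not in OUTBOUND_ALLOWLIST:
            # Rule 4: the database application talking to a host it should not.
            alerts.append(("unexpected_outbound", ts, rec["dst"]))
    return alerts


GENESIS = "0" * 64


def chain_log(lines):
    """Hash-chain log lines: each digest covers the previous digest and the line."""
    prev, chained = GENESIS, []
    for line in lines:
        digest = hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()
        chained.append((line, digest))
        prev = digest
    return chained


def verify_chain(chained):
    """Recompute the chain; any edited, removed or reordered entry breaks it."""
    prev = GENESIS
    for line, digest in chained:
        if hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest() != digest:
            return False
        prev = digest
    return True


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: {detail}")
    chained = chain_log(SAMPLE_LOG.splitlines())
    print("chain verifies:", verify_chain(chained))
```

Run on the sample log, the rules fire in order for the 23:41 login, the Saturday login, the third failed attempt from 203.0.113.7, the subsequent successful login from that address, and the outbound connection to 198.51.100.9. The failure counter here is cumulative; a production rule would use a sliding time window and reset on success.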

{% trans "Incident Response Plan" %}

{% blocktrans %}
  • Description
    • automatic read-only backups of the private database containing personal data
    • web application firewall capable of blocking traffic between the administrative app and the Internet
    • data breach notification templates and database of data subjects
    • immediate notification of security incidents by the security team to the Data Protection Officer via an authenticated, encrypted channel
    • the administrative app runs in a virtual machine, so that it can be frozen (snapshotted) for forensic analysis
  • Residual risk (of unmanaged data breaches): low
{% endblocktrans %}

{% trans "Data Protection Impact Assessment" %}

{% blocktrans %}Details about the DPIA (if any), with link to PDF document.{% endblocktrans %}
{% comment %}

{% trans "GDPR Registry App - How To" %}

{% blocktrans %}To manage the whole GDPR process, you need a central point where information about each of the four mentioned phases is stored and can be updated on a regular basis by dedicated personnel, including your Data Protection Officer. This central place is of fundamental importance for keeping track of your current compliance status, identifying issues and mitigating them. This is exactly the role of the so-called Registry of Data Processing Activities, described in Article 30 of the GDPR. It can also demonstrate that GDPR compliance is a continuous process that has become an integral part of your business. This is a key step towards an enhanced security posture. {% endblocktrans %}

{% blocktrans %}The GDPR Registry app allows you to keep track of all data processing activities according to a hierarchical structure and the various GDPR stages highlighted in this document. {% endblocktrans %}

{% trans 'Step 5. Associate a Data Management Policy to each Data Audit' %}

{% blocktrans %}The fifth step is to associate a data management policy with each data audit. This policy should describe

{% endblocktrans %}

{% trans 'Step 6. Associate a Data Breach Detection to each Data Audit' %}

{% blocktrans %}The sixth step is to associate a data breach detection entry with each data audit. We should describe

{% endblocktrans %}

{% trans 'Step 7. Associate an Incident (Data Breach) Response Plan to each Data Audit' %}

{% blocktrans %}The seventh step is to associate an incident response plan with each data audit. We should describe

{% endblocktrans %}

{% trans 'Step 8. Associate a Data Protection Impact Assessment (DPIA) Document to the Data Audit' %}

{% blocktrans %}The eighth step is to associate a DPIA document with the data audit. This is only required if the data we manage entails a high risk to the rights and freedoms of natural persons. In any case, it basically describes and motivates in detail the mitigation activities of steps 5, 6 and 7. Thus, if we have already completed steps 5, 6 and 7, this step should be straightforward.{% endblocktrans %}

{% endcomment %} {% endblock %}