Are your impact assessments and reporting procedures in place for GDPR? Danielle Cussen from Wizuda examines these important requirements in her guest blog post, ‘Where is your data going and why?’ Danielle explains what you need to do to comply and how Wizuda GDPR features will simplify compliance. Danielle is Managing Director at Wizuda.
It’s rare that a day goes by without a mention of the GDPR. Businesses across the globe are striving to achieve compliance by 25 May 2018. That’s when it comes into full force, with no grace period. The GDPR applies to any business collecting or processing personal data belonging to EU citizens.
The UK’s ICO issued a 12-step guide to preparing for the GDPR. The first step is about being aware of the GDPR and its impact. The second is about finding out what personal data you hold, where it’s collected from and where it’s being sent.
As you can imagine, a lot of these questions are going to land on IT’s desk. IT will need to identify transfers between systems and between internal departments, plus transfers to external parties. This might include third-party data processors, within the EU and across the globe. IT will need to work with other stakeholders across the business who understand the data and the reasons for the transfer.
Wizuda GDPR impact assessments
Under the GDPR it is now mandatory to conduct Data Protection Impact Assessments (DPIAs) wherever there is a possible high risk (Article 35). If the risk level is unknown, doing an impact assessment is probably a good way to find out. Impact assessments will vary across organisations and departments, but you’d expect to see certain questions where data transfer is concerned. These would relate to the sensitivity of the data, whether it’s being sent within or outside the European Economic Area (EEA), who will have access to it, and the risk category, among other factors.
Wizuda allows users to build their impact assessments within the software. Users complete a question set, which forms the impact assessment. The system then guides users through the transfer process based on the requirements they have set out. For example, if the user has specified that the data needs to be encrypted in transit, it will guide them towards using SFTP or HTTPS. The system also guides users through any approval process.
This feature helps users to check their transfers are aligned to the requirements specified in the impact assessment. The impact assessments themselves are readily available for reporting and auditing purposes.
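As an added illustration of the kind of check described above (this is not Wizuda’s code; the field names, the mechanism list and the sample transfer are assumptions), here is how a configured transfer can be compared against its impact assessment answers: a requirement for encryption in transit maps to SFTP or HTTPS, a Non-EEA destination needs a recorded transfer mechanism such as BCR or Model Contracts, and sensitive or cross-border transfers need sign-off.

```python
from dataclasses import dataclass
from typing import List, Optional

# EEA member states (ISO 3166-1 alpha-2): the 27 EU states plus Iceland, Liechtenstein and Norway.
EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE IS LI NO".split())
# Protocols the post names as satisfying "encrypted in transit".
ENCRYPTED_IN_TRANSIT = {"SFTP", "HTTPS"}
# Mechanisms for sending data outside the EEA (assumed list; BCR and Model Contracts are the ones the post names).
LAWFUL_MECHANISMS = {"BCR", "MODEL_CONTRACTS", "ADEQUACY_DECISION"}


@dataclass
class Assessment:
    """Answers from the DPIA question set for one transfer (hypothetical field names)."""
    sensitive: bool                            # does the file contain sensitive personal data?
    encrypt_in_transit: bool                   # did the assessment require encryption in transit?
    transfer_mechanism: Optional[str] = None   # e.g. "BCR" when the data leaves the EEA
    approved_by: Optional[str] = None          # sign-off recorded by the approval workflow


@dataclass
class Transfer:
    """A configured file transfer (hypothetical field names)."""
    name: str
    source_country: str   # ISO alpha-2 code of the sending system's location
    dest_country: str     # ISO alpha-2 code of the receiving system's location
    protocol: str         # e.g. "SFTP", "FTP", "HTTPS"


def region(transfer: Transfer) -> str:
    """Region label for filtering, as in the map view: EEA or Non-EEA destination."""
    return "EEA" if transfer.dest_country.upper() in EEA else "Non-EEA"


def evaluate(transfer: Transfer, dpia: Assessment) -> List[str]:
    """Return the findings that block this transfer; an empty list means it matches its DPIA."""
    findings = []
    if dpia.encrypt_in_transit and transfer.protocol.upper() not in ENCRYPTED_IN_TRANSIT:
        findings.append(f"{transfer.name}: {transfer.protocol} is not encrypted in transit; use SFTP or HTTPS")
    if region(transfer) == "Non-EEA" and dpia.transfer_mechanism not in LAWFUL_MECHANISMS:
        findings.append(f"{transfer.name}: leaves the EEA ({transfer.dest_country}) with no recorded transfer mechanism")
    if (dpia.sensitive or region(transfer) == "Non-EEA") and not dpia.approved_by:
        findings.append(f"{transfer.name}: requires sign-off but none is recorded")
    return findings


if __name__ == "__main__":
    # Constructed sample: a payroll extract sent over plain FTP to a US processor with no DPIA sign-off.
    for finding in evaluate(Transfer("payroll-to-us", "IE", "US", "FTP"), Assessment(sensitive=True, encrypt_in_transit=True)):
        print(finding)
```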
Wizuda GDPR reporting
For the GDPR, reporting visibility is key to compliance. Article 5 (and many others) stresses the need for “accountability” and “transparency” over all processing activities, not just cross-border transfers. IT needs to be able to provide accurate details of the transfers in place at any given time, not only on 25 May 2018 but on an ongoing basis. They may need to show all of the cross-border transfers outside of the EEA, with impact assessments showing the business reason and sign-off process. An automated process reduces this workload and provides process assurances.
A number of Wizuda features assist the user in accurate reporting of data transfers:
Wizuda’s Geographic Visual Maps show the live transfers currently in place across your organisation from one central hub. This view can be filtered by region or transfer mechanism, such as EEA, Non-EEA, BCR, Model Contracts and so forth.
Alternatively, Network Diagrams can be used to visualise the data flows across your network.
Both the Geographic Maps and Network Diagrams have full drilldown capability to view details of the files transferred, the full audit trail, authorisation workflows, and the corresponding impact assessments where applicable. This simplifies the path to demonstrating compliance.
There’s more information available on the Wizuda vendor page.
This is the first in a series of guest blog posts from the leading vendors, highlighting how a file transfer solution can add value to your organisation.