GDPR Assessment

General Data Protection Regulation

GDPR is the European Union’s new data protection law that replaces the Data Protection Directive (“Directive”), which has been in effect since 1995. It gives students, faculty and staff members greater control over their personal data and imposes many new obligations on institutions that collect, handle or analyze personal data. GDPR also gives national regulators new powers to impose significant fines on organizations that breach the law.

What Institutional Data is Covered Under GDPR?

GDPR regulates the collection, storage, use, and sharing of “personal data.”

Personal data is defined very broadly under GDPR as any data relating to an identified or identifiable natural person. This includes IP addresses, databases, student services data, feedback forms, location data, biometric data, CCTV footage, and health and financial information.

Personal data that has been “pseudonymized” still counts as personal data if the pseudonym can be linked back to a particular individual.

GDPR Challenges

Third Party Risk Management

Re-negotiation of third-party contracts to enable compliance, and management of the contract inventory

Data Privacy Impact Assessment

Significant additional resources need to be allocated to develop an effective data privacy assessment program and to implement privacy controls throughout the service and development lifecycle

Breach Notification

Understand the details and nature of a data breach and notify the DPA within 72 hours of the breach incident

Increased Record-keeping

Need to identify and inventory the processes and systems handling personal information, and maintain audit trails of processing activities for all data subjects

Stringent Data Security

Implement technical controls to pseudonymize, encrypt, or otherwise secure personal data, and maintain the ongoing confidentiality, integrity and availability (CIA) of personal data

Data Lifecycle Management

Data subjects have the right to be forgotten and can request that their personal data be rectified or transferred to any party, including competitors

GDPR Assessment Services Methodology From OculusIT

Start

  • GDPR compliance assessment
  • Compliance gaps driven business case
  • GDPR awareness sessions for management

Assets

Checked during gap assessment

  • PII data discovery and mapping
  • Privacy impact assessment
  • Document review
  • Dataflow assessment (among other steps)

Management presentation and reporting based on gap assessment

  • Remediation strategy & roadmap
  • Remediation project plan

Plan & Remediate

  • Establish privacy program management office
  • Create policy & procedures
  • Incident response structure set-up
  • Data protection technical control implementation
  • Third party data governance

Fully Matured Model

  • Data Protection Officer-as-a-Service
  • Policy and process review
  • Data breach management
  • Data inventory management
  • Data subject right request management
  • Supervisory authority request management
  • GDPR compliance periodic audits and assessment
  • Periodic training & awareness
  • Analytics driven compliance management
  • Data breach simulation

DPO-as-a-Service

  • Breach Management
  • Data Rights Management
  • Training & Awareness
  • Data Security Management
  • Audit & Assessment
  • Policy & Procedures Review