GDPR Compliance Methodology

Compliance Methodology:
1. General Data Protection Regulation is not a one-off process, but a continuing improvement procedure based on the enclosed proven DMPR methodology that will become more exacting into the future.   A major review and publication of all GDPR related privacy and security documents is planned each year during February and August.
2. Total Quality Management with a large number of defined tasks has been applied to minimise the continual cost of review and refinement of GDPR regulations, obligations and benefits.   A key cost reduction and error avoidance method is very high levels of automation using artificial intelligence.
3. While the focus in 2018 is on personal data, in future years, all business data will be subject to similar obligations and benefits.   It is not logical to secure personal data and not secure business data using similar proven techniques and measures.

Four-Step Methodology
1000 Discovery tasks.
2000 Manage tasks.
3000 Protect tasks.
4000 Report tasks.

Glossary
"GDPR" means General Data Protection Regulation with reference to articles as UK law.
"BAS" means the Bespoke Application Service belonging to the Owner as the "controller" and operated by the Application Service Provider (ASP) as the "processor".
"Data Subject" means a person, including staff, customer contacts, supplier contacts and business associated information held in the Bespoke Application Service, personal emails, local computer files and paper documents.
"PII" means Personally Identifiable Information as any data owned by the data subject.
"DPAS" means the Data Protection Application Service used by the ASP to provide the services demanded to comply with GDPR.   Part-1 is the protection documentation and inventory facilities including DPIA. Part-2 is the data subject facilities to comply with their rights including communications.

1000 Discover
1010 SEARCH: Review and revise the foundational capability to identify personal data across the Bespoke Application Service.   Focus on identifying the full scope of where personal data is stored, including internal software systems, paper documents and third parties.   Determine and document the ASP team who must search for and access this data and enable them to execute this search through the DPAS facilities.
1011 Expand upon existing search capability as an inventory of personal data stores to include data subject names or identifiers, so that all data for a given data subject can be located and compiled when needed.
1012 Review and revise the formal process for how to search for and identify data subject personal data, including what DPAS facilities to use, when to use them and how to use them.
1013 Integrate search functionality across multiple data sources, so that a single search will return all instances of a data subject's personal data within the Bespoke Application Service.

1020 CATEGORIES: Review, revise and document categorical definitions of personal data types and sensitivities.   Train the ASP team on how to categorize personal data, including DPAS facilities used to do so.
1021 Define sensitivity categories.   Refine DPAS facilities to enable personal data to be tagged with the appropriate sensitivity level.
1022 Review and revise a single source of documentation for how all personal data are categorized.   Empower ASP team members to oversee data categorization and regularly ensure it is carried out correctly.
1023 Refine DPAS facilities that automatically label data with its appropriate sensitivity, use, geography and recipients.
1024 Extend data categorization to include applicable transfer restrictions.   This must include approved or restricted locations and organizations.
1025 Extend data categorization to include whether data was provided by the data subject or obtained or derived from other means.

1030 USAGE: Refine DPAS facilities to map and document where and how personal data is used.   DPAS requirements are based on the amount of personal data held and the need to maintain it.
1031 Create an exhaustive list of all locations of personal data and usage of personal data.   This is a continual, iterative data gathering process.
1032 Refine DPAS facilities that tag and capture personal data automatically, so a Bespoke Application Service inventory can be maintained without manual updates.
1033 Review and revise the formalized process and process manager to assign responsibility and capability of maintaining DPAS inventory of personal data that is used by the Bespoke Application Service.
1034 Refine DPAS facilities for record keeping to identify all processing activities that are being performed with personal data.   DPAS is an online service used to define where processing activities are occurring and for what personal data.
1035 Maintain details of how all processing activities are carried out.   This must include what is the purpose of each processing activity, what criteria are needed to perform necessary processing activities as well as understanding of when consent is required and at what point consent is obtained.

2000 Manage
2010 GOVERNANCE: Review and revise the foundations of a data governance program, including high-level goals and the set of tactical initiatives.   In addition to a data governance standard and relevant procedures, also include programmatic items such as: internal acceptance among stakeholders, in both business and technical roles; an operating model that accounts for organizational structure, IT infrastructure and business needs; and empowered people who can make decisions and assign responsibilities.
2011 Define the ITIL organizational model in compliance with ISO 20000 that accounts for current capabilities of data governance resources, allocating necessary budget to include personnel, as necessary.   Provide necessary executive sponsors to enable data governance personnel with adequate resources.
2012 Identify necessary stakeholders across the organization, both in business and technology roles.   Review and revise relationships with required stakeholders.   Define necessary communications and ongoing touchpoints for effective execution of projects, as well as use of processes and escalation paths.
2013 Review and revise data privacy and protection policies that clearly illustrate how data subject personal data will be used and protected.   These policies are easily digestible to a non-technical audience and available for distribution within the organization and to data subjects or regulators as appropriate.   Policies and procedures are reviewed and updated every six months.
2014 Implement a Data Loss Prevention (DLP) technology to monitor the transmission of sensitive data across the following channels: USB, email, web, print, fax, CD and DVD.   As a policy, each Bespoke Application Service server rack shall NOT have a USB port, NOT support printing, NOT support a display, NOT support CD media, NOT support DVD and NOT support a keyboard.
2015 Define and document the need to process young persons' data, the use of this data and the applicable legal basis for processing.   Create a privacy notice specifically for young persons' data that is written in a way a young person could understand the processing activities.   Perform considerations for all recipients, uses, transfers and stores of this data.   Where the organization maintains an online service (whereby an online profile or young persons' data is maintained), obtain consent from a parent or guardian, depending on the young person's age.
2016 Create policies with specific restrictions and requirements that identify potential employment actions consistent with applicable employment law.   Policies are made available to all employees and acknowledged by employees.
2017 Work with the organization's legal team to classify personal data as appropriate (see task 1020) and document legal justifications for maintaining special categories of personal data.

2020 PRIVACY POLICY: Review and revise the foundational activities to identify personal data (see task 1010).   Implement the necessary online service technology and hire, train, or realign appropriate personnel to be able to create privacy policies.   For all relevant personal data, create a privacy policy that can be provided to applicable data subjects.
2021 When creating privacy notices, maintain multiple reviews by varying audiences to create notices that are relevant for a wide-ranging audience to understand.   Localize privacy notices to accommodate data subjects who speak different languages.
2022 Create formal documented guidance provided by legal on privacy notices that define the necessary procedures, components and requirements for each privacy notice.
2023 Perform a legal review of requirements that are necessary for privacy notices.   Review all privacy notices to confirm they include all legal requirements.
2024 Implement a process to validate data subjects are informed they may object to how the organization uses their personal data, when the organization first contacts them.
2025 Implement online technology that automatically provides a copy of privacy notices to data subjects.
2026 Review and document when personal data is collected from data subjects and ensure required privacy notices are shared with them at each instance.
2027 Maintain evidence records of personal data that is collected from sources other than data subjects.   Define when privacy notices are provided to data subjects.
2028 Share required privacy notices with data subjects, prior to using their personal data for purposes they have not been informed of.

2030 OBJECTION: Implement online technological foundations to be able to change how the organization uses a data subject's personal data (including halting processing temporarily or deleting it).
2031 Implement online technology from tasks 1011, 1020 and 1030 to be able to identify all data subject personal data, classify it and change how it is used or delete it (especially to be able to discontinue all direct marketing).
2032 Review and revise the process to share appropriate legal justifications with data subjects, when they object to how the organization is using their personal data.
2033 Review and revise the ability to provide proof that processing activities were discontinued on request.   This is done through online technology that logs actions taken to discontinue processing.
2034 Review and revise the process for when and how to respond to data subject requests to stop using their personal data.
2035 Implement online technology to automatically respond to and comply with data subject requests to stop using their personal data or inform the data subject why the requests will be denied.   Also, ensure the online technology automatically logs, stores and can share evidence of discontinued personal data use.
2040 CONSENT: Identify people and processes needed to perform tasks required for obtaining consent.
2041 Review and revise the process to ensure data subject personal data is used only after data subjects consent to its use or appropriate legal justifications are in place.
2042 Review and revise the process to manage when and how data subject consent is obtained, including information to be shared with data subjects, at the time consent is requested.   Create a data subject consent workflow that considers all consent requirements.
2043 Review and revise the process to inform data subjects what their personal data will be used for, at the time they give their consent, especially prior to using sensitive data, such as racial or religious data.
2044 Implement online technology to automatically request and obtain data subject consent to use personal data.
2045 Define requirements for a young person's consent with relevant legal and compliance personnel.   Review and revise the process for how to appropriately obtain the young person's consent.
2046 Implement online technology and a process to confirm a data subject's age and identity or the age and identity of an adult granting consent on behalf of a young person.

2050 SUBJECT ACCESS REQUEST: Review and revise an online service to communicate with data subjects on privacy matters, such as a phone number, email help-desk, or website.   This online Subject Access Request (SAR) service is published and made available to data subjects.
2051 Review and revise an online portal so data subjects and other individuals can submit privacy questions or requests, such as for erasure or objection.
2052 Implement a tracking system to maintain requests from data subjects and enable them to view status of requests through to resolution.   Keep a record of completed requests.
2053 Implement relevant processes and technologies to validate the identities of individuals making inquiries.   This is a predefined series of security questions to validate the requestor's identity.
2054 Hire, train, or realign appropriate personnel to help the organization appropriately triage and respond to privacy requests and inquiries.
2055 Implement online technology to inform data recipients of changes, erasure, or use restrictions to the personal data they have received.
2056 Implement online technology to enable data subjects and others to monitor the status of their privacy requests and inquiries.
2057 Review and revise expected response times for given privacy inquiries and requests and make those times publicly visible.
2058 Implement online technology to automatically respond to privacy inquiries and requests, as well execute requests, where appropriate.
2060 AMEND: Develop a process to correct inaccurate personal data or fill in incomplete information.   This will include modification to, or addition of, personal data details such as name or address.   Implement online technology where appropriate to enable this process.
2061 Implement comprehensive online technology and a corresponding framework to correct all instances of inaccurate personal data or complete it, when incomplete.
2062 Implement online technology to enable logging, storing and sharing evidence of the organization's correcting and completing personal data.
2063 Review and revise a process for when, how and by whom data subject personal data is corrected or completed.
2064 Implement online technology to begin to automate correcting or completing data subject personal data as well as record, maintain and be able to share evidence of the correction and completion.
2065 Expand the use of, or implement additional online technology to automate all correcting or completing data subject personal data, as well as recording, maintaining and being able to share evidence of the correction and completion.
2070 DELETE: Implement online facilities and processes to review online inventories and identify and erase relevant data.
2071 Identify appropriately skilled and trained personnel to manage the search and erasure of personal data on request.
2072 Identify appropriately skilled and trained personnel, including cross-group stakeholders and reporting structure to assess and make determinations about data erasure requests.   Ultimate responsibility for decisions shall lie with the DPO.
2073 Implement a defined process for each relevant online technology to erase data, when necessary.   This shall include a validation check that the data was removed as needed.
2074 Review and revise a process to record, log and maintain evidence of erasures.
2075 Review and revise communication with all recipients of personal data to deploy erasure requests.   This communication strategy is implemented as part of an ongoing effort to identify where personal data is being transmitted, housed and processed.
2076 Implement online technology and processes that enable the organization to delete personal data in all locations where personal data is stored.
2077 The organization needs to assess where subject access request automation is necessary.   Automation of erasure activities shall minimize or mitigate the risk of error through manual processes and ensure action is taken in a timely, accurate and consistent manner.
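The erasure steps above (search every store, erase, validate that nothing remains, keep evidence) can be exercised end to end in code. The following is an added example written for this page, not code from the methodology or from the DPAS service it describes; the three in-memory stores, the `subject_id` column and the SAR request identifier are constructed assumptions standing in for real databases, file shares and third-party APIs.

```python
from datetime import datetime, timezone


def sample_stores():
    """Constructed sample data: three independent stores that may hold a data
    subject's records. Assumption: every store is a list of dict rows keyed by
    "subject_id"; a real DPAS would wrap databases, file shares and partner APIs."""
    return {
        "crm": [
            {"subject_id": "DS-1001", "name": "A. Example", "email": "a@example.test"},
            {"subject_id": "DS-1002", "name": "B. Example", "email": "b@example.test"},
        ],
        "ticketing": [
            {"subject_id": "DS-1001", "ticket": "T-77", "note": "called about invoice"},
        ],
        "marketing": [
            {"subject_id": "DS-1002", "optin": True},
        ],
    }


def search_subject(stores, subject_id):
    """Single search across every store (task 1013). Returns {store: record count}."""
    return {
        name: sum(1 for row in rows if row.get("subject_id") == subject_id)
        for name, rows in stores.items()
    }


def erase_subject(stores, subject_id, request_id, actor, evidence_log):
    """Erase every record for subject_id in every store, re-run the search to
    validate that nothing remains (task 2073) and append an evidence record
    (task 2074). The evidence references the SAR request, not the identifier,
    so the log itself does not become another copy of the personal data."""
    before = search_subject(stores, subject_id)
    for rows in stores.values():
        # In-place replacement so the caller's store objects are updated.
        rows[:] = [row for row in rows if row.get("subject_id") != subject_id]
    after = search_subject(stores, subject_id)
    record = {
        "event": "erasure",
        "request_id": request_id,
        "actor": actor,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "records_removed": {name: before[name] - after[name] for name in stores},
        # Any store still returning records is a failed erasure that needs follow-up.
        "residual": {name: n for name, n in after.items() if n},
        "validated": not any(after.values()),
    }
    evidence_log.append(record)
    return record


if __name__ == "__main__":
    stores = sample_stores()
    log = []
    print(erase_subject(stores, "DS-1001", "SAR-0001", "dpo", log))
```

The validation is a second, independent search rather than trust in the delete calls: a store that silently ignores the deletion shows up in `residual` and flips `validated` to false, which is the condition the process owner has to act on before the request is closed.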
2080 PORTABILITY: Maintain the capability to export personal data in a machine-readable (CSV) format.   Develop a process to provide this to the data subject when requested, with a direct-download opportunity for data subjects.
2081 Implement a process or online technology to send personal data to data subjects in a machine-readable (CSV) format.   A PDF file is not considered machine readable.   Examples of correct formats are CSV and HTML.
2082 To minimize the burden of processing data portability requests, online technology is used to automate responses to data portability requests.
2083 Review and revise a process to securely transfer personal data to another controller in a machine-readable format, when requested by a data subject.
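As an added illustration of tasks 2080 to 2083 (not code from the methodology or the DPAS service), the block below gathers every record held for one data subject across several stores and writes a single CSV export that another controller can read back. The stores and records are constructed sample data; the one caveat a practitioner would add is that cell values beginning with a formula character are prefixed with a quote so that a subject's free-text notes open as text in spreadsheet software.

```python
import csv
import io

# Constructed sample data (assumption: every store is a list of dict rows
# carrying a "subject_id" column). The ticketing note deliberately starts
# with "=" to exercise the formula neutralisation below.
SAMPLE_STORES = {
    "crm": [
        {"subject_id": "DS-1001", "name": "A. Example", "email": "a@example.test"},
        {"subject_id": "DS-1002", "name": "B. Example", "email": "b@example.test"},
    ],
    "ticketing": [
        {"subject_id": "DS-1001", "ticket": "T-77", "note": '=HYPERLINK("http://example.test")'},
    ],
}

# Leading characters that spreadsheet software treats as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell as text; prefix formula-looking values with a quote."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_subject_csv(stores, subject_id):
    """Collect every record held for subject_id across all stores and return
    one CSV document (task 2081), with a "source" column naming the store."""
    rows = [
        {"source": store_name, **rec}
        for store_name, records in stores.items()
        for rec in records
        if rec.get("subject_id") == subject_id
    ]
    # Union of all column names; "source" and "subject_id" first for readability.
    columns = ["source", "subject_id"]
    for row in rows:
        for key in row:
            if key not in columns:
                columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="", lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(v) for k, v in row.items()})
    return buf.getvalue()


def parse_export(text):
    """Read an export back, as the receiving controller would."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    print(export_subject_csv(SAMPLE_STORES, "DS-1001"))
```

Because the column set is the union over all stores, a record that lacks a column simply gets an empty cell; the export therefore stays a rectangular, machine-readable table however heterogeneous the sources are.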
2090 LIMIT: Review and revise a policy and process for how the organization can limit processing personal data, when required.
2091 Identify and maintain necessary personnel to deploy restriction requests.   Create or use a technological ability to limit workflows and otherwise prevent processing activity of personal data.
2092 Review and revise the mechanism to identify other recipients storing or processing a data subject's personal data and notify them about restrictions to processing.
2093 Implement online technology to automatically notify processors for all processing activities that have personal data restricted.
2094 In addition to activities required in task 2050, a communication mechanism and necessary personnel to oversee communication are maintained for notifying data subjects, when a restriction of processing has been lifted.
2095 Implement online technology to automatically notify applicable data subjects when processing activities have been resumed.
2096 Enable evidence of when processing activities were restricted.
2097 Enable evidence of when processing activities were restricted and then resumed.   Capture an explanation from the individual who makes the decision to resume processing.
2100 PROFILING: Create a mechanism to flag decisions (e.g. credit worthiness, employment candidacy) that are made in part or completely by automated means (e.g. credit check or verified research data).
2101 Define necessary legal and compliance review required for automated decisions.   This review shall include a documented business justification and rationale for use of automatic decisions, as well as considerations for human intervention.
2102 Review and revise a policy that identifies when human intervention is required for each decision made by automatic means.   Assign responsibility of maintaining the policy to relevant personnel.
2103 Perform analysis of possible inconsistencies in automated decisions and evaluate those that are most prevalent.   Identify the points at which human intervention is required for decisions with the most inconsistencies.   Review and revise a procedure for required human intervention.
2104 Provide a mechanism to collect communication from data subjects when they request more information on an automated decision.   This can be an embedded functionality within the communication mechanism documented within task 2050.
2110 Determine whether a Data Protection Officer (DPO) is required for the organization.   Assign or appoint, as necessary, a DPO that meets requirements for the organization.

2111 EDUCATION: Identify appropriate personnel to perform and attend data privacy training.   Create a training program that is performed at regularly defined intervals and is inclusive of all necessary requirements for handling personal data.
2112 Determine relevant internal and external parties to communicate with as part of the DPO role.   Maintain a regular interaction of ongoing communications to understand the changing regulatory environment, industry standards, or operational needs related to data protection and privacy and how industry peers are addressing them.
2113 Enable the DPO to maintain an appropriate amount of oversight and independent review, as required by GDPR and ICO.
2114 Help maintain necessary privacy training and relevant memberships or subscriptions to privacy related organizations.   Help define these requirements for the organizations industry, as well as the amount and type of personal data the organization maintains.
2115 Help identify key data privacy positions and assign necessary responsibilities and roles to the relevant personnel.   Perform this analysis on an ongoing basis.
2116 Maintain ongoing assets of all regulatory requirements and the applicability of the requirements for the organization to reference, in the event of a change to the regulatory environment.
2120 RISK MANAGEMENT: Implement a risk management program that includes consideration for the active prevention of unauthorized access to identifiable personal data.   Perform risk analysis to be able to identify potential data privacy risks.
2121 Create risk management principles and guidelines commensurate with the value of assets, risk appetite and threat context of the organization.   These principles and guidelines will reduce risk and support the mission of the organization.   Once these principles and guidelines are defined, a risk management program and strategy are implemented.
2122 Implement a defined risk management framework compliant with ISO 31000 that addresses the organization's need to identify and proactively manage data privacy as a tenet of the risk management framework.
2123 Maintain risk register with all relevant risks for the organization.   For all risks that require additional action, create plan to mitigate or transfer risk.   Document these procedures and use in conjunction with data protection impact assessments.
2124 Within the organization's defined risk register, maintain a mechanism of evaluation for identifying the highest value business assets.   High value assets must be identified via financial or operational impacts.
2125 For any risk maintained within the risk register, identify those that could include mishandling of personal data.   If no risks address mishandling of personal data, identify potential risks that are applicable for the organization.

3000 Protect
3010 TEAMS: Identify the people in the organization that utilize data that is subject to GDPR and ensure relevant people are trained on data protection and privacy and incorporate GDPR compliance in their daily management of personal data and long-term strategies.
3011 For all personal data used, assess the benefits of pseudonymizing personal data.   By default and by design, deploy pseudonymizing techniques for all personal data.   Implement such pseudonymizing techniques and necessary online technology, where additional protections from pseudonymizing personal data are relevant for data protection design.
3012 Assess the business justification of all personal data used for business operations.   Review and revise a process to maintain the data that is a minimum requirement to perform these operations and discontinue collection of all personal data that does not maintain a valid business justification.
3013 Design personal data access controls (such as segregation of duties) that prevent personnel from mishandling personal data.   Continually review and update these access controls, as necessary, for all relevant data stores.
3014 Maintain the principle of least privilege for all personal data.   Document this consideration in relevant policies and procedures.   For example: First Level Support shall NOT have any access to any personal data and system administrators shall NOT have access to any personal data.   Create a procedure to continually validate that least privilege to personal data is maintained.
3015 Review all policies and procedures for relevant technologies to ensure data protection and privacy tenets are incorporated and have appropriate personnel review on a regularly scheduled interval.
3016 Create a data protection and privacy training program, including online facilities and resources, for all personnel engaging in activities relating to personal data, applicable managers and support functions (e.g., legal and HR).   Executives have emphasized the importance of data protection and privacy to set the culture of the organization.
3017 As part of relevant online technology deployment life-cycle, include relevant data protection and privacy considerations, requirements and approvals.
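Task 3011 asks for pseudonymisation by default and by design. The block below is an added example, not the methodology's or the DPAS service's own code, showing the shape such a facility takes: direct identifiers are replaced by keyed HMAC tokens, the token-to-value mapping is written to a separate vault, and the key and vault are assumed to live on a different system with different access rights from the pseudonymised dataset. The field list, the 32-byte key and the sample record are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: these are the direct identifiers the categorisation work (task 1020)
# tagged as needing pseudonymisation. Other fields pass through unchanged.
DIRECT_IDENTIFIERS = ("subject_id", "name", "email")


def make_key():
    """Pseudonymisation key. Keep it in a key store separate from the data."""
    return secrets.token_bytes(32)


def pseudonym(value, key, field):
    """Deterministic keyed token: HMAC-SHA256(key, field || 0x00 || value), truncated.
    Keyed (not a plain hash) so nobody without the key can rebuild tokens from
    guessed values; the field name is mixed in so the same string in two
    fields yields two unrelated tokens."""
    mac = hmac.new(key, field.encode() + b"\x00" + value.encode(), hashlib.sha256)
    return mac.hexdigest()[:24]


def pseudonymize(record, key, vault, fields=DIRECT_IDENTIFIERS):
    """Return a copy of record with direct identifiers replaced by tokens.
    The token -> original value mapping goes into vault, which must be stored
    apart from the pseudonymised dataset (task 3014: least privilege applies
    to the vault, not only to the raw data)."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            token = pseudonym(str(out[field]), key, field)
            vault[token] = out[field]
            out[field] = token
    return out


def reidentify(record, vault, fields=DIRECT_IDENTIFIERS):
    """Reverse pseudonymisation; only a vault holder can do this."""
    out = dict(record)
    for field in fields:
        if field in out and out[field] in vault:
            out[field] = vault[out[field]]
    return out


if __name__ == "__main__":
    key, vault = make_key(), {}
    # Constructed sample record.
    rec = {"subject_id": "DS-1001", "name": "A. Example", "email": "a@example.test", "ticket": "T-77"}
    p = pseudonymize(rec, key, vault)
    print(p)
    print(reidentify(p, vault) == rec)
```

Determinism is deliberate: the same subject gets the same token across datasets processed under the same key, so analytics and the single-search requirement of task 1013 still work on the pseudonymised data, while rotating the key severs that linkage when a purpose ends.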

3020 ENCRYPT and REPLICATE: Analyze all available personal data within the organization and determine where encryption and replication are appropriate, taking into account the impact if that data were compromised and any operational impacts of available technology.   Take appropriate measures to encrypt and replicate all personal data.
3021 Create encryption policies and procedures for relevant technologies, including what personal data to encrypt, how to encrypt it and why to encrypt it.   Regularly update these policies and procedures.
3022 Review and revise a data protection standard that clearly defines why all personal data needs to be encrypted and replicated to prevent personal data from being stolen or lost.
3023 Implement and maintain at a minimum industry standard encryption technologies.
3024 Have appropriate personnel evaluate encryption technology on an ongoing basis to ensure the organization is using industry standard technology, at a minimum.

3030 CONFIDENTIALITY: Identify confidentiality, integrity and availability (CIA) controls needed to properly protect personal data.
3031 Review and revise policies and procedures that specifically lay out how organization personnel and systems protect the CIA of personal data.
3032 Publish formal, tactical policies and procedures explaining how personnel can deploy CIA protection requirements for personal data.
3033 Create a formal program or process to regularly improve CIA protections by (1) hiring or realigning relevant expert personnel, (2) deploying improved online technology and (3) researching and enabling personnel to learn current best practices.
3034 Review and revise process or technological controls that prevent or significantly reduce personal data being used against organization policy, such as requiring tax reference numbers be used only for certain purposes or in certain systems or by certain personnel.
3035 Identify all partners and service providers that use personal data from the organization and execute agreements with them that they will use the personal data only as the organization allows in writing.
3036 Review and revise processes that specifically outline how to restore personal data access when it becomes unavailable, and implement technology to promptly do this, such as using redundant data and power sources.
3037 Review and revise internal research efforts or notification systems to track legal requirements and accepted means for safeguarding personal data transfers or use outside legal counsel to do the same.   Use the preceding knowledge to set up appropriate technical and organizational safeguards for personal data transfers.
3038 In addition to encryption, implement protections to maintain personal data confidentiality, such as file permissions, access control lists and physically securing computers and network equipment.
3039 Use online technology and procedural safeguards to protect personal data integrity, such as hashing, replication and input validation.
3040 BREACH: Define categories of potential breaches, based on personal data used within the Bespoke Application Service.   Set-up appropriate response plans, prioritized by the anticipated impact of the potential breaches.   These response plans will include steps for detection and analysis of breaches, their containment, eradication and post-incident recovery.
3041 Define a procedure for responding to data breaches.   Include basic impact assessment and risk determination pertaining to ongoing impact to data subjects.   Define the notification procedures used to inform data subjects and supervisory authorities about personal data breaches in a timely manner (72 hours for supervisory authorities).
3042 Create templates for data breach notifications and the guidelines for when to use each template.   Write notices in clear and plain language and include information, such as breach nature and impact, contacts within the organization and actions taken to remedy damages from the breach.
3043 Implement a capability to detect data breaches across the organization that is focused on high-risk personal data.   This is accomplished through a combination of technical and artificial-intelligence controls, including Data Loss Prevention (DLP) facilities, Security Information and Event Management (SIEM) facilities and people-driven controls.
3044 Review and revise an online service of data breach records that helps ensure breaches across the organization are consistently documented and reported.   Include information on the origin, impact and remedies of data breaches with root cause analysis that was performed.
3045 Extend the organization's data breach repository to include documentation of lessons learned from the data breach response process.   Discuss lessons learned with appropriate personnel and encourage change within the organization based on lessons learned.
3046 Define a process to regularly review data breach response procedures and online technology and update them to stay current with emerging online facilities and threats.
3047 Define metrics to track effectiveness of data breach response.
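Task 3043 relies on SIEM-style rules over access logs to surface a breach while it is in progress. The block below is an added example, not code from the methodology or the DPAS service: one such rule, run over constructed sample log lines, flags an account that touches more distinct data subjects than a defined threshold within a short window, which is a common indicator of bulk extraction. The log format, the window and the threshold are assumptions a real deployment would tune to its own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: one access event per line, written by the BAS when a
# user reads or exports a data subject's record.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"subject=(?P<subject>\S+) store=(?P<store>\S+)$"
)

# Constructed sample log. alice reads four subjects inside two minutes; carol
# reads four subjects spread over half an hour; one line is malformed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice action=read subject=DS-1001 store=crm
2024-05-01T10:00:15Z user=bob action=read subject=DS-1002 store=crm
2024-05-01T10:00:30Z user=alice action=read subject=DS-1002 store=crm
2024-05-01T10:01:02Z user=alice action=export subject=DS-1003 store=ticketing
2024-05-01T10:01:40Z user=carol action=read subject=DS-1001 store=crm
this line is not in the expected format
2024-05-01T10:01:55Z user=alice action=read subject=DS-1004 store=crm
2024-05-01T10:10:00Z user=carol action=read subject=DS-1005 store=crm
2024-05-01T10:20:00Z user=carol action=read subject=DS-1006 store=crm
2024-05-01T10:30:00Z user=carol action=read subject=DS-1007 store=crm
2024-05-01T10:30:05Z user=bob action=update subject=DS-1003 store=crm
""".splitlines()


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_bulk_access(lines, window=timedelta(minutes=5), threshold=3):
    """Raise one alert per user who reads or exports records of more than
    `threshold` distinct data subjects within `window`. Lines are expected in
    time order, as a SIEM would deliver them."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, subject) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["action"] not in ("read", "export"):
            continue
        queue = recent[event["user"]]
        queue.append((event["ts"], event["subject"]))
        while queue and event["ts"] - queue[0][0] > window:
            queue.popleft()  # drop events that have aged out of the window
        distinct = {subject for _, subject in queue}
        if len(distinct) > threshold and event["user"] not in alerted:
            alerted.add(event["user"])
            alerts.append({
                "user": event["user"],
                "at": event["ts"].isoformat(),
                "distinct_subjects": len(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print(alert)
```

The alert carries only the account, the time and the count, which is what an analyst needs to triage; the malformed line is skipped rather than crashing the rule, and carol's slow, spread-out access stays below the threshold because the window drops aged events before counting.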

3050 TESTING: Perform necessary security testing at defined intervals.   Create an ongoing schedule that will include various forms of testing, such as automated scans, penetration testing and phishing campaigns.   These tests shall account for the organization's security controls and identify ongoing opportunities to secure personal data.
3051 Review and revise a process for testing security measures, with frequency and rigour of testing based on the risk associated with each security measure.   Include both technical and non-technical measures in the testing process.   Develop a procedure for addressing measures that do not perform adequately during testing.
3052 Engage with an external partner to perform security testing and validation of the effectiveness of security measures.   A combination of security control assessment, maturity assessment, penetration test, adversarial simulation and security audit is mandated.
3053 Implement online technology to assist with testing technical security controls.   Examples include automated data gathering, iterating test cases in bulk and attempting to circumvent security safeguards.
3054 Hire or realign personnel to test security controls and train them on scoping and testing methodology to validate the effectiveness of implemented safeguards.

4000 Report
4010 EVIDENCE: Review and revise a way to track processing activities as online evidence.   Determine which activities require detailed record keeping, as well as what additional information to capture with each activity.   Create a policy and procedures to help enforce the tracking capability.
4011 Extend record keeping to include at least the following metadata for each processing activity: the name and contact details of the controller, purposes of processing, categories of personal data, recipients and their locations, time limits for retention and a description of security measures related to the processing activity.
4012 Train personnel throughout the organization who are responsible for data processing activities on how to document new activities and changes to existing activities.
4013 Select and implement an online service as the central repository for data processing activities.   Configure the online service to record both processing activities and categorical information about the activities and provide procedures and training to applicable people.
4014 Develop and document a process to record new processing activities, changes to processing activities and categorical information about the activities.   Include information about when and where this data is recorded and who is responsible for keeping data current and accurate.
4015 Appoint a department to take responsibility for staying current with regulatory developments regarding GDPR, especially the publication of codes of conduct and binding corporate rules.   Develop a process to learn about these developments either through a news feed or manual discovery efforts.
4016 As codes of conduct and binding corporate rules are published, determine appropriate means for demonstrating adherence to them.   Beyond performing any specified activities, focus on collecting and maintaining evidence of the activities.
4020 TRANSFER: Identify all processes involving transfer of personal data into and out of the UK.   Review and revise an inventory of all personal data types that are being transferred and review additional considerations for those data transfers.
4021 Review and revise a central repository to track ongoing processing activities.   Ensure transfers of data into and out of the UK are included in this repository under the relevant processing activity.   Log instances where personal data is transferred outside of the UK or between countries outside the UK.   Note that England and Scotland may end up with different regulations.
4022 While GDPR matures as a regulation, additional guidance will be released periodically.   Review and revise a process to stay up to date with changes in the regulatory landscape, including changes in adequacy decisions for third-country transfers.
4023 Assign responsibility for managing personal data transfers out of the UK and across international boundaries.   Train relevant personnel who may perform these transfers in proper handling and documentation procedures and in the appropriate escalation path for decisions regarding international data transfers.
4024 Select and implement technologies that can track and record data transfers crossing (or intending to cross) known international boundaries.   Focus initially on repeated data processing activities where source and destination are predictable.
4025 Define and socialize a process to update the record of processing activities that involve transfers of data outside the UK.   Include criteria to determine what processing activities need to be tracked and use a review process for new activities.
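The tracking described in 4021 to 4025 is easier to reason about with a concrete register. The block below is an added example written for this page, not code from the original page or from the DPAS it describes. It takes transfer events (activity, source country, destination country, recipient, data categories), classifies each as domestic, inbound, or leaving the UK (including a hop between two non-UK countries, which 4021 asks to be logged), looks the destination up in a safeguards table, and refuses to accept a record with no documented safeguard or missing categories. The event data, activity names and the SAFEGUARDS table are constructed assumptions for the example, not a statement of which countries currently hold adequacy decisions.

```python
"""Added example, not code from the original page or from the DPAS it describes.

A minimal register of cross-border transfers for the record of processing
activities. The event data, activity names and safeguards table are constructed
for the example and are assumptions, not a statement of which countries hold
adequacy decisions; check the current decisions before relying on such a table.
"""
from collections import defaultdict
from dataclasses import dataclass, field

HOME = "GB"  # assumption: the border being tracked is the UK's

# Constructed safeguards table keyed by destination country (assumption).
# "adequacy" stands for an adequacy decision, "scc" for contractual clauses.
SAFEGUARDS = {"GB": "domestic", "IE": "adequacy", "DE": "adequacy", "US": "scc"}


@dataclass(frozen=True)
class TransferEvent:
    activity: str        # processing activity as named in the central repository
    source: str          # ISO 3166-1 alpha-2 code of the sending system's country
    destination: str     # ISO 3166-1 alpha-2 code of the receiving system's country
    recipient: str       # processor or third party receiving the data
    categories: tuple    # categories of personal data moved


@dataclass
class TransferRecord:
    event: TransferEvent
    crosses_border: bool
    leaves_home: bool
    safeguard: str
    issues: list = field(default_factory=list)


def classify(event: TransferEvent, home: str = HOME) -> TransferRecord:
    """Classify one transfer and note anything that blocks a complete record."""
    src, dst = event.source.upper(), event.destination.upper()
    crosses = src != dst
    # A transfer "leaves home" if it ends outside the home country, which
    # also covers a hop between two foreign countries (e.g. DE -> US).
    leaves_home = crosses and dst != home
    safeguard = SAFEGUARDS.get(dst, "none")
    rec = TransferRecord(event, crosses, leaves_home, safeguard)
    if leaves_home and safeguard == "none":
        rec.issues.append(f"no documented safeguard for destination {dst}")
    if not event.categories:
        rec.issues.append("no categories of personal data recorded")
    if not event.recipient.strip():
        rec.issues.append("recipient not recorded")
    return rec


def build_register(events):
    """Group classified transfers by processing activity (the repository key)."""
    register = defaultdict(list)
    for ev in events:
        register[ev.activity].append(classify(ev))
    return dict(register)


def flagged(register):
    """Records that cannot be accepted into the record of processing as-is."""
    return [r for recs in register.values() for r in recs if r.issues]


def international_transfers(register):
    """Records that must appear under 'transfers out of the UK' for an activity."""
    return [r for recs in register.values() for r in recs if r.leaves_home]


# Constructed sample events (not real transfers).
SAMPLE_EVENTS = [
    TransferEvent("payroll", "GB", "GB", "HR bureau Ltd", ("name", "bank account")),
    TransferEvent("payroll", "GB", "US", "Cloud payroll Inc", ("name", "salary")),
    TransferEvent("crm-sync", "DE", "US", "CRM vendor", ("name", "email")),
    TransferEvent("crm-sync", "US", "GB", "CRM vendor", ("name", "email")),
    TransferEvent("analytics", "GB", "BR", "Analytics Co", ()),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_EVENTS)
    for r in international_transfers(reg):
        e = r.event
        print(f"{e.activity}: {e.source}->{e.destination} via {e.recipient} [{r.safeguard}]")
    for r in flagged(reg):
        print(f"BLOCKED {r.event.activity}: {'; '.join(r.issues)}")
```

The register is keyed by processing activity so that each international transfer lands under the activity it belongs to, as 4021 requires, and a record with an issue is surfaced rather than silently stored, which is the review step 4025 asks for. Swapping the constructed SAFEGUARDS table for one maintained under 4022 is the only change needed to track adequacy changes.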
4030 SUPPLY CHAIN: As part of an ongoing effort to identify all personal data, implement an online inventory of all processes that involve transmission of personal data to, or storage of personal data by, any third-party provider such as a supplier.   Identify ongoing opportunities to assess those third parties for appropriate management of any personal data.   Embed the requirements and communications necessary to verify effective protection of personal data.
4031 Create a mechanism to assess third-party service providers' data protection capabilities.   This can be via internal people and processes or from a vendor as a service.   At a minimum, assess third parties prior to starting any new processing activity and when activities or requirements change.
4032 Expand upon the third-party data protection standard by creating an inventory of which third-party service providers need to adhere to the standard, what processing activities they perform and the appropriate review time-frame for each.
4033 Create a process to include provisions from the third-party data protection standard in contracts and agreements with third-party providers.
4034 Expand upon the third-party data protection standard by defining procedures for auditing third-party service providers on a periodic basis.
4035 Include changes to personal data handling requirements in regular communications with third-party service providers.   Define the interface between internal efforts to maintain data protection and privacy standards and third-party communications.
4040 IMPACT ASSESSMENT: Perform analysis of potential impacts for when personal data is used.   This analysis will consider the impact to the data subject in the event of misuse, mishandling or unauthorized disclosure of the data.   A defined risk management framework, such as ISO 31000, is used to enable this analysis.
4041 Define the risk level for each potential impact based on severity, probability and exposure.   This is a rating of each impact as high, medium or low.
4042 For all potential personal data processing identified as high risk, perform a Data Protection Impact Assessment (DPIA) to define and implement mitigating procedures for high-risk impacts.
4043 Define a formal template with frequency of use standards to continually maintain an up-to-date risk assessment and DPIA portfolio.   Review and revise criteria for when a new assessment needs to be performed, such as when using new technologies for processing.
4044 Implement online technology to flag all new personal data stores for an assessment, prior to their storing personal data.
4045 Define the necessary privacy advocates and notify all required parties when a Data Protection Impact Assessment occurs.   Maintain relevant points of contact for when results of assessments need to be communicated or addressed.
4046 Review and revise a process to notify stakeholders for personal data processing deemed high risk and prepare necessary documentation to support mitigation of that risk.   Maintain points of contact with regulators and an ongoing communication strategy, as necessary, for predefined assessment scenarios.
4047 Integrate the Data Protection Impact Assessment (DPIA) process with IT and/or enterprise risk management activities.

Document Control
Document Title: GDPR Compliance Methodology - What was done.
Document Description: GDPR Compliance Methodology as a continuing improving procedure.
Document Key Words: GDPR, policy, process, procedure, business rules, Compliance Methodology.
Document Privacy: Public shared for the benefit of humanity.
Document Edition: 1.2 retail BP 14.99.
Document Released: 22 Aug 2017.