Privacy Compliance framework and monitoring system
Designed to fulfil the requirements of the GDPR, this privacy platform is a modular system that assists data protection officers in developing, implementing, monitoring and maintaining a GDPR compliance framework. Feature-rich and designed in line with international best practice, this comprehensive data protection management system provides the tools data protection officers need to fulfil their responsibilities from a single, unified platform.
Data flow analysis - Inventory of personal information
Data flow analysis is a technique used to identify personal information and to map its sources, processing operations, storage locations and recipients. The GDPR process uses predefined templates to fast-track the analysis of an organisation's business processes and to clarify the flow of personal information internally and with external parties, through its various storage locations to its timely destruction.
Link to Regulatory Requirements, Address Risk and Demonstrate Compliance
GDPR requires that personal information must be processed lawfully. Without a proper legal basis, personal information cannot be processed. One of the legal bases for processing personal information is compliance with an obligation imposed by law on the responsible party. The GDPR system's legal register is a repository of data protection obligations contained in current legislation. It provides a reference for data controllers to check the compliance of their business operations against statutory obligations and record retention schedules.
Record of processing operations
Data controllers are required to maintain documentation of all processing operations under their responsibility. For many organisations this is a considerable burden. Often spreadsheets and Word documents are used to gather information from business units across the organisation. Tracking the collection, sharing the information securely and maintaining version control is difficult and time consuming. There is also a risk that this "template filling exercise" does not lead to a proper analysis of the processing. Our step-by-step, automated process assists data controllers and data protection officers in gathering the required information and maintaining the documentation in a centralised location.
Process assessment - adequate, relevant and not excessive
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive. Data controllers and data protection officers are required to ensure that the processing of personal information aligns strictly with the stated purposes, is not intrusive and is minimised. Documentation is required to demonstrate compliance. A step-by-step, automated process reduces the time and effort required from data controllers to ensure compliance.
Personal information impact assessments
The GDPR requires data controllers and data protection officers to complete data protection impact assessments to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information. The GDPR automated process provides guidance to data controllers on assessing the impact of the processing of personal information on the rights of data subjects and on selecting appropriate technical and organisational measures and standards.
The platform's privacy notice and transparency management system simplifies the complex process of creating, updating, and monitoring privacy notices across websites, application systems and business processes into one central location.
Data subject request handling
Data subjects have many rights under the GDPR. The Regulation requires data controllers to give a data subject a reasonable opportunity to exercise these rights, free of charge and in a manner free of unnecessary formality. The privacy platform enables these rights using online forms for:
- Data subject information requests
- Data subject access requests
- Data subject objections
- Data subject rectification requests
- Data subject right-to-be-forgotten requests
- Data subject data export requests (in certain circumstances)
- Data subject requests for assurance
Consent is one of the acceptable legal bases for processing personal information. However, the process of obtaining consent and managing the consent received is onerous. The privacy platform's consent management system keeps track of the business processes relying on consent and enables data subjects to check and change the consent they previously gave. Where new or refreshed consent is required, the consent management module ensures that a process to obtain valid consent is followed.
Direct marketing consent request
Before a data controller may contact a data subject for the purpose of direct marketing, the data controller must first request consent from the data subject using the form specified by the Regulator. The online process to contact multiple data subjects and request the completion of the direct marketing consent request form will reduce the time and effort required to collect consent for lawful direct marketing.
Written contracts with processors
Data controllers are required, in terms of a written contract between the controller and the processor, to ensure that a processor which processes personal information on the controller's behalf establishes and maintains appropriate security measures. Data controllers are required to identify the technical and organisational measures needed to counter the risks and to specify them in the written contract with the processor. When selecting technical and organisational measures, data controllers must have due regard to generally accepted information security practices and procedures that may apply to them generally or that may be required by specific industry or professional rules and regulations.
Data subject notification system
Responsible parties must take reasonably practicable steps to ensure that data subjects are aware of the information being collected and the purpose for which their personal information is being collected. Where the information is not collected from the data subject, the data subject must be informed of the source from which it is collected, the name and address of the responsible party supplying the information, details of any particular law authorising or requiring the collection of the information and the consequences of failure to provide the information. This burden can be reduced through the use of the POPIA online system to organise this communication with data subjects.
Personal information classification and risk mitigation
The classification of personal information is necessary to determine the most appropriate technical and organisational measures to counter risks to the rights and freedoms of natural and juristic persons. The personal information classification scheme provides your organisation with a standardised, baseline approach to countering the risks to data subject rights.
Data protection vulnerability evaluation
Potential attackers have greater opportunity to interfere with the processing of personal information when an organisation's processing is vulnerable to attack. Responsible parties must continually assess the risks to data subjects and take action to minimise the vulnerability of their business processes to interference. The POPIA privacy platform enables responsible parties to configure their own assessments or select one of the pre-defined assessments from the assessment knowledge base.
Operator compliance validation
The POPIA privacy platform enables information officers to assess and perform due diligence on operators' compliance with their contractual and legal obligations. Using a standardised due diligence process and predefined assessments for technical and organisational measures, each operator's current compliance status is scored and the operator's actions to improve the protection of personal information are tracked.
Personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed. Some personal information must be destroyed almost immediately, whilst other information can be kept for longer in accordance with an approved retention schedule. The POPIA records management process is for the management of an organisation's records throughout the records life-cycle. It includes the systematic and efficient control of the creation, maintenance and destruction of the records, along with the business transactions associated with them.
Data protection incidents require early detection and prompt response. The POPIA platform provides automated tasks to identify, analyse, contain, eradicate and recover from the incident effectively and efficiently. The predefined actions provide a formalised and reliable method to respond to incidents.
POPIA Breach Notification centrally manages interference and incidents, automates tasks, and maintains records to demonstrate compliance with the legislation. The tool is powered by a knowledge base of breach-related information and the typical penalties imposed by regulators. With POPIA Breach Response, automated workflows enable timely decision-making and breach notification for small and large numbers of data subjects who may be affected.
The POPIA eLearning module will enable your organisation to conduct internal awareness sessions regarding the provisions of the GDPR.
Prior authorisation requests
Once POPIA is enacted, before high-risk processing can commence, the responsible party must submit a prior authorisation request to the Information Regulator. The POPIA platform's pre-defined workflow and templates assist responsible parties in preparing successful prior authorisation requests.