Set the right controls
Navigate to the controls library by selecting the library icon from the main menu. Click Show Templates to see all available templates, then navigate to the GDPR control set; you can also use the search function to find it quickly. Click the Instantiate button to make the control set editable and visible to other members of your organisation in Alyne. You can now browse through all the controls.
Adapt Controls to your Organisation
Use the context menu to switch to edit mode, then review the control set against the following questions:
- Are all controls relevant in your context? Some controls may not be applicable and should be removed; you can also add further controls from the Alyne library to the control set as needed. Tip: if there are specific communities you want to address individually, create a copy of the control set and remove the controls that are not relevant for that audience. This is an effective way to reduce complexity for your users.
- Do the variable settings fit your organisation? You will notice parts of the controls highlighted in red. These are variables that can be adapted to your organisational context.
- Is there additional information you would like to convey to your audience? You can add it under the info icon: links to further information, guidelines on how specific controls are implemented in your organisation, or any other detail. You can also attach relevant documents to a control, or add custom references to other controls or policies using the standards editor.
Run a Gap Analysis
Understanding your current maturity in relation to the GDPR requirements is important for prioritising your activities and planning your implementation projects. Alyne provides an easy way to run assessments and analyse the resulting risk. You have two options to launch this assessment:
- Go to your control set and select Create Assessment from the context menu. The advantage is that any controls you have removed from or added to the control set are automatically reflected in the assessment. The drawback is that you have to set the target maturity for each question yourself.
- Alternatively, navigate to Alyne's assessment section using the button in the main menu and, again, show all templates. You will find a GDPR assessment template; select it and begin configuring the assessment. Note that changes you have made to the composition of the control set will not be reflected in this assessment. You will, however, get a suggested target maturity for each question, which you can adapt as needed during configuration.
You can also send different parts of the assessment to different recipients: create a copy of the assessment and remove the questions that are not relevant for those recipients. Results can be consolidated later for reporting. Once all requested responders have submitted their answers, you can create reports, analyse the identified gaps and raise risks for mitigation accordingly.
Set up Privacy Impact Assessments
Compared with previous privacy legislation in many European countries, one new requirement is the data protection impact assessment (DPIA, Article 35 GDPR): processing that is likely to result in a high risk to individuals must be assessed before it starts, which in practice means assessing processes, projects and organisational changes that affect personal data. Alyne provides a Funnel to document this. To set up the Funnel, open Funnels from the main menu and select the privacy impact assessment template. Review the outcome options and adapt them as needed. We recommend providing a message to the Funnel users that notifies them of the outcome and of any further action required. For higher-impact outcomes, your data protection officer may want to be informed by email; this can also be configured. If you want to perform a further risk analysis based on the outcome, you can configure the automatic sending of a risk assessment as a further Funnel trigger. Finally, review the questions that determine the privacy impact. Alyne suggests questions, but you may want to add, remove or update them to match your organisation's requirements. Once the Funnel is active, notify the process and project owners and ask them to start populating their privacy impact assessments using the new Funnel.
Set up Processing Registers
Alyne has a workflow tool we named "Funnels" that captures objects and classifies them based on defined criteria. This functionality is well suited to setting up a processing register. To start, navigate to the Funnels section using the main menu. You can either create your own Funnel from scratch or select one of Alyne's templates. We recommend implementing the Privacy Impact Assessment Funnel, the Identification of Commissioned Data Processing Funnel (to capture vendors) and the Data Processing Register Funnel. A Funnel for information classification can also help people in the organisation determine the correct rating for a specific data set.
Once you have configured the desired outcomes, defined the triggers you want to use (e.g. an email to the data protection officer for certain outcomes, or a detailed assessment for identified high-risk cases) and adapted the questions to your needs, you can roll out the Funnel to the wider audience. A short guide with plenty of screenshots on how to fill out the Funnel helps process, data or vendor managers get started. Unless access has been deliberately restricted, all users can contribute to Funnels, while only Expert and Admin users can view responses. Check these role assignments before rollout: the responses to a processing register or impact assessment describe personal data and processing activities and should be visible only to the people who need them.
Establish Continuous Privacy Risk Management
We believe that implementing GDPR is not a one-off project but an ongoing management process. Core to this process is identifying, managing and mitigating data privacy related risks. Alyne's risk management capability is an easy and smart way of implementing this. To get started, follow these steps:
Set up Risk Tags
Risk Tags are labels applied to individual risks to categorise them by topic, theme, geography and so on. Each Risk Tag must have a title and a description, and you can define risk appetite thresholds for that specific area. For a privacy organisation we recommend the following Risk Tags: Top Risks, External Data Processing, Data Privacy Processes, Technical Security, Organisational Security and Awareness.
Once the Risk Tag structure is established, it is a good guide for brainstorming privacy risks tag by tag. If a privacy risk register already exists, you can include those risks as well. Gaps identified through the privacy assessment are another good source and can be flagged as risks directly from the assessment reports. A risk is defined by a title and description, a rating of impact and probability, and a financial loss potential. Each risk must be assigned to at least one Risk Tag but can be included in several, which lets you look at different segments of privacy risk from different perspectives.
Build Mitigation Plans
If you have added financial loss potentials to your risks and defined a financial loss appetite for each Risk Tag, you can define mitigation plans for all risks that exceed the appetite. A mitigation task is defined by a title and description, a due date and the potential the task has to reduce the impact and/or probability of the underlying risk. You can also assign the task to another user. All assigned tasks are summarised in the Task Manager, which is accessible from the main menu.
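To make the Risk Tag, risk and mitigation plan model above concrete, here is a small worked example written for this page. It is not Alyne's code, and Alyne's scoring formula is not described here; the example assumes that a risk's exposure is probability multiplied by financial loss potential, that exposure is summed per Risk Tag and compared with that tag's appetite, and that a mitigation task removes a fraction of the probability and/or of the loss (impact). The tag names follow the recommended list; the risks, amounts and tasks are constructed sample data.

```python
"""Toy privacy risk register: Risk Tags with appetite, multi-tagged risks,
and mitigation tasks that reduce probability and/or impact.

Illustrative code written for this page, not Alyne's implementation.
Assumed scoring: exposure = probability * loss potential, summed per tag.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RiskTag:
    title: str
    description: str
    appetite_eur: float  # assumed: maximum acceptable aggregate exposure for this tag


@dataclass
class MitigationTask:
    title: str
    due: str                            # ISO date, informational only
    probability_reduction: float = 0.0  # fraction of probability removed (0..1)
    impact_reduction: float = 0.0       # fraction of loss potential removed (0..1)


@dataclass
class Risk:
    title: str
    description: str
    impact: int                    # 1..5 rating, as documented in the register
    probability: float             # 0..1 likelihood of occurrence
    loss_potential_eur: float
    tags: List[RiskTag]
    tasks: List[MitigationTask] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The page's rule: every risk belongs to at least one Risk Tag.
        if not self.tags:
            raise ValueError(f"{self.title}: a risk needs at least one Risk Tag")

    def residual(self) -> Tuple[float, float]:
        """Probability and loss after applying all mitigation tasks (assumed model)."""
        p, loss = self.probability, self.loss_potential_eur
        for t in self.tasks:
            p *= 1.0 - t.probability_reduction
            loss *= 1.0 - t.impact_reduction
        return p, loss

    def exposure(self, residual: bool = False) -> float:
        p, loss = self.residual() if residual else (self.probability, self.loss_potential_eur)
        return p * loss


def exposure_by_tag(risks: List[Risk], residual: bool = False) -> Dict[str, float]:
    """Sum exposure per Risk Tag; a multi-tagged risk counts towards each of its tags."""
    totals: Dict[str, float] = {}
    for r in risks:
        for tag in r.tags:
            totals[tag.title] = totals.get(tag.title, 0.0) + r.exposure(residual)
    return totals


def over_appetite(tags: List[RiskTag], risks: List[Risk], residual: bool = False) -> Dict[str, float]:
    """Tags whose (inherent or residual) exposure exceeds their appetite, with the exposure."""
    totals = exposure_by_tag(risks, residual)
    return {t.title: totals.get(t.title, 0.0)
            for t in tags if totals.get(t.title, 0.0) > t.appetite_eur}


# Constructed sample data (hypothetical figures).
TOP = RiskTag("Top Risks", "Board-level privacy risks", appetite_eur=75_000)
EXT = RiskTag("External Data Processing", "Vendors processing personal data on our behalf", appetite_eur=50_000)
TECH = RiskTag("Technical Security", "Technical controls protecting personal data", appetite_eur=80_000)
TAGS = [TOP, EXT, TECH]

RISKS = [
    Risk("Vendor without DPA",
         "Payroll provider processes employee data without a signed data processing agreement",
         impact=4, probability=0.5, loss_potential_eur=200_000, tags=[TOP, EXT],
         tasks=[MitigationTask("Sign DPA with payroll provider", "2018-05-01",
                               probability_reduction=0.8)]),
    Risk("Unencrypted backups",
         "Customer database backups stored unencrypted at a hosting provider",
         impact=3, probability=0.2, loss_potential_eur=150_000, tags=[EXT, TECH],
         tasks=[MitigationTask("Enable backup encryption", "2018-04-15",
                               impact_reduction=0.5)]),
]

if __name__ == "__main__":
    print("Inherent exposure over appetite:", over_appetite(TAGS, RISKS))
    print("Residual exposure over appetite:", over_appetite(TAGS, RISKS, residual=True))
```

Running it shows Top Risks and External Data Processing over appetite on inherent exposure (the vendor risk alone is 100,000 and counts towards both tags), and no tag over appetite once the two mitigation tasks are applied, which is exactly the view a mitigation plan should give you before and after tasks are assigned.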
Run Awareness Program
So far, the work in Alyne has focused on establishing a privacy baseline that meets the GDPR's core requirements. The next step is getting the rest of the organisation involved in and aware of the privacy organisation. You can invite users to the organisation by opening the notification centre from the top right (indicated by your avatar) and opening the "Manage Organisation" menu. You can paste email addresses separated by commas, a CSV, or simply a "To" line from Outlook to add new users, and add a personal message to give them context.
Setting up a dedicated Control Set with controls that are relevant to a specific user group is a great way to make people aware of specific privacy requirements relevant to them. Users can use the reactions on each control to document their interaction with the content or add comments to clarify questions or raise issues.
A privacy assessment based on the controls that are relevant to a specific organisational unit or function is also an effective way of measuring current maturity levels across the organisation and raising awareness of identified gaps with the accountable stakeholders.
Finally, a Funnel can be set up to document participation in privacy awareness training. Create a new Funnel based on the object type Employee and add one Funnel question asking the respondent whether the privacy requirements were reviewed and understood. Outcomes in this case could be "Requirements read and understood" or "Requirements read but not fully understood". The Funnel then captures the participation of all employees in awareness programmes with an appropriate audit trail.
Working through the steps above establishes a sustainable baseline for dealing with GDPR requirements. There may be additional detailed questions for which you should seek legal counsel in addition to the insights gained in the gap analysis. You can always contact firstname.lastname@example.org for further questions.