The hype around GDPR compliance may have died down, but that doesn’t mean that your obligations have.
Leading up to the May 25, 2018 deadline, you couldn’t turn a corner without bumping into another article, blog post, or water cooler discussion about the EU General Data Protection Regulation (GDPR). It seemed like everyone was abuzz, all rushing to ensure compliance with this new regulation.
But GDPR compliance isn’t “set it and forget it”—it has a long list of ongoing deliverables that organizations need to stay on top of.
Data Processing Addendum (DPA)
One of these ongoing deliverables is the establishment of Data Processing Addendums (DPAs) with all vendors. These addendums need to be set up for any vendor (a payroll or CRM provider, for example) that stores and processes the personal information of employees or customers.
Personal data is any information related to a natural person, or “Data Subject,” that can be used to identify somebody. Under the GDPR, personal data includes:
And whether you’re a controller of that data, a processor, or a sub-processor, it’s your responsibility to establish a DPA with every relevant vendor to ensure they meet their obligations. Think of it as a fail-safe way to make sure everyone does what they need to do, when they need to do it (like sending out timely notifications of a data breach or swapping out a sub-processor).
The DPA process
The process to establish a DPA is initiated when a new vendor is onboarded (e.g. during preliminary due diligence) and consists of the following four steps:
And you’re done! At least for that vendor…
How ACL can help with GDPR DPAs
Since assessing vendors under GDPR is an ongoing requirement, even for us here at ACL, we decided to use ACL GRC to execute a standard DPA due diligence process. We discovered a lot of benefits from using our own software to execute this process.
In the ACL Platform, when we enter (or onboard) a new vendor, a workflow is automatically initiated if we indicate that the vendor is within the scope of GDPR. This is helpful for large or complex organizations that require multiple departments to be involved in vendor onboarding, especially because no additional licenses are needed to include any number of employees in a workflow.
Once we’ve identified that a vendor is within scope and outlined why, the next step is to define what we’re monitoring, which actions should be performed, and when those actions should be triggered.
In the image below, the vendor status is currently under review, because a DPA review needs to be completed by our legal department once we receive the vendor’s DPA template.
One central place to store and access files
When multiple teams are involved in a documentation process, they often save a copy of their documentation as they complete their work, sometimes to their desktop, to shared drives, or maybe within project management tools like Confluence, Asana, or Jira. These folks may also request a copy of the final version for their files.
But we all know what happens when we have multiple versions of the same document floating around: chaos and confusion. IT, legal, and InfoSec now have several signed and unsigned copies of the DPAs for each vendor! In ACL GRC, we save the final file at the end of the workflow so everyone can easily access the actual final, signed version of the document. It’s a one-stop shop for all our DPAs.
Clear visibility with storyboards
ACL GRC also has self-serve dashboards for different teams, management, and operations. By integrating information from all of our processes, these dashboards give our teams visibility into DPA progress, helping us easily spot where things get hung up and mitigate those issues.
Auditable trail of who did what
All of the data and metadata is stored in ACL GRC, so at any time, for any record, we can look back and see who added what, which steps they took, and when. This helps us build a defensible position and show appropriate due diligence.
Ready to get started?
Managing your data processing addendums doesn’t have to be a pain. With the right technology in place, and processes that are tailored to your organization’s needs, you’ll easily be able to meet your obligations, and have a fail-safe way to make sure everyone is doing what they need to do, when they need to do it.
White paper: GDPR: How to establish a strong defensible position
Find out the key actionable steps you should take as part of your GDPR planning. In this white paper, produced in cooperation with Information Management, we discuss how you can: