Data Privacy

Learn how to implement and operate a data protection program - long

  • Episodes: 13
  • Duration: 22m
  • Languages: EN
Episode 6

Assets, GDPR and Flows

How Assets and Data Protection relate to each other

Introduction

Data Protection is made of two components:

  • Assets: this is the data that moves around your organization. In the context of Data Protection, assets come from the Asset Management module.
  • Data Flows: for every asset you will have one or more data flows. They describe how data moves around the organization.

We will describe how these two modules work together, as their relationship is required in order to use the Data Protection module.

Asset Management

When you create an asset in the "Asset Management" > "Asset Identification" module, you can specify the type of asset. If you want to use an asset in the "Asset Management" > "Data Protection" module, you need to set the type of asset to "Data Asset".

Only assets of that type will show under the "Data Protection" module. Once the assets show in this module you can start describing the attributes of the asset in the context of "Data Protection".

General Attributes and GDPR

Under the "Data Protection" module you can click on "General Attributes" and provide further context on this asset, in particular in relation to GDPR.

The form will ask you for a number of attributes that are mandatory under the regulation and that you must understand and document if you want to be compliant with the legislation. Helper texts with extracts of the legislation make it easier to understand what is expected from you.

Data Flows

Each asset will have one or more data flows. Data flows describe how data moves across the organization, and there are several types of flows:

  • Collect: how data is collected, using an online form, paper format, etc.
  • Modified: how data is modified, by whom, etc.
  • Stored: where and for how long data is stored.
  • Transit: how data moves around, over courier, networks, etc.
  • Deleted: how data is discarded.

It is perfectly normal to collect the same data in three different ways (for example: digital, paper and verbal), so don't be surprised if you find yourself in a situation where multiple flows of the same type exist.

For every flow you will also describe:

  • Which Business Unit is involved
  • Which Third Party
  • What Risks exist
  • What Controls are used to mitigate them
  • What Projects, Policies, etc.

If you have enabled GDPR under the "General Attributes" tab, then for every flow you will also have GDPR-related attributes to complete.