
DPA software

Description

This document describes the architecture designed by Riesgo risk management for the operation and management of Data Protection Act compliance.

posted:
8/3/2008
language:
English
DPA protection Manager (DPA) software for Data protection Managers & Data controllers
www.riesgoriskmanagement.com
7/28/2008
Data Protection Act compliance solution

Introduction

• Our solution takes steps for complying with Data Protection, namely:
  – ICO notification
  – Policies and guidelines
  – Implementation planning and execution
  – Project assessment
  – Asset assessment
  – Operational handover
• Our solution is beneficial to the following stakeholders:
  – Data protection manager
  – Data controllers
  – Project managers
  – Information security manager
  – Internal auditors
  – Asset owners
• Our intranet solution can be deployed so that it integrates seamlessly with all your business units.

Architectural overview

The Data protection compliance framework

• Principles:
  – 1st principle – lawful processing
  – 2nd principle – business purpose
  – 3rd principle – minimum data
  – 4th principle – Accuracy
  – 5th principle – Retention
  – 6th principle – Rights
  – 7th principle – Data Security
  – 8th principle – outsourcing
• Stakeholders:
  – Data controller
  – Internal Audit
  – Information Security Manager
  – Project managers
  – Data Protection manager

Operational overview

[Diagram. Labels on the slide: Org chart; Policies; Guidelines; System setup; mgmt - Data Protection - Compliance & Assurance; Real time interaction; Business units; Principle assessment (1st principle to 8th principle); Contract & data processing agreement - 3rd parties - Outsourced parties; Alert; DPA]

Our Services to DP Managers

[Diagram. Labels, in the order they appear on the slide:]
• New to DPA implementation (New/small companies): Registration with ICO; Policy writing; Full solution; Supporting Data controller; Knowledge transfer; Audit; Scale down solution; ongoing; periodic
• Some DPA implementation (SME): Policy writing; Supporting Data controller; Audit; Full solution; Scale down solution; ongoing; Gap analysis
• Mature DPA Implementation (Large companies): Full solution; periodic; ongoing; Audit; periodic
• Other labels: Company; Government; Security clearance clients

The 6 steps to DPA compliance

Notification form (Last updated – 12/03/08)

• Part 1 – Data controller (DC)
  – Name (correct legal title of the individual or organisation)
  – Address (address of the organisation or person who has filled in the form)
  – Company registration number (registration number, if a company)
  – Contact name (name of a contact person for the organisation)
  – Email (email of the contact person)
  – Telephone (contact telephone)
• General description of the personal information being carried out by the data controller
  – Purpose [dropdown list of purposes] : new purpose
  – Data subjects [dropdown list of data subjects] : new data subjects
  – Data classes [dropdown list of data classes] : new data classes
  – Recipients [dropdown list of recipients] : new data recipients
  – Transfers : Yes/No
• Part 2 – Security statement
  DC's general description of the measures to be taken for the purpose of protecting against unauthorised or unlawful processing of personal information & against accidental loss or destruction of or damage to personal information:
  – Statement of information security policy
  – Controlling physical security
  – Controls on access to information
  – Business continuity plan
  – Staff training security systems and procedures
  – Detecting and investigating breaches of security when they occur
• Trading names
  – Trading names or aliases
  – Do you do any processing that you are not required to notify – Yes/No
  – Reason:
    » Any processing of structured manual records
    » Purposes of staff administration
    » Purposes of advertising, marketing and PR
    » Purposes of accounts and records
    » Non profit – membership administration
• Statement of exempt processing
• Voluntary notification
• Representative name and address [if non EEA]
• Declaration
• Form actions: Edit; print; Export; save

DPA policies & guidelines

[Diagram. Labels on the slide: Purpose policy; Accuracy guideline; Contractual agreement; Retention policy; Personal Data determinator; Rights compliance; Minimum data guideline]

3rd step – Implementation plan

[Diagram. Labels on the slide:]
• Setup: Setup organisation; Setup Business units; Setup Business unit Point of contact; Policy confirmation
• Roles: DPA Manager; Legal; Head of BU; Data controller; Audit; BU
• Policies: Business purpose; Retention; Minimum data; Accuracy & relevance; Rights; Security
• Flow: Policy dissemination; BU Projects; DPA Assessment; DPA db
• Principles: 1st Fairly & Lawfully; 2nd Notified purpose; 3rd Minimum data; 4th Accuracy & kept up to date; 5th Retention; 6th Rights; 7th Security; 8th Outsourcing

Organisation setup

[Diagram. Labels on the slide: mgmt - Data Protection - Compliance & Assurance - Information Security Manager; Business units; Org Chart]

4th step intro – DPA project and asset assessments

[Diagram. Labels on the slide:]
• Project: Project name; Does this project involve the collection, storage and/or use of personal data - PD determinator; Purpose (Select from Purpose policy); Minimum data (Associated Minimum data); Accuracy of data (Select from Accuracy guideline); Retention; Existing; Associated Retention policy; outsource; Rights; Security; New; Contractual Data processing agreement; Confirm Rights compliance
• Assets: Does this Asset involve the collection, storage and/or use of personal data - PD determinator; Risk assessment; Purpose policy; Accuracy guideline; Retention policy; Rights compliance; Contractual agreement; Minimum data guideline
• Stores and outputs: Asset database; Project 1; Project 2; Project 3; Project 4; Project 5; Report Db

4th step – DPA project assessment (1)

[Diagram. Labels on the slide: Project Details; DPA Assessment Request; DPA certificate; DPA Assessment results; Fail; pass; Project manager; Register project; Mitigation plan; My tasks; Policies; BU Point of contact; Projects; View BU DPA dashboard; Alert; View Alerts; DPA; View organisation dashboard]

Project entry shown on the slide:
• Project name: helix
• Date: 1/2/08
• Project contact: M Turner
• Project ID: 654562
• Principle(s): 2, 6, 7
• Gate: 2
• Comments: Comments

4th step – Data protection manager software – project assessment (2)

[Diagram. Columns on the slide: DPA assessment; Project characteristics; DPA assessment results; DPA dashboard. Each principle is answered Y / N / exception. An "Alert Project manager" label also appears.]

• 1st principle – Lawful processing: Client notification - who, why & choices
• 2nd principle – Notified purpose: Select from business purpose
• 3rd principle – Minimum data: Minimum data associated with business purpose
• 4th principle – Accuracy: Options for clients to keep info up to date
• 5th principle – Retention: Retention policy associated with the business purpose
• 6th principle – Rights:
  – Copy of personal information
  – Request stoppage
  – Cease or not begin processing
  – Not to make decision
  – Seek compensation
• 7th principle – Data security: Risk management; Business impact assessment
• 8th principle – Outsourcing: Outsourcing involved; Data processing agreement

5th/6th step – operational handover – DPA Dashboard

[Dashboard screenshot. Labels on the slide: Assets 3; Policies 7; Projects 1; PD determinator (Updated - 12/08/08); Purpose, Accuracy, Minimum data, Retention, Security (entries marked Updated – 11/01/07); Edit; 1st principle to 8th principle; Alert]

Project list shown on the dashboard:
• helix; Date 1/2/08; Project contact M Turner; Project ID 102324; Principle(s) 2, 6, 7; Gate 2; Comments
• helix; Date 1/2/08; Project contact M Turner; Project ID 432345; Principle(s) 7; Gate 2; Comments
• helix; Date 1/2/08; Project contact M Turner; Project ID 654562; Principle(s) 2, 6, 7; Gate 2; Comments
• helix; Date 1/2/08; Project contact M Turner; Project ID 987878; Principle(s) -; Gate 2; Comments

Details:
• Project name: Helix
• Type: Asset/Project
• Project contact:
• Start date:
• Current milestone:
• Business unit:
• DPA assessment result:
  – 1st principle – pass
  – 2nd principle – pass
  – 3rd principle – pass
  – 4th principle – pass
  – 5th principle – pass
  – 6th principle – pass
  – 7th principle – fail
  – 8th principle – pass

DPA Manager and Analyst will be able to log on to the DPA compliance tool and see the Dashboard.

Getting Started

• Email
  – info@riesgoriskmanagement.com
  – With information of your request
• Project cost negotiation
  – Notification solution: £3,500 + 2 weeks man hours
  – Entry solution: £8,750 + 2 months man hours
  – Hybrid solution: £17,900 + 4 months man hours
  – Deluxe solution: £25,950 + 4 months man hours
• Project implementation
• Delivery and handover
• Support solutions
  – Manned on site service (full/part time)
  – Offsite support
  – On demand support

About
Corporate Governance & Intellectual property are the two areas of specialisation. Corporate Governance - DPA, SOX, PCI & Information security - ISO27001.
Other docs by ben oguntala L...