DPA software

Description: This document describes the architecture designed by Riesgo risk management for the operation and management of Data Protection Act compliance.

Posted: 8/3/2008 | Pages: 17
Data Protection Manager (DPA) software for Data protection Managers & Data controllers
www.riesgoriskmanagement.com

7/28/2008 www.riesgoriskmanagement.com || Data Protection Act compliance solution



Introduction

• Our solution takes six steps to comply with the Data Protection Act, namely:

– ICO notification
– Policies and guidelines
– Implementation planning and execution
– Project assessment
– Asset assessment
– Operational handover

• Our solution is beneficial to the following stakeholders:

– Data protection manager
– Data controllers
– Project managers
– Information security manager
– Internal auditors
– Asset owners

• Our intranet solution can be deployed so that it integrates seamlessly with all your business units.



Architectural overview

The Data protection compliance framework

Principles:

– 1st principle – lawful processing
– 2nd principle – business purpose
– 3rd principle – minimum data
– 4th principle – Accuracy
– 5th principle – Retention
– 6th principle – Rights
– 7th principle – Data Security
– 8th principle – outsourcing

Stakeholders:

– Data controller
– Internal Audit
– Information Security Manager
– Project managers
– Data Protection manager



Operational overview

(Diagram)

– System setup: org chart, policies, guidelines
– Management: Data Protection, Compliance & Assurance
– Real time interaction with the business units
– Principle assessment: 1st principle to 8th principle
– Contract & data processing agreement: 3rd parties, outsourced parties
– Alert










Our Services to DP Managers

Company type        | DPA maturity              | Services                                                                                        | Solution                              | Engagement
New/small companies | New to DPA implementation | Registration with ICO; policy writing; supporting the data controller; knowledge transfer; audit | Full solution / scaled-down solution | Ongoing / periodic
SME                 | Some DPA implementation   | Policy writing; supporting the data controller; audit                                          | Full solution / scaled-down solution | Ongoing
Large companies     | Mature DPA implementation | Gap analysis; audit                                                                             | Full solution                         | Periodic / ongoing
Government clients  | Security clearance        |                                                                                                 |                                       |



The 6 steps to DPA compliance







Notification form (last updated 12/03/08)

Part 1 – Data controller (DC)

• Name (correct legal title of the individual or organisation)
• Address (address of the organisation or person who has filled in the form)
• Company registration number (registration number, if a company)
• Contact name (name of a contact person for the organisation)
• Email (email of the contact person)
• Telephone (contact telephone)

General description of the processing of personal information carried out by the data controller

• Purpose [dropdown list of purposes] : new purpose
• Data subjects [dropdown list of data subjects] : new data subjects
• Data classes [dropdown list of data classes] : new data classes
• Recipients [dropdown list of recipients] : new data recipients
• Transfers : Yes/No

Part 2 – Security statement

• DC's general description of the measures to be taken for the purpose of protecting against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information:

– Statement of information security policy
– Controlling physical security
– Controls on access to information
– Business continuity plan
– Staff training in security systems and procedures
– Detecting and investigating breaches of security when they occur

Trading names

• Trading names or aliases
• Do you do any processing that you are not required to notify – Yes/No

– Reason:
» Any processing of structured manual records
» Purposes of staff administration
» Purposes of advertising, marketing and PR
» Purposes of accounts and records
» Non profit – membership administration

Statement of exempt processing

– Voluntary notification
– Representative name and address [if non-EEA]
– Declaration

Form actions: Edit, print, Export, save



DPA policies & guidelines

– Purpose policy
– Accuracy guideline
– Contractual agreement
– Retention policy
– Personal Data determinator
– Rights compliance
– Minimum data guideline



3rd step – Implementation plan

(Diagram)

– Setup organisation; setup business units; setup business unit point of contact; policy confirmation
– Roles: DPA Manager, Legal, Head of BU, Data controller, Audit
– Policies disseminated to each BU: business purpose, retention policy, minimum data, accuracy & relevance, rights, security
– BU projects go through the DPA assessment and are recorded in the DPA db
– Principles assessed: 1st Fairly & lawfully; 2nd Notified purpose; 3rd Minimum data; 4th Accuracy & kept up to date; 5th Retention; 6th Rights; 7th Security; 8th Outsourcing



Organisation setup

(Org chart)

– Management: Data Protection, Compliance & Assurance, Information Security Manager
– Business units



4th step intro – DPA project and asset assessments

Project assessment form:

– Project name
– Does this project involve the collection, storage and/or use of personal data? (PD determinator)
– Purpose: select from Purpose policy
– Minimum data: associated minimum data
– Accuracy of data: select from Accuracy guideline
– Retention: associated Retention policy
– Outsource: contractual data processing agreement
– Rights: confirm Rights compliance
– Security

Asset assessment form (existing / new assets):

– Does this asset involve the collection, storage and/or use of personal data? (PD determinator)
– Risk assessment

Inputs are drawn from the Purpose policy, Accuracy guideline, Retention policy, Rights compliance, Contractual agreement, Minimum data guideline and Asset database. Projects 1 to 5 are assessed against these; results are written to the db and reported.



4th step – DPA project assessment (1)

Workflow:

– Project manager registers the project (project details)
– DPA assessment request
– DPA assessment results: pass → DPA certificate; fail → mitigation plan
– Alert

Project manager views: My tasks, Policies, BU point of contact, View BU DPA dashboard, View Alerts, View organisation DPA dashboard

Projects:

Project name | Date   | Project contact | Project ID | Principle(s) | Gate | Comments
helix        | 1/2/08 | M Turner        | 654562     | 2, 6, 7      | 2    | Comments



4th step – Data protection manager software – project assessment (2)

DPA assessment: each project characteristic is answered Y / N / exception; the results feed the DPA dashboard and an alert goes to the project manager.

Principle               | Project characteristics assessed                                                                                        | Answer
1st – Lawful processing | Client notification: who, why & choices                                                                                  | Y / N / exception
2nd – Notified purpose  | Select from business purpose                                                                                             | Y / N / exception
3rd – Minimum data      | Minimum data associated with the business purpose                                                                        | Y / N / exception
4th – Accuracy          | Options for clients to keep information up to date                                                                       | Y / N / exception
5th – Retention         | Retention policy associated with the business purpose                                                                    | Y / N / exception
6th – Rights            | Copy of personal information; request stoppage; cease or not begin processing; not to make decision; seek compensation   | Y / N / exception
7th – Data security     | Risk management; business impact assessment                                                                              | Y / N / exception
8th – Outsourcing       | Outsourcing involved; data processing agreement                                                                          | Y / N / exception



5th/6th step – operational handover – DPA Dashboard

The DPA Manager and Analyst log on to the DPA compliance tool and see the Dashboard.

Counters: Assets 3 | Policies 7 | Projects 1

Policies: PD determinator (updated 12/08/08); Purpose, Accuracy, Minimum data, Retention, Security (each updated 11/01/07)

Projects:

Alert | Project name | Date   | Project contact | Project ID | Principle(s) | Gate | Comments
      | helix        | 1/2/08 | M Turner        | 102324     | 2, 6, 7      | 2    | Comments
      | helix        | 1/2/08 | M Turner        | 432345     | 7            | 2    | Comments
      | helix        | 1/2/08 | M Turner        | 654562     | 2, 6, 7      | 2    | Comments
      | helix        | 1/2/08 | M Turner        | 987878     | -            | 2    | Comments

Details: Project name: Helix; Type: Asset/Project; Project contact; Start date; Current milestone; Business unit

DPA assessment result: 1st principle – pass; 2nd principle – pass; 3rd principle – pass; 4th principle – pass; 5th principle – pass; 6th principle – pass; 7th principle – fail; 8th principle – pass
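The assessment gate and the dashboard row on the two preceding slides, written out as an added example. This is illustrative code, not Riesgo's product: the class and field names are assumptions, and so are three rules the slides leave open (an unanswered principle counts as N, an "exception" answer withholds the certificate until the DP manager reviews it, and any failed principle raises the alert and a mitigation item). The sample projects are constructed; the "helix" one mirrors the row that fails the 7th principle.

```python
"""Added example of the DPA project-assessment gate; not Riesgo's code.
Names, the unanswered-counts-as-N rule, the exception rule and the alert
rule are assumptions. Sample projects are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# The eight principles as labelled on the "Architectural overview" slide.
PRINCIPLES: Dict[int, str] = {
    1: "Lawful processing", 2: "Notified purpose", 3: "Minimum data",
    4: "Accuracy", 5: "Retention", 6: "Rights", 7: "Data security",
    8: "Outsourcing",
}
ANSWER_TO_RESULT = {"Y": "pass", "N": "fail", "exception": "exception"}


@dataclass
class Project:
    project_id: str
    name: str
    contact: str
    gate: int
    handles_personal_data: bool                 # PD determinator answer
    answers: Dict[int, str] = field(default_factory=dict)  # principles 1-7
    outsourcing_involved: bool = False          # 8th principle questions
    data_processing_agreement: bool = False


@dataclass
class AssessmentResult:
    per_principle: Dict[int, str]               # principle -> pass/fail/exception
    failed: List[int]
    exceptions: List[int]
    certificate: bool                           # True -> DPA certificate issued
    alert_project_manager: bool                 # True -> alert + mitigation plan


def assess(project: Project) -> AssessmentResult:
    """Run the eight-principle gate for one project."""
    if not project.handles_personal_data:
        # PD determinator says no personal data: nothing to assess, gate passes.
        all_pass = {n: "pass" for n in PRINCIPLES}
        return AssessmentResult(all_pass, [], [], True, False)

    per: Dict[int, str] = {}
    for n in range(1, 8):
        answer = project.answers.get(n, "N")    # assumption: unanswered counts as N
        if answer not in ANSWER_TO_RESULT:
            raise ValueError(f"principle {n}: answer must be Y, N or exception")
        per[n] = ANSWER_TO_RESULT[answer]

    # 8th principle follows the two outsourcing questions on the slide:
    # no outsourcing, or outsourcing with a data processing agreement, passes.
    if not project.outsourcing_involved or project.data_processing_agreement:
        per[8] = "pass"
    else:
        per[8] = "fail"

    failed = [n for n, r in per.items() if r == "fail"]
    exceptions = [n for n, r in per.items() if r == "exception"]
    return AssessmentResult(
        per_principle=per, failed=failed, exceptions=exceptions,
        certificate=not failed and not exceptions,   # exceptions await DP manager review
        alert_project_manager=bool(failed),
    )


def mitigation_plan(result: AssessmentResult) -> List[str]:
    """One mitigation item per failed principle, for the project manager's task list."""
    return [f"Principle {n} ({PRINCIPLES[n]}): remediate and request re-assessment"
            for n in result.failed]


def dashboard_row(project: Project, result: AssessmentResult, date: str) -> Dict[str, str]:
    """The columns of the Projects table on the DPA dashboard slide."""
    return {
        "Alert": "Y" if result.alert_project_manager else "",
        "Project name": project.name,
        "Date": date,
        "Project contact": project.contact,
        "Project ID": project.project_id,
        "Principle(s)": ", ".join(str(n) for n in result.failed) or "-",
        "Gate": str(project.gate),
    }


# Constructed sample, modelled on the 'helix' row that fails the 7th principle.
HELIX = Project(
    project_id="432345", name="helix", contact="M Turner", gate=2,
    handles_personal_data=True,
    answers={1: "Y", 2: "Y", 3: "Y", 4: "Y", 5: "Y", 6: "Y", 7: "N"},
)

# Constructed sample: outsourcing with no data processing agreement fails the 8th.
OUTSOURCED = Project(
    project_id="000001", name="payroll-bureau", contact="A N Other", gate=1,
    handles_personal_data=True, answers={n: "Y" for n in range(1, 8)},
    outsourcing_involved=True, data_processing_agreement=False,
)

if __name__ == "__main__":
    for proj in (HELIX, OUTSOURCED):
        res = assess(proj)
        print(dashboard_row(proj, res, "1/2/08"), mitigation_plan(res))
```

The gate is deliberately strict in one direction only: a missing answer never passes, and an "exception" never produces a certificate on its own, so the only way to a pass is an explicit Y (or a recorded agreement for outsourcing).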



Getting started

• Email – info@riesgoriskmanagement.com

– With information of your request

• Project cost negotiation

– Notification solution: £3,500 + 2 weeks man hours
– Entry solution: £8,750 + 2 months man hours
– Hybrid solution: £17,900 + 4 months man hours
– Deluxe solution: £25,950 + 4 months man hours

• Project implementation
• Delivery and handover
• Support solutions

– Manned on-site service (full/part time)
– Offsite support
– On demand support




About the author (ben oguntala)
Corporate Governance & Intellectual property are the two areas of specialisation. Corporate Governance: DPA, SOX, PCI & Information security (ISO27001).