GDPR Process - Data Management Policy

Data Management Policy

Once the data audit has been performed and documented, it is time to assess how such data is managed by your organization to make sure that this process fully complies with GDPR.

The result of this analysis should be a report for each category of data identified in the data audit phase, describing the current management policy together with all measures put in place to protect personal data and to allow data subjects to fully exercise their rights.

Data Management Policy - How To

Add a Data Management Policy to each Data Audit

In the edit page of the data audit, click the add (+) icon next to the "data management policy" field. You can then enter all details of the data policy. In this example, the data is handled by a web application that stores it in encrypted form and allows only specific (authorized) users to access it.

Please note that in general, for each data management policy, you should specify:

  • Data Protection: how data breaches are prevented, i.e., how personal data is properly protected.
  • Data Transfers: whether data transfers are currently in place (e.g., your organization transfers data to third-party processors), and the related contracts. These contracts should be GDPR-compliant, i.e., they should allow you, as the data controller, to fully satisfy the rights of the data subjects.
  • Data Subject Rights: how data subjects are informed of their fundamental rights and how they can exercise them (viewing, correcting, or deleting their data, and limiting the scope of processing).
  • Residual Risk (of data breaches): an evaluation of the residual risk of data breaches given the data protection measures that have been put in place. This should be the output of a detailed risk analysis that evaluates the likelihood and impact of data breaches for the considered data audit and protection measures.

[Screenshot: Add Data Management Policy]