GDPR Registry Web App

To manage the whole GDPR process, you need a central point where information about GDPR procedures are stored and can be updated on a regular basis by dedicated personnel, including your Data Protection Officer. This central place is of fundamental importance to keep track of your current compliance status, identify issues and mitigate them. And this is exactly the role of the so-called Registry of Data Processing Activities, described in the GDPR Article 30. It can also demonstrate that GDPR is a continuous process that has become an integral part of your business. This is a key step towards an enhanced security posture.

The Pluribus One GDPR Registry Web app allows you to keep track of all data processing activities according to a hierarchical structure and the various GDPR stages highlighted in this document.

Key Features

Hierarchical Structure

The main hierarchical structure of the registry is showed as follows.

You may add as many entries as you require in the registry, e.g., unlimited number of organizations, business processes, activities, data audits, and so on.

Hierarchical Structure - Example

An example of hierarchical structure of the GDPR app registry is showed below.

Organization

  • Name: Acme SRL
  • Address: Via delle Strade, 9, 09123, Cagliari
  • State: Italy
  • Statute: Private Company
  • Data Protection Officer: Mario Rossi

Business Process

  • Name: Human resources
  • Description: Human resource management, overseeing various aspects of employment, such as compliance with labour law and employment standards, administration of employee benefits, and some aspects of recruitment and dismissal

Processing Activity

  • Name: Contractualization
  • Description: Activity required to contractualize employees

Data Audit

  • Description: identity documents of employees
  • Category: personal identifiable information
  • Scope of treatment: personnel management
  • Legal base: necessary for the execution of a contract (GDPR art. 6(1)b)
  • Inherent risk: medium

Data Management Policy

  • Description: data is stored in a private database, in encrypted form, and can be accessed only by the following persons: Robb Jones (administrative employee)
  • Data transfers: the data is not transferred to third parties
  • Data Subject Rights: data subjects are informed and explicitly agreed our privacy policy (link to document X). The document X also explains how they can view, correct, cancel, and limit the scopes of our data management.
  • Residual risk (of data breaches): low

Data Breach Detection

  • Description
    • each access to the private database is monitored, logged in a append-only logging database
    • anomaly-based intrusion detection capable to alert on suspicious access attempts
      • from unexpected Ip addresses
      • at unexpetected times (e.g., night, weekends)
      • too many failed access attempts
      • unexpected traffic from database app to internet
    • each alert is inspected by our security team, available 24/7, via authenticated, encrypted channel
  • Residual risk (of missing data breaches): LOW

Incident Response Plan

  • Description
    • automatic read-only backups of the private database containing personal data
    • web app firewall capable to block traffic to/from administrative app and internet
    • data breach notification templates and database of data subjects
    • immediate notification of security incidents by the security team to Data Protection Officer via authenticated, encrypted channel
    • the administrative app runs in a virtual machine so it can be freezed for forensic analysis
  • Residual risk (of unmanaged data breaches): low

Data Protection Impact Assessment

Details about the DPIA (if any), with link to PDF document.