To manage the whole GDPR process, you need a central point
where information about GDPR procedures is stored and can be updated
on a regular basis by dedicated personnel, including your Data Protection Officer.
This central place is of fundamental importance to keep track of your current compliance status,
identify issues and mitigate them. This is exactly the role of the so-called
Registry of Data Processing Activities, described in GDPR Article 30.
It can also demonstrate that GDPR compliance is a continuous process that has become an integral part of your business.
This is a key step towards an enhanced security posture.
The Pluribus One GDPR Registry Web app allows you to keep track of all data processing
activities according to a hierarchical structure and the various GDPR stages highlighted in this document.
Open Source: You may freely use and modify it according to our licence.
Sound framework and suggestion mechanisms: We implemented the Registry App by exploiting our expertise in the field of cybersecurity and a thorough study of GDPR (which nowadays is essentially a cybersecurity problem) to build a comprehensive framework. As you fill in the registry, the app can suggest how to proceed. We have inserted some useful suggestions that come from our GDPR framework and expertise.
Report Generation: You can generate, at any time, an updated, high-quality PDF report with all your registry data. This is a very useful feature, especially if your organization is under investigation by a GDPR supervisory authority.
Multi-language: Full translation support thanks to the Django framework. Currently, the interface is available in English and Italian language.
GDPR technology and services: If you need them, Pluribus One offers advanced technology and services around GDPR (see https://gdpr.pluribus-one.it) to help you achieve GDPR compliance.
The main hierarchical structure of the registry is shown below.
Organization (e.g., Acme SRL)
  Business Process (e.g., Human Resources)
    Processing Activity (e.g., Contractualization)
      Data Audit (e.g., identity documents of employees)
        Data Management Policy: how is data managed to prevent data breaches?
        Data Breach Detection: how can we detect data breaches?
        Incident Response Plan: how can we respond to data breaches?
        Data Protection Impact Assessment: a detailed document about the previous three mitigation measures for the prevention, detection and response against data breaches.
You may add as many entries as you require to the registry, e.g., an unlimited number of organizations, business processes, activities, data audits, and so on.
Hierarchical Structure - Example
An example of the hierarchical structure of the GDPR app registry is shown below.
Organization
Name: Acme SRL
Address: Via delle Strade, 9, 09123, Cagliari
Statute: Private Company
Data Protection Officer: Mario Rossi
Business Process
Name: Human resources
Description: Human resource management, overseeing various aspects of employment,
such as compliance with labour law and employment standards, administration of employee benefits,
and some aspects of recruitment and dismissal
Processing Activity
Description: Activity required to contractualize employees
Data Audit
Description: identity documents of employees
Category: personally identifiable information
Scope of treatment: personnel management
Legal base: necessary for the execution of a contract (GDPR art. 6(1)b)
Inherent risk: medium
Data Management Policy
Description: data is stored in a private database, in encrypted form, and
can be accessed only by the following persons: Robb Jones (administrative employee)
Data transfers: the data is not transferred to third parties
Data Subject Rights: data subjects have been informed and have explicitly agreed.
The document X also explains how they can view, correct, cancel, and limit the scope of our data processing.
Residual risk (of data breaches): low
Data Breach Detection
each access to the private database is monitored and
logged in an append-only logging database
anomaly-based intrusion detection capable of alerting on suspicious access attempts:
  from unexpected IP addresses
  at unexpected times (e.g., night, weekends)
  too many failed access attempts
  unexpected traffic from the database app to the internet
each alert is inspected by our security team, available 24/7, via authenticated,
Residual risk (of missing data breaches): low
Incident Response Plan
automatic read-only backups of the private database containing personal data
web application firewall capable of blocking traffic between the administrative app and the internet
data breach notification templates and a database of data subjects
immediate notification of security incidents by the security team to the Data Protection Officer via authenticated,
the administrative app runs in a virtual machine, so it can be frozen for forensic analysis
Residual risk (of unmanaged data breaches): low
Data Protection Impact Assessment
Details about the DPIA (if any), with link to PDF document.
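The Data Breach Detection rules listed in the example above (unexpected source IP, unexpected time, too many failed attempts, unexpected outbound traffic from the database app) can be expressed as checks over access-log records. The block below is an added illustration, not code from the Registry app; the trusted subnet, working hours, failure threshold and the log records are constructed assumptions.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network
# Assumed policy values (not from the page): admin workstations sit in 10.0.5.0/24,
# 10.0.0.0/8 is internal, work is Mon-Fri 08-19, 3 failures from one pair is "too many".
TRUSTED_SRC = [ip_network("10.0.5.0/24")]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
WORK_HOURS = range(8, 19)
MAX_FAILURES = 3

# Constructed sample access-log records for the private database (2024-03-04 is a Monday).
SAMPLE_EVENTS = [
    # trusted host, Monday morning, successful access: no alert expected
    {"ts": "2024-03-04T10:15:00", "user": "rjones", "src": "10.0.5.12", "ok": True, "dst": None},
    # same host and user, but at 02:30 at night
    {"ts": "2024-03-04T02:30:00", "user": "rjones", "src": "10.0.5.12", "ok": True, "dst": None},
    # three failed attempts from an address outside the trusted subnet
    {"ts": "2024-03-04T10:20:00", "user": "admin", "src": "203.0.113.7", "ok": False, "dst": None},
    {"ts": "2024-03-04T10:21:00", "user": "admin", "src": "203.0.113.7", "ok": False, "dst": None},
    {"ts": "2024-03-04T10:22:00", "user": "admin", "src": "203.0.113.7", "ok": False, "dst": None},
    # the database service host opening a connection to a non-internal address
    {"ts": "2024-03-04T11:00:00", "user": "dbsvc", "src": "10.0.5.2", "ok": True, "dst": "198.51.100.9"},
]

def check_event(ev):
    """Return the names of the per-event rules this record triggers (empty if none)."""
    hits = []
    if not any(ip_address(ev["src"]) in net for net in TRUSTED_SRC):
        hits.append("unexpected_source_ip")
    ts = datetime.fromisoformat(ev["ts"])
    if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
        hits.append("unexpected_time")
    dst = ev.get("dst")
    if dst and not any(ip_address(dst) in net for net in INTERNAL_NETS):
        hits.append("unexpected_outbound_traffic")
    return hits

def detect(events):
    """Apply the per-event rules plus the cross-event failed-attempt counter; returns sorted (rule, user, src) alerts."""
    alerts, failures = set(), Counter()
    for ev in events:
        for rule in check_event(ev):
            alerts.add((rule, ev["user"], ev["src"]))
        if not ev["ok"]:
            failures[(ev["user"], ev["src"])] += 1
    for (user, src), n in failures.items():
        if n >= MAX_FAILURES:
            alerts.add(("too_many_failed_attempts", user, src))
    return sorted(alerts)
```

Running detect(SAMPLE_EVENTS) yields one alert per (rule, user, source) triple, which is the list a 24/7 security team would triage.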