GDPR Registry Web App
To manage the whole GDPR process, you need a central point
where information about GDPR procedures are stored and can be updated
on a regular basis by dedicated personnel, including your Data Protection Officer.
This central place is of fundamental importance to keep track of your current compliance status,
identify issues and mitigate them. And this is exactly the role of the so-called
Registry of Data Processing Activities, described in the GDPR Article 30.
It can also demonstrate that GDPR is a continuous process that has become an integral part of your business.
This is a key step towards an enhanced security posture.
The Pluribus One GDPR Registry Web app allows you to keep track of all data processing
activities according to a hierarchical structure and the various GDPR stages highlighted in this document.
Key Features
- Open Source: You may freely use and modify it according to our licence.
- Sound framework and suggestion mechanisms: We implemented the Registry App exploiting to our expertise in the field of cybersecurity, and a thorough study of GDPR (which nowadays, it is essentially a cybersecurity problem) to build a comprehensive framework. As you fill in the registry, the app can suggest you how to proceed. We have inserted some useful suggestions that come from our GDPR framework and expertise.
- Report Generation: You can generate, anytime, an updated, high-quality PDF report with all your data registry. This is a very useful feature especially if you organization is under investigation by GDPR supervisory authorities.
- Multi-language: Full translation support thanks to the Django framework. Currently, the interface is available in English and Italian language.
- GDPR technology and services: If you need, Pluribus One offers advanced technology and services around GDPR (see https://gdpr.pluribus-one.it), to help you to achieve GDPR compliance.
Hierarchical Structure
The main hierarchical structure of the registry is showed as follows.
- Organization e.g., Acme SRL
- Business Process e.g., Human Resources
- Processing Activity e.g., Contractualization
-
Data Audit e.g., Identity documents of employees
- Data Management Policy How data is managed to prevent data breaches?
- Data Breach Detection How can we detect data breaches?
- Incident Response Plan How can we respond to data breaches?
- Data Protection Impact Assessment It includes a detailed document about the previous three mitigation measures for the prevention, detection and response against data breaches.
You may add as many entries as you require in the registry, e.g., unlimited number of organizations, business processes, activities, data audits, and so on.
Hierarchical Structure - Example
An example of hierarchical structure of the GDPR app registry is showed below.
- Name: Acme SRL
- Address: Via delle Strade, 9, 09123, Cagliari
- State: Italy
- Statute: Private Company
- Data Protection Officer: Mario Rossi
- Name: Human resources
- Description: Human resource management, overseeing various aspects of employment,
such as compliance with labour law and employment standards, administration of employee benefits,
and some aspects of recruitment and dismissal
- Name: Contractualization
- Description: Activity required to contractualize employees
- Description: identity documents of employees
- Category: personal identifiable information
- Scope of treatment: personnel management
- Legal base: necessary for the execution of a contract (GDPR art. 6(1)b)
- Inherent risk: medium
- Description: data is stored in a private database, in encrypted form, and
can be accessed only by the following persons: Robb Jones (administrative employee)
- Data transfers: the data is not transferred to third parties
- Data Subject Rights: data subjects are informed and explicitly agreed
our privacy policy (link to document X).
The document X also explains how they can view, correct, cancel, and limit the scopes of our data management.
- Residual risk (of data breaches): low
- Description
- each access to the private database is monitored,
logged in a append-only logging database
- anomaly-based intrusion detection capable to alert on suspicious access attempts
- from unexpected Ip addresses
- at unexpetected times (e.g., night, weekends)
- too many failed access attempts
- unexpected traffic from database app to internet
- each alert is inspected by our security team, available 24/7, via authenticated,
encrypted channel
- Residual risk (of missing data breaches): LOW
- Description
- automatic read-only backups of the private database containing personal data
- web app firewall capable to block traffic to/from administrative app and internet
- data breach notification templates and database of data subjects
- immediate notification of security incidents by the security team to Data Protection Officer via authenticated,
encrypted channel
- the administrative app runs in a virtual machine so it can be freezed for forensic analysis
- Residual risk (of unmanaged data breaches): low
Details about the DPIA (if any), with link to PDF document.