Personal data protection management system

The application organizes, automates and supports processes related to personal data protection (GDPR)

RIG GDPR Module

Supports the implementation of GDPR requirements by obtaining and maintaining registers

Register of processing activities

The functionality allows you to build a register of activities:

  • Fully compliant with the regulations and recommendations of the Office for Personal Data Protection
  • Based on dictionaries used simultaneously in many places in the application, which allows you to standardize records and speed up work
  • Allowing you to show which resources in the company are used in the process of implementing individual processing activities
  • Including a system that automatically supplements technical and organizational security measures by linking them to assets
  • Including a system that automatically supplements data such as processors, categories of recipients, third countries and safeguards for data transfers outside the EEA, based on the connections built between them in dictionaries

Overall risk assessment

The Module implements the requirements of Articles 24 and 32 of the GDPR. It is the most automated functionality of the system, allowing all processing activities performed to be compared with the threats related to them, through the supporting assets (resources) used. This layout, in the form of a table with one row for each combination of threat, supporting asset and processing activity, allows for:

  • Identification of resource owners and risk owners.
  • Identification of the vulnerability of resources that may contribute to the materialization of threats and indication of the security measures that these resources have that can counteract these threats
  • Assessment of the probability of the threat materializing and the loss of a specific security attribute by data: confidentiality, integrity, availability, compliance with the law
  • Estimation of the risk value, based on the assessment of the probability and assessment of the severity of the consequences for data subjects, derived for each of the processing activities in a separate panel
  • Development of a detailed risk management plan for individual threats, assets or activities, including assigning one plan to many combinations
  • Execution of a forecast of the impact of the risk management plan on the risk value from the original estimate
  • Assessment of the need to conduct an impact assessment for data protection based on the results of the risk assessment.

Thanks to the group editing function, each of the above-mentioned operations can be performed simultaneously for even several hundred records.

Data Protection Impact Assessment (DPIA)

This functionality allows you to conduct a full data protection impact assessment by:

  • Assessing whether there are grounds for or against the obligation to conduct a data protection impact assessment.
  • Assessing the likelihood of a high risk of infringement of the rights and freedoms of natural persons.
  • Collecting all information necessary to conduct the assessment:
    – Description of the planned processing operations
    – Assessment of proportionality and necessity
    – Assessment of the risk of infringement of rights and freedoms
    – Description of the measures planned to address the risks
    – Documentation of any consultations, including consultations with the supervisory authority.

Processing activity category register

This functionality is used to develop a processing activity category register that is fully compliant with the requirements of the relevant authority, in which the organization records activities performed on behalf of other entities. The Module allows you to define a category and rewrite it multiple times for multiple administrators (if a service with the same scope is offered to multiple entities).

Register of authorizations

The functionality allows you to instantly generate print-ready authorization documents for the processing of personal data.

  • The Module uses the linking of authorizations with processing activities and the scope of data processed in them.
  • It has flexible mechanisms that facilitate the creation of subsequent authorizations based on previously defined models.
  • It provides full control over the validity of authorizations, thanks to the linking with the register of processing activities and the status system.

Legitimate interest assessments

This functionality is used to assess and document whether the legal basis for a given processing activity may be the legitimate interest of the controller or a third party, as listed in Article 6 paragraph 1 letter f) of the GDPR. This assessment, in accordance with the guidelines, is carried out by:

  • Performing the Interest Test
  • Performing the Necessity Test
  • Performing the Balance Test
  • Performing a full assessment report.

Register of entrustment agreements / Register of joint administration agreements

These functionalities allow you to:

  • Record entrustment agreements
  • Perform processor verification
  • Store copies, scans and draft agreements
  • Record, archive and supervise agreements between joint administrators.

Document Repository / RIG Document Repository

These functionalities allow for:

  • Storing and recording policies, procedures, templates and any other company documents related to personal data protection.
  • Using document templates prepared by RED INTO GREEN

Incident and violation register

This Functionality allows for:

  • Evaluation of the event and its qualification as a security incident or data protection breach.
  • Risk assessment in the event of a personal data protection breach and determination of the recommended procedure regarding reporting to the supervisory authority, informing the administrator and data subjects.
  • Risk assessment of the breach using two methods – ENISA and DAPR.
  • Automatic preparation of a report to the supervisory authority, a message to the data administrator and data subjects in the RIG assessment form.
  • Recording of security incidents and personal data protection breaches.
  • Maintaining records relating to the incident/breach.

Register of the implementation of data subjects’ rights

This functionality allows for:

  • Recording and classifying data subjects’ requests.
  • Supervision of timely execution of requests – when a new request is added, an appropriate processing date is automatically assigned.
  • Comparing individual requests with each other.
  • Storing documents related to the request, such as scans, response content, and others.

Register of personal data disclosures

This functionality allows for:

  • Recording all personal data disclosures made by the organization.
  • Classifying the type of recipient and recording the types of data and the size of the shared sets.
  • Storing documents with a basis for disclosure, e.g. applications, contracts.

DPO Journal

This functionality allows you to:

  • Keep accurate records of activities within the scope of the performance of the data protection officer function, ensuring accountability.
  • Store documents confirming the performance of activities.
  • Plan DPO activities.
  • Collect information on completed trainings, audits, and prepared recommendations, along with the possibility of storing their documentation.

Reports

This functionality allows you to:

  • Export, as an xlsx file, summary data from all key functionalities present in the application for archiving or auditing purposes.
  • Prepare clear and easy-to-read reports that give an overview of the processes, resources and risks generating the highest risk values in the organization. The reports also support the development of effective action plans.
  • Develop reports that support an analytical view of the company’s processes. They enable risks to be located and assessed, and appropriate changes to be made to management activities.
  • Generate reports in a clear and readable form, ready to be printed and presented to the organization’s management in the form of a so-called heat map.
  • Include in the extended reports analytical hazard maps for further detailed analysis (so-called drill-down).
  • Generate a report showing the distribution of risks in the company by organizational unit.
  • Browse risks easily according to any criteria, thanks to pivot tables (e.g. checking which processing activities are affected by the failure of a company server).

Extensive help system

A comprehensive set of instructions for each Module, containing over 300 articles, which not only describes the operation of individual functionalities, but also describes the adopted methodology and is a valuable source of knowledge on the principles of personal data protection. The help portal is a platform for extensive know-how provided by DAPR sp. z o.o. to application users. Individual articles guide the user step by step through the functionalities, immediately including their substantive justification, which is crucial from the perspective of ensuring accountability.

If you want to learn more about the product, get details about the subscription, price, access or have other questions, please register!

FAQ

How does the RED INTO GREEN methodology support the Data Protection Officer?

  • The DPO sees the results of the risk analysis in the form of clear reports.
  • High degree of work automation (the system saves many hours of work while increasing the quality of the analysis carried out).
  • The DPO works in an Excel-like environment
  • Possibility of multiple data entry
  • Logical, transparent methodology for carrying out a risk analysis under the GDPR, including risk estimation and impact assessment (DPIA).
  • Intuitive handling of processing activity logs functionally linked to risk analysis.
  • Reports that enable prioritisation of tasks assigned to relevant functions, including the Data Protection Officer.
  • Full factual justification for each Module of the application.

What do the RIG GDPR reports provide? Are registers alone not enough?

The registers alone and the other Modules necessary to be compliant with the requirements of the GDPR are enough for us, but… Since we have already gone to so much trouble, devoted the time of several or a dozen people to gather information about the processes taking place in the company, activities to…. We have virtually complete data on the IT infrastructure, technical security and much other valuable information. Why not use them in an even more productive way? Give the information to decision-makers in an aggregated way, use it to improve the organization, support its development? And, at times, prevent a slip-up due, for example, to a lack of some simple security feature? Or perhaps to improve a process? All the data you need for this is in the reports. All you need to do is look at them or think about what other report your organization could ‘use’. We will put it together for you.

How long does it take to implement the RIG GDPR Module?

As early as 1 week after signing the contract, the customer can be fully operational with the RIG GDPR Module.

D+0 – signing the contract, defining system users.

D+1 – launching a new instance, configuring user accounts (actual time depends on the involvement of the Client’s IT department; statistically, the workload is completed in less than 4 hours).

D+2/D+3 – user training (1-2 days).

D+3/D+4 – the Client starts working in the application, with constant availability of technical and substantive support from RED INTO GREEN.

How does RIG make the work of the Data Protection Officer easier?

To make the work easier and allow most of it to be done by people who are not professionally involved with GDPR, we use a system of hints at each stage of work with the application. The hints explain why the activity is being performed (what legal provisions we are fulfilling) and how to perform a given activity so that it is performed correctly. We want the application to relieve the DPOs and allow the data needed for risk analysis to be entered by the specialists who take care, on a daily basis, of the areas of the company’s activity that it covers.