
GDPR control framework key components

GDPR control framework implementation key components
Preparing your GDPR control framework for implementation

If you are unsure what the GDPR looks like in practice, this page puts order around the apparent chaos surrounding the key components of a GDPR control framework.

We simplify the GDPR so that you get a better understanding and can implement the GDPR control framework you need in an orderly manner.

Organisation

Company

The name of the company registered with the Information Commissioner's Office


  • Data Protection Policy
  • Personal Data Risk Appetite
  • Personal Data Governance
  • Change management process to maintain the Data Protection Policy
  • Change management process to maintain the Personal Data Risk Appetite and Governance
  • Personal data operating model
  • Organisation chart
  • Resources
  • Standards
  • Procedures
  • Training
Address

The address, telephone and central email of the company registered with the Supervisory Authority


  • Registration with your Supervisory Authority
Data Protection Officer

The address, phone and central email of your organisation's Data Protection Officer


  • Justification for having/not having a DPO
  • If a DPO is needed: select, train, empower
  • Responsible for Subject Access Requests
  • Responsible for data breach handling and notification
  • Responsible for the ICO relationship
  • Responsible for risk assessment and quality assurance (DPIAs)
  • Develop and implement the Data Protection Policy
  • Provide information and guidance on the processing of all personal data
  • Produce “best practice” guidance material for staff
  • Organise the delivery of staff training
  • Monitor compliance with the GDPR across the organisation
  • Report directly to the Executive Board

Collection

Data use

How data is used and if it is used in automated decision making


  • An inventory of personal data use and processing
  • A mechanism for maintaining the inventory
  • Digital and physical security measures
  • Digital and physical access permission measures
  • Data breach monitoring
  • Data breach response plan
  • Change management process to maintain the data breach response plan
  • Internal instructions to refer any material or suspected data breach to the DPO
  • Internal instructions to immediately refer all desired process changes to the DPO
  • Metrics gathering process to collate and send breach data to the DPO
  • An information security policy
  • Change management process to maintain the information security policy
  • Change management process to maintain security and access
  • Change management process to maintain business continuity
  • Change management process to maintain and embed quality into processing (DPIA results)
  • Recovery process to restore personal data to its pre-incident state in a timely manner
  • Change management process to maintain data use text in product and service contracts
  • Change management process to maintain data security and integrity for joiners and leavers
Legal bases

The legal bases you use for lawful processing


  • An inventory of personal data use and processing
  • The selected legal basis for justifying each process
  • Contracts for all third parties from which personal data is received stating roles, responsibilities, accountability and liability
  • An inventory of these contracts showing parties, roles, responsibilities, accountability and liability
  • Change management process to maintain the legal bases
  • Change management process to maintain the contracts and contract inventory
Recipients

Entity categories that will access or receive the personal data


  • An inventory of personal data use and processing
  • The categories of people participating in each process
  • Contracts for all third parties that access or receive personal data stating roles, responsibilities, accountability and liability
  • An inventory of these contracts showing parties, roles, responsibilities, accountability and liability
  • Change management process to maintain participant categories
  • Change management process to oversee participant categories that are processors
  • Change management process to maintain the contracts and contract inventory
  • Change management process to maintain a list of who received personal data and what they received

Storage

Transfers

Contracts and control over third countries where data is sent, stored and processed


  • An inventory of personal data use and processing
  • The third countries participating in each process
  • Contracts for all third parties in these countries stating roles, responsibilities, accountability and liability
  • An inventory of contracts showing parties, roles, responsibilities, accountability, liability and the chosen legal transfer control mechanism
  • A justification of the selected transfer control mechanism or derogation used as a legal basis for each data transfer
  • The selected transfer control mechanism or derogation used as a legal basis for each data transfer
  • Change management process to maintain participant countries
  • Change management process to maintain the contracts and contract inventory
  • Change management process to maintain a list of who received personal data and what they received
Retention

How long the personal data will be retained


  • A retention and deletion policy
  • Change management process to maintain the retention and deletion policy
  • Processes to ensure and verify that data is stored for no longer than is necessary
Provision

What happens if personal data isn't provided


  • A statement justifying processes that cannot be performed without personal data

Rights

Consent

The right to give and withdraw consent


  • Privacy Notices and communications written in clear English, taking into account the comprehension skills of both adults and children
  • An output mechanism allowing the lawful sending of a Privacy Notice or communication
  • An input mechanism allowing the receipt of consent status in response to a Privacy Notice or communication
  • A mechanism to ask for further proof of identification in order to ensure that the consenting individual is the true owner of the personal data
  • A mechanism to ask for further proof of identification in order to ensure that the adult consenting on behalf of a child is the child’s true parent or legal guardian
  • An inventory of Privacy Notices and communications showing what was sent, when sent and the unconditional consent status (accepted/withdrawn)
  • Change management process to maintain the Privacy Notice and communication text
  • Change management process to maintain the inventory
  • Change management process to stop/start processing based on the consent status
  • Change management process to communicate the consent status to third parties who have received the data
Rights support

The right to access, change, delete, restrict, object to processing, or request a copy


  • An inventory of each data subject’s personal data
  • Internal instructions to refer all rights access requests directly to the DPO
  • An input mechanism allowing the receipt of a rights request to access, change, delete, restrict, object, request a copy
  • A process to review the rights request and decide on an appropriate course of action
  • An inventory of rights requests showing when received, action taken, resolution, and communication back to the individual
  • A mechanism to allow the individual to view his/her personal data
  • A mechanism to ask for further proof of identification in order to ensure that the individual requesting action is the true owner of the personal data
  • A mechanism to implement the personal data changes or deletions requested by the individual
  • A mechanism to respect the restrictions and objections to processing requested by the individual
  • Change management process to stop/start processing based on the consent status
  • A mechanism to collate, create and send personal data to the individual or another entity
  • Change management process to communicate any changes, deletions, restrictions and objections to third parties who have received the data
Complaints

The right to complain to the Supervisory Authority


  • Open communication channel with the regulator
  • Immediate escalation channel to the Executive upon receipt of a complaint registered with the regulator
  • Response plan in the event of a complaint