GDPR Intranet

RedDrum GDPR Intranet
The GDPR requires that businesses not only comply with a wide range of conditions but also, once compliant, are able to evidence and demonstrate continuing compliance. The Intranet module has been designed by Paul Hilder, the MD of RedDrum, who is a Certified EU GDPR Practitioner. It assists with compliance and then provides the tools needed to permit, demonstrate and document that compliance.

Secure working environment
Compliance normally involves a number of people working together, often remotely and with contributions from persons external to an organisation. The Intranet provides an extremely secure, internet-based environment where a team of people can work together. It contains a secure messaging system, document and calendar sharing, and a wide range of other features. Workflows can raise alerts when documents are changed or uploaded and can create document information flows. Security can be set to require dual validation for users, so that gaining access requires both a secure password and a code sent by text message to a previously specified mobile phone.

Training module (GDPR Principle 7)
A comprehensive training facility provides online learning, multiple-choice testing and a certification option, together with the ability to record and report on usage. Staff training in data protection, both initial and ongoing, is a key component in demonstrating compliance with the GDPR.

Policy acknowledgement (GDPR Article 30)
Another key aspect of compliance is being able to record and document both the distribution and the acknowledgement of policies. When a staff member logs in to the Intranet, the policy acknowledgement facility blocks any intranet use until they have accessed the specified policy. Reporting can detail the dates and times of access, together with the users who have or have not accessed the required policies. This reporting provides excellent, and required, evidence for compliance. The same facility can also be used for awareness campaigns.

Secure document library (GDPR Article 35)
Data Protection Impact Assessments (DPIAs), Privacy Notices, policies, training materials and other manuals can be stored on the Intranet in a permissions-based system.

Subject Access Requests (SARs) (GDPR Article 15)
A digital form can be published on the Intranet to permit the organised collection of SARs from clients/customers. Any SARs received by other means can also be logged in this section. The response to a SAR is subject to specific time limits, and warnings and similar reminders can be configured in this section.

Breach reporting (GDPR Articles 33 and 34)
A breach reporting system is absolutely essential for compliance. Date and time stamping is built into the system, providing excellent evidence of compliance from the initial reporting of a breach through to the actions undertaken in relation to it.

Auditing and record keeping (GDPR Article 30)
Workflows or digital forms can be used to provide evidence of audits and data processing activities.

Data Subject Access (GDPR Articles 15, 16, 17, 18, 19 and 20)
One of the biggest problem areas for organisations is fulfilling the 'right' of a data subject (client/customer) to have access to their Personally Identifiable Information (PII), the key and fundamental component of the GDPR. Access must be provided, together with a facility to erase, amend, transfer or stop the processing of a data subject's PII when it is the subject of a SAR.

Depending on the organisation, the amount of PII it holds and the nature of its processing of that data, this facility can be either extremely simple or very complex. Many organisations have multiple databases in which PII may be duplicated. In a simple scenario, where there is little processing of PII, few SARs are received and only one database contains the information, it is possible to import/export the specific data into the Intranet when a SAR is received.

The data subject would then be provided with a username and secure password to access their data on the Intranet, where they would have the facility to amend, delete, stop processing or download a CSV copy of the data, as they require. The system would record any changes they make, which would then be replicated to the database. A workflow would control this, to manage, document and evidence the process.

In a more complex environment, the database(s) could be fed live into the Intranet, or uploaded at fixed intervals, to provide an automated access solution for satisfying SARs. The feed could work both ways, so that once a data subject amended their details, the change could be replicated back to the main database(s). This is clearly a more complex solution, and its design would be determined by an organisation's individual requirements and its existing IT systems and platforms.
