How does it meet the requirements imposed by the GDPR?
Managing personal data manually, sometimes using spreadsheets, requires a huge effort to keep information updated as required by the GDPR. It also makes it more difficult to demonstrate accountability, provide necessary evidence, and respond quickly to requests from data subjects or the supervisory authority.
In light of this reality, our DPMS – Data Protection Management System provides a broader perspective, enabling your organization to do more with its assets (personal data) while ensuring a more responsible, measurable, and fully controlled approach. This is achieved through recorded evidence to maintain compliance with the GDPR.
We have supported institutions from a wide variety of backgrounds and core businesses and from experience we know that a “one size fits all” approach is not the solution.
This system (which can also be integrated into the SGI) allows for the centralization of all personal data management, making it easier to demonstrate the accountability required by the regulation.
① RECORD OF PROCESSING ACTIVITIES (ROPA)
Still managing ROPA in spreadsheets?
Streamline the management of Processing Activities
Take advantage of searches, filters, exports, and dashboards
Engage processors and controllers
Understand the flow of personal data across your entire business
Assess the risk level associated with data processing and related assets
In accordance with Article 30 of the GDPR, each data controller and, where applicable, their representative must maintain a Record of Processing Activities (ROPA) under their responsibility. This obligation does not apply to institutions with fewer than 250 employees unless:
The processing is likely to pose a risk to the rights and freedoms of the data subject;
The processing is not occasional;
Or if special categories of data are being processed.
Nevertheless, it is advisable for all institutions to keep these records up to date at all times. With this module, you will be able to manage:
Data controllers and/or their representative
Joint controllers, if applicable
DPO (Data Protection Officer), if appointed
Purposes of data processing (objective/purpose of processing)
Categories of data subjects and categories of personal data
Categories of recipients to whom personal data has been or will be disclosed
Data transfers to third countries or international organizations
Safeguard measures for transfers to third countries
Data retention periods
General description of the technical and organizational security measures adopted
etc.
The software also allows each PROCESSOR (subcontractor) and/or their representative to maintain a record of all categories of processing activities carried out on behalf of the data controller.
In these cases, the software also enables the management of:
Subcontractors (Processors)
The data controller on whose behalf the processor acts and/or the data controller's representative
Categories of personal data processed on behalf of the data controller
Data transfers to third countries or international organizations, if applicable
Safeguard measures for transfers to third countries
Digital, encrypted storage of contracts/agreements with processors on our platform
It is possible to export a ROPA to be made available, upon request, to the supervisory authority (CNPD).
The Record of Processing Activities is a living document, so our software keeps every version, allowing you to see exactly what the list of processing activities was on any given date.
② DATA PROTECTION IMPACT ASSESSMENTS
A DPIA (Data Protection Impact Assessment) describes the processing, assesses the necessity and proportionality of that processing, and helps manage the risks (resulting from the processing of personal data) to the rights and freedoms of individuals, in order to determine the necessary measures to address those risks.
By managing DPIAs in our software, we simplify the process for data controllers, not only to meet the GDPR requirements but also to demonstrate that appropriate measures have been taken to ensure compliance. This applies both at the start of any major project involving personal data and when making significant changes to your processes. In line with a risk-based approach, a DPIA is not mandatory for every processing activity.
A DPIA must be carried out whenever the processing operations are likely to result in a high risk to the rights and freedoms of individuals. In those cases the data controller conducts the DPIA to determine the nature, scope and context of the processing, assess the risk, and take the measures necessary to ensure that the processing of personal data complies with the regulation.
With this module, you will be able to:
Manage all DPIAs (New, Open, Closed)
Open DPIAs before processing (pre-processing) and/or during changes to processes
Specify who conducts the assessment (identification and role of the controller, DPO, etc.)
Record the need for the DPIA
Describe the flow of information (planned processing operations, purposes, context, objectives)
Consult and request opinions from stakeholders
Assess the necessity and proportionality
Identify privacy and related risks
Identify measures to mitigate risks
Close with validation of results
Integrate the results into the project plan
In some situations, the data controller may determine that a processing operation is not likely to result in a high risk. In such cases, they must justify and document the reasons for not conducting a DPIA, and our software lets them record the DPO's opinions/recommendations alongside that justification.
Exports to spreadsheets and PDFs are available, with a wide range of filters to quickly reach the information you need.
③ PERSONAL DATA INVENTORY
Maintaining a personal data inventory is highly recommended: besides being easy to do with our software, data flow maps (data mapping) form part of the documentation required under Article 30 and are an essential step in completing a Data Protection Impact Assessment (DPIA).
This way, you can obtain a personal data inventory at any time for any period, with an overview of personal data flows across various assets.
We analyze data in line with strategic business objectives to identify data breaches, assessing the risk associated with personal data from a protection and privacy standpoint in order to guarantee full compliance.
It is also during this mapping process that we define, for each item or category of personal data, the legal basis for processing, among the other requirements the GDPR imposes.
With a single click, you’ll have answers to questions such as:
Where is personal data stored within my institution?
Why are we processing certain data?
What categories of personal data are being processed?
What are the details of data transfers to other countries?
What is the data retention period?
What technical and organizational measures for safeguarding personal data do we have in place?
What is the current average level of risk?
In addition to searches, it is possible to export a PDI (Personal Data Inventory) to PDF, allowing you to keep a file-based inventory for use whenever needed.
④ EXERCISE OF RIGHTS BY DATA SUBJECTS
We generate an automatic form for integration into your institutional website
All online requests are recorded and sent directly to the platform
Requests are automatically and immediately assigned to the designated responsible parties
Monitor via a timeline to ensure no request expires
Use our dashboard to track requests graphically and in real time
This feature centralizes data subject rights requests, whether entered manually or submitted online through the platform, with the responsible party notified immediately. Thanks to this automation, no request is overlooked.
When following up on a request, the person in charge can record all the necessary actions and all communications between the parties involved, as well as request expert advice on the process. These communications, requests for opinions and attachments are always linked to the request, providing immediate proof of compliance.
The person in charge will be able to follow the entire process via the dashboard, viewing the status of all requests graphically by type, as well as a timeline alerting them to upcoming deadlines.
It is therefore possible to manage:
Data subject rights requests
Management of the exercise of rights by data subjects
Requests registered internally or externally (online)
Analysis of the rights exercised (right of access, rectification, right to be forgotten, erasure, restriction of processing, portability, objection and information)
Automatic delegation to those responsible with instant notifications
Status of requests (To be started / In progress / Closed / Expiring, ...)
Alert management and much more...
⑤ DATA BREACH MANAGEMENT
The GDPR requires personal data breaches to be notified to the national supervisory authority (or, for a cross-border breach, to the lead authority) and, in certain cases, communicated to the individuals whose personal data has been affected.
This feature allows you to manage the information required in the event of a data breach incident and prepare the appropriate notification to the supervisory authority.
This way, you will be able to manage:
Nature of the personal data breach
Category and number of affected data subjects
Approximate number of personal data records involved
Identification of the DPO, if applicable (name and contact details)
Likely consequences (effects)
Measures adopted or proposed by the data controller and/or measures to mitigate any negative effects
Evidence repository (stored in encrypted form, with access control)
The notification of the data breach is centralized in the Management of Interactions with the Supervisory Authority.
It is possible to communicate these records to the supervisory authority for verification of GDPR compliance (Article 33).
⑥ INTERACTIONS WITH THE SUPERVISORY AUTHORITY
If a Data Protection Impact Assessment (DPIA) indicates that the processing of personal data would result in a high risk in the absence of mitigating measures, the GDPR allows (and considers it best practice) for the data controller to consult the supervisory authority beforehand.
In this module, it is possible to efficiently manage the prior consultations, authorizations, and notifications that need to be handled.
The information you can manage here includes, but is not limited to:
Definition of responsibilities (between the data controller/joint controllers/potential processors)
Purposes and means of processing
Measures and safeguards in place
Contact details of the Data Protection Officer (DPO)
DPIA related to the processing
Information required/requested by the supervisory authority
Evidence repository (stored in encrypted form, with access control)
Alert management for ongoing deadlines
Among other capabilities…
In short:
Our cloud platform allows you to easily:
Involve the responsible parties in collaborating on all GDPR processes
Effectively manage ROPA (Record of Processing Activities)