THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC ACCESS BY SECURE KNOWLEDGE MANAGEMENT INC.

General Data Protection Regulation (GDPR) Gap Assessment


Columns: Domain | Compliance Control Description | Risk Mitigating Controls Implemented | Manager Responsibility / Governance | Location of Validated Evidence | Skill Level / Competency | Control Tested | Control Effectiveness | Reference Link | Notes
Chapter 1 – General provisions
Article 1 Subject-matter and objectives https://gdpr-info.eu/art-1-gdpr/
Article 2 Material scope https://gdpr-info.eu/art-2-gdpr/
Article 3 Territorial scope https://gdpr-info.eu/art-3-gdpr/
Article 4 Definitions https://gdpr-info.eu/art-4-gdpr/
Chapter 2 – Principles
Article 5 Principles relating to processing of personal data https://gdpr-info.eu/art-5-gdpr/
Article 6 Lawfulness of processing https://gdpr-info.eu/art-6-gdpr/
Article 7 Conditions for consent https://gdpr-info.eu/art-7-gdpr/
Article 8 Conditions applicable to child's consent in relation to information society services https://gdpr-info.eu/art-8-gdpr/
Article 9 Processing of special categories of personal data https://gdpr-info.eu/art-9-gdpr/
Article 10 Processing of personal data relating to criminal convictions and offences https://gdpr-info.eu/art-10-gdpr/
Article 11 Processing which does not require identification https://gdpr-info.eu/art-11-gdpr/
Chapter 3 – Rights of the data subject
Section 1 Transparency and modalities
Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject https://gdpr-info.eu/art-12-gdpr/
Section 2 Information and access to personal data
Article 13 Information to be provided where personal data are collected from the data subject https://gdpr-info.eu/art-13-gdpr/
Article 14 Information to be provided where personal data have not been obtained from the data subject https://gdpr-info.eu/art-14-gdpr/
Article 15 Right of access by the data subject https://gdpr-info.eu/art-15-gdpr/
Section 3 Rectification and erasure
Article 16 Right to rectification https://gdpr-info.eu/art-16-gdpr/
Article 17 Right to erasure (‘right to be forgotten’) https://gdpr-info.eu/art-17-gdpr/
Article 18 Right to restriction of processing https://gdpr-info.eu/art-18-gdpr/
Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing https://gdpr-info.eu/art-19-gdpr/
Article 20 Right to data portability https://gdpr-info.eu/art-20-gdpr/
Section 4 Right to object and automated individual decision-making
Article 21 Right to object https://gdpr-info.eu/art-21-gdpr/
Article 22 Automated individual decision-making, including profiling https://gdpr-info.eu/art-22-gdpr/
Section 5 Restrictions
Article 23 Restrictions https://gdpr-info.eu/art-23-gdpr/
Chapter 4 – Controller and processor
Section 1 General obligations
Article 24 Responsibility of the controller https://gdpr-info.eu/art-24-gdpr/
Article 25 Data protection by design and by default https://gdpr-info.eu/art-25-gdpr/
Article 26 Joint controllers https://gdpr-info.eu/art-26-gdpr/
Article 27 Representatives of controllers or processors not established in the Union https://gdpr-info.eu/art-27-gdpr/
Article 28 Processor https://gdpr-info.eu/art-28-gdpr/
Article 29 Processing under the authority of the controller or processor https://gdpr-info.eu/art-29-gdpr/
Article 30 Records of processing activities https://gdpr-info.eu/art-30-gdpr/
Article 31 Cooperation with the supervisory authority https://gdpr-info.eu/art-31-gdpr/
Section 2 Security of personal data
Article 32 Security of processing https://gdpr-info.eu/art-32-gdpr/
Article 33 Notification of a personal data breach to the supervisory authority https://gdpr-info.eu/art-33-gdpr/
Article 34 Communication of a personal data breach to the data subject https://gdpr-info.eu/art-34-gdpr/
Section 3 Data protection impact assessment and prior consultation
Article 35 Data protection impact assessment https://gdpr-info.eu/art-35-gdpr/
Article 36 Prior consultation https://gdpr-info.eu/art-36-gdpr/
Section 4 Data protection officer
Article 37 Designation of the data protection officer https://gdpr-info.eu/art-37-gdpr/
Article 38 Position of the data protection officer https://gdpr-info.eu/art-38-gdpr/
Article 39 Tasks of the data protection officer https://gdpr-info.eu/art-39-gdpr/
Section 5 Codes of conduct and certification
Article 40 Codes of conduct https://gdpr-info.eu/art-40-gdpr/
Article 41 Monitoring of approved codes of conduct https://gdpr-info.eu/art-41-gdpr/
Article 42 Certification https://gdpr-info.eu/art-42-gdpr/
Article 43 Certification bodies https://gdpr-info.eu/art-43-gdpr/
Chapter 5 – Transfers of personal data to third countries or international organisations
Article 44 General principle for transfers https://gdpr-info.eu/art-44-gdpr/
Article 45 Transfers on the basis of an adequacy decision https://gdpr-info.eu/art-45-gdpr/
Article 46 Transfers subject to appropriate safeguards https://gdpr-info.eu/art-46-gdpr/
Article 47 Binding corporate rules https://gdpr-info.eu/art-47-gdpr/

Article 48 Transfers or disclosures not authorised by Union law https://gdpr-info.eu/art-48-gdpr/
Article 49 Derogations for specific situations https://gdpr-info.eu/art-49-gdpr/
Article 50 International cooperation for the protection of personal data https://gdpr-info.eu/art-50-gdpr/
Chapter 6 – Independent supervisory authorities
Section 1 Independent status
Article 51 Supervisory authority https://gdpr-info.eu/art-51-gdpr/
Article 52 Independence https://gdpr-info.eu/art-52-gdpr/
Article 53 General conditions for the members of the supervisory authority https://gdpr-info.eu/art-53-gdpr/
Article 54 Rules on the establishment of the supervisory authority https://gdpr-info.eu/art-54-gdpr/
Section 2 Competence, tasks and powers
Article 55 Competence https://gdpr-info.eu/art-55-gdpr/
Article 56 Competence of the lead supervisory authority https://gdpr-info.eu/art-56-gdpr/
Article 57 Tasks https://gdpr-info.eu/art-57-gdpr/
Article 58 Powers https://gdpr-info.eu/art-58-gdpr/
Article 59 Activity reports https://gdpr-info.eu/art-59-gdpr/
Chapter 7 – Cooperation and consistency
Section 1 Cooperation
Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned https://gdpr-info.eu/art-60-gdpr/
Article 61 Mutual assistance https://gdpr-info.eu/art-61-gdpr/
Article 62 Joint operations of supervisory authorities https://gdpr-info.eu/art-62-gdpr/
Section 2 Consistency
Article 63 Consistency mechanism https://gdpr-info.eu/art-63-gdpr/
Article 64 Opinion of the Board https://gdpr-info.eu/art-64-gdpr/
Article 65 Dispute resolution by the Board https://gdpr-info.eu/art-65-gdpr/
Article 66 Urgency procedure https://gdpr-info.eu/art-66-gdpr/
Article 67 Exchange of information https://gdpr-info.eu/art-67-gdpr/
Section 3 European data protection board
Article 68 European Data Protection Board https://gdpr-info.eu/art-68-gdpr/
Article 69 Independence https://gdpr-info.eu/art-69-gdpr/
Article 70 Tasks of the Board https://gdpr-info.eu/art-70-gdpr/
Article 71 Reports https://gdpr-info.eu/art-71-gdpr/
Article 72 Procedure https://gdpr-info.eu/art-72-gdpr/
Article 73 Chair https://gdpr-info.eu/art-73-gdpr/
Article 74 Tasks of the Chair https://gdpr-info.eu/art-74-gdpr/
Article 75 Secretariat https://gdpr-info.eu/art-75-gdpr/
Article 76 Confidentiality https://gdpr-info.eu/art-76-gdpr/
Chapter 8 – Remedies, liability and penalties
Article 77 Right to lodge a complaint with a supervisory authority https://gdpr-info.eu/art-77-gdpr/
Article 78 Right to an effective judicial remedy against a supervisory authority https://gdpr-info.eu/art-78-gdpr/
Article 79 Right to an effective judicial remedy against a controller or processor https://gdpr-info.eu/art-79-gdpr/
Article 80 Representation of data subjects https://gdpr-info.eu/art-80-gdpr/
Article 81 Suspension of proceedings https://gdpr-info.eu/art-81-gdpr/
Article 82 Right to compensation and liability https://gdpr-info.eu/art-82-gdpr/
Article 83 General conditions for imposing administrative fines https://gdpr-info.eu/art-83-gdpr/
Article 84 Penalties https://gdpr-info.eu/art-84-gdpr/
Chapter 9 – Provisions relating to specific processing situations
Article 85 Processing and freedom of expression and information https://gdpr-info.eu/art-85-gdpr/
Article 86 Processing and public access to official documents https://gdpr-info.eu/art-86-gdpr/
Article 87 Processing of the national identification number https://gdpr-info.eu/art-87-gdpr/
Article 88 Processing in the context of employment https://gdpr-info.eu/art-88-gdpr/
Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes https://gdpr-info.eu/art-89-gdpr/
Article 90 Obligations of secrecy https://gdpr-info.eu/art-90-gdpr/
Article 91 Existing data protection rules of churches and religious associations https://gdpr-info.eu/art-91-gdpr/
Chapter 10 – Delegated acts and implementing acts
Article 92 Exercise of the delegation https://gdpr-info.eu/art-92-gdpr/
Article 93 Committee procedure https://gdpr-info.eu/art-93-gdpr/
Chapter 11 – Final provisions
Article 94 Repeal of Directive 95/46/EC https://gdpr-info.eu/art-94-gdpr/
Article 95 Relationship with Directive 2002/58/EC https://gdpr-info.eu/art-95-gdpr/
Article 96 Relationship with previously concluded Agreements https://gdpr-info.eu/art-96-gdpr/
Article 97 Commission reports https://gdpr-info.eu/art-97-gdpr/
Article 98 Review of other Union legal acts on data protection https://gdpr-info.eu/art-98-gdpr/
Article 99 Entry into force and application https://gdpr-info.eu/art-99-gdpr/


KEY
• Compliance Control Description - A description of the control is provided so the compliance manager, analyst or auditor can determine the intentions of the risk mitigating control.

• Risk Mitigating Controls Implemented - It is necessary to identify any and all controls used to address the risks that this control objective is attempting to mitigate. In most organizations the integration of controls is imperative to operationalize risk mitigation. Most organizations are managing multiple control frameworks and multiple statutory, regulatory and contractual obligations, so by conducting this exercise controls can be rationalized, saving time and money in maintenance and reviews.

• Manager Responsibility / Governance - Risk mitigating controls often fall within the operational procedures and policies of the management team. It is important to ensure that the manager who has been delegated this responsibility is aware of it and has communicated that responsibility to employees and other managers, so there is no confusion about who is accountable or who should be making final decisions concerning control implementation or changes to those controls. This step often empowers managers and is seen as a positive activity.

• Location of Validated Evidence - It is necessary to locate and record evidence of testing to validate the overall operational effectiveness of security standards and the use of risk mitigating controls.

• Skill Level / Competency - Following Bloom's Taxonomy, the internationally accepted methodology used to create curricula and test for knowledge, carefully constructed questions can determine the level of skill needed to effectively administer, maintain and test controls. In addition, the competency of administrators, auditors and security testers is critical to operational excellence and compliance with most control frameworks.

• Control Tested - The regular testing of control frameworks is essential to establishing and maintaining the effectiveness of carefully designed and implemented risk mitigating controls. Regular testing helps to verify and validate the successful implementation of these controls. If controls are not tested and have not been implemented effectively, the organization could fail internal and external audits; it could also suffer a security breach and unplanned expenses.

• Control Effectiveness - Control effectiveness is the result of quantifying the qualitative data gathered during regular reviews of risk mitigating control frameworks. Similar to the risk management calculation used to create a risk rating, this process uses the data gathered during the review of risks and existing controls to establish a percentage of control effectiveness.

• Reference - This is an embedded link back to the source of the regulation, added here for convenience and quick reference during discussions.
