GRACE - General Data Protection Regulation

The European Union’s General Data Protection Regulation (GDPR) has applied since May 25, 2018 and has been described as the most significant overhaul of data protection law in a generation. The regulation applies to organizations worldwide that offer goods or services to, or monitor the behaviour of, individuals in the EU, and the penalties for non-compliance are severe.

GDPR creates a harmonized data protection framework across the EU and aims to give individuals back control of their personal data, while imposing strict rules on those hosting and processing that data, anywhere in the world. The Regulation also sets rules for the free movement of personal data within the EU and for transfers outside it.

The financial penalties for failing to comply with the GDPR are clearly defined: for the most serious infringements, up to 20 million Euros or 4% of total worldwide annual turnover (revenue) for the preceding financial year, whichever is higher; a lower tier of up to 10 million Euros or 2% applies to other infringements.

Organizations are required to implement data governance, protection and privacy controls over client information, including where the data is handled by outsourced third parties (data processors), who must be bound by a written contract that meets the requirements of Article 28.

A personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a processor must notify the controller without undue delay.

GRACE is a web-based SaaS solution that gives front office and compliance staff a secure and efficient way to work together on GDPR compliance processes. Through its comprehensive set of functions, GRACE provides a single repository of information that can be easily retrieved for audit purposes. Because GRACE is delivered as SaaS, you can start your compliance monitoring program as soon as you sign up, without building any hardware infrastructure.

  • Gather GDPR-relevant data about all of the organization's information infrastructure into one centralized database

  • Centralized policy management, training and attestation across the organization through its online portal

  • Easy-to-use data load functions, workflows, email alerts and dashboards that allow data across data processors, locations, business lines and users to be monitored from a single system

  • Security and control risk assessments through standardized checklists that identify risks in data processor organizations

  • Calendar-based risk assessments and a continuous security monitoring process, so that every data processor is monitored for risk and mitigation action is taken early

  • Online portals for data processors to complete risk assessments and report client management status, security controls and breaches

  • Breach management, from breach reporting through to monitoring mitigation steps to closure

  • Dashboards showing trends in risks and data processor failures, so that early mitigation action can be taken

  • An organized, continuous and standardized risk monitoring process across all data processors

Establish GDPR processes in the organization

Define Policies and Procedures that need to be followed by the organization to address GDPR

Establish process for Client Management
Client agreements, legal documents and disclosures that the organization uses with its clients need to cover the GDPR provisions

Processes for client data interaction and consent management, including data sharing, withdrawal of consent to use data, and erasure and disposal of data (including all backups), not only within the organization but at every data processor and sub-processor used

Establish Data Processor Processes
Revisit all data processor agreements to include the GDPR provisions processors must follow, so that compliance can be ensured

Conduct Risk Assessments for both Internal processes and Vendors, identify risks, and manage their mitigation

Establish Attestation processes

Conduct Risk Assessments

Set up standardized checklists / questionnaires for both internal and vendor risk assessments

Set up a vendor information base

Provide online access for vendors to fill in questionnaires

Conduct risk assessments online through questionnaires

Automatically score / rate the responses to identify risks

View Risks and Identify Mitigation requirements

Manage Mitigation
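The assessment steps above (standardized checklist, online questionnaire, automatic scoring, mitigation tracking) can be illustrated with a weighted scoring routine. The following is an added example written for this page, not GRACE's own code: the controls, weights, rating thresholds and vendor answers are constructed assumptions, and unanswered questions are deliberately treated as failed so a vendor cannot lower its score by skipping items.

```python
"""Weighted scoring of a vendor / data processor GDPR questionnaire.

Added illustration for this page; the controls, weights, thresholds and
sample answers below are constructed assumptions, not GRACE's own model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed checklist: control id -> (description, weight). Weights express how
# much a failing control raises the risk to data subjects.
CHECKLIST: Dict[str, Tuple[str, int]] = {
    "dpa_signed": ("Data processing agreement with Article 28 terms in place", 5),
    "breach_notification_sla": ("Contractual duty to notify the controller of breaches promptly", 5),
    "encryption_at_rest": ("Personal data encrypted at rest", 4),
    "encryption_in_transit": ("Personal data protected by TLS in transit", 4),
    "erasure_process": ("Documented erasure process that also covers backups", 4),
    "subprocessor_list": ("Maintains and discloses its list of sub-processors", 3),
    "access_reviews": ("Periodic access reviews for staff handling personal data", 3),
    "staff_training": ("Annual privacy and security training with attestation", 2),
}

# Fraction of a control's weight that counts as risk for each answer.
# Unknown/unanswered counts as fully failed so skipping a question never lowers the score.
ANSWER_RISK = {"yes": 0.0, "partial": 0.5, "no": 1.0, "unknown": 1.0}


@dataclass
class Assessment:
    vendor: str
    score: float                    # 0 (no risk found) .. 100 (every control failed)
    rating: str                     # low / medium / high
    mitigations: List[str] = field(default_factory=list)


def rate(score: float) -> str:
    """Map a 0-100 score to a rating band (the thresholds are assumptions)."""
    if score >= 50:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def score_questionnaire(vendor: str, answers: Dict[str, str]) -> Assessment:
    """Score one vendor's answers and list the controls that need mitigation."""
    total_weight = sum(weight for _, weight in CHECKLIST.values())
    risk = 0.0
    mitigations: List[str] = []
    for control_id, (description, weight) in CHECKLIST.items():
        answer = answers.get(control_id, "unknown").strip().lower()
        if answer not in ANSWER_RISK:
            raise ValueError(f"{vendor}: invalid answer {answer!r} for {control_id}")
        factor = ANSWER_RISK[answer]
        risk += weight * factor
        if factor > 0:
            mitigations.append(f"{control_id}: {description} (answered: {answer})")
    score = round(100.0 * risk / total_weight, 1)
    return Assessment(vendor, score, rate(score), mitigations)


def rank_vendors(responses: Dict[str, Dict[str, str]]) -> List[Assessment]:
    """Assess every vendor and order them with the riskiest first."""
    results = [score_questionnaire(v, a) for v, a in responses.items()]
    return sorted(results, key=lambda r: r.score, reverse=True)


# Constructed sample responses from three hypothetical processors.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "payroll-provider": {cid: "yes" for cid in CHECKLIST},
    "mailing-service": {
        "dpa_signed": "yes",
        "breach_notification_sla": "no",
        "encryption_at_rest": "partial",
        "encryption_in_transit": "yes",
        "erasure_process": "partial",
        # subprocessor_list deliberately left unanswered -> treated as "unknown"
        "access_reviews": "yes",
        "staff_training": "no",
    },
    "legacy-archive": {cid: "no" for cid in CHECKLIST},
}

if __name__ == "__main__":
    for result in rank_vendors(SAMPLE_RESPONSES):
        print(f"{result.vendor:18} score={result.score:5.1f} rating={result.rating}")
        for item in result.mitigations:
            print("   -", item)
```

The mitigation list produced for each vendor is what a "manage mitigation" step would track to closure; the ranked output is what a calendar-driven review would use to decide which processors to reassess first.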

Vendor Risk/ Data Processor Risk Management

Reviewing existing contracts for compliance (applying a view on historic contracts and renewal)

Gather data on the personal data being processed by them

Set up a security risk assessment framework to identify security and internal control deficiencies in their systems

Conduct impact assessments and identify the changes needed (if any) to address the deficiencies

Monitor vendor processes on a periodic basis for GDPR failures

Manage any data breach situations if they arise

Create risk based scores for vendors and monitor them on an ongoing basis

Data Breach and Incident Management

Conduct vendor reviews to assess the effectiveness of the technical and organizational measures for processing security, and the risk to data subjects.

Attestation

Set up Attestation Calendar

Monitor that all staff have read the policies and procedures to ensure adherence