KÜRT Zrt. develops the GDPR support functions based on its current GDPR project experience and on feedback from SeCube customers. The SeCube GRC system can be used to maintain compliance tasks and data in the following areas:
- Data management activity and personal data records (Inventory)
- Data protection effects and risk analysis (RISK)
- GDPR compliance audit (Compliance)
- Data breach records (Governance)
SeCube’s modular structure also supports partial modular use based on requirements.
Records of data processing activities, inventory of personal data items
Inventory can be used to keep records of data processing activities and personal data categories (data sets) with the information required by the GDPR (e.g. legal basis, purpose limitation, the deadline for deleting personal data, etc.). Personal data sets and data processing activities can be organized into operating relations that specify the IT systems that handle them, the processes in which they appear, and the data media on which they are stored. This allows incident simulations and impact analyses to be performed. Graphical figures can be created to illustrate simulations and operating relations. Data maintenance responsibilities can be allocated to the persons responsible for each business area.
- The records of processing activities can be exported in Word and Excel formats.
- Dependency matrices:
  - Data processing activities X Personal data sets
  - Data processing activities X IT systems
  - IT systems X Personal data sets
- Records of data processing activities reports (Word) can be generated with the following content:
  - GDPR organizational data
  - Comprehensive records of data processing activities
  - Records of the categories of personal data processed
  - List of IT systems included in the processing of personal data categories
GDPR Compliance audits (audit, gap analysis)
The Compliance module can be used to perform detailed compliance assessments against a list of requirements derived from the GDPR and from other international recommendations and methodologies. Requirement audit packages can be customized, and any list of requirements can be developed and used as the basis of an audit. Action plans can be prepared for instances of non-compliance and for the management of inadequacies found in the audit, with automatic email reminders, and the implementation of corrective measures can be monitored. These can be reviewed at regular intervals, thus supporting the continuous compliance of the organization. Reports and text-based audit reports can be prepared for both the current state and the target state.
Current GDPR audit packages:
- 2016/679 GDPR + Kürt best practices (Hungarian and English)
- NIST Privacy Framework v1.0 2020 (English)
- ISO/IEC 29151:2017 (English) – the supplement on personally identifiable information protection to ISO/IEC 27001
The 2016/679 GDPR + Kürt best practice audit package includes the audit requirements applied during Kürt audits (~300 audit points).
Data protection impact assessment (DPIA)
The Risk module can be used to perform and maintain data protection impact assessments and data security risk analyses. The assessment helps evaluate data protection and data security threats, taking into account the protection measures already in place (including technical measures) as well as current vulnerabilities and deficiencies. It is also suitable for evaluating the possible business and data protection damage (material, goodwill, legal consequences, the aspects of data subjects) resulting from these events. Data protection risk reports and management plans can be prepared.
The data protection impact assessment is a risk assessment developed by taking internal recommendations into account, where:
- The resource scope of the assessment can be customized (data processing activities, data sets, IT systems and the subordinated resources, human resources, etc.).
- Pre-built lists of data protection threats, vulnerabilities and protective measures are provided, and can be freely expanded and customized.
- The consequences of the various events are examined by way of the relationships between resources. Status spread and impact tracking are based on a cause-and-effect graph: the status change of dependent resources can be followed from the point where the threat enters to the status change in the resources that cause data protection damage. All of this can also be displayed graphically.
- A customizable data protection damage table is available for the uniform recording of impact values; the table also contains the damage aspects that data subjects can incur, and takes the possible dimensions of the company's business damage into account.
- The system provides data protection risk lists with reports. The risk evaluation methodology can be customized (scales, risk matrices, equations).
- The software creates graphical dependency diagrams of individual risks, which can be used to trace back the parameters of a given risk, so that risks can easily be revised.
- Management measures can be assigned to the data protection risks, the implementation of which is traceable.
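The dependency matrices from the Inventory section above and the cause-and-effect propagation and damage-table scoring described in this list are easiest to understand as one small data model. The following is an added illustration, not SeCube code: the resource names, the damage table values, the four-level risk matrix and the medium -> system -> activity -> data set edge direction are all constructed assumptions for the example.

```python
"""Toy GDPR inventory with dependency matrices and impact propagation.

Added example; not part of SeCube or KÜRT Zrt.'s product. All resource
names, damage values and the risk matrix below are constructed.
"""
from collections import defaultdict, deque

# Constructed sample inventory (assumed names, not from any real deployment).
DATA_SETS = {"contact", "bank_account"}
IT_SYSTEMS = {
    "CRM":     {"stored_on": ["db-server-1"]},
    "Payroll": {"stored_on": ["db-server-1", "file-share-1"]},
}
ACTIVITIES = {
    "newsletter": {"legal_basis": "consent", "purpose": "marketing",
                   "retention_days": 365,
                   "data_sets": ["contact"], "systems": ["CRM"]},
    "salary_processing": {"legal_basis": "contract", "purpose": "payroll",
                          "retention_days": 8 * 365,
                          "data_sets": ["contact", "bank_account"],
                          "systems": ["Payroll"]},
}
# Damage table: impact (1..4) per data set for each damage aspect, including
# the data-subject aspect alongside the company's own business aspects.
DAMAGE_TABLE = {
    "contact":      {"data_subject": 2, "legal": 2, "goodwill": 2, "material": 1},
    "bank_account": {"data_subject": 4, "legal": 3, "goodwill": 3, "material": 3},
}
# Risk matrix (assumed): RISK_MATRIX[likelihood-1][impact-1] -> risk level 1..4
RISK_MATRIX = [[1, 1, 2, 2],
               [1, 2, 3, 3],
               [2, 3, 3, 4],
               [2, 3, 4, 4]]


def dependency_matrix(rows, cols, related):
    """Boolean matrix rows x cols, True where related(row, col) holds."""
    return {r: {c: related(r, c) for c in cols} for r in rows}


def activity_x_dataset():
    return dependency_matrix(ACTIVITIES, DATA_SETS,
                             lambda a, d: d in ACTIVITIES[a]["data_sets"])


def activity_x_system():
    return dependency_matrix(ACTIVITIES, IT_SYSTEMS,
                             lambda a, s: s in ACTIVITIES[a]["systems"])


def system_x_dataset():
    # Derived relation: a system handles a data set if some activity uses both.
    return dependency_matrix(
        IT_SYSTEMS, DATA_SETS,
        lambda s, d: any(s in a["systems"] and d in a["data_sets"]
                         for a in ACTIVITIES.values()))


def build_graph():
    """Cause-and-effect edges: data medium -> IT system -> activity -> data set."""
    graph = defaultdict(set)
    for system, info in IT_SYSTEMS.items():
        for medium in info["stored_on"]:
            graph[medium].add(system)
    for activity, info in ACTIVITIES.items():
        for system in info["systems"]:
            graph[system].add(activity)
        for data_set in info["data_sets"]:
            graph[activity].add(data_set)
    return graph


def propagate(threat_entry):
    """Breadth-first status spread from the resource where a threat enters;
    returns every resource whose status changes as a consequence."""
    graph = build_graph()
    seen, queue = {threat_entry}, deque([threat_entry])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impact_of(affected):
    """Worst-case impact over all affected data sets and damage aspects."""
    hit = [d for d in affected if d in DAMAGE_TABLE]
    return max(max(DAMAGE_TABLE[d].values()) for d in hit) if hit else 0


def risk(threat_entry, likelihood):
    """Risk record for a threat entering at one resource (likelihood 1..4)."""
    affected = propagate(threat_entry)
    impact = impact_of(affected)
    level = RISK_MATRIX[likelihood - 1][impact - 1] if impact else 0
    return {"entry": threat_entry, "affected": sorted(affected),
            "impact": impact, "likelihood": likelihood, "risk_level": level}


if __name__ == "__main__":
    for entry in ("file-share-1", "db-server-1"):
        print(risk(entry, likelihood=2))
```

The example reduces the "trace back" step in the risk diagram bullet to a single record: the `affected` list shows the path from the entry resource to the data sets that produce the damage, and `impact` and `likelihood` are the two parameters a reviewer would revise before re-reading the risk level off the matrix.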
Risk management decisions can be made concerning data protection risks. Risk management measures can be defined depending on this decision, then the state of implementation can be monitored. Certain measures can be planned in detail by taking into consideration the human and financial costs. The implementation of risk management measures can be monitored in real time. Thus, risk reports on the initial state, current risk management status and future status to be achieved can be prepared and compared.
A comprehensive Risk Analysis Report on the risk analysis activity can be exported, which includes:
- records of processing activities
- the applied data protection risk analysis methodology
- the method for executing the methodology and the identified data protection risks
- risk analysis measures and their current status
GDPR action plans
Action plans, supported by reports on the target state, can be written for the deficiencies and data protection risks identified in the course of the compliance assessment; they can be assigned to responsible persons (with email reminders) and their implementation can be tracked. By monitoring these measures, GDPR compliance can be continuously checked and up-to-date reports can be generated.
Data breach records
The Governance module incident record-keeping function can be used to keep historical records of data breaches.