New Suite of Privacy Management Questionnaire Templates Available at OneTrust

With the EU General Data protection Regulation coming into effect on May 25, 2018, it’s important for organizations to prepare for how they will handle personal data of customers. Employees and vendors, as well as how they will conduct record-keeping to demonstrate compliance

As part of the library of more than 30 privacy assessment templates in OneTrust’s comprehensive privacy management platform, we have added new EU regulator guidance-based privacy templates for GDPR compliance. The new templates include:

• Privacy Impact Assessment Pre-Screen (PIA)
• Data Protection Impact Assessment (DPIA)
• Records of Processing (Data Mapping) template based on deep research and regulatory guidance issued by EU Data Protection Authorities (DPA) and the Article 29 Working Party (WP29).

Operational and record-keeping requirements are addressed in both Article 35 and Article 30 of the GDPR.

• Article 35: “Where a type of processing in particular using new technologies … is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
• Article 30: “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”

OneTrust’s in-house privacy research team analyzed and incorporated guidance from well-respected EU regulator-based sources and industry standards to create PIA and DPIA templates. Instrumental sources include:

• Article 29 Working Party’s group of EU regulators
• the German Standard Data Protection Model
•  the CNIL PIA Manual & GDPR Toolkit
• the UK ICO PIA Code of Practice, and ISO/IEC 29134:2017 Guidelines for PIA

Although data inventory and mapping is not explicitly mentioned in the GDPR, it is widely recognized that Article 30 requires an organization to conduct a data inventory and mapping exercise, and most importantly, keep it up-to-date. In creating the Records of Processing (Data Mapping) template to support this requirement, OneTrust’s research team incorporated available guidance including the CNIL’s GDPR Toolkit, the Belgian Privacy Commission’s Recommendation Concerning the Register of Processing Activities, and many additional sources.

For more information, read our press release and watch a video overview of the regulatory guidance incorporated in OneTrust’s privacy assessment templates.