Leo's GDPR Accountability Guide

We created Leo’s GDPR Accountability Framework to allow your business to comply with the GDPR principles of Privacy by Design and Privacy by Default, by embedding GDPR processes into your standard operating procedures.


With the advice of your advisors, follow Leo’s suggested trigger events, which you can then diarise in Leo and link to your Outlook calendar.

Trigger event: REMEMBER TO PERIODICALLY
Leo process suggestions:

I. In Leo’s Calendar and Projects, schedule reviews of your Privacy Policies, Privacy Notices and Record of Processing Activities; schedule Online Training for your team and an annual Compliance Monitoring (GDPR).


II. Use Leo’s GDPR Online Training to ensure that your staff are trained periodically. With Leo you can easily assign training courses and chase staff.


III. Populate the Compliance Monitoring (GDPR), which covers all aspects of the GDPR requirements and allows you to identify areas of privacy compliance that may require your attention. It even allows you to create Remedial Actions and assign them to individual stakeholders. This is a great method to demonstrate compliance.


IV. Provide newly onboarded employees with an Employee Declaration: Privacy Notice for signing electronically in Leo.

Trigger event: ALWAYS MAINTAIN
Leo process suggestions:

I. Register: Data Retention and Deletion: keep a record of all your personal data retention periods and implement the process set out in that register; you will be asked about it in the Compliance Monitoring (GDPR).


II. Register: Consent: keep a record of any consent if you rely on it for personal data processing. You can use Leo’s Register: Consent or explain any other system that you may use for the management of consent.

 

Trigger event: OOPS! DATA INCIDENT
Leo process suggestions:

I. Data Breach Self Assessment: Was there a breach? (for Employees): create a report with you as the reviewer, assign it to the person who reported the suspected breach to you, and decide whether the incident is a data breach; if so, move to step II.


II. Data Breach Self Assessment (notification to authority/data subjects): populate it based on the Data Breach Self Assessment: Was there a data breach? (for Employees) submitted for your review; consider the recommendations generated in the report and action them if appropriate.


III. Register: Data Breach: it automatically syncs data from the Data Breach Self Assessment (Notification to the Authority/Data Subjects), so there is no need for manual data input. Hurray!

Trigger event: NEW! NEW THIRD PARTY/VENDOR, NEW PARTNERSHIP OR NEW BUSINESS PROCESS
Leo process suggestions:

I. Consider whether you need a Data Protection Impact Assessment (DPIA); if so, complete one, and Leo will automatically sync data from your published DPIA Report into the Register: Data Protection Impact Assessment (DPIA).


II. Third Party Risk Assessment (GDPR): this report provides a GDPR vendor due diligence process. If the processing by the third party involves an International Data Transfer, you will be asked the relevant questions and the data relating to that transfer will be automatically synced with the Register: International Data Transfers (IDT). Once published, the Risk Assessment will automatically sync into the Register: Third Party Risk Assessment (GDPR).


III. Now that you have completed the above, add the ‘New’ personal data processing to the Record of Processing Activities (Controller and/or Processor).


IV. If you wish to use legitimate interest as the legal basis for the ‘New’ processing, remember to conduct the Legitimate Interest Assessment (LIA). Once published, the data from the LIA will be synced automatically with the Register: Legitimate Interest Assessment (LIA).


V. Finally, consider whether the processing involves any special categories of data (GDPR Article 9); if so, make a note of it in the Register: Special Categories of Data.

Trigger event: SOMEONE GETS IN TOUCH AND ASKS FOR INFORMATION
Leo process suggestions:

Just two things to do in Leo: record the request in the Register: Data Subject Access Requests (DSAR) and keep an eye on the deadline.

Trigger event: YOU ARE GOING TO SEND DATA OUTSIDE YOUR LOCAL JURISDICTION
Leo process suggestions:

I. Make sure that you assess all your International Data Transfers, both regular and ad hoc ones; then remember to conduct an International Data Transfer Impact Assessment (IDTIA). Once published, the data from the report will automatically sync with the Register: International Data Transfers (IDT).


II. Next, consider whether you should update your Register: Record of Processing Activities.

 

Disclaimer:
This document, while written in good faith, is not intended to provide any statement of law or any definitive view on specific legal issues, and its contents are subject to change. Such views are given by us as an indication only and are not intended, and cannot be construed, as an opinion or a definitive confirmation of legal requirements; they do not constitute legal or tax advice, which is not part of our service. Any actions taken or reliance placed by you on our assessments are at your sole risk and liability. You should consult your professional advisor.

 

The Leo GDPR Solution has been built on the same principles as the FCA regulatory compliance solution, to assist you with day-to-day privacy considerations.