Helping organisations comply with the General Data Protection Regulation
Your business is likely to be impacted by GDPR compliance – can you handle it?
The TESM GDPR application has been built to help ServiceNow® customers meet the requirements set out in the GDPR regulation for their entire organisation, not just on the ServiceNow® platform.
ServiceNow® as a tool is very well positioned to help solve the challenges of GDPR compliance. The reason for this is that it frequently has all the business services and locations the company operates in already defined and present. ServiceNow® is also a system of record and a workflow engine at its core, with built-in auditing. When you include the GRC module with its Compliance, Risk, Vendor Risk, Security Risk and Audit engines, you have the foundations of a best-in-class system to implement and run a GDPR capability.
Any business is likely to have personal data (PD) held across several areas of the organisation, not just the ServiceNow® instance. So, the TESM GDPR application provides an end-to-end solution covering all areas of an installation, with the following capabilities:
- Audit and accountability
- Lawfulness and processing consent
- Data processing statement
- Data protection impact assessment
- Incident and breach management
The App has the following key features:
Data Subject Requests
We provide a portal that allows internal and external users to submit requests to meet their data protection rights (right to access, right to object, right to rectification, etc.). These requests are tracked using SLAs to ensure they are completed within the required time frame. Each request can be configured to create tasks for system owners to provide data to complete the requests based on the associated processing activities.
Data Processing Impact Assessment
GDPR requires that any high-risk data processing undergoes a formal impact assessment to ensure the processing is appropriate and the organisational and physical security measures are proportionate. Our application allows users to request permission to perform new data processing. This then creates a workflow that assesses the risk of the processing through questionnaires, gathering further information to drive a calculated risk assessment. Finally, it provides a formal approval of the processing. This ensures that all your processing has been appropriately reviewed. The results of the assessment are then linked back to the appropriate entries in your Risk Framework to ensure Article 35 is adhered to.
Record of Processing Activities
Each piece of personal data that is processed must be documented via a Record of Processing Activity (ROPA). The tool provides a mechanism to record this that captures all the relevant information to meet Article 30.
A description of the processing is then enriched by associating the data category, relevant data processors (internal and external), controllers and recipients. The purpose is also categorised for easier communication with recipients and firm-wide reporting. The legal basis for the processing is also documented.
Each piece of personal data is classified and can be mapped to a business system or application via your configuration data. This ensures that data breaches can be effectively managed. The security measures enforced during the processing are also documented, e.g. anonymised, encrypted.
If data is transferred to recipients outside the EU, you can also document where it is being sent and what protection is in place through equivalency statements, model clauses or binding corporate rules.
Retention schedules can also be defined against the data assets that are being processed, to ensure data is kept for an appropriate period.
To allow you to quickly and efficiently manage data breach reporting, we have provided a capability to log data breaches. This allows you to capture associated incidents and the relevant record of processing statements, so you understand what data could have gone missing and who might be impacted. Each breach can also track tasks to manage and mitigate the breach within the 72-hour SLA. This allows you to meet your data breach obligations with the ICO.
These breaches can also be linked to your operational risks within your organisation to enable them to be managed and quantified.
One of the lawful bases for processing is consent. This is widely regarded as one of the hardest to implement properly, due to the complexity of requesting and maintaining those consent records. Our application provides you with a repository that can store all of the consent records from any system with their current state and can trigger renewals before they expire. This ensures you know who has consented to what processing and that the consent is current. The table can be programmatically updated by systems such as Salesforce, Campaign Monitor, etc.
Access to the application is modelled on the roles defined in the regulation so you can assign permissions to your Data Processing Officer, controllers, representatives, processors and subjects.
The ICO has the authority to ask for your record of processing statements and the associated impact assessments. Our application allows you to easily consolidate and export this information into a PDF so you can quickly provide this information without having to resort to spreadsheet manipulation.
ServiceNow® has very good native auditing capabilities that track changes to each and every field within our application. However, the data is not easy to consume. We provide a more human-readable audit log of activities that can be provided to the regulatory authorities on request, making it easier to understand what element of your data processing has changed across your DPIA, DSAR, ROPA and Consent data.
The application is deployed via the ServiceNow® store and regular updates and improvements will be provided according to our product release schedule and the changes in the GDPR landscape.
A professional services engagement from TESM can also be provided to implement the application, configure it and import customer data to get you up and running as quickly as possible.
To be installed, the application requires you to be running a supported version of ServiceNow® with access to the Store.
The application requires the GRC and Performance Analytics modules to be installed to get the full benefit; however, parts of it can be used without these in place.
Other features include:
- Artefact Attestation and Certification
- Company Record of Processing (ROP) definition and templates
- Binding Corporate Rules (BCR) definition and templates
- Directly/Indirectly Obtained Personal Data (D/IOPD) definitions and templates
- Data Breach Incident Tracking
- Personal Data Categorisation and Mapping
- PDF rendering and export of key GDPR documents
- Direct integration to ServiceNow® GRC for Policy and Compliance tracking
- Direct integration with Performance Analytics for in-depth reporting, trending and MI
We are very proud of this application and would love you to get in touch to find out more. Take a look on the ServiceNow® Store, or contact us using the form or details below.
Get in touch
If you require any further information, then please complete our contact form and we’ll do the rest.
Alternatively, please feel free to get in touch: