Comprehensive GDPR solution

What does the solution cover?

Span Personal Data Protector is your central point for managing business processes that deal with personal data.

This solution facilitates supervisory and advisory roles of the data protection officer and demonstrates compliance to the supervisory authority.

Features

Records of Personal Data Processing Activities

Comprehensive records compliant with GDPR requirements: which and whose personal data your organization collects, why the data are processed, where they are sent and how they are protected.

Data controllers and processors are obligated to maintain and regularly update records of processing activities in accordance with the requirements stipulated under Article 30 of the GDPR.

Such records are leveraged for managing processing activities and help monitor GDPR compliance; they are provided to the supervisory authority carrying out supervisory activities.

Records have to be in writing, including when created and stored electronically. GDPR does not prescribe the exact form of processing activity records, but the United Kingdom GDPR regulatory authority – Information Commissioner’s Office (ICO) – has introduced a prevailing template which is used as a base template for exporting processing activity records from Span PDP.

Consent Management

Central point for collecting and recording data subjects’ consent for consent-based processing activities.

Personal data should only be collected for special, explicit and legitimate purposes and may not be processed in a manner that is inconsistent with these purposes. Personal data processing not based on legal or contractual obligations, but on legitimate interest, is subject to gathering and recording consent.

Text used to obtain consent from data subjects should be specific, informative and unambiguous, and data subjects have the right to withdraw or deny their consent at any time. Span PDP enables customers to effectively obtain and manage consent, especially organizations that collect a large volume of consent and/or have numerous business processes deployed for the purpose of collecting personal data based on consent.

Data Subject Portal

Data subjects can directly provide or withdraw consent via Data Subject Portal.

A data subject can at any time ask for information on his/her personal data kept by the organization and the purposes for which they are used. The Data Subject Portal gives data subjects control and a transparent overview of how their personal data are used, as well as the option to give or withdraw consent for activities based on consent.

Minimum data required for unambiguous identification of individual data subjects is entered into Span PDP and all processing activities are then linked to his/her personal data.

All users of this solution are also data subjects, and administrators can decide which data subjects will be assigned advanced user rights and take part in administering the solution in accordance with their privileges.

Dashboard

Centralized overview of all data managed by Span Personal Data Protector, data protection officer module.

Dashboard is the key tool used by data protection officers to review and control data managed by the solution. All the most important data is available in a single place – solution can be quickly navigated by simply selecting preferred modules: processing activities, data subjects, requests, incidents.

Dashboard displays expiration data within individual modules, e.g. regarding processing activities or requests with approaching deadlines.

Quick Start Guides

Helpful guides through basic and GDPR-related settings make it easy to get familiar with the solution and provide assistance with initial administration.

Two guides assist the user with quick and easy entry of basic data: organization and affiliates, supervisory authority, data subjects, personal data, storage systems, etc. This step-by-step solution helps guide the user by providing instructions on what data to enter and how.

Given the complexity of GDPR compliance, these guides provide a brief overview of data that needs to be collected, classified and recorded in order to create records of processing activities. All the prerequisites for creating records of data processing activities have been met once the main data is entered into the solution.

Reporting

All data managed by Span Personal Data Protector are available as Excel-based reports with a single click, including records of processing activities in accordance with Article 30 of the GDPR.

Span PDP provides simple export of data via several predefined Excel-based reports: records of processing activities pursuant to Article 30 of GDPR, user list, storage system list, data subject list with status of consent by processing activity, etc.

Combined reports are also available, with the option of configuring specific reports.

Consentio

Module for collecting and recording consents using existing web forms.

This module allows customers to easily configure and embed JavaScript components with consent text from Span PDP into existing web forms for the purpose of obtaining consent and importing it directly into Span PDP.

This does not change communication with data subjects; Span PDP simply carries out all the administrative tasks for you.

Consentio module is especially useful for organizations with many different websites and forms used for collecting personal data whose processing is based on consent.

Requests

Record and manage requests by data subjects exercising their rights under GDPR.

Span PDP allows for entry and administration of data subjects’ requests, so that individuals can effectively exercise their rights within a specified deadline for handling the request (e.g. 30 days).

Tasks may be assigned to individual employees and more than one employee may be engaged on solving a single request; request status changes are also monitored.

Requests can be submitted directly via the Data Subject Portal, and request status may be reviewed and tracked directly within the solution.

Incidents

Records of undesired events related to personal data.

Span PDP ensures timely response and administration in case of personal data breaches.

When a data subject reports an unwanted event related to a personal data breach to the organization, the data protection officer or another responsible person decides whether the event is considered an incident, records it within the solution, and continues to manage the incident record using the application to store evidence of actions taken.

Documentation Center*

Templates and examples of GDPR documents and a repository of all GDPR-related documentation of your organization.

Span PDP module with predefined GDPR document templates and storage of created GDPR documents (privacy policy, decision on the appointment of data protection officers, third party agreements, etc.).

Span PDP is a unique single solution for all GDPR-related information and documentation of your organization.

*Module is in development, expected deployment is fall of 2019.

DPIA (Data Protection Impact Assessment)

Data Protection Impact Assessment records.

In accordance with Article 35 of GDPR, Data Protection Impact Assessment (DPIA) is a procedure that the data controller has to carry out where a type of processing – in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing – is likely to result in a high risk to the rights and freedoms of individuals.

DPIA module is used to check if there is any need for carrying out impact assessment and, if the answer is yes, record assessment outcomes.

API (Application Programming Interface)

Well-documented API provides simple connectivity with other systems.

Span PDP can be easily linked with other systems using the API. Data subjects and relevant consent can be synchronized between these systems without needing to update the same data in both locations.