Yesterday we released the first version of the 'Risk Register' in GDPR Mentor which aims to address the Data Protection Impact Assessment challenge.
During our research and development for the platform we've seen many people creating Microsoft Word and Excel templates to carry out assessments, and whilst these might work on a very small scale, once you go beyond a handful of processes or systems the cracks in this approach start to appear.
A typical challenge arises when one system supports multiple processes (very common): if you are assessing a process, where does the system assessment fit in? You might also have the same data used across systems and processes (always the case). By separating the assessments into documents you create duplication (making the data problem worse) and often introduce inconsistency in what you are documenting.
With GDPR Mentor we've broken the assessment into a modular approach, where you define your roles, data, systems & companies as reusable items, and then use these when you define your processes (Records of Processing).
The benefit of this modular, multi-dimensional approach is that when you assess a particular system that is used across multiple processes, you only assess and document the system once. This also leads to a single Risk Register workbench that applies across all areas, so if you identify a risk against one system or company, all processes that use this item are flagged.
The Risk Register has just been released in its first iteration and includes an initial 7 risk rules. We expect this list to grow to nearer 50 over the coming weeks, but it is good to get the module released and start receiving customer feedback so we can make it better.
The new features use the built-in rules, combined with your assessment survey responses and the data used within each system, to identify the risks. You are then presented with these to assess based on your own risk appetite by setting your own Impact and Likelihood, as in a traditional risk assessment, giving you a score of 1-5. You can then record your mitigations and, of course, work to reduce the high-risk items over time.