If you are adding the GDPR framework to your existing Strike Graph instance, we recommend making a few updates to the control language to cover the additional regulations.
Consult the guidance below, along with your company's legal counsel, to edit the control descriptions to ensure that they accurately describe your processes.
Automated Processing of PII
Add the following sentence to the control description: The Privacy Notice includes information about the logic involved in the automated processing, as well as the significance and the envisaged consequences of such processing for the data subject. Procedures are in place to address data subject objections to automated processing of their data.
Contracts
Add the following sentence to the control description: Contracts that concern PII include the Standard Contractual Clauses.
Contracts: Processors
Add the following sentence to the control description: The EU's Standard Contractual Clauses may be used.
Data Breach Policy
Add the following sentence to the control description: The breach procedures include notification of data subjects and supervisory authorities.
Data Collection
Add the following sentence to the control description: No additional PII will be collected solely to comply with GDPR.
Disciplinary Process
Add the following sentence to the control description: The disciplinary process includes data privacy violations.
Legislative and Contractual Requirements
The final sentence may be removed, if not applicable.
Marketing Consent
Add the following sentence to the control description: At any time, the data subject may object, by paper or electronic means, to the use of their PII for marketing purposes. Procedures are in place to address such objections. The right to object to the use of PII for marketing purposes is clearly stated within the Privacy Notice/Policy.
Privacy Notice
Add the following to this control and to the Privacy Notice, but only if personal data has not been obtained directly from the data subject: The Privacy Notice clearly outlines the use of the data and the related data subject rights when the data has not been collected from the data subject.
Personal Information: Procedure to Destroy
Add the following sentence to the control description: Archiving processes are in place, which include data minimization measures.
Processing on Behalf of a Customer
Replace "customer" with "controller" and add the following sentence to the control description: Processing of sensitive personal data is strictly prohibited unless by documented exception.
Provides Personal Information Timely
Add the following sentence to the control description: This may be within one month of receipt of the request, with a 2-month extension, communicated to the data subject, if needed. The communication includes the reason for not taking action and the right of the data subject to lodge a complaint. Personal information is provided free of charge unless the requests are deemed excessive or unfounded.
Responsibility for ePHI
Change ePHI to PII in both the control description and its title.
Risk Assessment Methodology
Ensure that privacy risks are considered when documenting your risk assessment methodology (or policy). Strike Graph provides a recommended template.
