GDPR RACI.pdf
1 like1,700 views
The document discusses using a RACI (Responsible, Accountable, Consulted, Informed) chart to assign roles and responsibilities for GDPR implementation. It provides an introduction to RACI charts, an example from the speaker's company that outlines its data protection framework, governance model and 21 GDPR activities, and the speaker's resulting RACI chart. The speaker advocates for RACI charts to provide a clear overview of participation in tasks and recommends periodic reviews to keep the chart updated.
GDPR RACI.pdf
- 1. Using RACI Chart for GDPR implementation Andrey Prozorov, CISM, CIPP/E 2020-05-25
- 2. 2 Andrey Prozorov, CIPP/E, CISM • Information Security Methodology Manager • 15 years in information security (12 years in data protection and privacy) • My Patreon (ISMS and GDPR toolkits) - www.patreon.com/AndreyProzorov • My blog (in Russian) - http://80na20.blogspot.com
- 3. Agenda • RACI Chart (intro) • My Case: • My Data Protection Framework • My Governance Model • My GDPR Activities • My RACI Chart 3
- 4. My first contact with RACI chart 2009-2010, COBIT 4.1, example: PO4 Define the IT Processes, Organisation and Relationships 4
- 5. Thanks, Wiki! A responsibility assignment matrix (RAM), also known as RACI matrix or linear responsibility chart (LRC), describes the participation by various roles in completing tasks or deliverables for a project or business process. RACI is an acronym derived from the four key responsibilities most typically used: responsible, accountable, consulted, and informed. It is used for clarifying and defining roles and responsibilities in cross- functional or departmental projects and processes. There are a number of alternatives to the RACI model (e.g. RASI, PARIS, PACSI, DACI, PDQA, RASCEIO) 5
- 6. RACI • Responsible (R): role that performs an activity or does the work. • Accountable (A): role that is ultimately accountable and has Yes/No/Veto. Also approver or final approving authority. There must be only one accountable specified for each task or deliverable. • Consulted (C): role that helps and advises. • Informed (I): role that needs to know of the decision or action. 6
- 7. Why is it effective? • Simple and short description • Adaptable • Helicopter view (complete list and links) 7
- 8. COBIT 2019: APO13 — Managed Security 8
- 9. COBIT 2019: APO13 — Managed Security We have used RACI for the ISMS implementation. Let’s use it for GDPR compliance… 9
- 10. My Case • Construction and Energy sector • >250 employees • EU + Russia • ISO 9001, ISO 27001… 10
- 11. My Data Protection Framework (33 pages) 11
- 12. My Data Protection Framework (33 pages) 12
- 13. Data Protection Governance Model Who else? • Representatives • Internal Audit • Risk Manager • Procurement • Compliance • … 13
- 14. 1. Planning (6) 2. Processing (6) 3. Security (5) 4. Control, Report and Respond (4) GDPR Activities (21) 14
- 15. 15
- 16. 16
- 17. 17 Lessons Learned: • Choose a suitable level of detail • Use other examples for inspiration • Discuss and align everything in advance • Conduct periodic reviews and update the chart
- 18. Andrey Prozorov, CIPP/E, CISM • My Patreon (ISMS and GDPR toolkits) - www.patreon.com/AndreyProzorov • My blog (in Russian) - http://80na20.blogspot.com • Email - prozorov.info@gmail.com Thanks!