GDPR Compliance

 

If your organization handles personally identifiable information (PII) for European Union (EU) citizens, the General Data Privacy Regulation (GDPR) is likely something that your organization is concerned about.  Our open source SimpleRisk Core product can be downloaded for free and can help you to easily track compliance with the various requirements of the GDPR framework.

Getting started with SimpleRisk is incredibly easy!  You can download SimpleRisk from our website and install it on your own servers or we offer a free 30 day trial of our SimpleRisk Hosted solution. Once you have your SimpleRisk instance up and running, we highly recommend registering your SimpleRisk instance. This is a requirement if you decide you need any of our paid-for SimpleRisk Extras, but it also gives you access to our free Upgrade Extra, which provides a one-click backup and upgrade solution, as well as our free ComplianceForge SCF Extra, which incorporates the Secure Controls Framework directly into SimpleRisk. You can register and download these by going to the Configure -> Register & Upgrade page in your SimpleRisk instance. Once downloaded, select Configure -> Extras, and click on "No" in the Enabled column of the ComplianceForge SCF Extra. Click to "Activate" the Extra and you should see a list of all of the frameworks that have been mapped into the Secure Controls Framework:

ComplianceForge SCF Extra

Find the "EMEAEUGDPR" framework in the list and then click the button to move it to the Enabled list. Now, click on the "Governance" menu in SimpleRisk and you will see "EMEAEUGDPR" in the list of active frameworks:

SimpleRisk Active Frameworks

Click on the "Controls" tab and select your framework name from the "Control Framework" dropdown list. Currently, there are 97 controls in the Secure Controls Framework that have been mapped directly to the GDPR framework. Of course, you'll want to define tests in order to verify your compliance with these controls and SimpleRisk can help you do that, too. Simply click on "Compliance" in the menu at the top and you will see the list of all available controls. Select "EMEAEUGDPR" from the Control Framework dropdown list in order to see only those controls having to do with GDPR. Here's one example of a control ensuring that you have performed a Periodic Review & Update of Security Documentation:

Periodic Review & Update of Security Documentation

Click on "Add Test" and you have the ability to define a re-usable test for this particular control where you can define the test name, tester, additional stakeholders, team, test frequency, last and next test date, objective, test steps, time, and expected results. You can define any number of tests for each of your different controls.

Now that you've defined your tests, you can initiate an audit in SimpleRisk at the framework, control, or individual test level by clicking on the Compliance menu at the top followed by "Initiate Audits" from the menu at the left.

Once you initiate the tests, you will see them show up under the "Active Audits" menu.

By clicking on the test name, you can change the audit status, the test result, any of the test information, upload evidence of your testing, and add comments for the test. All of the resources that you'll need to track the test of this control from start to finish are right here. For example, you'll probably send an email to the control owner requesting evidence for the test. In our example above, you'll probably want to verify with the Security Team that they have recently reviewed and updated their documentation. After sending that e-mail, you'd likely update the Audit Status to "Pending Evidence from Control Owner" and set the Test Result to "Inconclusive".

Modifying a Control Test

At any point, you can go back to the Active Audits page to see the complete list of all of your active audits. You can filter by framework, tester, status, test name, or even text in order to find what you're looking for. Seeing a list of all tests pending evidence or everything pending a review is just a dropdown selection away. Once the test is marked with a status of "Closed", it will disappear from the Active Audits menu, but you will still find it under the "Past Audits" menu. This menu is a great way to get a historical view into all of your tests. Here can see that my "Periodic Review & Update of Security Documentation" control failed the first two times we tested it, but has passed the last two.

Past Audits in SimpleRisk

Now, when the GDPR auditors come calling, you can show them the controls you used as well as all of the testing you've done to verify compliance with the requirements. All in a simple, intuitive interface, that is open source and downloadable for free. No credit card is required for you to get started today with a free trial or schedule a demo with us to learn more!