3) With this feature, you can choose: Risk Assessments, Archive, Export or Delete.

In this form, there will be some different characters at the fields. See the example of characters here:

1. Is an expression of a gap. Read more about it here.
2. Is an infobox. Read more about it here.

Main information

When you open the form, the first thing you need to do is provide some main information about the IT system / information asset.

1. Title: Here you need to specify the title of the IT system / information asset used.
2. Data recipients: Here it can be specified which data recipient owns the IT system. You can do this by clicking on the line and a list of all data recipients will appear. If a data recipient is missing, you can click on ‘Add data recipient’ in the bottom right corner, after which a form will open for adding a data recipient. This is primarily relevant for systems where data is moved out of the company, e.g. via apps, hosting, cloud services or email servers. When the IT system and the data recipient are connected, the GDPR portal can help fill in the fields in ‘Work processes’ correctly so that all information matches. If it is not owned by a data recipient, remove it in the upper right corner of the field.
3. Security measures: Here all the security measures applicable to the IT system / information asset are indicated. Both technical and organisational security measures must be indicated.
4. Briefly describe what the IT system/information asset is used for in the company.
5. Physical archive: Here you need to specify whether it is a physical archive. Your choice in this field determines the form’s following fields.

If it isn’t a physical archive:

If you have chosen that an IT system / information asset isn’t a physical archive, the following fields will appear, which must be filled in:

1. Search function in the IT system? Can the IT system identify personal data about a specific person? Clicking on this field will make various choices you can make.
2. Delete function / irreversible deidentification in the IT system? Is it possible to delete data in the system? Clicking on this field will make various choices you can make.
3. Data export in the IT system? Is it possible to export data out of the system in a structured, commonly used and machine-readable format? Clicking on this field will make various choices you can make.
4. Does automated decision-making take place? You must indicate here whether automated decision-making – including profiling – takes place in the IT system. Clicking on this field will make various choices you can make.
5. Limited processing in the IT system? Can the IT system in question limit processing to storage only in the cases specified in the information box at the point? Clicking on this field will make various choices you can make.

Secure access to the IT system / information asset and division of access in the IT system / information asset

Here you must indicate whether there is secure access to the IT system / information asset. It is a requirement that there are appropriate technical measures to protect data against unauthorized access, including, for example, strong passwords or multi-factor authentification login. Clicking on the field will show the choices you can make.

You must then specify whether there is division of access in the IT system / information asset – whether access to data in the system can be divided, for example, based on the user’s roles and rights. Clicking on this field will show the choices you can make.

Completion of the form

At the end of the form, there is a field where you can provide suggestions for improvements. You can also upload files by clicking on ‘attachments’, where the option to attach files will open.