IT systems / information assets are programs and assets that contain information. They can be software, or physical things like laptops, external hard drives, etc.
3) With this feature, you can choose: Risk Assessments, Archive, Export or Delete.
In this form, various characters appear next to the fields. See the example of characters here:
- Title: Here you need to specify the title of the IT system / information asset used.
- Data recipients: Here it can be specified which data recipient owns the IT system. You can do this by clicking on the line and a list of all data recipients will appear. If a data recipient is missing, you can click on ‘Add data recipient’ in the bottom right corner, after which a form will open for adding a data recipient. This is primarily relevant for systems where data is moved out of the company, e.g. via apps, hosting, cloud services or email servers. When the IT system and the data recipient are connected, the GDPR portal can help fill in the fields in ‘Work processes’ correctly so that all information matches. If it is not owned by a data recipient, remove it in the upper right corner of the field.
- Security measures: Here all the security measures applicable to the IT system / information asset are indicated. Both technical and organisational security measures must be indicated.
- Briefly describe what the IT system/information asset is used for in the company.
- Physical archive: Here you need to specify whether it is a physical archive. Your choice in this field determines the form’s following fields.
- Search function in the IT system? Can the IT system identify personal data about a specific person? Clicking on this field will show the choices you can make.
- Delete function / irreversible deidentification in the IT system? Is it possible to delete data in the system? Clicking on this field will show the choices you can make.
- Data export in the IT system? Is it possible to export data out of the system in a structured, commonly used and machine-readable format? Clicking on this field will show the choices you can make.
- Does automated decision-making take place? You must indicate here whether automated decision-making – including profiling – takes place in the IT system. Clicking on this field will show the choices you can make.
- Limited processing in the IT system? Can the IT system in question limit processing to storage only, in the cases specified in the information box at this point? Clicking on this field will show the choices you can make.
Most of these fields can show a red exclamation mark, which indicates a gap.
Read more about gaps here.
Secure access to the IT system / information asset and division of access in the IT system / information asset
Here you must indicate whether there is secure access to the IT system / information asset. It is a requirement that there are appropriate technical measures to protect data against unauthorized access, including, for example, strong passwords or multi-factor authentication login. Clicking on the field will show the choices you can make.
You must then specify whether there is division of access in the IT system / information asset – whether access to data in the system can be divided, for example, based on the user’s roles and rights. Clicking on this field will show the choices you can make.
If you tap the cross in the upper right corner, the form will automatically open a window asking if you want to discard changes. By pressing OK, you close the process without saving your changes. If you want to save the changes, press Cancel in this window and close the document in the bottom right corner of the form.