When you work in a group portal, you have admin rights over all companies that are connected to the group. This allows you to control and create, for example, a photo audit. Work processes, data recipients, inspections, IT systems / information assets for each company connected to the group, without having to log in to each company’s portal account.

It also means that you can create risk assessments for all companies in the portal at once. It is also possible to select specific companies, and thus only create risk assessments for the relevant companies.

 

Risk assessments are assessments that you as a data controller must make of the risks to which the data subjects (customers, employees, etc.) are exposed.

Risk assessments are important because the regulation basically requires risk assessment to ensure that technical and organizational security measures are proportional to the information you as a data controller process. This means that you plan your security measures based on what data you handle to achieve the best possible security and protection of the data subject’s information.

Risk assessments are carried out in three steps:

• First, a risk is defined
• Then any risk categories are defined
• Finally, a risk assessment is carried out that describes how the risk specifically affects the individual category, work process, IT system or data recipient.

Navigation of the different items

When you click on ‘risk assessments’, a sub bar will open with the following options:

Navigation to risks

To access, create and edit risks, you must log in to the GDPR portal. Inside the portal, on the left side, you will find a bar where you must click on ‘Risk assessments’, after which a subbar will open. Here, click on ‘Risks’ to open the overview of risks. The overview is divided into different areas:

1. Create a risk. When you click here, you will open a smaller form. The form will be reviewed below.
2. Edit an existing risk. When you click here, you will open the same form as when creating a new risk.
3. Delete risk.
4. Archive risk.
5. With these functions you can either link or unlink a risk. Beware that if you unlink a risk, you will delete the group element but keep the local elements.
6. Convert local: Here you can convert local work processes that are already created in a local portal into the group portal. Read more about this function here.

How to create a risk

When clicking on ‘create’ (1), the following form will open:

1. Choose the local portals which the risk should be connected to. You have the options to select or deselect all or manually choose which local portals you want to create the group risk for.
2. The next part of the form is settings. The settings you choose here will affect whether the local portals can; delete the risk, create a local reassessment and measures themselves and if the local portal can edit group risk assessments. The settings you choose will be the settings that apply to all the local portals, which you assigned the risk to.
3. Here you need to give the risk a title. What title you choose is up to you, but we recommend choosing a title, that you will recognize the risk on.
4. Here you can create a risk assessment of the risk. When clicking on the dark blue icon, a small window will open. This is the form of creating a risk assessment, which you can read more about here

Navigation to risk categories

A risk category is a grouping of work processes, IT systems/information assets and/or data recipients that have the same risks associated with them and where therefore a single risk assessment can be carried out for the category.

It is a fundamental requirement from the regulation that risk assessment is carried out to ensure that technical and organizational security measures are proportional to the information you as a data controller process.

As the regulation does not impose requirements on how detailed the risk assessments must be, you can group your work processes, etc., if these are subject to the same risks. This makes the risk assessment process more efficient and manageable.

How to work with risk categories

To access, create and edit the risk category, you must log in to the GDPR portal. Inside the portal, on the left side, you will find a bar where you must click on ‘Risk assessments’, after which a subbar will open. Click here on ‘Risk categories’ to open the overview of the categories. The overview is divided into different areas:

1. Create a new risk category. When clicking here a form will open, that you need to fill in. Read about filling the form below.
2. Function icons that are from left to right: Edit, which will open the same form as when creating a risk category, delete the risk category, which will remove the risk category from both the group portal and the local portals connected. If you want to archive the risk category the last icon is the one you use.
3. Here it’s possible to link and unlink. To link you need to click on the dark blue icon. This function can be used, when you, as an example have a local portal in which you have a category which is the same as the category for the group and you want to connect the two. If you want to unlink you should click on the yellow item. Beware that when you unlink you delete the group element but keep the local elements.
4. Here you can see the title of the risk category and how many local portals the risk category is assigned to.
5. Convert local: Here you can convert local work processes that are already created in a local portal into the group portal. Read more about this function here.

Creating a risk category

The form that opens when you click on create in risk categories looks like this:

1. Give the risk category a title.
2. Description of the risk category. Here you should explain what the risk category contains.
3. When you open the form, this part is folded, and in order to set if the category can be deleted, you must click on the bar ‘settings’ and it will fold out. Keep in mind that the setting you choose here applies to all the local portals you choose to assign the category to.
4. When assigning the category to local portals you also need to unfold the bar in order to see the local portals. You can choose between selecting all or deselect all and if you want to choose some specific local portals yourself, you can do it by clicking the icon next to every local portal on or off.
5. Here the elements you can choose in the field below is shown, if you have chosen any.
6. Here you can add elements. When clicking on the field a menu will show where you can choose between work processes, IT systems / information assets or data recipient.

Suggested risk categories

It is important that the categories are made on the basis of the individual company’s specific circumstances. Below you can see GapSolution’s suggestions for which risk categories that may be relevant to consider:

• Enforcement of the data subject’s rights (requests for access, rectification, etc.)
• Processes for IT development that the company handles internally
• IT systems/information assets using only ordinary personal data and not used for critical functions
• Processing of contact information (customers, suppliers, etc.)
• Customer-facing services
• Accounting
• Employee data (HR)
• Physical security of the company (alarms, monitoring, etc.)

The above is only an inspiration list, and the categories should be based on a specific assessment in the individual company. IT systems with a particularly critical function should always be risk assessed separately.