
How to add a Third-Party App

Learn how to add a Third-Party App to your Naq Platform

Written by Dominic Horwood
Updated over 8 months ago

This article will walk you through how to add a third-party app to your Naq platform! This includes any applications and cloud software tools you use across the business, such as email, application hosting, online document storage and HR systems.

Any suppliers of people's time (such as accountants, outsourced developers, consultants etc.) should be added under the Suppliers section of Naq only.

App Name

Here you will select the app or system you want to add. If the app you would like to add is not listed, please click here to request it be added by the Naq team.

App Owner

Here you will select who is responsible for managing and overseeing this app within your organisation.

Business Critical

Business-critical refers to any element, such as a service, application or supplier, that is essential for the business to function.

Disruptions or failures in these elements can have significant negative consequences, such as service disruption, financial losses or reputational damage.

Where is the data in this app hosted?

Adding third-party apps to your Naq platform is great for understanding what data you are storing and where, but figuring out where that data is hosted can sometimes be tricky.

Here's a handy tip:

  • If the application is not a hosting application (a tool where you do not choose where your data lives), use the supplier's company headquarters address.

  • If the application is a hosting application (e.g. AWS), select the region in which you are using it.

Why do you use this app?

This is a tickbox exercise to record why you are using this application. You can select more than one option here, and it is important to be as thorough as possible.

Whose data do they have access to?

Here you will select whose data the app has access to (i.e. the 'data subject'). This may be employee, customer, or stakeholder data.

What data do they have access to?

For each data subject, you can select what data this application stores. This may include, for example, their name, address or job title.

To add a new data subject, simply click 'Add new subjects' within your Naq platform.

Legal basis of processing

The legal basis of processing is the justification for collecting and using personal data. Each legal basis carries specific requirements and obligations, and having a lawful basis for every processing activity is a fundamental principle of GDPR.

For more information on how to select the legal basis of processing for each data subject, please see here.

Retention period

Under GDPR, personal data should be kept only for as long as necessary for the purposes for which it was collected.

In most instances, retention periods are classified as either legal retention or retention based on contract validity (i.e. for as long as the underlying contract remains valid). Here's how to differentiate between the two:

  • Standard legal retention periods are often defined by industry-specific regulations or national legislation. They are universal and apply regardless of the contract status. For example, in the context of an application that manages employee records, retention periods are often legally mandated (e.g. 6 years for employment records post-termination).

  • Retention for as long as the contract remains valid means that the data or records are kept for as long as the contract is in force. For example, CRM applications often store customer data for as long as the contract with the CRM provider is active.

Source

The source of data may be from the data subject themselves, for example, if data subjects directly provide personal data through forms, surveys, or public profiles.

It can also be through your customers; for example, this may occur when customers create accounts, make purchases, or interact with the business in any way that involves sharing personal information.

Alternatively, the data source can be a third party if the information is obtained from an external organisation. This often happens through partnerships or publicly available sources, such as accessing data from public databases.

Number of records

Number of records refers to the number of data pieces you hold on a specific data subject within that application. For example, if you have 50 employee first names stored within Google Workspace, the number of records would be 50.

Recording this information helps provide an overview of the amount of personal data your company holds on a specific individual.

Purpose

What is the purpose of storing this data? For example, if you are storing an employee's name, home address and email address in Google Workspace, the purpose would likely be to ensure business continuity, as well as for administrative and operational purposes.

Confidentiality, Integrity and Availability

Confidentiality, Integrity, and Availability (or the CIA Triad) are the basic building blocks of keeping information secure. In the context of third-party apps, it’s crucial to ensure that they adhere to the CIA principles.

The principle of Confidentiality is to ensure that only authorised users have access to information. For more information on how to select confidentiality ratings, click here.

The principle of Integrity is to ensure that only authorised subjects can make authorised modifications. For more information on how to select integrity ratings, click here.

The principle of Availability is to ensure that authorised subjects are granted timely and uninterrupted access to information. For more information on how to select availability ratings, click here.

What is the highest classification of data on this asset?

Determining the highest classification of data on a third-party application requires assessing the most sensitive type of information that the app handles. For guidance on how to determine this, please see here.

Does this asset hold any UK government-classified data?

Does the third-party app process or store data that is classified as secret by the UK government?

Examples of this type of data include national security information, defence-related data, intelligence reports, or sensitive law enforcement operations. Such data typically has heightened sensitivity and confidentiality requirements and will therefore be subject to more stringent compliance measures.
