We take a structured approach to helping companies improve their privacy compliance. Privacy compliance is not a one-time project, however, so we also help them build a privacy-compliance culture inside the organization. We develop accountability mechanisms for every department so that everybody understands why personal data is so sensitive.
Over 90 of our customers have implemented a privacy-first culture in their organization. Our approach is based on the following steps:
Gap Assessment Audit
- We work with all key stakeholders in the organization (HR, Marketing, Sales, Operations, Post-Sales, Support, Services, etc.) to understand the data-processing culture.
- We then perform an Adequacy Audit, checking all documentation already in place: policies, procedures, codes of practice, guidelines and data protection agreements.
- We then perform a Compliance Audit, checking whether the organization actually operates in accordance with its documented policies, procedures, guidelines and codes of practice.
- We audit the entry points, exit points and storage locations for personal data.
- We check the IT inventory (desktops, laptops, mobile phones, servers, printers, routers, switches) to see whether these assets offer an adequate level of security for the personal data they handle.
- At the end of this stage we deliver a Gap Assessment Report with a compliance score for each department.
Data Flow Mapping
- In this step we identify all data flows in the organization and perform DPIAs (Data Protection Impact Assessments) for every personal data processing activity we find to be sensitive.
- We also identify all third parties (including "hidden" third parties) with whom personal data is shared.
- At the end of this step we deliver clear data flow maps showing the data exchanges between Data Subjects, Data Controllers and Data Processors.
Risk Analysis and Mitigation
- Based on the previous step we identify the key risks from a compliance perspective, rated by probability and business impact.
- We pay extra attention to international transfers of personal data, to make sure that adequate measures are in place to protect personal data processed by the importer.
- We propose mitigation measures, technical and organizational, to address these risks.
- These measures also include process optimization and digital-transformation tactics to increase the efficiency of business processes.
- We also use growth-hacking tactics to pilot these measures and see how they perform in the business environment before scaling up to the whole organization (too often, compliance projects have hurt the profits and KPIs of organizations).
Documentation
Based on the findings of the previous steps we provide, as needed, the following documents:
- Record of Processing Activities (mandatory).
- Data Protection Agreements to be signed with third parties:
  - DPA – Controller to Processor
  - DPA – Processor to Controller
  - DPA – Controller to Joint Controller
- Data Protection Agreements to be signed with employees, vendors and temporary workers.
- DPIA Register: a register of all DPIAs, their risks and mitigation measures.
- Privacy Notices at all entry points for personal data (websites, stores, physical locations, events, social media assets, etc.).
- Privacy Disclaimers.
- IT Security Policies: depending on the existing IT infrastructure, and together with the IT team or with our IT consultants, we propose security measures that are reflected in the final IT Security Policies.
- Business Procedures for key departments (HR, Marketing, Sales, Operations, Services, Post-Sales, etc.).
- Security Incident Reporting: internal procedures, including escalation paths that allow the 72-hour breach-notification deadline under GDPR Article 33 to be met.
- Guideline for the DPO Role.
- Other documents, depending on each case.
- Throughout the project we also assist in negotiating Data Protection Agreements with third parties, including vendors, partners and customers.
Accountability Mechanisms
- Setting up a privacy-compliance scorecard to ensure alignment across all departments.
- Timely audits and risk analysis of new personal data processing operations.
- All soft controls (organizational measures) in place.
- All hard controls (technical measures) in place.
- Keeping DPIAs up to date.
- ROPA (Record of Processing Activities) in place, covering all processing operations.
- Legitimate Interest Assessments documented.
- International Transfer Impact Assessments documented.
- Timely response to Data Subject Requests (within the one-month statutory deadline, extendable only in complex cases).
Regular Compliance Reviews
- Setting up a regular rhythm of compliance reviews, usually aligned with monthly or quarterly business reviews.
- Review of new processing operations, new risks, and the technical and organizational measures that address them.
- Review of the compliance scorecard.
- Discussion of new business needs to identify future personal data processing operations and their associated risks.