We are taking a four-step approach to helping companies become GDPR-compliant. However, compliance is not a one-time project, so companies must develop a privacy-compliance culture inside the organization! For this, all departments in the organization must be made accountable for maintaining privacy and for understanding why personal data is so sensitive.
We have over 40 customers who implemented a privacy-first culture inside the organization. Our successful approach is based on four steps:
- We are working with all the key stakeholders in the organization (HR, Marketing, Sales, Operations, Post-Sales, Support, Services etc.) to understand the data processing culture.
- We are auditing the entry points, exit points and storage locations for personal data.
- At the end we have a map of “data islands” (including legacy data, digital and paper-based) and of who has access to data and why.
- In this step we identify all the data flows in the organization and we perform DPIAs (Data Protection Impact Assessments) for all the personal data processing activities that we find to be sensitive.
- Also, in this step we identify all the third parties (including “hidden” third parties) with whom personal data is shared.
- At the end of this step we will have clear data flow maps and data exchanges between Data Subjects, Data Controllers and Data Processors.
Risk Analysis and Mitigation
- Based on the previous step we identify the key risks from a compliance perspective.
- We propose mitigation measures – technical and organizational – to address these risks.
- At the same time, these measures include process optimization and digital transformation tactics to increase the efficiency of business processes.
- We are also using growth-hacking tactics to propose tests for these measures, to see how they work in business environments before scaling up to the whole organization (too many times compliance projects have affected the profits and KPIs of organizations).
- In this step we are also offering legal and tactical support for the organization in deploying the documents needed for compliance:
  - Record of Processing Activities (mandatory).
  - Data Protection Agreements – to be signed with third parties:
    - DPA – Controller to Processor
    - DPA – Processor to Controller
    - DPA – Controller to Associate Controller
  - Data Protection Agreements – to be signed with employees and vendors/temp workers.
  - DPIA Register – a register with all the DPIAs, risks and mitigation measures.
  - Privacy Notices – at all the entry points for personal data (websites, stores, physical locations, events, social media assets etc.).
  - Privacy Disclaimers.
  - IT Security Policies – depending on the existing IT infrastructure, we will work together with the IT team or with our IT consultants to propose security measures that will be reflected in the final IT Security Policies.
  - Business Procedures for key departments – HR, Marketing, Sales, Operations, Services, Post-Sales etc.
  - Security Incident Reporting – internal procedures.
  - Guideline for the DPO role.
  - Other documents, depending on each case.
- Throughout the project, we are also offering assistance in DPA negotiations with third parties, including vendors, partners and customers.