GDPR Readiness Review
GDPR is now law. It is therefore important to understand at what level an organization is ready to meet its compliance requirements. Our GDPR review program helps organizations understand the impact of the regulation on the organization. This is made possible by a specialized team of industry experts who conduct the review program. Our deliverable is complete know-how on what is expected to change at the organizational level.
1. Is the legal basis for each processing activity documented? Article 6(1) EU GDPR.
- “The organization should maintain a log of each processing activity it engages in, as well as the corresponding legal basis. The processing activity has a valid legal basis only if one or more of the following apply:
- The data subject provides valid consent;
- Processing is necessary for entering into, or for the performance of, a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or other individual;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or third party, to the extent it does not infringe on the fundamental rights and freedoms of the data subject, particularly where the data subject is a child” - Article 6(1) EU GDPR.
2. Is the purpose for each processing activity documented? Article 4(2) EU GDPR.
- Every processing activity should be documented.
- "Processing" is defined as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
If your business outsources any function to a third party, it is quite likely that the third party will be a data processor. The outsourced function might be an HR function or a marketing service, or you might have engaged an IT service provider to provide support services to your business.
Where contracts are already in place, they are unlikely to have been drafted to be GDPR compliant; as a result, existing contracts need to be reviewed and often re-drafted.
Articles 1(3), 44, 45, 46, 47 and 49 of the GDPR set out certain provisions that must be included in the contract between the controller and the processor.
Data Privacy Impact Assessment (DPIA). A DPIA is a process which assists organizations in identifying and minimizing the privacy risks of projects and policies.
DPIAs are now mandated: before the GDPR they were best practice; they are now legally required. DPIAs are an integral part of taking the “privacy by design” approach. The GDPR states that a data protection impact assessment is required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. Whether this applies is based on considerations such as the nature, scope, context, purpose and type of the processing, and the use of new technology.
GDPR COMPLIANCE ASSISTANCE
Our teams can assist companies in complying with the GDPR and in setting up frameworks for the various internal audits required from a compliance perspective. In addition, businesses should have policies and procedures in place for their processes and departments. GDPR is a law, and the law insists on “demonstrable evidence” to prove GDPR compliance, so it is important to re-audit for any prospective PI data breach; the company should prepare organizational and IT control procedures and policies well in advance, as their absence will be considered a deliberate attempt by the organization to avoid the GDPR.
The most important demonstrable evidence is the reporting required under Articles 30 and 35. We can prepare a framework to produce the PI and DI reports required by the ICO and by controllers for audit purposes.
Under the GDPR, organizations need to demonstrate incident response preparedness, response and notification. We help companies meet the 72-hour breach notification requirement and deliver GDPR awareness programs for stakeholders, ensuring that client-specific drivers are fully reflected in procedures and policies.
GDPR compliance is not a one-time exercise; ongoing review and audit of the existing GDPR program and related practices are required. As experienced GDPR implementers, we can provide regular and independent audit services for this.
Under the GDPR, organizations need to act on their data to make sure it is accurate and that irrelevant data is not kept (the principle of data minimization); data cleansing therefore becomes a regular and periodic activity for the organization.
The most important part of data cleansing will be consent from your contacts. Improving the quality and compliance of customer contact data takes an organization-wide approach that starts at the top.
Our Audit Services Include:
LEVEL 1 GDPR READINESS AUDITS
In response to a number of clients’ concerns regarding their readiness for the new regulations, we now offer a short five-day GDPR Readiness Audit including:
- Two-day on-site consultation consisting of 3-5 interviews with senior data protection staff (typically your Data Protection Officer, Head of IT and one other senior manager with responsibility for compliance).
- Two-day off-site document review, report generation and interview transcription.
- Half-day on-site presentation of your Readiness Audit Report and Recommendations to the Senior Management Team.
Enhanced audits are provided on the basis of current practices, systems and controls, and identified weaknesses or challenges.
We can help organizations maintain collected information across multiple data fields. We rectify irregularities in data and update old and obsolete records. When you outsource data management to us, we make sure data is maintained in accordance with GDPR guidelines.