What is The General Data Protection Regulation (GDPR)?
The GDPR is a data protection and data privacy regulation in force in the European Union, the UK and the European Economic Area (EEA). It requires companies to meet what are considered to be the strictest privacy laws in the world regarding the collection and use of personal data. The GDPR is made up of 99 Articles, with requirements covering cyber security, mandatory data breach notification, rights of recourse for EU citizens and data transfers to other countries, to name a few.
What Will The Privacy Group Do For You?
This is a fair question. For starters, we will help you. Advice is only as good as the communication skills used to deliver it. We know a lot about data privacy but that is of little benefit if it doesn't yield value for the client. We are seasoned professionals and we won't waste your time (or money) with complex explanations and jargon. Our job is to present you with options to meet your business need and give sound advice.
A few ways The Privacy Group can help...
How do you know where you're going if you don't know where you are? The right first step is understanding your company's data privacy compliance processes and taking an inventory of your data assets. Our team will assess and prioritize action items based on GDPR requirements and your goals.
Small and medium businesses experience the GDPR differently than large organizations. On the one hand, they don't typically have the complexity a multinational would. On the other hand, they also don't have the head count to focus on compliance. We're a small business, so we understand. We offer services tailored to the needs of small and medium businesses. Here are some key services we offer.
- Privacy software evaluation
- On-demand and managed services
- Technology and vendor onboarding
One sure way to make a security or data breach worse is to not have a plan for when it happens. From the data privacy perspective, there are strict notification requirements for major events, and trying to figure out what to do while the clock is ticking is unlikely to yield the best outcome. Here are a few key items.
Frameworks for:
- Notification requirement assessments
- When you should notify data authorities
- When you should notify data subjects
- External communication content requirements
- Harmonizing information security with data privacy requirements
Not every company needs, or has the resources for, a dedicated Data Protection Officer (DPO). The Privacy Group offers a cost-effective option to meet this need. If your company has an Article 37 requirement but hiring a full-time Officer isn't right for you, DPO as a service might be the right solution. Not sure if you need one? Give us a call; we're happy to help.
What Does This Mean For Your Company?
Perhaps the most significant but least talked-about impact of the GDPR is having to change the way we assess risk. Normally, we look at risk (as a company) from the standpoint of our assets (brand, data, infrastructure, etc.). Did you know you now need to look at risk from the perspective of the data subject? This means everything from your company's information security or data breach remediation plan to your risk management roadmap has to be considered with the EU GDPR in mind. This also means potential changes to your company's leadership in the form of a Data Protection Officer (DPO).
When Do You Need A GDPR Consultant?
The simple answer is that any company doing business in the EEA that doesn't have the in-house expertise to navigate data privacy laws should seek advice from a competent privacy professional. Did you know fines for violations can be as high as 4% of your company's annual revenue?
Our IAPP certified GDPR experts will:
- Work with your team to understand your current compliance process
- Perform a gap analysis
- Perform GDPR training for all business areas
- Identify high-risk data processing
- Develop breach notification and incident response plans
- Deliver a scalable data privacy plan that your team can grow
- Consult as needed
GDPR FAQ
Yes, the GDPR is likely to still be in scope for your company.
Presently, there is not a company certification for GDPR compliance.
There are training certifications for individuals. These are awarded for demonstrating competence with EU/UK data privacy laws. We strongly recommend the IAPP certifications. Using tools like the NIST Privacy Framework, or tools built on it, also helps. Regulators want to see that your company did everything it could to protect the privacy of the people whose data it uses.
Not exactly. It really depends on the violation. If the violation is minor and poses little or no risk to the data subjects involved, then notification is probably not needed. Violations should still be recorded with your compliance team and can be voluntarily disclosed at some point in the future.