We can Support You at Any Stage of Your Journey
Whatever stage you are at with your GDPR compliance we can support you. If you are clueless where to start, or just stuck on a specific area, we can help you by providing data protection specialists to conduct an assessment of where you are regarding compliance, and then tailor practical action plans to get you where you should be.
When GDPR became law in May 2018, you should have made sure that all practices, policies and processes relating to the collection and use of personal data across your organisation had been assessed and brought into alignment with the requirements of the new Regulation. However, many companies still haven’t started. If you are one of these, don’t panic – we can help you!
As a GDPR consultancy our professionals can conduct a GDPR audit, gap analysis and data mapping exercise to establish exactly how your organisation currently stores, secures, manages and accesses personal data. Based on that we can assess the risks your personal data processing poses to your organisation and set about putting in place comprehensive yet practical procedures to safeguard your personal data and ensure you comply with the GDPR.
Since it covers personal data, the GDPR focuses on having the right governance structure, policies and operational practices, as well as monitoring, detection and response processes in place. While virtually all organisations will have to implement some changes to become compliant, the challenge for many will be trying to balance the granularity of compliance activities versus available budgets, resources and time. Typical pitfalls for many organisations centre around a poor understanding of the scope of activity required and the amount of time needed to implement key actions. This is where we come in. Just contact us to arrange an initial informal chat.
COMPLETE GDPR COMPLIANCE SOLUTIONS
We can Provide Everything You Need To Comply with the GDPR
Under the GDPR companies are subject to new requirements, which for most organisations raise the bar above current privacy practices. Despite its complexity, QualityCERT has developed a comprehensive end-to-end data privacy management solution to help you manage all phases of GDPR compliance.
Since we specialise in management systems compliance and provide expert advice across a broad spectrum of standards and business improvement services, our experience enables us to act as a highly collaborative and full service partner. This ensures that our customers can move forward at pace, and with confidence, to deliver timely and cost effective GDPR compliance.
7 STEPS TO GDPR COMPLIANCE:
INCREASE GDPR AWARENESS
The first step to ensuring compliance is to ensure that key people within your organisation (including decision makers) are aware that the law is changing around data protection. They need to appreciate the impact that this is likely to have and identify areas that could cause compliance problems under GDPR.
During this step we shall also discuss such topics as who will be in the project team, budgets, and specialist resources, such as whether there is a requirement to appoint a Data Protection Officer. At this stage training is a key element, and we have comprehensive training courses in a variety of formats to cover all requirements.
Understand the GDPR legal framework
The next step is determining what data you currently hold by conducting a compliance audit against the GDPR legal framework (identifying the “as-is” and the “to-be” situations via a gap analysis). No matter the size of the company, it is imperative to get a full account of what personal data you hold, understanding where it comes from, what it is used for (and why) and where it goes, through the construction of a data map. A solid understanding of the organisation’s data life-cycle may provide the opportunity to fundamentally re-engineer data structures, which may in turn deliver greater efficiency and reduce risk.
Creation of a Data Register
Once we have established a clearer idea of your readiness to meet the regulatory requirements, we will need to keep a record of the various processes.
This will be done through the keeping of a Data Register, since each country will have a Data Protection Association (DPA) responsible for enforcing GDPR. It is this organisation that will judge whether your business has been compliant when determining any potential penalties following a breach.
Should a breach occur during the early stage of implementation, the business should be able to show the DPA its progress towards compliance through its Data Register.
This step is all about understanding what data your business needs to protect and how that is being done. We shall first locate any Personally Identifiable Information (PII) – information that can directly or indirectly identify an EU citizen.
It’s important to identify where it is stored, who has access to it, who it is being shared with, etc. From this we can determine which data is more vital to protect, based on its classification. This also means knowing who is responsible for controlling and processing the data, and making sure all the correct contracts are in place.
Clarify your Data Breaches Procedure
This important next step is the creation of a data breach plan to ensure that you have the right procedures in place to detect, report and investigate a personal data breach.
While nobody wants to imagine failure, it is always important to have a plan for every scenario, even the worst-case ones. Should your company find itself in the midst of a breach, we suggest having a plan for proper communication, as well as pre-emptive courses of action your company can take to fix the error. As part of the GDPR, the EU will be enforcing a new breach notification duty for all organisations, which mandates that any breach resulting in harm to an individual, such as identity theft or a confidentiality breach, will have to be reported to the ICO.
Failure to report these breaches properly could result in more fines, on top of the initial penalty for the breach itself. While not every breach needs to be reported, it is best practice to treat every breach with equal significance so that you are well prepared for even the worst-case scenarios.
Implementation Through Prioritisation
Once the data has been identified, it’s important to start evaluating it, including how it’s being produced and protected. With any data or application, the first priority should be to protect the user’s privacy. Additionally, we will assist and guide you through the process of completing a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) for all security policies, evaluating data life cycles from origination to destruction points.
Aside from the most sensitive data, we shall also assess and document other risks, with the goal of finding out where the business may be vulnerable during other processes. As this is being done, it is vital businesses keep a roadmap document to show the DPA how and when they are going to address these outstanding risks. It is these actions that show the DPA that the business is taking compliance and data protection seriously.
At this stage we shall also think about what you can do to reduce the amount of data that you collect and process since the GDPR states that personal data collected should be:
• Limited to what is necessary for the purposes for which they are obtained (‘data minimisation’).
• Kept for no longer than is necessary for the purposes for which they are retained (‘storage limitation’).
Accountability and Demonstrating On-going Compliance
The final step, and a key principle of the GDPR, is that of accountability. This means being able to demonstrate compliance. We will schedule periodic audits to regularly review your compliance activities and house all supporting documentation, which can be used for both internal and external reporting, in a central repository.
QualityCERT’s experienced data protection consultants can help and advise on all aspects of GDPR Compliance. We can provide expert data protection knowledge and the tools, processes and documentation necessary to significantly reduce the resource overhead required to complete the process. This ensures that the findings and recommendations are the most accurate and appropriate as expected by the supervisory authority, the ICO.
Our Compliance Service is conducted by IAPP Certified Information Privacy Professionals. As well as being highly qualified in the General Data Protection Regulation, our consultants are fully qualified auditors in other quality standards and business management systems.
We are industry practitioners who specialise in data protection, compliance, risk and governance and we are well versed in helping companies become GDPR and ISO certified.
Our GDPR practitioners cover all the key elements of the regulation to ensure you fully understand the steps and approaches your company needs to become GDPR compliant by focusing on providing practical approaches that can be easily implemented into your organisation.
Additionally, our consultants have a wealth of ‘hands-on’ industrial and commercial experience in the real world. All in all, this ensures that you get the best GDPR compliance service available anywhere in the UK.
DON’T PANIC!
If you haven’t already started planning your GDPR compliance there is still time, and we can help you to comply.
However, NOW is the time to start. Whatever your GDPR requirements, and wherever you are in your compliance journey, our consultancy services can be flexibly tailored to meet your exact requirements.