GDPR Compliance & Services

The EU’s General Data Protection Regulation (GDPR) is an important international standard for data privacy. This regulation governs the way businesses collect and protect EU data. We can help you if you are concerned about “the right to be forgotten,” “data sovereignty issues,” or anything in between. We will help you with a risk-based approach so that you are doing only what is necessary.

We have helped data controllers and data processors with the following:

  • Data inventory completion
  • Data Protection Officer requirement determination
  • Policy and procedure review
    • Data classification
      • Prospects
      • Customers
      • Employees & candidates
      • Vendors
    • Consent practices
    • Third-party vendor management
    • Incident response planning
    • Data Protection Officer options analysis
    • SDLC for privacy by design
    • Data portability
    • Data erasure
    • Right to access
  • Data Protection Impact Assessment
    • Determine if necessary
      • Using the 10-point scoring system from the EU’s Data Protection Working Party
      • Document determination
    • Proceed with DPIA when necessary
  • Program Testing

Ancillary Benefits

In addition to the need for compliance, our clients also see additional benefits to following GDPR guidelines. Some say the data inventory process can be like cleaning your garage. You may find all kinds of things that have been forgotten or are no longer needed. At the end of the day, in addition to being compliant, you have a clean garage, or, to use another analogy, better “data hygiene.”

  • Cybersecurity benefits – the process of evaluating your infrastructure, people and processes can benefit your cybersecurity posture through tightening loose ends previously unnoticed.
  • Security training – any opportunity to remind your employees of the threats to data (your data and your customers’ data) can be valuable in the “human firewall” line of defense.
  • Data management – is there obsolete data in your live environment or your backups? Removing that data may reduce your risk of exposing confidential information. It may also save time and money in the future as data archives are moved or searched. Now is the time to save what’s important and delete what’s not needed.
  • Efficient marketing – this process may force the organization to think more thoroughly about what marketing data is truly valuable. Perhaps much has been saved in the hope that it may be useful someday. Likely, much of that information is not unique or particularly useful and can be deleted. This can reduce the data inventory and can also help marketing retain only what is valuable going forward.
  • International marketing – many domestic companies may not require, or care about, your GDPR compliance, but when marketing to international companies, your ability to demonstrate GDPR compliance proves that you serve their markets and are savvy to international business practices.
  • Privacy is good – demonstrating respect for privacy can set the tone in your culture that people matter. Your employees and customers may see this as a sign that your organization is responsible and trustworthy.
  • Cyber insurance rates – we recommend contacting your insurance carrier during this process. There may be key milestones that will enable your carrier to reduce your rates as you reduce your risk.