The General Data Protection Regulation (GDPR) came into effect on May 25, 2018 across the European Union. As one of the most far-reaching pieces of data protection and privacy legislation ever enacted, the GDPR introduces a wide range of new requirements for how organizations must handle personal data. Non-compliance with GDPR regulations can result in fines of up to 4% of annual global turnover or €20 million - whichever is greater. With these strict penalties in place, businesses are scrambling to ensure they have the proper GDPR services and solutions in place to avoid costly mistakes.
State of Compliance
A survey conducted in early 2018 found that over half of companies had yet to begin their GDPR compliance efforts. With less than six months until enforcement, many businesses were unprepared for the changes required. According to reports, the amount of work required for full compliance caught many off guard. Small and medium-sized enterprises in particular struggled to allocate the resources and budget needed for GDPR projects. A lack of expertise in data protection regulation contributed to these difficulties as well.
GDPR Consulting Services
One of the most common GDPR services selected by organizations is consulting. Privacy consultants can help with an extensive range of activities including:
- Data mapping and audit to understand what personal data is held, where it came from, and who it is shared with
- Risk assessment of current data processing activities
- Review and update of privacy policies and consent mechanisms
- Implementation of subject access request handling procedures
- Staff training and awareness programs on new responsibilities under GDPR
- Guidance on international data transfers outside the EU
- Advice on technical and organizational measures required by GDPR
Consultants with deep experience designing and implementing privacy management programs can help companies navigate complex GDPR requirements and prioritize efforts based on risk. Their expertise helps maximize resource use for critical projects while minimizing compliance gaps.
Data Protection Officer Services
Under GDPR, public authorities and some private companies must appoint a Data Protection Officer (DPO) whose responsibilities include:
- Informing and advising the organization on its obligations under GDPR and other data privacy laws
- Monitoring compliance and risk associated with processing activities
- Acting as point of contact for supervisory authorities and data subjects
With the duty to report directly to the highest levels of management, the DPO role is challenging. Many organizations outsource the role through DPO services rather than hiring a full-time DPO. Qualified external DPOs have broad knowledge of privacy regulations and information security frameworks. They can quickly get up to speed on a company's operations and provide strategic, independent oversight of compliance programs.
Audit and Compliance Review Services
As part of demonstrating accountability, organizations must be able to verify through internal audits that appropriate technical and organizational measures are in place. External auditors can provide objective assessments of GDPR compliance status. Auditors will:
- Review documentation such as data inventories, risk assessments, records of processing activities and policies
- Interview staff to evaluate privacy awareness and training efficacy
- Test technical security controls in place to protect personal data
- Identify any gaps or weaknesses requiring remediation
Compliance reviews help address obligations for ongoing evaluation and improvement. They also provide evidence that a company took every reasonable step to comply with GDPR should enforcement actions or lawsuits occur down the line.
Data Protection Impact Assessment Services
GDPR introduces the notion of Privacy by Design, requiring organizations to consider data protection early in system design and development. For high-risk processing such as large-scale profiling or the use of new technologies, companies must conduct Data Protection Impact Assessments (DPIAs). DPIA services can:
- Guide the DPIA process from scoping to documentation to risk treatment
- Provide templates, checklists and expertise on criteria to assess
- Help identify privacy and compliance risks and recommend controls to mitigate them
