The GDPR is for life, not just 25th May 2018. Getting compliant is more than a one-off exercise; it’s a culture change, a shift in how your organisation uses personal data.
It’s also an opportunity to reconnect with your customers and redefine how they perceive your organisation compared to your competitors.
To appreciate your current level of risk and to plan to achieve your goals, you first need to know where you stand in relation to the GDPR’s requirements, as laid out in the 99 Articles and 173 Recitals of the legislation, together with guidance provided by the Information Commissioner and the Article 29 Working Party. In our experience, organisations also need to assess their compliance with the related electronic marketing rules laid out under the ePrivacy Directive (also known as PECR).
With our proven readiness assessment toolkit we can help you identify where you are already compliant with the GDPR and PECR, where you have capabilities which can be developed into compliance, and where you have fundamental gaps.
We work with you to assess the business, financial and reputational risk/impact of each development area and define a right-sized approach to achieving your desired level of compliance. If required, we can supplement your internal resources to execute the remediation plan.
Call us now to book your assessment.
Your website is your shop window. It is also your biggest GDPR risk:
- It is where you gather customer data
- It is where you tell customers what you will do with their data
- It is where you gather customer consents and preferences
- It is where the customer journey begins for building brand loyalty
- It is public: anyone can see whether you are compliant or not
Our Data Privacy Fundamentals Package helps you get your website right and reduce GDPR risk.
What you get:
1. A GDPR-compliant customer privacy notice ready to upload to your website.
We walk you through the Data Mapping process and gather information about the key aspects of your business, how you collect and how you use customer data. From that we write your privacy notice which is reviewed by our practice principal before we send it to you. If you want to tweak it to reflect your business’s unique voice, a review of one set of updates is included in the price.
2. Consent review
We review how you gather consent for each of your methods of direct marketing, whether via email, telephone, messaging, social media, viral marketing or other methods.
We suggest wording and presentation changes and discuss with you any tweaks to reflect your business’s unique voice. We also cover consent for any data you share with third parties, including group companies which may use a different brand, and any other necessary areas, such as processing of sensitive personal data.
3. Employee privacy notice
Also included is a privacy notice for your employees, to help protect you from frivolous data privacy-related lawsuits from disgruntled former workers.
You can add this to your HR portal or your employee handbook and use it for your current team and future hires.
4. GDPR Readiness Toolkit
Our comprehensive GDPR Readiness Toolkit allows you to assess your readiness and take the appropriate action.
5. Procedure pack for new customer rights
We provide standard procedures for dealing with the 8 rights that GDPR gives to every individual that you can embed within your customer service function.
For example, anyone can ask any organisation to provide all the information it holds on them within 30 days, known as a Data Subject Access Request.
Any company which can’t respond to this type of query within 30 days is drawing a target on itself. Add on the right to object, the right to be forgotten and all the others, and the workload can be significant, so having procedures in place is key to achieving readiness.
6. Monthly updates
You can join our monthly newsletter highlighting data privacy developments.
Until the GDPR is tested in law no one knows for certain how it will be applied and policed and how high the fines will actually be for each type of transgression. Additionally, the impending release of the final text of the Privacy and Electronic Communications Regulations will most likely have further impacts on direct marketing.
This is your easy way to keep up to date with the evolving data privacy risks to your business. If you need any assistance you can contact us and we will be happy to discuss your further needs.
How are your Senior Executives engaging to ensure your organisation complies with data privacy laws? What governance structures do you have in place to ensure the compliance message is driven from the top in a sustainable fashion? What is your data privacy strategy?
In the event of a data breach, the Information Commissioner will look at the organisational processes implemented by the Board and how they have been driven through the organisation to assess how seriously you have addressed data privacy: comprehensive, up-to-date and embedded governance processes are mitigating factors when deciding the scale of fines.
Successful organisations will assess the risks, threats and opportunities that data privacy regulations pose to their activities. They will set out a strategy to fix the high priority items, manage the residual risks, and take advantage of the opportunity to get ahead of their competitors and maximise the utility of their data assets.
Senior Executives must take the lead to ensure the message is heard and understood, by not only ensuring staff are trained, but by embedding monitoring and evaluation processes to track ongoing compliance and to enable prompt identification and escalation where issues occur.
We can help you create an executive plan to achieve these objectives, ensuring clarity around priorities and goals for data privacy change. We can assist leaders to become change drivers to make data privacy change happen and help staff members to accept that change.
We offer this assistance as a bespoke service, either through personal one-to-one development or by way of leadership team development.
What data do you hold? How and where do you hold it? Do you have golden copies or multiple, inconsistent versions? Who has access to your data? What do they use it for? How is access and use controlled? How long do you keep data? Do you have the ability to destroy data? And the big question: could you do more with the data you have?
Business owners and leaders are increasingly looking to use the GDPR as an opportunity to overhaul their data assets and create a permanent competitive advantage. Three key themes can be addressed together for efficient solutions:
Firstly, many of our customers ask us how the GDPR can help them improve how they control and exploit their data assets: if you can’t identify all the data you capture, why you have it and where you hold it, then you must be missing opportunities for using that data.
Secondly, up to now, personal data has been an asset for businesses to accumulate and exploit. The GDPR turns that on its head: it recognises that personal data belongs to the individual to whom it relates, and they have rights to know how it will be used and to stop it being used if they are not happy.
Those enterprises that recognise and enact this culture change will build brand loyalty with valued customers who return for repeat business. So it makes sense to embrace the opportunity that the GDPR offers to build data privacy into the heart of how you do business and how you architect your data management solutions.
Thirdly, if you strap new controls around the outside of your existing processes you will bear the cost of that additional compliance layer indefinitely. By contrast, if you maximise the value of your data by building, managing and evolving your data supply chains and data management culture, you will most likely gain a lasting advantage over your peers.
We can help you analyse your IT infrastructure, in particular your data repositories, including databases, CRM systems, web analytics, backups, EDI files, on-premises, hosted off-premises or in the cloud, at rest, in motion and in use, and classify all your data from personal and sensitive to internal and out-of-scope of the GDPR.
We can analyse your overall security architecture and procedures to identify enhancements to meet IT security best practice, and hence achieve compliance with the GDPR requirement for adequate security, for example firewall rules, certificates, fine-grained security, separation of environments and duties, development lifecycle, group policies and so on. Along the way you would also achieve compliance with PCI-DSS, SOC2 and other industry-specific data handling standards.
We can then propose solutions that achieve cost-effective data management and maintenance, provide more user-friendly and productive reporting and analytics, rationalise repositories, hardware and suppliers, embed upgraded data security features, and implement GDPR-required change management features such as Data Privacy By Default and By Design, and Data Privacy Impact Assessments. We can also recommend opportunities for data masking, pseudonymisation, anonymisation and encryption to improve data protection and reduce the impact if a breach were to occur.
We can then work with your development team, production team and data governance team to implement the changes you choose to make and transfer the relevant knowledge so you are able to support the upgraded systems for the longer term.
Whether you have one person managing your data in-house, a supplier team providing your data service or multiple teams located across several continents, we can scale our solution to meet your needs.
Call us to discuss data management solutions and value-added strategies for embedding GDPR-compliance into your organisation.
Do you know what data privacy risks you are taking with your suppliers?
The GDPR requires agreements between data controllers (typically the customer-facing organisation) and data processors (who receive personal data from data controllers and process it on the controller’s behalf) to set out responsibilities in relation to data privacy, including IT security, processing by sub-processors, and mandatory controls where data is transferred to certain countries overseas. It also requires similar agreements to be drawn up between companies within the same group.
Your legal agreements may be spread across a number of documents: contracts, Terms & Conditions, Privacy Notices, annexes, rolling contract extensions etc, some of which may have been unilaterally changed by the supplier since you first signed. Often organisations don’t hold a full set of signed documentation, so this is a good opportunity to get your house in order and understand your liabilities.
Indemnities are a high-risk area for any company. The GDPR vastly expands the scope of regulatory fines from a maximum of £½ million to €20m or 4% of global turnover, and also allows individuals and public interest groups to sue for breach of their new and enhanced rights.
Unfortunately, you can’t just rely on suppliers to update their contracts. In our experience, many suppliers are completely unprepared for the GDPR. Those that have taken steps typically severely limit the grounds to claim and the value of any indemnities, and may exclude the right to sue for damages caused by the supplier breaching data privacy regulations. You may even find that you have agreed to a one-way, uncapped indemnity that now exposes you to a huge potential liability.
If you are a supplier to other businesses and process their personal data, you need your contract to be updated – this time in your favour – and any amendments proposed by larger customers to be scrutinised.
We offer a comprehensive supplier contract review service to cover all the above risks. We will review any documentation you provide and return a report highlighting the risks of any deficient area. If you wish, we can work with the supplier to source copies of current agreements and negotiate improved terms. We can also work with any in-house counsel to provide specialist expertise to supplement your existing processes.
For suppliers, we can develop a bespoke contract for your business that complies with the GDPR requirements whilst limiting your liability to a commercially realistic amount. We can also work with you to negotiate with your most valued customers and tailor the contracts if required.
We can carry out this service on a one-off contract basis, across your entire existing portfolio and on a retained basis for new contracts as they arise.
This service is provided by one of our associates who is regulated by the Law Society and authorised to provide legal advice.
The Data Protection Officer (DPO) is a mandatory role for many organisations under the GDPR. See our FAQ for the criteria.
Many organisations also appoint DPOs on a voluntary basis because they want to ensure they remain compliant with data privacy regulations on an ongoing basis. Data Privacy Risk is becoming a key area of focus for Venture Capital due diligence, so growing firms with aspirations to raise funds are getting their house in order now and appointing a DPO to guide them in the right direction.
We appreciate that not every firm can afford the cost of a full-time DPO. At the present time, the IAPP conservatively estimates there is a shortage of 28,000 DPOs across the EU and US, so costs are rising.
We offer a contracted out DPO service to address your needs at a sensible price.
The GDPR requires appropriate technical and organisational measures to ensure a level of security appropriate to the risk, but what does this mean for you?
Your Intellectual Property is often your most valuable asset. Governments and private companies are engaging in industrial espionage on an epic scale, posing an existential threat to every organisation in the world. We have found that even the most innocuous companies have been penetrated and their secrets and know-how stolen. Are you at risk?
Many businesses have grown organically and don’t actually know where all their servers, routers, laptops and desktops are, let alone what connections they have to the outside world, what operating system versions they are running, or whether their firewalls and anti-virus protection are sufficiently comprehensive to meet current and emerging threats.
Disgruntled employees often download or send business-critical information out of the organisation, e.g. customer lists, computer code and designs. Do you have the capability to prevent data leaks from happening, or to detect and mitigate them if they do?
The first step is to carry out an IT security audit, to establish what risks you are running, then to decide which risks are critical to your business and take action.
We partner with a specialist IT security company which can carry out a comprehensive audit and provide you with an independent risk assessment with recommendations for next steps on each action area. They have the capability to support the necessary changes directly or to programme-manage and skill-up your own staff to deliver the enhancements you require.
Data Privacy Compliance is about far more than getting your policies and procedures right. It’s about changing the mindset of everyone in your organisation. Companies that embed data privacy awareness throughout their marketing, change management, IT and operations teams can better protect themselves by identifying emerging risks and taking action before a data breach or unlawful use of data occurs.
We believe training is about more than awareness: it’s about changing the culture of your people to understand that the world has changed from allowing the amassing and exploitation of personal data to recognising that all personal data belongs to the individual to whom it relates and that they have the right to know how it is being used and to object if they aren’t comfortable with those purposes.
Our training courses can be tailored to the specific needs and philosophy of your organisation, to be as relevant as possible and to maximise the long-term impact. We also understand that small and medium-sized companies with limited resources may require more standardised training.
We offer a range of training packages to help you achieve compliance and drive through the required culture changes.