Our role at The Data Guardians is to demystify the GDPR and put this into practical terms for our clients. There are three distinct stages of our engagement:
- Assessment of current resources and activities to establish what your organisation has to do to be GDPR compliant, i.e. establishing a baseline and then an action plan to address deficiencies.
- Implementation project to address any deficiencies found in the above assessment, including system penetration tests and other technical assessments where necessary.
- On-going professional services to ensure compliance is maintained.
We come into your organisation and through structured interviews with your team, review in detail what resources, activities, data collection methodologies, processes and procedures are currently in place; in essence a review of the ‘lifecycle’ of data as it travels through your organisation. We concentrate on the following broad areas:
- The legal basis you are using to gather personal data – Grounds for Lawful Processing.
- The types of personal data gathered and the processing being undertaken as well as a risk assessment on the collected data and processing activity.
- How you gather, manage, store and archive personal data, the locations of the devices and media that hold it, and the digital and physical security in place.
- The personal data policies and procedures (processing by design and default, retention strategy, Personal Data Breach (PDB) process, Data Asset Risk Register (DARR), Data Asset Register (DAR), record of processing etc.).
- Your data privacy statements.
- Your contracts with suppliers, data processors and other recipients of personal data.
- The levels of GDPR knowledge within the organisation, and the data protection training and / or awareness campaigns given to employees.
- Previous Personal Data Breaches and / or Near Misses.
The output of this review will be a detailed report showing where your organisation is compliant and, for those areas that are not compliant, what remedial action needs to be taken.
We work with your management team to address any and all of the deficiencies highlighted in Stage 1. This is a stand-alone project to ensure that your organisation achieves compliance in the shortest possible timeframe. Any technical assessments and rectification projects, for example penetration tests, will be conducted separately.
Once we have established the baseline of compliance, or non-compliance, we will provide outsourced professional services to ensure that once compliance has been attained, your organisation continues to be compliant. Articles 37 – 39 of the GDPR are very specific on the designation, position and tasks of the Data Protection Officer (DPO). Although the GDPR is explicit about the DPO’s roles and responsibilities, it is a complex and very detailed role and there are many tasks that are implied in order to achieve the goal of ensuring organisational compliance. Our activities will include, but not be limited to, the following:
- Ensuring lawful processing at all times; protecting the rights of the Data Subjects.
- Recording proof of consent.
- Advising on Data Protection by Design and Default.
- Advising on data retention / deletion policies and processes.
- Training on the GDPR. This is an annual requirement, indeed for some people it is a bi-annual one.
- Providing Data Processing Impact Assessments (DPIAs) and advising on risk mitigation. Any new data processing activity must have this risk assessment done.
- Maintaining the Data Processing Activity Log.
- Maintaining the Data Asset Risk Register.
- Maintaining the Data Asset Register (this includes paper copies of files, microfiches as well as electronic storage media).
- Communicating with Data Subjects when they send requests regarding their data.
- Advising on the GDPR implications, thereby ensuring compliance, for any new data processing activities.
- Advising on contractual obligations between the Data Controller and Data Processor as well as other supplier contracts.
- Planning for a Personal Data Breach, including training all senior managers and running practice exercises.
- Liaison with the Supervisory Authority (currently the Information Commissioner’s Office (ICO)) and other regulatory bodies. If there is a personal data breach, the ICO must be informed within 72 hours.
- Managing the legal, reputational and procedural requirements following a personal data breach.