Our proven experience and competence in the field of data protection and information security within Forensic and Litigation Services, led by an accredited Data Protection Officer, will turn your GDPR compliance program into an opportunity to differentiate from competitors. Building relationships based on trust with key stakeholders, and ensuring effective change management within the scope of digital transformation, will bring value to your organization and business.
The new European General Data Protection Regulation entered into force on 24 May 2016 and will apply from 25 May 2018 to the processing of personal data. The legislation will apply to controllers or processors of data in the European Union, regardless of whether the processing takes place in the Union or not. The GDPR strengthens and expands the rights of data subjects and imposes significant new direct compliance obligations on controllers and data processors.
The GDPR ensures enforcement through supervisory authorities, and organizations breaching the requirements of the GDPR can potentially face administrative fines of up to 2% to 4% of annual worldwide turnover, or €10 to €20 million, depending on the nature of the infringement.
Our tailored approach to successfully implementing GDPR compliance seeks to assess the organisational processes you have in place while simultaneously identifying areas for data process optimization:
Step 1 – Awareness Session
During a 1.5 to 2 hour session with key users, the GDPR jargon and key principles are explained and the practical impact on the organization and its employees is illustrated.
Step 2 – Data Register
To obtain a clear understanding of the “as-is” situation and to fully appreciate the scope of the GDPR for the organization, it is essential – and imposed through art. 30 – to have a comprehensive understanding of the data lifecycle and thus gain insight into the personal data your organisation is currently processing.
- How is the personal data collected?
- Who is accountable for the personal data?
- Where is the personal data stored?
- Who has access to the personal data?
- Is the personal data disclosed or shared with anyone or other systems?
Step 3 – Assessment of Processor Agreements
Organizations shall only use processors providing sufficient guarantees that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject. Processor agreements are to be assessed for weaknesses and for completeness against the principles of Article 28.
Step 4 – Assessment of Information Security
Organizations must assess the current security level and ability to protect the personal data stored, processed and transferred in the organisation against unauthorized processing and data loss. Mazars’ vulnerability assessments are designed to proactively identify exposures to known security vulnerabilities (e.g. OWASP top-10), insecure default settings and misconfigurations.
Step 5 – GDPR Readiness Assessment
On the basis of the description of information flows and the IT security assessment, the GDPR compliance gap analysis by the external legal counsel will be appraised in light of the six principles set out in the GDPR:
- Lawfulness, fairness and transparency
- Accuracy / Quality / Integrity
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Step 6 – Prioritized GDPR Compliance Roadmap
The gaps identified in the assessment phase will lead Mazars to present a list of prioritized recommendations in order to reach compliance.
Step 7 – Develop New Operational Policies
Subsequent to the assessment phase, the organisation will need to ensure that new procedures are put in place to remediate the gaps identified and to demonstrate its compliance with the Regulation’s requirements. The project should result in a set of pragmatic and executable principles covering:
- Collection and use of personal data
- Restricting access to personal data
- Obtaining valid consent
- Responding to data subjects’ requests
- Maintaining a data breach response plan
Step 8 – Embed Policies into Operations & Maintain Training Programmes
The human factor is the challenge in an effective implementation of new policies and procedures. Integrating data protection into your operational training and maintaining GDPR awareness sessions will be key to realizing sustainable GDPR compliance.
Step 9 – Monitor New Operational Practices
The GDPR compliance project should not be a ‘one-off’ focus area but should ultimately result in continuous compliance monitoring through regular assessments (e.g. phishing campaigns, data subject request simulations, data breach simulations, etc.).