GDPR is neither purely an IT project, nor is it purely a legal one. GDPR is a multi-disciplinary project, requiring the implementation of organisational, IT-technical and legal measures. That’s why it’s best to set up a multi-disciplinary working group, with representatives of all of these disciplines, as well as those departments managing the most, and the most critical, personal data.
Many companies do not have all of the resources internally that are necessary to manage GDPR compliance. Legal expertise and information security expertise, is of course key to ensure compliance.
If you are not already blessed with data protection experts in-house, you should find appropriate advisors as soon as possible.
In addition to determining expertise and project management resources, you should evaluate and decide early on what software solutions to use to manage your work. The sooner you decide, the easier your work will be.
Many things related to GDPR will therefore need to be documented. Important among others are the following:
- The data register, an inventory of the personal data in your organisation, how and why it’s collected, how and where it’s stored, with whom it’s shared, etc.
- The Data Privacy Impact Assessments (DPIAs), which assess whether this personal data is sufficiently secure, as compared to the sensitivity.
- The action plans to become GDPR-compliant, their assignment and follow-up.
- The incident register, which records and analyses all “data leaks”. This is also used to notify the Privacy Committee in case of serious data leaks.
Documenting all this using Excel sheets will rapidly become untenable, certainly for large organisations that handle a lot of personal data in different locations.
There are already plenty of tools available on the market to perform a GDPR compliance assessment, some to be installed on premise and other running in the cloud. However, it is important for the tool to support the operational management of the above-mentioned GDPR elements, and not all tools are capable of this.
ITaaSC can help you in several ways to deliver your GDPR project. We can coach you, review deliverables or play a more active role taking the responsibilities to perform some of the activities (IT, legal, process, change management).
Examples of activities that we can perform on your behalf:
- Compile a comprehensive awareness campaign
- Set up a « data register » based on a tool selected to meet your specific requirements (on premise or in the cloud)
- Conduct detailed assessment and produce mapping of all data flows
- Making sure the necessary « consent » statements are included on all printed and electronic media where you collect guest data
- Design new processes on how to obtain consent from guests
- Ensure compliance with IT security framework (ISO27001, NIST,…)
- Design and implement a Data Privacy Impact Assessment (DPIA) Analysis
- Coach your DPO
- Offer you a DPO-as-a service in case you do not have somebody to perform that role
- Review contractual amendments, privacy clauses and consent notices
Our data protection team includes experts in GDPR and Data privacy, senior project managers, lawyers, consultants, cybersecurity specialists, auditors, risk management specialists …
The ITaaSC consultants have the following skills:
- Broad technical competence in all ICT subjects
- Risk Management and Information Security including knowledge of ISO27001
- Project management
- Contract management
- Quality management
- Coaching and training
As part of a collaboration, all these skills will be available to meet the needs.