Reaching GDPR and LGPD compliance for a UK tech company
Learn how TechGDPR supported a UK-based technology company in creating a safer and more secure environment for users of its global app by addressing international data protection policies.
Navigating GDPR and LGPD compliance for UK tech companies can be complex, especially when handling sensitive data across international borders. This case study explores how TechGDPR helped a UK-based worship and mindfulness app achieve regulatory alignment while protecting user privacy and ensuring global trust.

Background
The client is a UK-based technology company that develops and operates a daily worship and mindfulness app. The app allows users to engage in daily worship, access Bible passages, read devotional texts, listen to podcasts and music, and participate in guided meditation, and it collects personal data in the process. As the client’s app became available worldwide, the company aimed to enhance transparency and confidentiality to comply with data regulations across different countries, acknowledging the sensitive nature of the data processed by the app.
Causes
The client processes sensitive personal data related to religious beliefs and mental health, raising significant privacy concerns. The company has subsidiaries in the U.S. and Brazil, and a Romanian app development partner, which creates multiple avenues for international transfers of such sensitive data. This requires strict safeguards and strict adherence to both GDPR and LGPD regulations. Since the client provides services to both EU countries and Brazil, it must comply with the General Data Protection Regulation (GDPR) for the EU and the LGPD, its equivalent for Brazil. Ambiguities between the U.K. and U.S. subsidiaries regarding the US-based engineering team’s role in processing decision-making further complicated GDPR compliance. Subsequently, the company recognized the need for a more comprehensive understanding of different jurisdictions, data protection duties, and responsibilities.
Objectives
- Clarify and align GDPR and LGPD responsibilities: Define clear roles and responsibilities within U.K. and U.S. entities in the company in managing the app’s data processing.
- Enhance data protection measures: Strengthen data protection measures that address privacy concerns such as user consent for special categories of data, data modification, and retention policies.
- Set ongoing compliance goals and priorities: Establish and prioritize GDPR and LGPD compliance through assessments, updated policies, and regular monitoring.

Solution
The following three-step approach was employed by TechGDPR:
- GDPR Discovery Workshop
- Workshops were organized with the client to understand the company’s internal operations, client relationships, and departmental data processing activities. The goal was to gather collective knowledge of the organization and workflows to effectively support and analyze data protection needs.
- Data mapping
- A detailed data map was developed to identify all activities involving personal data processing within the app, including international data transfers, and to establish the legal bases for these activities. Software providers involved were identified and listed.
- This document serves as a reference point for any ongoing compliance work, including policies, procedures, technical and organizational measures. Additionally, it is prepared for submission as compliance documentation should supervisory authorities request it during an investigation.
- Data Protection Assessment Report
- A data protection assessment report was created to evaluate the applicability of GDPR and LGPD, define data protection roles and responsibilities, and assess compliance measures for the client. The report provides valuable insight into the data protection implications of marketing the app and overall organization-wide compliance.
- Compliance Roadmap
- The client’s data protection framework was thoroughly reviewed to identify compliance gaps. Based on the assessment report, a list of prioritized recommendations was organized to guide the company in aligning its products and services with regulatory standards. These tailored recommendations aimed to optimize the client’s internal data processing activities.
- Data Protection Officer (DPO)
- The appointment of a DPO ensures ongoing transparency, confidentiality, and data security within the company by arranging regular reviews of the company’s compliance status. As the client’s DPO, TechGDPR will be readily available to address data breaches and support effective risk management and mitigation, provide day-to-day support, and answer questions staff may have on issues related to data protection.

Outcomes
Clarity with Data Protection Roles: The client successfully defined responsibilities and decision-making authority for data processing activities between its headquarters and its subsidiaries, improving compliance on both an organizational and technical level.
Stronger Policies and Procedures: By taking part in GDPR training, the client developed stronger procedures for managing data breaches and Data Subject Requests (DSRs). By mitigating risks associated with data breaches and enhancing the company’s ability to respond effectively to individuals exercising their GDPR rights, the company was able to reinforce trust, safeguard personal data, and ensure a safer user environment.
Ongoing Compliance Efforts: The client’s commitment to continuous adherence to data protection standards is supported by regular compliance audits, annual training sessions, and the presence of TechGDPR as a Data Protection Officer (DPO). Together, the client and TechGDPR collaborate to uphold the highest standard of privacy and security within the app.
GDPR and LGPD compliance for UK tech companies
The client has actively worked to address the challenges of its operations, safeguarding user privacy and reinforcing data protection within the app. As a result, the company was able to put stronger security measures in place through initiatives such as GDPR Discovery Workshops and comprehensive data mapping. The client remains committed to staying compliant, and TechGDPR continues to support it in keeping up with constantly changing privacy regulations to maintain a secure environment for its app users.