Initial GDPR compliance assessment

The first step of most of our engagements is about doing an in-depth GDPR compliance assessment. This starts with the careful analysis of who your data subjects are, what data you store on them, where you store this, what your business processes and workflow are, and more generally how you deal with any data protection related matter.

Involving the stakeholders

This requires involvement from the key business stakeholder, the key technical stakeholder and some of those involved in the actual processing of data. This is meant to be an in-depth process that gives a full insight in your data collection and processing activities.

Kick-off meeting

We typically organise a kick-off meeting and one-on-one meetings with the key people involved to understand the flows in-depth. Once we have collected and summarized this we present a report with our findings and the level of compliance of your processes and systems. This comprehensive report will include a gap analysis, the key points to address, and suggestions on how to address them. We may suggest internally resolvable matters, external services that could help you with the compliance process, and where possible also our compliance process guidance or more specific technical/organisational services we can help you with directly.

As soon as an improvement process has been executed, we can review the improvements and attest to its meaningful implementation in an updated report which will help you demonstrate your GDPR compliance efforts at a later point in time.

Implementation and Involvement

The duration and cost of the GDPR compliance project will depend heavily on your current compliance needs, how much you are looking to outsource, and how man resources you have allocated to achieve a certain standard of compliance. We are happy to advise you on our different levels of involvement and their associated costs.

The next steps…

After going through a GDPR compliance process, you will want to ensure that you keep up with regulatory requirements and continue documenting your data processing. You will also want to be able to properly handle breaches and subject access requests, if and when they occur. We can support you in this by providing a qualified Data Protection Officer to assist with ongoing compliance needs and to mitigate various data processing risks.

Who needs to be involved in the GDPR compliance process
The most important people to involve are your key business and technical stakeholders. This typically includes product managers or owners, the chief technical officer, trusted employees who work with subject data on a daily basis, and in many cases your CEO as well. Lastly, you should involve a potential DPO would then need to be able to report the possible impact of fines on the business to the CEO, along with other leaders in the company.

How much time does a GDPR compliance assessment take?

It typically requires a few (half) days of involvement of your key stakeholders to provide us insight in your compliance situation, which will be the main burden on your team. We will then work on your case from our office with possible follow up calls or meetings to clarify specific points, we normally require similar engagement time and report writing time, which can however vary greatly depending on complexity of your product and situation. Once we start involvement you can normally expect a compliance report in 3 to 4 weeks.

Does this process allow be to become fully GDPR compliant?

We help you discover what is required to build great evidence to demonstrate GDPR compliance, and can guide you through the processes, documentation and technical changes required to be more compliant. With our background in technology, innovation and digital strategies we understand how a change in processing may impact on your business model, and we always focus on finding solutions that have the least operational impact. Having said that, demonstrating full GDPR compliance is something that is still very hard, as there are still too many parts of the Regulation open to interpretation and case law. We follow the latest trends and use our knowledge to your advantage.

We can help you assess your GDPR readiness. Contact us to find out how.