A comprehensive approach to delivering a GDPR roadmap towards compliance

GDPR – the most significant change to data protection in a generation

Without access to accurate and reliable personal data that can be readily referenced, processed and transformed, an organisation may limit its business performance, ultimately affecting customer satisfaction. Additionally, with increased public awareness of even relatively minor breaches of personal data, it is not only the substantial fines being imposed for which CEOs will be accountable; it is the recovery from reputational damage which, undoubtedly, will have the greatest impact on company profits.

Data protection is an increasingly complex subject, and there is a lot to consider when complying with the GDPR to uphold data subject rights; picking through the 173 recitals and 99 articles is not for the faint-hearted. However, the regulation need not change the way an organisation operates, provided that the management of personal data is considered carefully by answering the following questions, so as to establish a fully auditable, justifiable and reasoned body of evidence that demonstrates compliance should a breach of data occur.

  • Where is personal data held and is it suitably catalogued?
  • Why (and how) is personal data processed?
  • Can I justify the processing of personal data held?
  • Is access to personal data adequately controlled and protected?

Personal data – how is it processed, controlled and protected

The AiM methodology is simple, yet effective. Our four-phased approach, outlined below, begins with an appropriate analysis of your business practices and data flow to understand how personal data is processed and controlled, how your data inventory is classified and catalogued, and how it maps onto your IT infrastructure. Equipped with this understanding, a gap analysis can be undertaken to identify areas of potential risk between your current status and the GDPR, and to create a manageable plan and investment strategy to implement and sustain a compliant Personal Information Management System (PIMS). The AiM cost-effective phased approach is as follows:

  • Phase 1 “Discover” – A GDPR Readiness Review, led by a CIPP(E) business analyst, to discover the current maturity of your personal data (PD) model (PIMS) and data flow lifecycle, with particular attention to the processing, control and protection of data.
  • Phase 2 “Execute” – The execution of the remedial actions agreed in Phase 1 and the deployment of suitable compliance across the data lifecycle through “privacy by design and default” principles.
  • Phase 3 “Comply” – The deployment of all aspects of data protection through governance underpinned by privacy by design principles, including responding to Subject Access Requests (SARs) and responding efficiently to data incidents so as to preserve the full extent of the agreed compliance model.
  • Phase 4 “Act” – Routine organisational monitoring and scheduled assessments (audits) to ensure personal information management and corresponding breach protection systems are working effectively and, where they are not, to take action. A fully documented and populated compliance record with risk impact assessments is essential to satisfy the regulators and to support forward planning where revisions to the GDPR, new technology and market-led trends may affect the continued compliance of personal data processing and control.

AiM Service Benefits – optimising PIMS data processing whilst suitably controlling data subject rights in an increasingly complex world

AiM offers a comprehensive range of services and expert support to an organisation at any and all stages of the GDPR compliance lifecycle.  In particular we offer:

  • Discovery dB (dataBelt®) – a plugin to a range of commercially available discovery tools, or a standalone application, which can be used to deliver fine-grained discovery and classification of data with the added feature of data cleansing, resulting in more reliable and accurate information. Discovery dB has been specifically developed to meet the demands of the Data Controller’s responsibilities. Key features include:
    • Locate and identify all your data sources to create data mapping (flow) information;
    • Interrogate, catalogue and classify personal data with dashboard reporting;
    • Analyse, update and comply with GDPR plus provide a fully auditable record; and
    • Ensure sustained management and support continuous improvement.
  • Discovery Reviews undertaken by CIPP(E) qualified business analysts to understand compliance risk, recommend remedial actions, inform system transformation and promote continuous improvements.
    • An initial workshop assessment to analyse core business process and data flow, work practices and governance to provide an organisational Readiness Report.
    • A more detailed and in-depth assessment for more complex work and data processing environments. This might require automated discovery and data interrogation tools.
  • Qualified compliance lawyers with expert knowledge of the GDPR regulations and wider corporate governance demands to meet legal obligations through contract, policy and procedural change.
  • IT solution deployment – configurable deployment of suitable PIMS support software tools (with auto detection/alert features) to maintain continuous privacy compliance and reduce security threats.
  • Interim DPOs – CIPP(E) business consultants with expert GDPR knowledge who can provide a cost-effective solution for organisations not wishing or unable to appoint qualified or full-time DPOs.

A typical IT system architecture, illustrated below, shows a simplified GDPR compliance model which our CIPP(E) business analysts use to direct our initial GDPR Discovery and Readiness Reviews. The outcome of the reviews will inform your GDPR roadmap to compliance with a series of clear, documented reports, including control and process accountability, by highlighting where personal data is stored and how information is managed.

Contact us to find out more about how we can help.

Read more about our GDPR services.

Find out more about our data compliance, cleansing and integration software, dataBelt®.

Request our free GDPR checklist to help you understand and address the key areas of GDPR.