Aligning your company to GDPR involves the following approach:
- Phase 1, which includes: analysis of the existing situation and mapping of personal files and existing processes.
After completing this phase, you have all the information you need to continue implementing the GDPR alignment measures on your own.
- Phase 2, which includes support for the implementation of the proposed measures in internal processes and documents, the adaptation of documents / procedures / contracts, including support for implementing solutions to ease work after May 25, 2018.
Thus, the assessment of the current situation, as well as the understanding of the specifics of the business, of the categories of personal data processed and of the main processes, will be carried out through:
- Analyzing public data
- Discussions with management
- Completing an assessment questionnaire by those responsible
- Studying the provided documents (on request)
- Agreeing results with management
This information will then be used to identify the personal data used (both from the subjects and from other sources or products of the company), by business area, as well as to identify the means of processing and storing information:
- Analysis of questionnaire responses,
- Delivery of information on request (process documents, contracts, or sample data)
- For highly generalized domains (HR, accounting, video security, GPS …), starting from a standard set of existing data, only the differences are analyzed, for minimum effort
The next step will be to identify and map the processing goals (by data types), the length of the processing, the roles involved, and the third parties that have access to the data.
Analysis of risks and gaps is done by identifying gaps and proposing alternatives. For each non-compliance with GDPR requirements:
- the risk will be analyzed (in terms of impact on the subjects, but also on the business),
- alternatives will be presented,
- an estimate of deployment costs will be made
Finally, a proposal for missing procedures will be made, and for areas not previously addressed, a set of new processes and procedures will be proposed.
The proposed processes and procedures will require some further customization, depending on the implementation possibilities, or will contain a set of new requirements that will need to be included in internal documents or contracts with third parties.