When the General Data Protection Regulation (GDPR) takes effect on May 25, 2018, the effects will reverberate far beyond the continent itself. The GDPR goes further than harmonizing national data-protection laws across the European Union and simplifying compliance; it also expands the reach of EU data-protection regulation and introduces important new requirements. It seeks to ensure that personal data are protected against misuse and theft and to give European Union residents control over how data relating to them are being used. Any entity that is established in the European Union or that processes the personal data of EU residents to offer them goods or services or to monitor their behavior—whether as customers, employees, or business partners—will be affected. Any failure to comply with the regulation could incur severe reputational damage as well as financial penalties of up to 4 percent of annual worldwide revenues.
Elevate’s Data Privacy Experts can help you with the following offerings:
GDPR Gap Analysis
As with any other gap analysis, the first step is to understand the scope of the engagement, then determine which regulation, standard and/or set of requirements apply, and finally determine where you stand against those requirements. Elevate has the subject matter expertise to navigate with you through your specific needs.
Privacy Program Design and Implementation
We work with you, bringing the experience needed to design and implement privacy program functions, including:
- Data Protection Impact Assessments (DPIAs)
- Privacy by Design Implementation Guides
- Right to Erasure and Data Portability
- Data Subject Rights, Consent, and Opt-In Programs
Understanding how you collect, process, transmit and store data, as well as how you use it and who uses it in your organization, is the foundation of your Data Privacy Program and the key to complying with most privacy regulations. However, we find that in many cases the exact flow of sensitive data is unclear and not well documented, which enables exposure and increases the risk of data loss.
What we do:
- We seek to understand the information life cycle of sensitive information for key processes throughout the business.
- We evaluate the strength and effectiveness of controls and safeguards.
- We create a master repository of information life cycle details, including data element types, collection mechanisms, transfers, privacy and security practices and transfers to third parties.
- We establish a sensitivity index to focus control enhancements on areas of highest privacy and security risks.
- We identify the high-risk vendors, data flows, and IT systems surrounding GDPR requirements, focusing on areas of remediation and maintaining process activities in congruence with Article 30 of the GDPR.
This is done with both manual and automated techniques to gather and document the entire picture.