Sytorus Brochure


GDPR Consultancy & PrivacyEngine

LONDON | DUBLIN | STOCKHOLM | FRANKFURT


Privacy and Data Management Landscape

Correctly managing personal data has always been important. With the UK Data Protection Act 2018 (GDPR) now in place, there are significant changes in the way companies across Europe and beyond may collect, process and hold personal data. The GDPR represents a big leap towards greater accountability and enforcement of privacy rights. The GDPR (and its localised country legislation) fortifies the rights of data subjects (individuals) and harmonises data protection law across all member states. The standards are tough to interpret and adhere to, and many organisations still struggle to understand not only what data they hold, but also how to manage it. This is the case for most organisations that collect, process or hold personal data, therefore bringing significant changes to the way they now do business.

Sytorus is one of Europe’s leading data and privacy protection organisations with a simple mission statement: “To help organisations identify pragmatic solutions to compliance, across all rules of data protection legislation, whilst maintaining its business objectives.” We currently have active clients all over the world, and partner with leading internationally recognised legal firms and consultancy houses in helping deploy practical solutions for data protection compliance to their clients.


Our approach is based on many years of commercial expertise, coupled with technical insight and a deep understanding of legislative obligations. Our pragmatic consultancy advice and our compliance & governance solution, PrivacyEngine, assist organisations with putting compliant and practical data management structures in place. Our broad range of expertise in the areas of IT and data management, client engagement and training makes us one of the foremost providers of data protection support services globally.


Sytorus Data Protection Executive Assessment

Identifying how compliant your organisation is with the General Data Protection Regulation (GDPR).

What is the Data Protection Executive Assessment (DPEA)?

The DPEA reviews the data management practices already in place within your organisation and is based upon the 7 Data Management Principles in the GDPR legislation. The DPEA helps organisations detect any short-falls in their data management practices, with a key output being the identification and classification of detected risks or gaps, with subsequent recommendations to address or mitigate each of them. The recommendations presented by Sytorus will be practical and commercially viable, implementable in a timely manner with minimal disruption to the organisation’s day-to-day business operations.

Why you need it and why it’s important

Do you know how compliant your organisation is with this new legislation and the 7 Data Management Principles? Can you demonstrate compliance in each of them, all of which carry equal weighting and importance? Are you still struggling with where to start on your GDPR compliance activities? Have you identified all data management practices in your organisation, and do you understand the level of risk associated with the processing of personal data that you are acquiring from data subjects? Do you know what to do in the event of a data breach or a request from a data subject who wants to understand what you are doing with their personal data? Can you present to your current and prospective clients how you are managing your compliance and, in turn, their compliance?


Assessment Approach

The Sytorus DPEA will assess compliance with reference to the 7 Data Management Principles of GDPR.

1. Fair, Transparent & Lawful Processing
Are you acquiring personal data in a fair and transparent way, and do you have a legal basis to have it in the first place?

2. Purpose Limitation
Do you only use the personal data for the purpose that you specified to the data subject?

3. Minimisation of Processing
Are you collecting too much personal data from data subjects?

4. Data Accuracy & Quality
How accurate and up-to-date is the personal data that you hold on data subjects?

5. Retention/Storage Limitation
Are you keeping personal data for too long?

6. Security & Confidentiality
What physical and IT security measures do you have in place?

7. Accountability & Liability
Can you demonstrate pro-active compliance in all data management principles?

Engagement

The Sytorus team will work with you to identify the most suitable interview candidates for the assessment, ensuring a cross section of your organisation is selected so that your risk profile is fully identified through our interview-based approach.



Sytorus Data Protection Impact Assessment

Ensuring all new projects are compliant with the UK Data Protection Act 2018

What is the Data Protection Impact Assessment (DPIA)?

A DPIA supports the identification of and mitigation against data protection related risks arising from a new project or process, which may affect your organisation or the individuals it engages with. A DPIA helps organisations make informed decisions about the acceptability of data protection risks, a mandatory requirement under Article 35 of the GDPR for any high-risk data processing project. Following a facilitated interactive workshop, Sytorus will offer practical and commercially appropriate recommendations as to how identified possible risks and gaps can be addressed and resolved in a timely manner, with minimal disruption to the organisation’s day-to-day business operations.

Why you need it and why it’s important

Do you know how compliant your organisation is with your DPIA requirements? Do you know which new projects and key processes in your organisation require a DPIA to be completed? Do you know the risks associated with the introduction of new IT systems and applications where large scale personal data processing is occurring? Are you still struggling with where to start with your UK Data Protection Act 2018 compliance activities?



The 6-Step Process

The Sytorus DPIA is a 6-step process specifically designed to identify and address all Data Protection risks within a new or existing project.

1. Stakeholders, Systems and Entities
A complete list of stakeholders, entities and systems. Anyone or anything that processes personal data should be considered in this category. This could be a job role, a person, a third party or a computer system.

2. Identify Processes
A complete list of data management processes. A process is any event that is required to complete a business function. The focus is on processes that involve personal and special categories of data.

3. Workflow Analysis
For processes identified in Step 2, we assess via our collaborative workshops what data is processed, what systems have visibility of this data, where the data is processed and who has access to it.

4. Data Protection Assessment
For each process identified in Step 3, we categorise the processing according to UK Data Protection Act 2018 compliance requirements, areas of consideration and evaluation of potential risk.

5. Risk Analysis
A Risk Register is created in parallel with Step 4 to measure risk against likelihood and severity. A point-in-time heat map is generated for executive attention as to the current risk status.

6. Implementation
An agreed implementation plan is formalised into actionable items, and after implementation a new point-in-time heat map is generated to reflect progress and identify next steps.

Engagement

A DPIA workshop typically involves several key stakeholders within an organisation and is overseen by an internal sponsor who is either the current Data Protection Officer/Lead or is intended to take up this role in the medium term. A DPIA engagement can vary depending on the customer and the complexity of the proposed processing change. The Sytorus team will work with you to identify the most suitable candidates for the assessment workshop.



Major Benefits

A DPEA/DPIA will deliver real benefits and a real return on your investment (ROI). The ROI can be realised through delivering:

Demonstrate Compliance Internally & Externally
Brand Protection
Remove Possible Reputational Damage
Enhanced Customer Satisfaction & Engagement
Higher Customer Retention Levels



PrivacyEngine GDPR Compliance Software

The one-stop-shop for GDPR compliance. Start making your compliance smarter, easier and sustainable.

Smarter, easier data protection

PrivacyEngine has been developed by practising Data Privacy experts; it makes compliance with the GDPR easier, providing a fully auditable trail of all your data protection compliance activities. Being able to demonstrate compliance with data protection law is essential and a key requirement of the new legislation. PrivacyEngine is a powerful, user-friendly data protection platform that gives you everything you need to demonstrate compliance and good governance. PrivacyEngine includes mandatory GDPR Logs, a built-in learning management system, document management functionality, and expert support from an international team of experienced data protection consultants whenever you need it, directly through PrivacyEngine. PrivacyEngine provides a one-stop central view of all data protection compliance activities across your organisation, demonstrating your previous and current risk profile.

Why you need it and why it’s important

PrivacyEngine is the leading Software as a Service (SaaS) solution in Privacy Management Software, which can provide you with an auditable, GDPR compliant program. PrivacyEngine is specifically designed from the Data Protection Officer’s perspective, whether it is documentation, risks, training, or mandatory logs. Leverage the Learning Management System to drive a culture of compliance across your organisation. As a dynamic system built on a smart risk engine, the more you engage with PrivacyEngine the more you get back, driving you towards a deeper level of compliance and data protection capability.



Major Benefits

Brand and Reputational Protection
Education and greater awareness for all staff on the GDPR and Cyber Security will help mitigate any breach or incident, while complying with the GDPR. This is achievable through the inclusive built-in learning management system, which you can centrally assign across your organisation to track all of your teams’ progress.

Mandatory GDPR Logs
PrivacyEngine supports the development and maintenance of all mandatory GDPR Logs in one platform, demonstrating to the Regulator and your Customers that you are compliant, delivering a significant competitive advantage for your organisation.

Roll-out of Policies and Procedures
You can mitigate your risks by developing and managing all GDPR policies and procedures via the Document Management functionality within PrivacyEngine, taking advantage of already created key templates as you see fit and validating that each employee understands them.

Knowledge Development and Awareness Creation
Through the built-in Learning Management System (LMS) you will be able to demonstrate the development of all employees’ knowledge around both the GDPR and Cyber Security, while continually increasing awareness of this legislation, reducing your organisation’s risk and supporting compliance with the GDPR.

Real-time GDPR Support
Using our team of specialists situated throughout Europe, we provide qualified and rapid support for any data protection queries. Moreover, our staff can assist organisations to create tailored, accurate and up-to-date data protection policies, removing the need for long term consultancy engagements or an outsourced DPO service.


“82% of data breaches due to staff errors”
PwC - Information Security Breaches Survey 2017

Significant ROI

PrivacyEngine will deliver a significant ROI in a number of ways, including helping your organisation to gain greater customer trust, thus retaining and securing business.

Implementation

PrivacyEngine offers several user roles, which means you can decide how much or how little information you want your team members to have visibility of, and gives you the ability to build a team that drives compliance. The Global Data Protection (DP) Lead role provides a full governance view of the organisation’s GDPR compliance. The DP Lead role is typically the organisational lead for your GDPR program; DP Leads can also sit at a country or subsidiary level, giving the relevant DP Lead a central view of their own GDPR activities and team engagement. The Data Champion is usually a department or business unit head responsible for key data processing activities. Employees can view all relevant documentation, assigned learning modules, support and the risks assigned to them.



CONTACT US TODAY
www.sytorus.com
+44 (0) 203 965 1881
info@sytorus.com
The Cursitor Building, 35-38 Chancery Lane, London, WC2A 1EN

