GDPR Consultancy Services
Following an external Data Protection audit, we were approached by this international retailer to provide GDPR consultancy services and SME advice, along with providing an onsite GDPR Project Manager and GDPR Business Analyst.
DPAS provided the client with a fixed cost for the project, which the client preferred, covering completion of all deliverables highlighted within the external audit.
Once again, using the ICO’s 12 Steps to Compliance as a framework, we developed globalised, organisation-specific policy packages and evidence requirements. We delivered tailored training and engaged stakeholders by providing briefings and practical materials (such as Data Subjects’ Fundamental Rights to… decision trees), giving key stakeholders updates on the project plan and information pertaining to ongoing risk-based analysis.
We delivered the following for the retailer over the course of the project:
- Monitor, review and prepare file notes on supplemental ICO guidance as issued
- Review and map existing processing activities and flows of personal data within the group (including internationally) and prepare a compliant data asset register detailing the legal basis for processing personal data
- From the ROPA, identify gaps and form a plan and risk register for compliance before May 2018
- Review data sharing arrangements with third-party suppliers, implement a process for the engagement of data processors, and administer and record addenda to the agreements using the clauses provided by our lawyers
- Review marketing strategy, marketing consents and the legal basis for processing personal data, and put processes in place for consent to be revoked
- Implement a training programme to ensure all head office staff within the organisation are fully trained and aware of GDPR and its implications, and review existing Data Privacy & GDPR awareness across the organisation
- Complete a ‘train the trainer’ approach for store managers, providing a full training course which store managers can deliver within stores
- Provide an online forum / helpdesk for staff to ask questions relating to GDPR
- Review security measures and compile a risk register identifying current risks and mitigating future risk
- Implement a process by which personal data breaches are reported to the regulator within 72 hours
- Define and provide assurances on a process to notify data subjects of a data breach, where this is likely to result in high risks to their rights or freedoms
- Review existing arrangements and assure that the right processes are in place to comply with GDPR moving forwards
- Implement a formal records management programme
- Provide a set of ‘rights to’ decision trees, clearly explaining data subject rights, which can be used to map against existing processes
- Review ‘to be’ model to deliver and assure compliance
After our successful GDPR compliance project delivery, we worked with the retailer on SME skills transfer to their Data Guardian, who would take over the tasks of the DPO for the group. We still provide ad hoc DPO advice to the group when required.