Winterhawk is uniquely positioned to help organisations meet the requirements of the GDPR. As a global provider of Governance, Risk, and Compliance (GRC) services, we are able to offer a full range of services to assist with your compliance. Please contact us at email@example.com to find out more or to arrange a callback.
Prior to 25 May 2018, digital and technological advancements had outgrown the legislation in place for data protection; furthermore, the requirements varied from one country to another. The need to synchronise data privacy laws and bring them into the 21st century was clear, and plans to do so under the General Data Protection Regulation (GDPR) began.
This reform is the most significant change to data privacy in over 20 years. It replaces the Data Protection Directive and is designed to harmonise data privacy regulations across Europe, to protect and empower all EU citizens’ data privacy and to reshape the approach to data privacy in organisations across the region.
Winterhawk offers a range of services to assist with your compliance. We recommend following this step-by-step process:
- Data Privacy and Protection Education & Training
- GDPR Audit Assessment
- GDPR and Data Privacy Compliance Service
Data Privacy and Protection Education & Training
Winterhawk offers Education & Training workshops delivered by GDPR and CIPP/E certified Data Privacy Consultants, tailored to your organisation and geographic location, including organisations outside of the EU.
- Hear how the GDPR affects your company
- Explore common pitfalls and hidden complexities of the GDPR
- Timelines and realistic compliance roadmap framework shared
- Engaging and interactive workshop-based training sessions
GDPR Audit Assessment
Assessment report of your organisation’s GDPR and data privacy processes, controls and culture, carried out by CIPP/E certified Data Privacy Consultants.
- Assessment workshops with key departmental areas
- Prepare and Present an Executive Management Report identifying key areas of weakness requiring remediation and recommended actions to be undertaken
- The following activities will be throughout the Audit Assessment:
- Regulation mapping of your organisation’s current preparedness and maturity
- Understand where improvements towards compliance could be made
- Clarify your organisation’s high, medium and low risks
- Provided with recommendations on how to address weaknesses and remediate issues
- Aggregate all current policies, processes, controls and procedural documentation relating to Data Privacy and Protection
GDPR and Data Privacy Compliance Service
While the Audit Assessments identify and classify different risk areas on a detailed level, organisations still need a full compliance plan to address those items. Our service will provide organisations with a project-style plan to address weaknesses, establish business as usual processes, and ensure long-term, sustainable compliance.
Winterhawk provides a Compliance Service with the aim of minimising impact on established business operations, helping to define clear, simplified goals to achieve compliance. This ensures the changes to processes and controls are scalable within your organisation, assisting employees to understand the implications of non-compliance and their roles in the compliance process.
You can expect Winterhawk to deliver:
- Focussed departmental workshops to address areas of responsibility for achieving compliance
- A project plan of areas, processes and controls to address
- Guidance on how to address project deliverables in your organisation’s language
- Defined, achievable goals and landmarks for achieving compliance
- An Executive Report on overall project compliance, persons/departments responsible, implementation plan, deliverables status and required actions
SAP GDPR Software / Solutions
No single solution in the market can address all of the GDPR’s requirements, however we can recommend the following SAP solutions.
Access Controls (AC): Managing lawful user access to personal data is a core requirement of GDPR either in active business systems, contracted processors, archives, as part of employee enrolment, or contract management.
SAP Process Control (PC): Providing ongoing digital evidence to the supervising authority of, for example, compliant policies, privacy notices and procedures, legal exclusions, controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence and action management.
SAP Risk Management (RM): Enterprise industry standard solution to conduct privacy impact assessments, which can be integrated with Process Control.
SAP UI Logging: Provides a way to automatically record and analyse data displayed in SAP.
SAP UI Masking: Is an active form of masking the display of sensitive data in SAP which allows for easy configuration of who (role/user) is authorised to see unmasked data.
See Winterhawk’s bespoke regulatory content built for SAP here.
Browse our library of useful articles and GDPR whitepapers to learn more about Winterhawk and how we can support your organisation.
Useful links & resources
Much of the GDPR is lifted directly from current EU legislation. It has been updated to cover automated and manual data, and to better suit a technological environment where change is rapid, however the spirit of the regulations remains largely unchanged. Some of the other noteworthy additions include:
- Clear rules and definitions for terms such as “Processing” and “Consent”;
- The requirement for certain entities to appoint a Data Protection Officer; and
- The introduction of (potentially) vastly increased penalties, with an increased likelihood of penalties being enforced.
The regulations became enforceable as of May 25, 2018.
Compliance to different standards such as ISO, Sarbanes Oxley, COBIT, COSO, etc. will probably go a long way towards ensuring that your foundation for data privacy is secure and will likely be leveraged for GDPR compliance. But remember that GDPR clearly introduces new requirements not covered by those frameworks or standards such as the processes around Breach Notifications, Subject Access Requests and the right to be forgotten. We recommend using the various standards as building blocks for a GDPR compliance program, but they are not a replacement.
Yes, so long as there is no conflict of interest and the DPO cannot be influenced or otherwise directed in his/her responsibilities. Under the GDPR, a DPO must be independent and autonomous – appointing your CIO or an existing HR Manager, for example, would likely be a mistake. Due to the nature and scale of a DPO’s responsibilities, in an ideal scenario it would be preferable for your DPO to not have other roles within the organisation.
Under the GDPR legislation, some organisations (such as smaller public entities who do not have the overhead or cannot justify a full-time role) may choose to pool their resources into a single, shared Data Protection Officer position. Smaller private organisations, for example a chain of restaurants or an association of hotels, may do the same for similar reasons.
Absolutely, and there can be major benefits to doing so. The DPO position requires a high level of expertise with GDPR and data privacy in general, and relatively few individuals possess the necessary qualifications. A third-party provider has the advantage of specialising in the subject matter. Outsourcing to a third-party could also mean that you have a single individual acting as your official DPO, with a host of certified auditors, lawyers and GDPR experts at their disposal – a team which would not otherwise be available to you.
The Privacy Shield is an agreement to safeguard transatlantic exchanges of data between the US and EU. This is not, strictly speaking, about US law, but a framework put in place (as a replacement for Safe Harbor) to strengthen processing standards for US-based entities in regards to EU citizens, requiring the US to monitor and enforce more robustly, and cooperate with European Data Protection Authorities.
Consider a company like Google, used by millions of EU residents every day. It is legally required to be GDPR compliant, because it operates in the EU and processes the personal data of EU citizens. The potential weakening of American privacy laws may impact the compliance/risk appetite for some of these US-based companies, but ultimately they can still be held legally responsible in the same manner as an EU-based entity. These global organisations are unlikely to take unnecessary risks.
This question could apply to countless scenarios. Whatever your scenario is, ask yourself this question: does the information on that server relate to the personal data of EU citizens or residents? If the answer is YES, then GDPR laws apply fully, regardless of location, and you and your Data Processor are responsible for it.
Get in touch
Winterhawk has been promoting GDPR awareness since early 2016 (when few people believed it would ever happen). Drop us a line to see how we can help your organisation.