GDPR

Winterhawk is uniquely positioned to help organisations preparing to meet the requirements of the GDPR. As a global provider of Governance, Risk, and Compliance (GRC) services, we are able to offer a full range of services to assist with your compliance. Please contact us at info@winterhawk.com to find out more or to arrange a callback.

Overview

Digital and technological advancements have long-since outgrown the legislation in place for data protection; furthermore, the requirements have varied from one country to another. The need to synchronise data privacy laws and bring them into the 21st century was clear, and plans to do so under the General Data Protection Regulation (GDPR) began.

This reform is the most significant change to data privacy in over 20 years. It replaces the Data Protection Directive and is designed to harmonise data privacy regulations across Europe, to protect and empower all EU citizens’ data privacy and to reshape the approach to data privacy in organisations across the region.

GDPR Services

Winterhawk offers a range of services to assist with your compliance. We recommend following this step-by-step process to prepare for GDPR:

  • Data Privacy and Protection Education & Training
  • GDPR Audit Assessment 
  • GDPR and Data Privacy Compliance Service
  • Outsourced / Third-Party Data Protection Officer Service

Data Privacy and Protection Education & Training

Winterhawk offers Education & Training workshops delivered by GDPR and CIPP/E certified Data Privacy Consultants, tailored to your organisation and geographic location, including organisations outside of the EU.

  • Hear how the GDPR affects your company
  • Explore common pitfalls and hidden complexities of the GDPR
  • Timelines and a realistic compliance roadmap framework
  • Engaging and interactive workshop-based training sessions

GDPR Audit Assessment

Assessment report of your organisation’s GDPR and data privacy processes, controls and culture, carried out by CIPP/E certified Data Privacy Consultants.

  • Assessment workshops with key departmental areas
  • Preparation and presentation of an Executive Management Report identifying the key areas of weakness requiring remediation and the recommended actions to be undertaken
  • The following activities will be carried out throughout the Audit Assessment:
    • Regulation mapping of your organisation’s current preparedness and maturity
    • Understand where improvements towards compliance could be made
    • Clarify your organisation’s high, medium and low risks
    • Provide recommendations on how to address weaknesses and remediate issues
    • Aggregate all current policies, processes, controls and procedural documentation relating to Data Privacy and Protection

GDPR and Data Privacy Compliance Service

While the Audit Assessments identify and classify different risk areas on a detailed level, organisations still need a full compliance plan to address those items. Our service will provide organisations with a project-style plan to address weaknesses, establish business as usual processes, and ensure long-term, sustainable compliance.

Winterhawk provides a Compliance Service with the aim of minimising impact on established business operations, helping to define clear, simplified goals to achieve compliance. This ensures the changes to processes and controls are scalable within your organisation, assisting employees to understand the implications of non-compliance and their roles in the compliance process.

You can expect Winterhawk to deliver:

  • Focussed departmental workshops to address areas of responsibility for achieving compliance
  • A project plan of areas, processes and controls to address
  • Guidance on how to address project deliverables in your organisation’s language
  • Defined, achievable goals and landmarks for achieving compliance
  • An Executive Report on overall project compliance, persons/departments responsible, implementation plan, deliverables status and required actions

Outsourced / Third-Party Data Protection Officer

Appointment of a dedicated, independent Data Protection Officer is a requirement for certain organisations. This not only applies to EU-based organisations but also non-EU organisations who control or process EU citizens’ data.

Winterhawk can provide a third-party Data Protection Officer service tailored to your organisation’s needs and length of engagement. Under our flexible engagement terms (from 1 day per month to full-time), we will:

  • Provide guidance to the organisation on an ad-hoc basis.
  • Review compliance status and status of on-going actions/projects relating to data privacy.
  • Support on-going review of processes, controls and maintaining compliance.
  • Offer continuous process improvement in evidencing compliance and engagements with data subjects.
  • Guide the organisation’s definition of policies and processes.
  • Provide on-going education to the organisation and uphold a positive data protection culture.
  • Review your organisation’s new and changing technology platforms in upholding the data rights of individuals affected.

Winterhawk can also support you in answering questions about how your organisation manages data privacy when submitting RFPs, tenders and RFIs, and when bidding for new contracts.

SAP GDPR Software / Solutions

No single solution in the market can address all of GDPR’s requirements; however, we can recommend the following SAP solutions.

Access Controls: Managing lawful user access to personal data is a core requirement of GDPR, whether that data sits in active business systems, with contracted processors, in archives, or in employee enrolment and contract management records.

SAP Process Control (PC): Provides ongoing digital evidence to the supervisory authority of, for example, compliant policies, privacy notices and procedures, legal exclusions, controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence and action management. See our GDPR content here.

SAP Risk Management: Enterprise industry standard solution to conduct privacy impact assessments, integrated with Process Control.

SAP Information Lifecycle Management: A powerful tool for tagging personal data across multiple environments and managing the procedures for deleting and archiving with defensible legal retention requirements. See more on these SAP solutions here.

GDPR Whitepapers

Browse our library of useful articles and GDPR whitepapers to learn more about Winterhawk and how we can support your organisation.

Useful links & resources

European Commission: Data Protection Reform

The GDPR: Full Text

Article 29 Working Party

National Data Protection Authorities

GDPR FAQs

How are the requirements under the GDPR different to what we do today?

Much of the GDPR is lifted directly from current EU legislation. It has been updated to cover automated and manual data, and to better suit a technological environment where change is rapid, however the spirit of the regulations remains largely unchanged. Some of the other noteworthy additions include:

  • Clear rules and definitions for terms such as “Processing” and “Consent”;
  • The requirement for certain entities to appoint a Data Protection Officer; and
  • The introduction of (potentially) vastly increased penalties, with an increased likelihood of penalties being enforced.

What are the timelines?

The regulations are now formally adopted, becoming enforceable as of May 25, 2018.

What is an SAR?

A Subject Access Request (or SAR) is quite simply a request from a Data Subject – whether a customer, private individual or employee – to see what data you have stored about them and are processing on their behalf. The request must be placed in writing to the Data Controller, and a nominal processing fee can be charged. The Data Controller then has 40 days to provide the requested information back to the subject.

Data Portability requires that the response to an SAR be presented to the subject in a comprehensive, machine-readable format so that the Data Subject can take ownership of the data and transfer it to another Data Controller. Although it is not a new concept, SARs are expected to be widely invoked, meaning that organisations must know what data they store and where it resides, and be able to provide it when requested. Further decisions may be required about removing or masking the data, depending on the nature of the Data Subject’s request and as permitted by document retention requirements.

My company hasn’t made any preparations – what should we do first?

There is no need to panic. Here’s what we suggest.

  • Don’t focus on closing every issue or every gap in your compliance; start with a top-down view of your risk and get a program up & running as soon as possible. Demonstrating that you’ve taken a reasonable approach to addressing compliance is one of the most important steps you can take.
  • Make sure your security and data protection standards are operationally effective. Following a standard like ISO 27001/2 is generally good practice.
  • Understand the new and/or emphasised requirements coming with GDPR and ensure you have a working compliance program. This is likely to include:
    • Do a top-down risk assessment, followed by in-depth data privacy assessments of your systems, processes and data.
    • Spend time reviewing your approach to archiving and deletion of data, and to document retention, in all areas of your business.
    • Develop appropriate awareness and training programs.
    • Develop a process for dealing with SARs and Data Portability requirements.
    • Ensure that a Breach Notification process is in place and working effectively.
    • Develop a culture of “privacy by design and by default” in all aspects of your data processing.
    • Identify any contractors and sub-contractors who act as Data Processors. Ensure that their processing standards are adequate and that appropriate GDPR clauses exist in all your vendor contracts.
    • Identify and appoint responsible “data champions” throughout your organisation, and appoint a Data Protection Officer as appropriate.

There is a lot of talk about huge penalties associated with GDPR non-compliance - is this really the case?

Potentially, yes, this is the case. There are two categories of administrative fines which the headlines have been quoting. Category A fines are capped at the greater of €10 million or 2% of your worldwide annual turnover, while Category B fines can be up to €20 million or 4% of worldwide annual turnover – again, the greater figure will apply. Each category lists the specific Articles whose violation it covers, but generally speaking, Category A addresses preparedness and administrative failures, whereas actual breaches and major failures in compliance fall under Category B.

More importantly, if your company is showing a reasonable compliance effort and has an otherwise well-functioning GDPR program, you could be granted leniency in the event of a violation. No company will have perfect compliance, but all companies are expected to make a demonstrable effort; conversely, wilful ignorance or disregard could just as easily lead to a stiffer penalty.

Bear in mind, not all punishments will be financial. Your supervisory authority could require you to immediately cease processing of the data in question which, for some organisations, could be more crippling than any monetary fine. You can read more about the Penalties for Non-Compliance here.

My company is ISO 27001 certified compliant. Surely that means we are ready for the GDPR?

Compliance with standards such as ISO, Sarbanes-Oxley, COBIT, COSO, etc. will probably go a long way towards ensuring that your foundation for data privacy is secure, and it can likely be leveraged for GDPR compliance. But remember that GDPR clearly introduces new requirements not covered by those frameworks or standards, such as the processes around Breach Notifications, Subject Access Requests and the right to be forgotten. We recommend using the various standards as building blocks for a GDPR compliance program, but they are not a replacement.

Do I need to hire a DPO?

While there is a lack of clarity about the circumstances under which an organisation needs to hire a Data Protection Officer, it is clear that any public entity MUST appoint one; this is non-negotiable. Beyond that, the advice is as follows: if large-scale processing of personal data is part of your core business, then appoint a DPO.

The problem lies in defining “large-scale”, and unfortunately, we are unlikely to get a clear definition. The Article 29 Working Party attempted to clarify their position on this topic (click here to visit their page) but in the end, we are no better off. Our recommendation (and that of the Article 29 WP) is to appoint a DPO to be on the safe side; considering the increasing emphasis on the importance of data privacy, it just makes sense. If you do determine that your organisation is exempt from the DPO requirement, remember that you are still obligated to comply with all other aspects of the GDPR.

Can my DPO have another role within the organisation?

Yes, so long as there is no conflict of interest and the DPO cannot be influenced or otherwise directed in his/her responsibilities. Under the GDPR, a DPO must be independent and autonomous – appointing your CIO or an existing HR Manager, for example, would likely be a mistake. Due to the nature and scale of a DPO’s responsibilities, in an ideal scenario it would be preferable for your DPO to not have other roles within the organisation.

We simply don’t have the resources for a full time DPO - what other options do we have?

Under the GDPR legislation, some organisations (such as smaller public entities who do not have the overhead or cannot justify a full-time role) may choose to pool their resources into a single, shared Data Protection Officer position. Smaller private organisations, for example a chain of restaurants or an association of hotels, may do the same for similar reasons.

Can we outsource the DPO position to a third party?

Absolutely, and there can be major benefits to doing so. The DPO position requires a high level of expertise with GDPR and data privacy in general, and relatively few individuals possess the necessary qualifications. A third-party provider has the advantage of specialising in the subject matter. Outsourcing to a third-party could also mean that you have a single individual acting as your official DPO, with a host of certified auditors, lawyers and GDPR experts at their disposal – a team which would not otherwise be available to you.

Where should we anchor the responsibility for our GDPR compliance effort in our organisation?

Obviously, the scale of your enterprise will determine your options. Smaller entities are likely to assign responsibility to whoever has the time and ability to put a compliance program in place. In larger, more classically structured entities, some further considerations apply.

It will be tempting for a lot of organisations to look to the Legal and/or HR departments, leaping to the conclusion that these are the people likely to have the necessary expertise. But GDPR is ultimately about Information Security and Compliance, as applied to personal data; individuals working in security, audit and controls are therefore likely to have the framework and mindset inherently suited to this area. In practice, however, compliance is likely to require a high degree of collaboration – even if you anchor responsibility in one department, we recommend identifying responsible “data champions” from different parts of the organisation and making them equal partners in your compliance efforts.

What about Brexit – surely GDPR is irrelevant to the UK now that Article 50 has been triggered?

Brexit cannot and will not happen before the GDPR becomes enforceable on May 25, 2018. From that alone, we know that the UK will be subject to GDPR compliance, at least in the short term. In the future, if the UK were to leverage Brexit as a means to avoid GDPR, businesses across Europe would likely terminate any relations involving data processing or transfers into or out of the UK, which would have a substantial financial impact on the nation.

One of the key components of GDPR is for companies within the EU to ensure that their international partners are equally compliant with the regulations. Assuming they want to maintain any of their EU relationships, UK-based businesses have only one choice – to become GDPR compliant. Bear in mind that even if your business doesn’t operate outside of the UK, you will still need to comply with data protection regulations.

What about the EU-U.S. Privacy Shield Framework?

The Privacy Shield is an agreement to safeguard transatlantic exchanges of data between the US and the EU. The first annual review of the EU-U.S. Privacy Shield is scheduled for September 2017, conducted by the European Commission and the U.S. Department of Commerce alongside EU data protection authorities, the American Federal Trade Commission, representatives of the Article 29 Working Party, and other key stakeholders. This is not, strictly speaking, about US law, but a framework put in place (as a replacement for Safe Harbor) to strengthen processing standards for US-based entities with regard to EU citizens. Whether the Trump Administration will be as committed to the Privacy Shield as the Obama Administration, which negotiated the framework, remains to be seen.

What about US-based companies which operate globally?

Consider a company like Google, used by millions of EU residents every day. It is legally required to be GDPR compliant, because it operates in the EU and processes the personal data of EU citizens. The potential weakening of American privacy laws may impact the compliance/risk appetite for some of these US-based companies, but ultimately they can still be held legally responsible in the same manner as an EU-based entity, regardless of changes the Trump Administration may or may not make nationally. These global organisations are unlikely to take unnecessary risks.

Our data processor is based in [location X], with a data centre in [location Y] and a server operating out of [location Z] – does GDPR still apply?

This question could apply to countless scenarios. Whatever your scenario is, ask yourself this question: does the information on that server relate to the personal data of EU citizens or residents? If the answer is YES, then GDPR laws apply fully, regardless of location, and you and your Data Processor are responsible for it.

Get in touch

Winterhawk has been promoting GDPR awareness since early 2016 (when few people believed it would ever happen). Drop us a line to see how we can help your organisation.