GDPR

Winterhawk is uniquely positioned to help organisations meet the requirements of the GDPR. As a global provider of Governance, Risk, and Compliance (GRC) services, we are able to offer a full range of services to assist with your compliance. Please contact us at info@winterhawk.com to find out more or to arrange a callback.

Overview

Before 25 May 2018, digital and technological advances had outgrown the data-protection legislation in place, and the requirements varied from one country to another. The need to harmonise data-privacy law across Europe and bring it into the 21st century was clear, and the General Data Protection Regulation (GDPR) was the result.

This reform is the most significant change to EU data-privacy law in over 20 years. It replaces the Data Protection Directive (95/46/EC) and is designed to harmonise data-privacy rules across Europe, to protect and empower the data-privacy rights of individuals in the EU, and to reshape the way organisations across the region approach data privacy.

GDPR Services

Winterhawk offers a range of services to assist with your compliance. We recommend following this step-by-step process:

  • Data Privacy and Protection Education & Training
  • GDPR Audit Assessment 
  • GDPR and Data Privacy Compliance Service


Data Privacy and Protection Education & Training

Winterhawk offers Education & Training workshops delivered by GDPR and CIPP/E certified Data Privacy Consultants, tailored to your organisation and geographic location, including organisations outside of the EU.

  • Hear how the GDPR affects your company
  • Explore common pitfalls and hidden complexities of the GDPR
  • Receive timelines and a realistic compliance roadmap framework
  • Engaging and interactive workshop-based training sessions


GDPR Audit Assessment

An assessment report on your organisation’s GDPR and data-privacy processes, controls and culture, carried out by CIPP/E certified Data Privacy Consultants.

  • Assessment workshops with key departmental areas
  • Preparation and presentation of an Executive Management Report identifying the key areas of weakness requiring remediation and the recommended actions
  • The following activities take place throughout the Audit Assessment:
    • Regulation mapping of your organisation’s current preparedness and maturity
    • Identification of where improvements towards compliance can be made
    • Classification of your organisation’s high, medium and low risks
    • Recommendations on how to address weaknesses and remediate issues
    • Aggregation of all current policies, processes, controls and procedural documentation relating to Data Privacy and Protection


GDPR and Data Privacy Compliance Service

While the Audit Assessment identifies and classifies the individual risk areas in detail, organisations still need a full compliance plan to address those items. Our service provides a project-style plan to address weaknesses, establish business-as-usual processes, and ensure long-term, sustainable compliance.

Winterhawk’s Compliance Service aims to minimise the impact on established business operations and to define clear, simplified goals for achieving compliance. Changes to processes and controls are designed to scale within your organisation, and employees are helped to understand the implications of non-compliance and their own roles in the compliance process.

You can expect Winterhawk to deliver:

  • Focussed departmental workshops to address areas of responsibility for achieving compliance
  • A project plan of areas, processes and controls to address
  • Guidance on how to address project deliverables in your organisation’s language
  • Defined, achievable goals and landmarks for achieving compliance
  • An Executive Report on overall project compliance, persons/departments responsible, implementation plan, deliverables status and required actions

SAP GDPR Software / Solutions

No single solution on the market can address all of the GDPR’s requirements; however, we can recommend the following SAP solutions as building blocks.

SAP Access Control (AC): Managing lawful user access to personal data is a core requirement of the GDPR, whether that data sits in live business systems, with contracted processors or in archives, or is collected during employee enrolment or contract management. Access Control provides the access-risk analysis and approval workflows for user provisioning that keep access to personal data to the minimum necessary.

SAP Process Control (PC): Provides ongoing documentary evidence for the supervisory authority of, for example, compliant policies, privacy notices and procedures, legal exemptions, controls (with automated monitoring across SAP and non-SAP systems), responses to challenges, audit evidence and action management.

SAP Risk Management (RM): An enterprise, industry-standard solution for conducting privacy and data protection impact assessments (DPIAs, Article 35), which can be integrated with Process Control.

SAP UI Logging: Automatically records which data is displayed to users in the SAP user interface and allows that log to be analysed, giving an audit trail of who accessed which personal data.

SAP UI Masking: Actively masks sensitive fields in the SAP user interface, with simple configuration of which roles or users are authorised to see the unmasked values.

See Winterhawk’s bespoke regulatory content built for SAP here.

GDPR Whitepapers

Browse our library of useful articles and GDPR whitepapers to learn more about Winterhawk and how we can support your organisation.


Useful links & resources

European Commission: Data Protection Reform

The GDPR: Full Text

European Data Protection Board (EDPB) (formerly Article 29 Working Party)

National Data Protection Authorities

GDPR FAQs

How are the requirements under the GDPR different to before?

Much of the GDPR is carried over from the preceding EU legislation (Directive 95/46/EC). It has been updated to cover both automated processing and structured manual filing systems, and to better suit a technological environment in which change is rapid; however, the spirit of the rules remains largely unchanged. Other noteworthy additions include:

  • Clear rules and definitions for terms such as “Processing” and “Consent”;
  • The requirement for certain entities to appoint a Data Protection Officer; and
  • The introduction of (potentially) vastly increased penalties, with an increased likelihood of penalties being enforced.

What are the timelines?

The GDPR was adopted in April 2016 and has applied, and been enforceable, since 25 May 2018.

What is an SAR?

A Subject Access Request (SAR) is simply a request from a Data Subject – whether a customer, private individual or employee – to find out what personal data you hold about them and how it is being processed (Article 15). Under the GDPR the request need not take any particular form, must normally be fulfilled free of charge (a reasonable fee may be charged only for manifestly unfounded, excessive or repeat requests), and must be answered without undue delay and in any event within one month of receipt. That period can be extended by up to two further months for complex or numerous requests, provided the Data Subject is told of the extension and the reasons within the first month. The 40-day deadline and nominal fee of the earlier Data Protection Act no longer apply.

Data Portability is a separate right (Article 20). Where processing is carried out by automated means on the basis of consent or a contract, the Data Subject can require the personal data they have provided in a structured, commonly used and machine-readable format, and can have it transmitted directly to another Data Controller where that is technically feasible. Although access requests are not a new concept, SARs are expected to be widely invoked, so organisations must know what data they store, where it resides, and how to retrieve it when requested. Further decisions may be needed about erasing or masking the data, depending on the nature of the Data Subject’s request and subject to any document-retention obligations.

My company is behind the curve – what should we do first?

Here’s what we suggest:

  • Start with a top-down view of your risk and get a program up & running as soon as possible. Demonstrating that you’ve taken a reasonable approach to addressing compliance is one of the most important steps you can take.
  • Make sure your security and data protection standards are operationally effective. Following a standard like ISO 27001/2 is generally good practice.
  • Understand the new and/or emphasised requirements under the GDPR and ensure you have a working compliance program. This is likely to include:
    • Carrying out a top-down risk assessment, followed by in-depth data-privacy assessments of your systems, processes and data.
    • Reviewing your approach to archiving, deletion and document retention in all areas of your business.
    • Developing appropriate awareness and training programs.
    • Developing a process for handling SARs and Data Portability requests within the statutory deadlines.
    • Ensuring that a Breach Notification process is in place and working effectively.
    • Developing a culture of “privacy by design and by default” in all aspects of your data processing.
    • Identifying any contractors and sub-contractors who act as Data Processors, ensuring that their processing standards are adequate and that the processor terms required by Article 28 exist in all your vendor contracts.
    • Identifying and appointing responsible “data champions” throughout your organisation, and appointing a Data Protection Officer where required.

There is a lot of talk about huge penalties associated with GDPR non-compliance - is this really the case?

Potentially, yes. There are two tiers of administrative fines, which the headlines have been quoting. The lower tier (Article 83(4)) is capped at the greater of €10 million or 2% of worldwide annual turnover for the preceding financial year, while the upper tier (Article 83(5)) can reach the greater of €20 million or 4% of worldwide annual turnover. Each tier lists the specific Articles whose infringement it covers, but generally speaking the lower tier addresses preparedness and administrative failures (for example controller and processor obligations under Articles 25 to 39), whereas breaches of the basic principles, of data subjects’ rights and of the international-transfer rules fall under the upper tier.

More importantly, Article 83(2) requires the supervisory authority to weigh factors such as the measures you took to mitigate the damage, your degree of cooperation and whether the infringement was intentional or negligent. If your company can show a reasonable compliance effort and an otherwise well-functioning GDPR program, you could be treated leniently in the event of a violation. No company will have perfect compliance, but all companies are expected to make a demonstrable effort; conversely, wilful ignorance or disregard could just as easily lead to a stiffer penalty.

Bear in mind that not all sanctions are financial. Under Article 58 your supervisory authority can impose a temporary or definitive limitation on, or an outright ban of, the processing in question, which for some organisations could be more crippling than any monetary fine. You can read more about the Penalties for Non-Compliance here.

My company is ISO 27001 certified compliant. Surely that means we are ready for the GDPR?

Compliance with standards and frameworks such as ISO 27001, Sarbanes-Oxley, COBIT and COSO will probably go a long way towards ensuring that your foundation for data privacy is secure, and can be leveraged for GDPR compliance. But remember that the GDPR introduces requirements not covered by those frameworks, such as the processes around Breach Notification, Subject Access Requests and the right to erasure (“right to be forgotten”). We recommend using these standards as building blocks for a GDPR compliance program, but they are not a replacement for one.

Can my DPO have another role within the organisation?

Yes, so long as there is no conflict of interest and the DPO cannot be influenced or otherwise directed in carrying out their responsibilities (Article 38). Under the GDPR a DPO must be independent and autonomous, so appointing your CIO or an existing HR Manager, for example, would likely be a mistake, since those roles determine the purposes and means of processing. Given the nature and scale of a DPO’s responsibilities, it is preferable for the DPO not to hold other roles within the organisation.

We simply don’t have the resources for a full time DPO - what other options do we have?

The GDPR allows a single Data Protection Officer to be shared: several public authorities or bodies may designate one DPO between them, and a group of undertakings may appoint a single DPO provided he or she is easily accessible from each establishment (Article 37). Smaller public entities that cannot justify a full-time role may pool their resources in this way, and smaller private organisations, for example a chain of restaurants or an association of hotels, may do the same for similar reasons.

Can we outsource the DPO position to a third party?

Absolutely, and there can be major benefits to doing so. The DPO position requires a high level of expertise with GDPR and data privacy in general, and relatively few individuals possess the necessary qualifications. A third-party provider has the advantage of specialising in the subject matter. Outsourcing to a third-party could also mean that you have a single individual acting as your official DPO, with a host of certified auditors, lawyers and GDPR experts at their disposal – a team which would not otherwise be available to you.

Where should we anchor the responsibility for our GDPR compliance effort in our organisation?

Obviously, the scale of your enterprise will determine your options. Smaller entities are likely to assign responsibility to whoever has the time and ability to put a compliance program in place. In larger, more classically structured entities, there are some considerations to take into account.

It will be tempting for a lot of organisations to look to the Legal and/or HR departments, leaping to the conclusion that these are the people likely to have the necessary expertise. But GDPR is ultimately about Information Security and Compliance, as applied to personal data; individuals working in security, audit and controls are therefore likely to have the framework and mindset which is inherently suitable for this area. Ultimately, however, compliance is likely to require a high degree of collaboration – even if you anchor responsibility in one department, we recommend identifying responsible “data champions” from different parts of the organisation and making them equal partners in your compliance efforts.

What about the EU-U.S. Privacy Shield Framework?

The Privacy Shield was a framework, put in place as the replacement for Safe Harbor, to safeguard transatlantic transfers of personal data from the EU to self-certified US organisations. It was not, strictly speaking, US law, but a set of processing commitments for US-based entities in relation to EU data subjects, under which the US undertook to monitor and enforce more robustly and to cooperate with European Data Protection Authorities. Note that the Court of Justice of the EU invalidated the Privacy Shield in July 2020 (the Schrems II judgment); it has since been succeeded by the EU-U.S. Data Privacy Framework, for which the Commission adopted an adequacy decision in July 2023. Transfers that do not rely on that framework need another Chapter V safeguard, such as Standard Contractual Clauses, together with an assessment of whether the safeguard is effective in the destination country.

What about US-based companies which operate globally?

Consider a company like Google, used by millions of EU residents every day. It is legally required to be GDPR compliant because it has establishments in the EU and offers services to, and monitors the behaviour of, individuals in the EU (Article 3). The potential weakening of American privacy laws may affect the compliance/risk appetite of some of these US-based companies, but ultimately they can still be held legally responsible in the same manner as an EU-based entity. These global organisations are unlikely to take unnecessary risks.

Our data processor is based in [location X], with a data centre in [location Y] and a server operating out of [location Z] – does GDPR still apply?

This question could apply to countless scenarios. Whatever your scenario, ask yourself: does the information on that server include personal data of individuals in the EU, processed in the context of an EU establishment or in connection with offering them goods or services or monitoring their behaviour? Note that it is the location of the data subjects, not their citizenship, that matters. If the answer is YES, then the GDPR applies in full regardless of where the controller, processor or server is located (Article 3), and both you and your Data Processor are responsible for it. Moving that data outside the EU additionally requires a Chapter V transfer mechanism, such as an adequacy decision or Standard Contractual Clauses.

Get in touch

Winterhawk has been promoting GDPR awareness since early 2016 (when few people believed it would ever happen). Drop us a line to see how we can help your organisation.