Winterhawk is uniquely positioned to help organisations meet the requirements of the GDPR. As a global provider of Governance, Risk, and Compliance (GRC) services, we are able to offer a full range of services to assist with your compliance. Please contact us at firstname.lastname@example.org to find out more or to arrange a callback.
Prior to 25 May 2018, digital and technological advancements had outgrown the legislation in place for data protection; furthermore, the requirements varied from one country to another. The need to synchronise data privacy laws and bring them into the 21st century was clear, and plans to do so under the General Data Protection Regulation (GDPR) began.
This reform is the most significant change to data privacy in over 20 years. It replaces the Data Protection Directive and is designed to harmonise data privacy regulations across Europe, to protect and empower all EU citizens’ data privacy and to reshape the approach to data privacy in organisations across the region.
Winterhawk offers a range of services to assist with your compliance. We recommend following this step-by-step process:
- Data Privacy and Protection Education & Training
- GDPR Audit Assessment
- GDPR and Data Privacy Compliance Service
- Outsourced / Third-Party Data Protection Officer Service
Data Privacy and Protection Education & Training
Winterhawk offers Education & Training workshops delivered by GDPR and CIPP/E certified Data Privacy Consultants, tailored to your organisation and geographic location, including organisations outside of the EU.
- Hear how the GDPR affects your company
- Explore common pitfalls and hidden complexities of the GDPR
- Timelines and a realistic compliance roadmap framework
- Engaging and interactive workshop-based training sessions
GDPR Audit Assessment
Assessment report of your organisation’s GDPR and data privacy processes, controls and culture, carried out by CIPP/E certified Data Privacy Consultants.
- Assessment workshops with key departmental areas
- Prepare and present an Executive Management Report identifying key areas of weakness requiring remediation and the recommended actions to be undertaken
- The following activities will be carried out throughout the Audit Assessment:
- Regulation mapping of your organisation’s current preparedness and maturity
- Understand where improvements towards compliance could be made
- Clarify your organisation’s high, medium and low risks
- Provide recommendations on how to address weaknesses and remediate issues
- Aggregate all current policies, processes, controls and procedural documentation relating to Data Privacy and Protection
GDPR and Data Privacy Compliance Service
While the Audit Assessments identify and classify different risk areas on a detailed level, organisations still need a full compliance plan to address those items. Our service will provide organisations with a project-style plan to address weaknesses, establish business as usual processes, and ensure long-term, sustainable compliance.
Winterhawk provides a Compliance Service with the aim of minimising impact on established business operations, helping to define clear, simplified goals to achieve compliance. This ensures the changes to processes and controls are scalable within your organisation, assisting employees to understand the implications of non-compliance and their roles in the compliance process.
You can expect Winterhawk to deliver:
- Focussed departmental workshops to address areas of responsibility for achieving compliance
- A project plan of areas, processes and controls to address
- Guidance on how to address project deliverables in your organisation’s language
- Defined, achievable goals and landmarks for achieving compliance
- An Executive Report on overall project compliance, persons/departments responsible, implementation plan, deliverables status and required actions
Outsourced / Third-Party Data Protection Officer
Appointment of a dedicated, independent Data Protection Officer is a requirement for certain organisations. This applies not only to EU-based organisations but also to non-EU organisations that control or process EU citizens’ data.
Winterhawk can provide a third-party Data Protection Officer service tailored to your organisation’s needs and length of engagement. Under our flexible engagement terms (from 1 day per month to full-time), we will:
- Provide guidance to the organisation on an ad-hoc basis.
- Review compliance status and status of on-going actions/projects relating to data privacy.
- Support on-going review of processes, controls and maintaining compliance.
- Offer continuous process improvement in evidencing compliance and engagements with data subjects.
- Guide the organisation’s definition of policies and processes.
- Provide on-going education to the organisation and uphold a positive data protection culture.
- Review your organisation’s new and changing technology platforms to ensure they uphold the data rights of the individuals affected.
Winterhawk can also support you in completing questions relating to how your organisation manages data privacy when submitting RFPs, Tenders, RFI and bidding for new contracts.
SAP GDPR Software / Solutions
No single solution in the market can address all of the GDPR’s requirements; however, we can recommend the following SAP solutions.
Access Controls: Managing lawful user access to personal data is a core requirement of the GDPR, whether in active business systems, contracted processors, archives, employee enrolment or contract management.
SAP Process Control (PC): Provides ongoing digital evidence to the supervisory authority of, for example, compliant policies, privacy notices and procedures, legal exclusions, controls (with automated monitoring across SAP and non-SAP systems), challenge responses, audit evidence and action management.
SAP Risk Management: Enterprise industry standard solution to conduct privacy impact assessments, integrated with Process Control.
SAP Information Lifecycle Management: A powerful tool for tagging personal data across multiple environments and managing the procedures for deleting and archiving with defensible legal retention requirements.
Browse our library of useful articles and GDPR whitepapers to learn more about Winterhawk and how we can support your organisation.
Useful links & resources
Much of the GDPR is lifted directly from current EU legislation. It has been updated to cover automated and manual data, and to better suit a technological environment where change is rapid; however, the spirit of the regulations remains largely unchanged. Some of the other noteworthy additions include:
- Clear rules and definitions for terms such as “Processing” and “Consent”;
- The requirement for certain entities to appoint a Data Protection Officer; and
- The introduction of (potentially) vastly increased penalties, with an increased likelihood of penalties being enforced.
The regulations are now formally adopted, becoming enforceable as of May 25, 2018.
Compliance with standards such as ISO, Sarbanes-Oxley, COBIT, COSO, etc. will probably go a long way towards ensuring that your foundation for data privacy is secure and will likely be leveraged for GDPR compliance. But remember that the GDPR clearly introduces new requirements not covered by those frameworks or standards, such as the processes around Breach Notifications, Subject Access Requests and the right to be forgotten. We recommend using the various standards as building blocks for a GDPR compliance programme, but they are not a replacement.
Yes, so long as there is no conflict of interest and the DPO cannot be influenced or otherwise directed in his/her responsibilities. Under the GDPR, a DPO must be independent and autonomous – appointing your CIO or an existing HR Manager, for example, would likely be a mistake. Due to the nature and scale of a DPO’s responsibilities, in an ideal scenario it would be preferable for your DPO to not have other roles within the organisation.
Under the GDPR legislation, some organisations (such as smaller public entities who do not have the overhead or cannot justify a full-time role) may choose to pool their resources into a single, shared Data Protection Officer position. Smaller private organisations, for example a chain of restaurants or an association of hotels, may do the same for similar reasons.
Absolutely, and there can be major benefits to doing so. The DPO position requires a high level of expertise with GDPR and data privacy in general, and relatively few individuals possess the necessary qualifications. A third-party provider has the advantage of specialising in the subject matter. Outsourcing to a third-party could also mean that you have a single individual acting as your official DPO, with a host of certified auditors, lawyers and GDPR experts at their disposal – a team which would not otherwise be available to you.
The Privacy Shield is an agreement to safeguard transatlantic exchanges of data between the US and the EU. The first annual review of the EU-U.S. Privacy Shield is scheduled for September 2017, conducted by the European Commission and the U.S. Department of Commerce alongside EU data protection authorities, the American Federal Trade Commission, representatives of the Article 29 Working Party, and other key stakeholders. This is not, strictly speaking, about US law, but a framework put in place (as a replacement for Safe Harbor) to strengthen processing standards for US-based entities with regard to EU citizens. Whether the Trump Administration will be as committed to the Privacy Shield as the Obama Administration, which negotiated the framework, remains to be seen.
Consider a company like Google, used by millions of EU residents every day. It is legally required to be GDPR compliant, because it operates in the EU and processes the personal data of EU citizens. The potential weakening of American privacy laws may impact the compliance/risk appetite for some of these US-based companies, but ultimately they can still be held legally responsible in the same manner as an EU-based entity, regardless of changes the Trump Administration may or may not make nationally. These global organisations are unlikely to take unnecessary risks.
This question could apply to countless scenarios. Whatever your scenario is, ask yourself this question: does the information on that server relate to the personal data of EU citizens or residents? If the answer is YES, then GDPR laws apply fully, regardless of location, and you and your Data Processor are responsible for it.
Get in touch
Winterhawk has been promoting GDPR awareness since early 2016 (when few people believed it would ever happen). Drop us a line to see how we can help your organisation.