Privacy & Governance Services

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a data protection and privacy regulation for all residents of the European Union (EU) and the European Economic Area (EEA). Since it became law in May 2018, many Data Protection Authorities have actively investigated or taken enforcement action; as of March 2021 there had been 564 fines, totaling €271,007,288.

The California Consumer Privacy Act (CCPA) was approved in June 2018, the California Privacy Rights Act (CPRA) in January 2020, and Virginia's Consumer Data Protection Act (CDPA) in March 2021, and many more privacy acts in the US alone are pending approval. These regulations grant consumers individual rights, require greater transparency and data management controls, and impose limitations on use.

In 2021, many companies continue to assess their privacy programs for compliance, risk and operational functionality. Key activities include data inventories, updates to privacy notices, updating capabilities for managing individual rights, testing incident management procedures, and deciding what to measure and report on compliance levels.

The risk of non-compliance continues to increase with each passing day; therefore the privacy office must work with its business leaders to communicate the business risks (fines, loss of trust or use of personal data) and the effort and cost required to improve the organization's compliance position.

Our Services

Evaluation of Personal Data Collected

  • Review of the consent language and validation that the purposes of use are consistent with that language;
  • Identification of the types of data, their sources, and their storage locations;
  • Identification of data that may be exempt from GDPR obligations (e.g., HR data).

Analysis of Data Flows, Access and Security

  • Creation of data flow maps: source systems (on-line, retail, product/service promotions), data transfers, storage and backup locations;
  • Validation of user access, roles and functionality (view only, extract, modify, etc.);
  • Identification of security measures in place (encryption, intrusion detection, audit logs, etc.).

Assessment of Administrative Procedures

  • Evaluation of the operational capabilities to handle choice, access, correction and erasure requests;
  • Definition of key measurements (handling time, percentage completed, number of escalations, etc.);
  • Determination of the frequency of metrics reporting and of the recipients in executive management;
  • Define and document data breach response procedures.

Evaluation of Entities Handling Personal Data

  • Identification of all entities (internal and external) that collect, use or transfer personal data;
  • Identification of the category each entity falls within: controller or processor;
  • Update or execution of cross-border agreements as necessary.

Define Data Management Practices

  • Based on the data flow assessment and the regulatory and legal obligations, define a retention schedule;
  • Document the systems, databases or physical storage that maintain the personal data;
  • Validate any technology and resources necessary to implement data destruction processes.

Privacy International, LLP