GDPR & CCPA Services

GDPR has arrived and enforcement actions are numerous. Has your executive committee asked "are we in compliance"? In 2018, companies completed GDPR assessments, documented the scale or scope of actions necessary for compliance and are working on plans to close the gaps. Soon California's regulation, CCPA, will be here, with enforcement in 2020. Is your privacy program prepared to be ready in less than a year? Remember, CCPA allows for a one-year look-back (2019).

In 2019 companies still have to complete data inventories, define the legal basis for processing, develop capabilities for managing individual rights, test incident management plans, and measure the level of compliance. These actions will improve compliance, reduce risks and build customer and regulators' trust.

Do your business leaders understand that the time to take action is now, as the risk of non-compliance increases with each passing day?

Our Services

Evaluation of Personal Data Collected

  • Review of the consent language; validate that the purposes of use are consistent with the language;
  • Identify the types of data, sources, and storage locations;
  • Identification of data that may be exempt from the GDPR obligations (i.e. HR data).

Analysis of Data Flows, Access and Security

  • Creation of data flow maps: source systems (on-line, retail, product/service promotions), data transfers, storage and backup locations;
  • Validation of user access, role and functionality (view only, extract, modify, etc.);
  • Identification of security measures in place (encryption, intrusion detection, audit logs, etc.).

Assessment of Administrative Procedures

  • Evaluation of the operations capabilities to handle choice, access, correction and erasure requests;
  • Define key measurements (handling time, percentage completed, number of escalations, etc.);
  • Determine the frequency and recipients of metrics reported to executive management;
  • Define and document data breach response procedures.

Evaluation of Personal Data Collected

  • Identification of all entities (internal and external) that collect, use or transfer personal data;
  • Identify which category the entity falls within: controller or processor;
  • Update or execute cross-border agreements as necessary.

Define Data Management Practices

  • Based on the data flow assessment and the regulatory and legal obligations, define a retention schedule;
  • Document the systems, databases or physical storage that maintain the personal data;
  • Validate any technology and resources necessary to implement data destruction processes.
Privacy International, LLP