Data Compliance Services
“Compliance” doesn’t need to be a dirty word…
The GDPR is based on a set of general principles, not specific rules, so it is open to interpretation. As we work with our clients on compliance, we help them avoid spending time and money "getting round" good data and information governance. Our aim is not to stop you using personal data; instead we want to help you capitalise on it, whilst treating others' personal data as if it were your own. Through greater transparency comes greater trust.
What is Information Governance?
Information Governance enables organisations to manage their data and information effectively in order to:
- Improve Compliance: record retention, GDPR/ePR, legal holds
- Reduce Risk: over-retention, litigation exposure, fines/investigation, reputation
- Reduce Cost: dispose of ROT, document review, legacy systems, migrate to cloud
- Drive Efficiency: easy to find and use information, simpler processes, MI and business insight
GDPR Opportunities
- Data
  - A better understanding of data flows and purposes helps establish a baseline for implementing a data strategy
  - Staff access data on a need-to-know basis, providing better protection
- Customers
  - Enhanced transparency requirements lead to an opportunity to build relationships and trust
- Supply Chain
  - Stricter contractual requirements give better protection
  - Greater oversight gives more control
- Applications
  - Enhancements made to applications to deliver GDPR obligations ensure applications are fit for the future and address past issues
- Confidence of Key Stakeholders
  - Belief in, and greater backing for, your privacy programme
  - Accountability to give the Exec and Board comfort
  - Increased awareness to drive a culture of privacy by design
  - Increased confidence from regulations
  - Opportunities to win business if you can demonstrate you are a responsible data controller
GDPR Challenges
- Data Subject Rights
  - Increased volume of rights requests across all industries
  - A UK, rather than an EU, phenomenon
  - Increased demands on resources
  - Can be exploited as part of legal or claims management tactics
  - Verbal requests are valid
- Complaints
  - Greater awareness of GDPR = greater complaints about GDPR
  - Legitimate Interests for marketing can confuse customers, so it needs clarity of explanation
- Incidents
  - GDPR breach notification requirements mean greater attention on reviewing and understanding incidents to meet the 72-hour deadline
  - Decisions must be documented
  - Need to ensure prompt notification, including from the supply chain
- Accountability
  - How can your organisation continuously evidence adherence to GDPR standards?
  - How can you ensure your legally required records of processing are up to date?
  - How can you ensure DPIAs are completed?
  - How can you maintain governance to ensure appropriate oversight?
How Can Lumilinks Help?
• By creating an implementation programme or plan for GDPR compliance or auditing your existing plan to make sure it’s fit for purpose
• By conducting a data audit so you know what information you hold and how it is stored and used
• By producing a Record of Processing Activity (ROPA) if you are a large organisation or are processing high risk data
• By ensuring your processing activities have compliant technical and organisational controls in place
• By carrying out Data Protection Impact Assessments (DPIAs)
• By acting as your Data Protection Officer (DPO) if you need one
• By reviewing your contracts with third-party suppliers to ensure that you and they understand your liabilities, and assisting you with advice about international data transfers
• By identifying and documenting a legal basis for each processing activity, and carrying out Legitimate Interest Assessments (LIAs) where necessary
• By updating your communication materials and internal processes to support the obtaining of verifiable consent
• By rewriting your public-facing Privacy Notice so that it complies with the more stringent transparency requirements
• By designing your subject access request process to ensure people have access to their personal information
• By updating your internal processes around data breaches to ensure they comply with your regulatory requirements