GDPR in 5 steps

Thursday, March 8, 2018

GDPR (General Data Protection Regulation) is the latest EU data protection framework; it has been adopted in the form of a regulation. It won’t be long until the beginning of its official operation, which is scheduled to start within the next few months, after a 2-year transition period. The GDPR was published in the Official Journal of the European Union on 4 May 2016.

The GDPR will certainly bring substantial changes to European privacy law. The way organizations collect, handle and process personal information will change dramatically. Organizations now need to take the GDPR seriously, as the implementation period is passing very fast.

Organizations should start planning their preparations immediately. There is no need to panic: just contact us and we will go through the entire procedure together, according to the following basic steps.


Step 1: Personal Data Inventory / Mapping

Questionnaires and one-on-one meetings will help us create a Personal Data map and dashboard. You will be able to see the whole picture of the Personal Data used within your organization, including the following information:

  • What Personal Data is gathered and administered, for what purpose(s) and on which legal basis.
  • The role of your organization in each processing activity (data controller versus data processor).
  • The period for which you are permitted to access and use any Personal Data.
  • Which purpose the Personal Data serves for your organization, and who has, or should have, access and permission to use it.
  • How Personal Data is being protected.
  • How Personal Data is transferred (including third parties and cross-border).


Step 2: IT & Legal Audit

Our IT professionals will perform an in-depth audit of the IT infrastructure. They will look for vulnerabilities and weaknesses and re-evaluate the security architecture, the technologies and the procedures in place, to confirm that Personal Data resides on adequately controlled IT systems. Our legal experts conduct workshops and arrange one-on-one meetings to assess your current compliance with the GDPR and help you improve. They will identify existing gaps against the GDPR compliance requirements and evaluate these against the recommended best practices for organizations of similar function, size and target value.


Step 3: Gap Identification

Following the previous steps, our specialists will deliver a precise assessment of your readiness to comply with every applicable GDPR requirement. They will point out your key gaps and possible risks and suggest a remediation path. Where processing is high-risk or involves sensitive data (due to the volume of Personal Data, the nature of the data, the purpose of the processing and the technology used for the processing), a Data Protection Impact Assessment (or PIA - Privacy Impact Assessment) will take place.


Step 4: Design & Implementation of Compliance Program

Our experts can provide you with legal coverage and design a data protection framework for you, so that no GDPR compliance gaps remain. In particular:


Data protection legal framework

  • Data controller & Data processor contracts
  • Binding Corporate Rules program compliance


Privacy governance

  • Data Protection Risk Management, Policy, Procedures
  • Training and awareness of the regulatory framework
  • Data breach incident management procedures


Data Protection enforcing technology

  • Network & Systems protection
  • User Identity & Access Management
  • Data anonymization, Encryption, Loss Prevention
  • Vulnerability Assessment, Security Monitoring


Furthermore, our professionals guarantee that the new GDPR concepts and conditions are met:

  • Data Privacy is built into new Products or Services (“Privacy by design”)
  • The “right to be forgotten” and the “right to data portability” are supported by your Business Services


Step 5: Monitoring and Ongoing Support

Subsequently, your organization will need to keep up with the new personal data norms for data processing, and remain flexible enough to handle any possible incident successfully and swiftly. According to the GDPR, you need to be able to demonstrate to external auditors that your organization runs a continuous data protection program and, moreover, that you are in a position to handle any possible incident within 72 hours (incident treatment, breach notifications, etc.). We can support your organization in being ready under these new circumstances in two ways: either by allocating a member of our team as an external partner offering Data Protection Officer services, with a regular presence on your premises, or by supporting your in-house Data Protection Officer if you choose to appoint one. Additionally, we can monitor the security of the IT infrastructure inside your organization on a 24/7 basis, using high-end technology.


Do not hesitate to contact us and let us help you through the entire GDPR process!