We've assigned our corporate legal department to take care of the GDPR
You can't argue with that, for sure. The GDPR is a regulation with 99 articles and 173 recitals. So there is no discussion: this is the domain of lawyers and legal counsels.
So it is understandable that companies think of their legal department first to assess the impact of the GDPR on their activities.
And if all goes well, your lawyer will translate the regulation into readable and understandable instructions and provide you with a prioritised list of topics for your business. He will also interpret certain articles that the European regulator left open for discussion and, based on his own experience, advise you on how to tackle them.
But unfortunately, from that moment on, you will have to take care of things yourself. Indeed, your lawyer's instructions will need to be implemented in your organisation.
Your staff needs to be trained and the necessary awareness created. Policies and procedures need to be put in place and all processing of personal data must be registered.
You will probably need a number of processing agreements with suppliers with whom you share personal data, you will need templates for consent forms, and so on.
You will need an adequate procedure to respond in case of a data breach, and when an individual wants to exercise his rights as a data subject, you will have to make sure he gets a proper answer in due time.
And, although your lawyer is certainly a key person in this project, he generally is not the most appropriate party to take care of this practical side.
On top of that, a very important aspect is the integrity, confidentiality and security of personal data, required by article 5 of the GDPR, and by extension of all your data.
Indeed, what's the use of having a clear privacy statement on your website, or of granting your contacts their right of erasure, right of rectification, right to object, etc., if you cannot guarantee the security of that data? For these aspects of the GDPR too, your lawyer or legal counsel will rely on information security specialists to take care of things.
Precisely in these domains, our proven approach will help you to plan, budget and implement the GDPR in your organisation.
Based on the ISO27001 framework, we have developed a system that gives you a clear view of your current situation. You get an overview of all domains of information security, of course with clear references to the GDPR. It all starts with a number of interviews with key people in your organisation. A list of specific questions gives us detailed insight into your way of working and potential issues for your information security. The results of those interviews are summarised in a practical dashboard that will be the guideline for future actions and improvements.
Together with your management team, your legal counsel and your IT staff, we budget, prioritise and plan the necessary actions. We start with the low-hanging fruit, so you can immediately show some results, and we assist you all the way in becoming GDPR compliant.
And if, in a later stage, you want that official ISO27K certification, you are already on the right path…
Contact us via firstname.lastname@example.org for more information.