Planning and conducting data inventories
You need to comply with GDPR.
But are you? You know GDPR is critical for any organization that stores customer data but that doesn’t mean it’s easy to achieve.
Maybe you’re running into issues maintaining compliance. Or maybe trying to reach it in the first place. Maybe your business is brand new to the whole GDPR thing.
Are your customers wondering if your GDPR strategy is in place or asking for a GDPR Data Processing Addendum (DPA)?
No matter what the problem is, you have good reason to find a solution.
Your customers trust you to provide transparency and security
Noncompliance can result in hefty fines, legal entanglements, and loss of certifications. But crucially for any company building a relationship with their customers through data, noncompliance can damage your reputation and erode trust.
But compliance requires resources and expertise. It requires time and effort, all things that can be in short supply. Yet there's no shortage of GDPR issues to deal with:
Wherever you’re at on your compliance quest, we’ll meet you there.
Red Clover Advisors has been making data privacy practices simple and straightforward for clients since Day 1. We assess, develop, implement, and maintain data privacy strategies for clients that bring results without the substantial expense of hiring in-house.
Looking for a roadmap? We can draft one for you and then let you take the wheel. Prefer to have a guided tour – i.e., full implementation and ongoing support – to get you there? We’ve got you covered.
Proficiency, meet process
Policy insight is invaluable, but you need practical solutions. (Preferably quickly.) We bring a business approach to privacy compliance, taking years of industry experience and distilling it into operational changes that make sense for you.
Whether you’re looking for a DIY assist or for a partner in the process, we customize our approach to each client. But there are a few key pieces to bringing your company into compliance no matter what.
Data inventory – it's mission-critical. GDPR and other compliance efforts require an exhaustive data inventory.
Through our data inventory process, we track down all the information you've collected and figure out how it's stored and what it's being used for, in order to establish your data flow. Our findings play a big role in developing your privacy notice and your individual rights process and policy. After all, there's no way to create these documents without knowing everything about the data you've already got.
You’ll also end up with a better understanding of what data you need to be collecting in the first place – collecting and storing data that isn’t being used poses a risk to all companies.
Our data inventories incorporate Article 30 reports when needed, including all of your third-party vendors and their systems.
Once the Gap & Maturity Analysis has been run and the data inventory is complete, you have options for what comes next.
Privacy Policies and Cookie Consent Tools
Crafting your policies and informing individuals about them can be tricky. We help you read between the lines to create and/or update your privacy notices, information governance, and security policies.
Cookie consent tools are a GDPR requirement. We evaluate your vendors so you can assess and establish risk. Once we’ve found your perfect cookie consent tool, we’ll help you pick the best route to implementation.
Looking for a DIY approach? We provide customizable templates for privacy notices and cookie banners.
Vendor Management and Privacy Technology
Who are you working with? Are your management processes appropriate for your relationship? We help you analyze and update your strategies for new and existing vendors, including vendor assessments, Data Protection Addendums, or vendor agreements.
Are third-party privacy technology vendors part of your plan? We’ll assess your vendors and walk you through building a roster of data management and consent tools and establish plans for reporting processing activities, data security, and more.
Starting out with a vendor assessment? This project makes a useful point of entry for later data inventories.
Privacy Impact Assessments
Create and perform privacy impact assessments for new products or marketing campaigns.
What you need to know about GDPR
The General Data Protection Regulation (GDPR) has been widely described as the European Union's "game-changing data privacy law." It went into effect in March of 2018 and businesses have been chasing compliance ever since.
They aren't wrong. GDPR is the biggest data protection law in the 20 years since the internet, mobile devices, e-commerce, social media, and big data took off. It affects businesses of all sizes around the world.
But what does that really mean?
In plain English, the GDPR sets guidelines for businesses, organizations, non-profits, essentially anyone who touches someone's personal information in connection with offering goods and/or services to EU residents. Money doesn't even need to change hands – the rules can apply if you're asking for people's personal information in exchange for information, a subscription to an email list, etc.
GDPR instructs businesses and organizations, but at its core, it's about giving individuals control over their data. GDPR includes a number of provisions designed to provide that control, including:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure/to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Combined, all of these rights give EU residents the right to be informed about and understand how their personal data is being collected, stored, and used by companies. Companies have to get people's consent before using their data, and they have to delete it if asked to. Learn more about the full scope of GDPR rights and how they differ from the new data protection law, CCPRA.
What’s Article 30 and why is it important?
Article 30 requires organizations to develop and maintain an internal Record of Processing Activities (ROPA). Without this record, it's impossible to know what kind of personal data a company is gathering, how it's being stored, and how it's being used both internally and externally. Without this record, ultimately, it's impossible to be fully compliant with GDPR.
Why is it important to businesses?
On a financial level, non-compliance can be a killer. If you’re found out of compliance with GDPR, you risk a fine of up to 20,000,000 euros or up to 4% of your company’s profits from the previous year. (Whichever is higher.)
Compliance also creates transparency for your clients. Without it, your business risks serious reputational damage, loss of consumer confidence, and loss of business.
GDPR compliance extends past your own office doors, too. If your company has partners, they also need to be in compliance. That’s why vendor relationships are important to address when building your compliance – the trust factor is critical to doing business in a compliance-driven landscape.
Looking at the bigger picture, GDPR compliance can save your company time and money by prioritizing a streamlined data policy.
What’s considered personal data?
One of the major changes to privacy came with the way that GDPR defined "personal data." GDPR took a more expansive view of the concept. Most companies think of personal data as names, emails, addresses, and ID numbers. And it is!
But GDPR has expanded what personal data means in some big ways by including new categories of health, genetic, and biometric data. According to the regulations, these categories are “particularly sensitive in relation to fundamental rights and freedoms.”
GDPR protects the following types of information:
- Identity information, such as name, birthdate, address, and ID numbers
- Web data such as location, IP address, cookie data
- Health and genetic data
- Sexual orientation
- Biometric data
- Racial or ethnic data
- Political opinions
Interested in the whole list? Learn more about how GDPR classifies personal data.
Does GDPR apply to my US-based company?
This is one of the most common questions posed by companies in the US. While GDPR deals with the rights of EU residents, it potentially applies to any company in the world. If your company processes personal data belonging to an EU resident, then GDPR applies to you.
What if no financial transaction happens?
GDPR may still apply to you. If you're an internet-based company that sells or markets products online to EU customers, you need to comply. If your company has a domain suffix for an EU country, ships to an EU country, provides a translation of your site into a language of an EU country, or markets in that language, then GDPR applies to you. Are you B2B? If your customers serve an EU audience, GDPR compliance likely also applies to you.
Tracking information also counts. For example, if your company does market research on EU residents by tracking and collecting information to predict online behaviors, that qualifies.
What if we’re considered a public authority?
Public authorities or agencies make heavy use of personal data to deliver their services. That means they have the same responsibilities as private companies.
What do "data processor" and "data controller" mean?
Data processor and data controller are big concepts in the implementation of GDPR. Companies need to determine whether they are a "data processor" or a "data controller."
Under GDPR, a data controller is the party responsible for getting consent for data and managing access to it. If something goes wrong – i.e., a data breach or mishandling of data – they're on the hook.
A data processor, on the other hand, is simply that: the party that processes the data. This could be the data controller itself, but it's often a third-party vendor. For example, if a company tracked its website data and ran it through Google Analytics, Google Analytics would be the processor. However, data controllers still have compliance requirements that need to be implemented.
Go beyond compliance
Privacy compliance can’t be ignored, but it doesn’t have to be a challenge. Working with experienced privacy professionals can help you focus on the job you’re passionate about.
Take your company beyond compliance. Reach out to our team at Red Clover Advisors today to start with your free consultation.