Contact us today

Get in touch with one of our professional services experts to find out how we can help your firm address the challenges of GDPR compliance today. 

GDPR compliance for professional services

The GDPR – is your firm on track?

Now that the EU GDPR (General Data Protection Regulation) is in force, firms must be able to demonstrate compliance with its data processing principles and disclose any data breach that compromises data subjects’ rights. Compliance is not a choice. The Regulation gives supervisory authorities the power to fine non-compliant organisations up to €20 million (about £17.6 million) or 4% of their annual global turnover – whichever is greater. With the appropriate compliance framework in place, your firm will be able to avoid significant fines and reputational damage, show clients that you are trustworthy and responsible and derive added value from the data you hold.

IT Governance is at the forefront of helping organisations around the world address the challenges of GDPR compliance. Our GDPR experts can help your firm with a variety of best-practice solutions, from evaluating your GDPR compliance position and developing a remediation roadmap, to implementing a best-fit privacy compliance framework. We offer comprehensive solutions, services and expertise to help you meet your GDPR compliance objectives, including training courses, books, compliance toolkits and software, staff awareness training and consultancy services.

Our GDPR training courses will give you the knowledge and advice needed to help your firm comply with the Regulation. These consultant-led sessions are built on our extensive practical experience of implementing and advising on GDPR compliance.

The key steps to GDPR compliance

Discover the key steps to GDPR compliance and the solutions we can offer. 

Establish an accountability and governance framework

Suggested actions

  • Brief management on the GDPR risks and benefits.
  • Gain management support for a GDPR compliance project.
  • Assign a director with accountability for the GDPR.
  • Incorporate data protection risk into the corporate risk management and internal control framework.

Scope and plan your project

Suggested actions

  • Appoint and train a project manager, and appoint a DPO (data protection officer) if necessary.
  • Identify which entities will be in scope: business units, territories, jurisdictions.
  • Identify other standards or management systems that could provide a framework for compliance, e.g. implementing ISO 27001 demonstrates information security best practice.
  • Assess the principle of data protection by design and by default against current or new processes and systems.
  • Consider Brexit implications in your planning.

Conduct a data inventory and data flow audit

Suggested actions

  • Assess the categories of data held, where it comes from and the lawful basis for your processing.
  • Map data flows into, within and from your organisation.
  • Use the data map to identify the risks in your data processing activities and whether a DPIA (data protection impact assessment) is needed.

Conduct a detailed gap analysis

Suggested actions

  • Audit your current compliance position against the GDPR’s requirements.
  • Identify compliance gaps requiring remediation.

Develop operational policies, procedures and processes

Suggested actions

  • Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
  • Bring data protection policies and privacy notices in line with the GDPR.
  • Where relying on consent, ensure quality of consent meets new requirements.
  • Review and update employee, customer and supplier contracts.
  • Plan how to recognise and handle data access requests and provide responses within a month.
  • Have a process in place for determining whether a DPIA is required.
  • Review whether the mechanisms for data transfers outside the EU are compliant.

Secure personal data through procedural and technical measures

Suggested actions

  • Have an information security policy.
  • Put in place basic technical controls such as those specified by established frameworks, e.g. Cyber Essentials.
  • Use encryption and/or pseudonymisation where it is appropriate.
  • Ensure policies and procedures are in place to detect, report and investigate a personal data breach.

Communications

Suggested actions

  • GDPR compliance is a business change project – effective internal communication with stakeholders and staff is key.
  • Employees need to understand the importance of data protection and have training on the basic principles of the GDPR and the procedures being implemented for compliance.

Monitor and audit compliance

Suggested actions

  • Schedule regular audits of data processing activities and security controls.
  • Keep records of personal data processing up to date.
  • Undertake DPIAs where required.

Start your GDPR compliance journey today

Browse our range of comprehensive solutions, services and products to help you meet your GDPR compliance objectives.

PROTECT YOUR
BUSINESS
THIS WINTER