GDPR Compliance Services
We are here to help you and set you on the right course
We have been working closely with and preparing for the GDPR since we were founded in 2015, well before the GDPR was signed off and became Regulation (EU) 2016/679. While GDPR compliance is a core part of all of our Product, Solution, and Service offerings, we also put this expertise to work for others just beginning their GDPR journey, or those who simply need a helping hand in an on-going transformation.
GDPR Gap Analysis
If you are not sure whether the GDPR applies to you, or if it does, that you have met all your GDPR obligations – then consider taking this first step.
Contact us for a free, no obligation consultation where we can provide you with some quick answers (such as “Does the GDPR apply to my company, website or App”) and some helpful advice to get you started on your GDPR journey.
If you decide to continue your journey with us, we will help you to assess your unique situation and provide you with advice and step-by-step guidelines to close your gap to full GDPR compliance.
Data Protection Risk Assessment
Risk assessments are an important tool for any company wishing to limit their risk exposure and liability.
Adaptant can help you to carry out a Data Protection Risk Assessment for your App, Website or company operations, in accordance with ISO 31000.
The assessment can be carried out on-site or remotely and will be tailored to your specific needs. The DPRA is essentially a lightweight DPIA and will typically look at things such as your privacy and cookie policies, and carry out a basic assessment of your company’s operational risks.
Data Protection Impact Assessment
Impact assessments are mandatory for any organisation engaged in the processing of personal data where the rights and freedoms of the individual are at risk.
With Adaptant’s DPIA service, we help organisations identify the extent to which a more holistic impact assessment is needed, and to what extent their current data flows and usage puts them at risk for non-compliance.
The assessment can be carried out on-site or remotely and aims to create a snapshot of current data processing behaviours and risks within the organisation, as well as an action plan with targeted recommendations for treating the identified risks. We can also support the implementation and monitoring of the execution of the report’s recommendations, both on a technical basis, together with your engineers, and on an operational one, together with your management team.
EU Representative Service
Organizations that are regulated by the GDPR but that have no legal presence in the EU need to appoint an official representative located in the EU for the purpose of responding to the inquiries of European regulatory agencies and data subjects.
Adaptant provides a professional and effective way of complying with the requirements of Article 27 of the GDPR. By appointing us as your company’s official EU Representative, you can be sure that your organization has taken an essential step toward GDPR compliance and is prepared to respond in a reliable, professional way to any European privacy inquiries that may arise.
The EU Representative has the following tasks under the GDPR:
Data Protection Officer as a Service
All entities established in the EU, including public authorities and organizations that carry out large-scale monitoring or process sensitive personal data, have to comply with the GDPR, but not every organization is required to appoint a DPO.
Adaptant can help you assess whether your company must appoint a DPO and walk you through the pros and cons of having this role in-house or outsourced. In addition, we also offer DPO as one of our compliance services.
The DPO has the following tasks under the GDPR:
Assurance & Support
Uncertain about how your compliance obligations will change as your business develops?
Adaptant provides on-going support to clients in a number of ways:
Contact us for a free, no-obligation consultation
FAQs – GDPR
The GDPR (General Data Protection Regulation) is a Regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for EU residents. This legal framework replaces the former EU Data Protection Directive (95/46/EC) with additional requirements that companies need to be aware of. As a Regulation, the GDPR applies to all EU member states, and further applies to any company processing the data of EU residents, including those outside of the Union.
The GDPR applies to all organizations, regardless of their location, which make goods or services available within the EU, or which collect and process the data of EU data subjects.
There are 8 fundamental rights of individuals under the GDPR:
- The right to be informed – Organizations must be completely transparent in how they are using personal data.
- The right of access – Individuals have the right to know exactly what information is held about them and how it is processed.
- The right of rectification – Individuals are entitled to have personal data corrected if it is inaccurate or incomplete.
- The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to having their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
- The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
- The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
- The right to object – In certain circumstances, individuals are entitled to object to their personal data being used.
- Rights related to automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision that has a legal bearing on them and is based solely on automated processing.
A maximum fine of 4% of annual global turnover or €20 Million (whichever is higher) can be imposed for the most serious violations, e.g. not having adequate or demonstrable customer consent to process data, failure to notify relevant parties of data breaches involving personal data, etc. For less serious violations, a maximum fine of 2% of the company’s annual global turnover or €10 Million (whichever is higher) may be imposed. This includes an organization not having its records in order (pursuant to obligations set forth in Article 28) or not having carried out a Data Protection Impact Assessment when necessary.
In Article 4(1) the GDPR defines personal data as any information relating to a directly or indirectly identifiable natural person. An identifiable natural person is further defined as one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Article 5 of the GDPR states that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Held only for the absolute time necessary and no longer
- Processed in a manner that ensures appropriate security of the personal data
Organizations should, in general, adhere to principles of data austerity/economy and only collect the minimum amount of data required for a stated purpose of processing. By minimizing the amount of data held, organisations are also able to more effectively limit their liability in the case of a data breach.
While we would, in general, encourage our clients to use consent as the legal basis of processing, this is only one of the lawful bases for processing set out in Article 6(1). The full list of lawful bases includes:
- Explicit Purpose-Limited Consent
- Contractual Obligation (necessary for the execution of a contract between the Data Subject and the Service Provider)
- Compliance with legal obligations that the data controller is subject to
- Protecting the vital interests of the data subject or of another natural person
- Carrying out a task in the public interest (primarily for public authorities)
- Legitimate interests pursued by the controller/third-party
We would, furthermore, advise any organization wishing to pursue legitimate interests as the legal basis of processing to ensure that all due diligence has been carried out in advance, and that they fully understand and accept the risks in doing so.
Consent needs to be explicit, opt-in and freely given. The once-popular opt-out based consent is no longer sufficient. Furthermore, individuals must be informed about, and be reasonably expected to understand, what they are consenting to in order for the consent to have any legal standing. Organizations targeting minors, for example, must ensure that both the request and the supporting information are presented in an age-appropriate fashion where the reading level is accounted for, in order to demonstrate that the data subject has been reasonably informed.
Article 37(1) of the GDPR states that a DPO shall be designated where:
- the processing is carried out by a public authority or body (except for courts)
- the core activities of the organization involve regular and systematic monitoring of data subjects on a large scale
- the core activities of the organization involve the large scale processing of special category data (Article 9), or personal data relating to criminal convictions and offences (Article 10).
Special category data is further defined as:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- genetic and biometric data
- data concerning health, a natural person’s sex life, or sexual orientation
The approach we take with our clients is typically that:
- An EU Rep (pursuant to Article 27) is essential for organizations outside of the Union; and
- A DPO is appointed for organizations within the Union
While some have taken the view that an extra-territorial DPO can be designated pursuant to Article 37, we find that this runs counter to Article 27(3) and Article 27(4) which lay out territorial presence as a pre-requisite for meaningful engagement with EU supervisory authorities and data subjects.
While not every organization needs to carry out a comprehensive DPIA, it is important to have this level of understanding of the organization’s data flows, processes, and associated risks as part of any compliance initiative – regardless of whether you are carrying this out yourself or through the use of a third-party EU Rep/DPO.
While many organizations are familiar with their own use of collected data, the increasing use of third-party cloud service and software providers often creates unique challenges in the form of (often unintentional) cross-border and international data transfers that were not originally envisaged or accounted for – a scenario that tends to affect smaller organizations with little on-premises infrastructure much more than bigger ones.
Organizations with pre-existing certification under ISO 27001 (Information Security Management System) or PCI DSS (Payment Card Industry Data Security Standard) comply with many of the requirements of the GDPR already but must still make some changes in order to come into full compliance. The good news is that much of the heavy lifting has already been taken care of.
No, Privacy Shield itself is not a GDPR compliance mechanism as such, but a mechanism that enables participating companies to meet the EU requirements for providing an appropriate safeguard for transferring personal data between the EU/CH and US. More information about data transfers subject to appropriate safeguards is provided in Article 46.