Would you like to have a privacy baseline measurement / quick scan carried out?
The European General Data Protection Regulation (GDPR) has implications for the governance and compliance of the organization. The level of the potential fines is another reason to place data protection high on the agenda of directors. In order to meet the requirements of these laws and regulations, the organization needs insight into its own ‘organizational structure’, including the related parties with which it has contractual relationships.
The central question is: ‘Do I have a clear overview and insight into the risks and liabilities arising from the legislation for the protection of personal data and the degree of control of these risks?’
To obtain this insight, we offer to perform the privacy baseline measurement. The data protection baseline measurement is an exploratory study aimed at gaining insight into compliance with data protection laws and regulations. The investigation gives those responsible, the Executive Board and the Supervisory Board, insight into the extent to which the risks are covered by measures and whether those measures operate effectively.
What is the added value?
An organization must ensure that technical and organizational measures have been taken to cover the risks and that these measures work effectively. After all, if a measure is missing or has proven to be ineffective and this has led to a data breach, the organization must usually report this breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) and, in a number of cases, also to the data subjects. If the organization is unable to detect a data breach itself, and consequently no notification is made, it can be held accountable by the AP or by one or more of the data subjects affected. This can lead to fines and claims.
Your partners in the chain also want to know to what extent your organization complies with the legislation. If your organization is a processor, the controller is obliged to check whether your organization complies with the GDPR.
The data protection baseline measurement also produces a document that you can hand over to your external auditor. The auditor may use this document to support their own audit work, which allows you to reduce your audit costs.
Accountability Obligation
The GDPR has an accountability obligation for companies and institutions. This obligation means that organizations must be able to demonstrate at any time that the measures to protect personal data actually work and that the provisions of the GDPR are being complied with.
Among other things, the accountability obligation entails that there must be an overview of and insight into the processing operations, that the data protection policy must be embedded in the organization and complied with, and that the effective functioning of information security must be demonstrable. In addition, the accountability obligation also covers the processing of personal data for which the organization has engaged external parties (processors and sub-processors).
The summary from the data protection report baseline measurement can be included in the Directors’ Report, so that the organization complies with a governance obligation.
What is our approach?
The research takes a practical approach: together with you, a first step is taken towards sound housekeeping for the protection of personal data. During the research, available policy documents are assessed and interviews are held with employees and/or stakeholders. The insights obtained are compared against the requirements for the processing of personal data in order to assess the extent to which your organization meets the requirements for data protection. This is done on the basis of a framework of standards derived from the laws and regulations relevant to the organization.
The investigation results in a report of findings and associated advice. Among other things, this advice provides a high-level roadmap for your organization on how to take the next steps to raise data protection and the safeguarding of privacy to a higher level and to become compliant. We use a maturity model with 5 levels.
Activities during the research:
- Establish a framework of standards aimed at the organization;
- Inventory of the most important processing operations;
- Testing against the standards framework: interviews, documentation and own research;
- Prepare report of findings, action plan and presentation; and
- Coordination and unforeseen work.
The depth of the data protection baseline measurement and the level of detail of the reporting are determined by the scope of the investigation and the time available.
Do you have any questions or would you like to make an appointment?
Do you have questions about organising, implementing or expanding the protection of personal data? Our service owner, André Biesheuvel, or one of his colleagues will be happy to discuss your specific case.