Have any questions?  +380 44 390 7457 (UA)

Case Study: Making a company GDPR compliant

Making a company GDPR compliant: how does it look like from inside

Having a considerable pool of companies, we are helping with GDPR compliance, we have gathered a decisive amount of experience that we want to share with you in this case study.

As an example, we will take one of our old partners (will be referred to in this case study as the Company), who we already worked with on other projects and thus can make more precise judging about the whole compliance process and the impact of introducing GDPR standards into their workflow.

Analysis (GAP Analysis)

First step in getting prepared to meet GDPR requirements is analyzing each and every company process from the perspective of its involvement into working with personal client data (emails, passwords, Credit Card data) and other GDPR related aspects. Judging from our experience, this stage lasts from one to three months, depending on the company size.

We started to analyze the Company’s workflow, assets and processes in late December 2017.

We worked with every department and person in the Company, who has access to clients personal data – security, legal, IT, marketing and other departments potentially involved in working with users’ data. Among the number of GAPs we have found, there were GDPR violations in site Privacy Policy, Cookie usage and user data management procedures, being one of the primary points to be addressed for GDPR.

Due to company size, it took us approximately 2 months to point out all the violations of GDPR data regulation.

Planning

In this phase the list of all weak points (gaps), found during GAP Analysis, are prioritized and scheduled for implementation. The scheduling process requires careful and thorough coordination with the company management, since it is very important to have the required company resources available on the scheduled time of implementation of any given point.

The planning process ranges from two to five weeks, depending on the company size and the level of involvement and availability of the company management.

In case with the Company, it took us almost a month to have the implementation schedule settled, due to very versatile Company structure and slow coordination between Company departments. While planning, we were having meetings with security team, business analysts, developers, legals, data protection officer and other personnel, who will be affected by GDPR compliance process.

Implementation

This is the very stage where all the GDPR magic happens. During the implementation process, much depends on coordination between our GDPR consultants and company employees, who are involved into implementing changes into company assets, processes and procedures. Lack of coordination or resources availability from any party in this phase will imminently result in deviation of the implementation schedule. Our experience says that implementation is the most time-consuming phase and it varies from seven-nine months for companies who have information security management system (ISMS) to ten-fifteen months for companies who do not have one. This difference in implementation terms comes from the fact that GDPR requirements are build on the basis of ISO 27001, NIST, and having ISMS ready will tangibly speed up the compliance process. Here, we need to say that a company does not have to be 100% GDPR compliant by May 2018, it only needs to have all primary controls implemented by that date to continue working in the EU business space.

We are still working with the Company on implementing all the changes, required for GDPR, with primary controls already in place. During the implementation stage, we faced with difficulties allocating Company employees to work on a given GDPR requirement. This happened because of lack of human resources on the Company side and this has deviated the implementation schedule by one month already.

Internal compliance audit

This stage is complex and is divided into two parts: partial audit and general audit.

Partial audit is done after implementing some logical part of GDPR and ISMS requirements to check if everything implemented is GDPR compliant. For instance, after making all the necessary changes to the web site or after signing all the missing contracts with GDPR data controllers and processors, partial audit will show if these changes are GDPR compliant or there is something else to be done while moving towards the compliance in these departments. So partial audit is done several times during the implementation process and generally does not take longer than one day.

General audit is done after all planned changes were complete according to the implementation plan and shows the overall company readiness to be fully GDPR compliant.

General audit is comparatively fast and takes up to 10 working days.

We have already done several successful partial audits for the Company in the implementation phase and are steadily moving towards the final general audit.

Summary

Getting ready for GDPR compliance is not an easy or fast process, but this is a must for companies, working in the EU business space. You should be ready that your company assets, processes and procedures need to be changed and that you will need to allocate company resources to make this done, otherwise this will be even a longer process. With that, it is very important to find an experienced GDPR oriented team to bring you through all the difficulties you may face.