How we helped an employee engagement platform provider evaluate data privacy for all their customers
At a Glance:
When the provider of a popular employee engagement platform learned about the EU’s General Data Protection Regulation (GDPR), they recognized an opportunity to provide a higher level of data privacy and protection to all their customers. That’s why they contacted us.
While the company works primarily with U.S.-based organizations, several of their customers employ residents of the European Union, which makes them subject to the GDPR. Since our client handles the personal data of these employees — including names, job titles, email addresses, and phone numbers — they are subject to the regulation as well.
In preparing for the GDPR, the company’s leadership saw an opportunity to elevate their value offering by enhancing data privacy and protection for all customers — not just those who employ EU residents. First they needed a partner with expertise in both the GDPR and master data management who could help them turn this vision into a reality.
Why They Chose Us
The company learned of us through a recommendation from their legal counsel, who was familiar with our GDPR work for other clients. In the initial meeting, we helped the leadership team to better understand the regulation and discussed how it could apply to their organization. They recognized that we offered not only deep expertise in how the GDPR works, but also hands-on experience in helping other firms improve their data privacy and protection to conform with the regulation’s high standards.
We worked with the leadership team to review several areas of the organization and conduct gap analyses with respect to the GDPR’s requirements.
Data Map and Process Flow: We developed a map of their system architecture and captured data process flows to gain a thorough understanding of how the company handles personal data.
Processes and Procedures: We also conducted an inventory of their data processing activities and reviewed them in light of the GDPR’s requirements. Among our recommendations were new procedures for responding to data subject requests (for erasure, for portability, etc.) and for deleting data that the company no longer has a legitimate reason to retain.
Contracts: In reviewing our client’s contracts with third-party providers, we made recommendations for updating clauses that concern the handling of personal data.
Reporting and Documentation: We helped our client develop a record of processing activities (ROPA), as the GDPR requires. We also showed them how to conduct a data protection impact assessment (DPIA). Although the company currently has no processes covered under this requirement, they may need to conduct DPIAs for future activities.
Education: We and the client both feel that employees should understand the basics of the GDPR and their role in supporting the compliance effort. Everyone should know which changes may be affected by the GDPR and whom to go to for guidance as the business continues to evolve — new processes, new reports, new vendors, etc. With this goal in mind, we conducted a training session for the entire organization to give them an overview of GDPR requirements as well as best practices in data privacy.
Governance: We worked with our client to recommend governance programs that help them maintain compliance as their business evolves.
Value and Benefits: "The Wins"
When we completed the project, the leadership team had a firm grasp on how the GDPR affects their organization and a strategy for addressing their compliance gaps. They can now demonstrate to customers with EU employees how their data processing activities align with the GDPR’s requirements. As the company moves forward with plans for expansion, they can also assure future customers that they handle employees’ personal data in accordance with one of the world’s most stringent data protection regulations.