An engineering firm prepares to align with the EU's personal data privacy regulation
At a Glance:
A large global engineering firm with a strong presence in Europe faced a massive undertaking to align its policies and applications with the European Union's General Data Protection Regulation (GDPR). Fortunately, the firm was already working with us on a data security project, and it leveraged our master data management and compliance expertise to lay the foundation of a GDPR remediation plan.
GDPR compliance became a top priority for our client. The program lead recognized that the organization needed a readiness plan, as the regulation governs the handling of personal data relating to the firm's employees and partners across Europe.
The regulation comprises 99 articles, many of which leave ample room for interpretation, so the company had to determine which of its existing policies and procedures required updates and which new ones had to be added. On the software side, the company had grown through acquisition, and many acquired firms had kept their existing applications. The result was an extensive inventory of applications, each of which had to be assessed against the GDPR's data protection requirements.
Why They Chose Us
Our client had previously engaged us to gain better control over the handling of its sensitive data, and it was also familiar with our extensive expertise in enterprise data management. When the GDPR project was ready to start, our broad experience in regulatory compliance and our understanding of the client's systems made us the obvious choice to get them on track for readiness.
We worked with our client to align with the GDPR on two fronts: policies/procedures and applications.
On the policies and procedures side, our team analyzed all 99 articles of the GDPR to identify the requirements that apply to our client. We performed a gap analysis against each applicable requirement to determine the client's current state of compliance and worked with its compliance and legal teams to make the necessary policy adjustments. We also worked with the communications team to ensure that all employees are properly trained on the new and revised policies.
On the applications side, we reviewed every application that processes the personal data of individuals in the EU to assess its current security posture against the GDPR's requirements. Where an application could not support the regulation's security mandates, we worked with internal teams and external vendors to identify the specific gaps, recommend how to address them, and assist with remediation.
Throughout this process, our team documented in detail every measure taken. This documentation enables our client not only to meet the GDPR's recordkeeping obligations, such as maintaining records of processing activities, but also to demonstrate accountability with evidence should a supervisory authority ever open an inquiry.
When the project finished, our client was not only prepared for the GDPR but also expected to be better positioned than most firms in its industry.