Compliance with GDPR requires a combination of legal, business and technical skills from GDPR experts:

Legal skills are needed to assess the legal basis on which the processing of personal data takes places as per the Regulation, to amend existing or draft new contracts for collection of personal data or its transfer to another processor, a joint controller or another entity and to prepare unambiguous and explicit statements of consent.

Business skills are required to unfold the complexities of the business processes of an organization and to prepare the data flow mapping, to design new or to amend exiting processes and to define the data privacy policy. Compliance shall be achieved in a way that it does not impact the main business of the enterprise and it does not impose high overheads. Thus, deep business understanding and skills are needed.

Personal Data usually resides in and is processed by software tools such as ERPs, CRMs, Directories, Payroll Systems, Databases, Online tools, etc. and is stored/archived/backed up in local storages or on the cloud. Therefore, information Security is of vital importance for the protection of personal data and a whole project on its own. Thus, technical skills are an absolute must.

DataKnights GDPR compliance program consists of three stages: Discovery, Design and Implementation. However, the participation of legal, business and technical GDPR experts is required in every stage.

At the Discovery Stage, we identify the main type of data processed and the scope of processing at your organization, and we determine the exact application of the GDPR for your own company. The goal is to identify the main provisions of the Regulation that apply to your Organization. More specifically, the first stage consists of the following:

• Awareness Session
• Assessment on Applicability of the Regulation
• Scope and Plan of Work for Next Stages

The Design Stage is about defining and planning the actions that need to be taken in order to achieve compliance. It includes:

• Preparation of Data Flow Mapping
• An Assessment of the Legal Basis of Each Processing
• Preparation of Gap Analysis
• Definition of an Actions Plan
• Definition of the DPO’s Roles and Responsibilities

The third and last stage of the Program is the Implementation Stage. During this phase, all the organizational, procedural, legal and other actions, that have already been planned in the previous stage, shall be implemented. In particular, during this stage the following actions will be taken:

• Data Privacy Impact Analysis (DPIA) Preparation
• Data Privacy Policy Definition
• Data Leakage Notification Process Preparation
• Contracts Legal Review
• Statements of Consent Drafting
• Key Personnel Training
• DPO Training

Although the implementation of an initial GDPR compliance program covers all the necessary operations in order to meet strict criteria of the new GDPR, it requires constant updating and needs to harmonize with future changes to the provisions of the GDPR. Moreover, it should be constantly adjusted and updated on any changes of the processing that the Organization is performing.

As such, DataKnights offers an annual management consulting service that will cater for all the above and will in essence update the Compliance Program according to the Regulation or business environment changes:

• Annual Review of the Compliance Program Including the Review of the Data Privacy Policy, the Data Privacy Impact Assessment and the Data Flow Mapping
• Support to the DPO for the Management of the Data Leakage Notification Process
• Consulting Services and Support the Assigned DPO for Any Matters That May Arise in Regards to Data Privacy

One of the major challenges of the new GDPR is the appointment of a Data Protection Officer (DPO) to monitor, execute and report data processing in accordance to the legislation. The DPO will be responsible for both your organization’s GDPR compliance as well as liaise with the relative authorities.

Our firm offers to undertake the role of a DPO on behalf of your organization. The assigned DPO will:

• Be the Only Contact Point with the National Data Protection Authorities
• Review and Supervise the Compliance with the Regulation and the Adherence to the Defined Policies and Procedures
• Deliver Additional Hands-on Support for Employees Where and When Needed
• Maintain and Update the Data Flow Mapping Records
• Maintain and Update the Data Privacy Impact Analysis (DPIA)
• Manage the Data Leakage Notification Process