poster
Privacy (GDPR)

Initial Privacy Assessment: Everything You Need to Know

Initial Privacy Assessment: Everything You Need to Know

What is a privacy assessment?

A privacy assessment is a methodic review of your state of compliance with personal data protection laws. An initial privacy assessment is often your first step on the road to the GDPR compliance. Compliance under the GDPR is to be seen as a continuum where perfection can be pursued but not achieved. Organisations with the lowest compliance grade have very little control over data flows. They show little accountability and never carried out due diligence with their software or cloud suppliers. 

High compliance results from (this list is not exhaustive):

  1. documented processes and flows of data processing;
  2. accessible records of processing activities and policies;
  3. assignment of data owners and privacy champions within teams;
  4. a high degree of awareness and training within the organisation;
  5. security controls and management reviews;
  6. a high level of traceability and documented decision making within the company;
  7. acute ability to respond in time to data subject requests;
  8. little-to-no risk of creating a data breach when helping data subject exercise their rights;
  9. first and second party audits, openness to carry out third-party audits.

The main goal of the privacy assessment is to determine the company’s current compliance grade. To achieve this, it is vital to create a roadmap for the activities to pursue the GDPR/privacy compliance.

Why would you need a privacy assessment?

The 1st reason to run a privacy assessment is to ensure that you have a starting point for that dreaded inspection or data subject request. Small young companies start with an assessment as well, since early partners and investors expect them to be “GDPR compliant”.

Unless you are a data protection officer or a lawyer that understands technology, it is challenging to have a full compliance picture. If a regulatory body comes knocking tomorrow, where will you start searching for your documentation?

A compliance report delivers a structured and independent analysis of what to do to raise your level of privacy protection. If you put in place the recommendations from the report, you will less likely get a complaint from a data subject. Then, the complaint turns into an inspection done by a competent authority. The audit done by the authority may lead to the discovery of unlawful processing of data and a fine. The average fine for SMEs in the EU amounts to 5000-30000 euros.

What does it look like?

The compliance assessment happens in 3 steps.

  1. Discovery phase. At this point, we meet the team and guide them to investigate within their own practices. The discovery phase is a workshop around the GDPR and analysis of business processes using the GDPR Canvas. This is the perfect chance to uncover data sets, tools, and practices for your company. The discovery allows you to shed some misconceptions and paint a clearer picture of the road ahead on your compliance journey.
  2.  Data Mapping. Our consultants review the findings collected and proceed to establishing a data map. We paint the picture of data collected, how you use it, what purposes it serves, who and why accesses this data, and how long the data is kept. The outcome provides the organisation with a baseline compliance document in the form of GDPR’s Art. 30 Records of processing activities.
  3. Report Drafting. With a solid data map, our consultants proceed to the assessment reports which comprises 5 parts:

                      – background information of the organisation provide a context for the data processing;
                      – a summary of relevant legal requirements to set a benchmark against which to assess compliance;
                      – a detailed description of the current state of compliance;
                      – a list of compliance risks resulting from the gap between the requirements and the practices;
                      – a prioritised list of action items to raise the level of compliance.

The price, complexity, and level of details depend on the size and stage of the company. For early-stage projects, the assessment is usually quick and lasts from 3 to 6 weeks. More complex projects involving complex data sets and innovative technology take up to 12 weeks.

So what outcomes can I expect?

  1. A clearer understanding of GDPR rule, my accountability, and liability;
  2. The mapping of my data flows. It takes the form of records of processing activities (ROPA). Among others, ROPA provides roles and responsibilities, risks, and a list of third parties processing data on your behalf;
  3. A review of my exposure to privacy risks related to my use of technology and suppliers;
  4. Deep insight into my current state of compliance;
  5. Prioritised recommendations and an action plan for further efforts.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Legal Nodes Team
&
TechGDPR

Legal Nodes Blog

Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills
Privacy (GDPR)
Privacy Policy: Everything you need to know

Privacy Policy (or Privacy Notice) is a public legal statement of the company. It explains how the organisation uses information about its users, customers, or employees....

Legal Nodes Team
Privacy (GDPR)
Initial Privacy Assessment: Everything You Need to Know

A privacy assessment is a methodic review of your state of compliance with personal data protection laws....

Legal Nodes Team
Legal Nodes Updates
Legal Nodes Secures the $50k Grant from the Ukrainian Startup Fund Pitching Competition

We are delighted to announce that Legal Nodes scored the highest during the fifth Ukrainian Startup Fund pitching competition and was awarded a $50k Grant. ...

Legal Nodes Team
Privacy (GDPR)
Privacy Kit: Website and Apps solution

Privacy Kit is a standardised set of documents for a website or an app....

Legal Nodes Team
Privacy (GDPR)
Ultimate Privacy Compliance Guide

Legal Nodes presents a guide to privacy compliance. Privacy laws deal with the protection of personal identifiers, such as a name, email or IP-address (personally identifiable information), as well as with any information about individuals that ...

Legal Nodes Team
FinTech
Not everyone can do everything: Things FinTech businesses should keep their eye on

5 practical recommendations for FinTech businesses from a regulatory and compliance expert....

Lamara von Albertini, PhD