Privacy (GDPR)

Initial Privacy Assessment: Everything You Need to Know

What is a privacy assessment?

A privacy assessment is a methodical review of your state of compliance with personal data protection laws. An initial privacy assessment is often your first step on the road to GDPR compliance. Compliance under the GDPR is to be seen as a continuum where perfection can be pursued but not achieved. Organisations with the lowest compliance grade have very little control over data flows. They show little accountability and have never carried out due diligence on their software or cloud suppliers.

High compliance results from (this list is not exhaustive):

  1. documented processes and flows of data processing;
  2. accessible records of processing activities and policies;
  3. assignment of data owners and privacy champions within teams;
  4. a high degree of awareness and training within the organisation;
  5. security controls and management reviews;
  6. a high level of traceability and documented decision making within the company;
  7. acute ability to respond in time to data subject requests;
  8. little-to-no risk of creating a data breach when helping data subjects exercise their rights;
  9. first and second party audits, openness to carry out third-party audits.

The main goal of the privacy assessment is to determine the company’s current compliance grade. Once that grade is known, the next step is to create a roadmap of the activities needed to pursue GDPR/privacy compliance.

Why would you need a privacy assessment?

The first reason to run a privacy assessment is to ensure that you have a starting point for that dreaded inspection or data subject request. Small young companies start with an assessment as well, since early partners and investors expect them to be “GDPR compliant”.

Unless you are a data protection officer or a lawyer who understands technology, it is challenging to have a full compliance picture. If a regulatory body comes knocking tomorrow, where will you start searching for your documentation?

A compliance report delivers a structured and independent analysis of what to do to raise your level of privacy protection. If you put in place the recommendations from the report, you are less likely to receive a complaint from a data subject. Otherwise, a complaint can turn into an inspection by a competent authority, and the audit done by the authority may lead to the discovery of unlawful processing of data and a fine. The average fine for SMEs in the EU amounts to 5000-30000 euros.

What does it look like?

The compliance assessment happens in 3 steps.

  1. Discovery phase. At this point, we meet the team and guide them to investigate within their own practices. The discovery phase is a workshop around the GDPR and an analysis of business processes using the GDPR Canvas. This is the perfect chance to uncover data sets, tools, and practices in your company. The discovery allows you to shed some misconceptions and paint a clearer picture of the road ahead on your compliance journey.
  2. Data Mapping. Our consultants review the findings collected and proceed to establish a data map. We paint the picture of the data collected, how you use it, what purposes it serves, who accesses this data and why, and how long the data is kept. The outcome provides the organisation with a baseline compliance document in the form of GDPR Art. 30 Records of processing activities.
  3. Report Drafting. With a solid data map, our consultants proceed to the assessment report, which comprises 5 parts:

     – background information on the organisation to provide a context for the data processing;
     – a summary of relevant legal requirements to set a benchmark against which to assess compliance;
     – a detailed description of the current state of compliance;
     – a list of compliance risks resulting from the gap between the requirements and the practices;
     – a prioritised list of action items to raise the level of compliance.

The price, complexity, and level of detail depend on the size and stage of the company. For early-stage projects, the assessment is usually quick and lasts from 3 to 6 weeks. More complex projects involving complex data sets and innovative technology take up to 12 weeks.

So what outcomes can I expect?

  1. A clearer understanding of the GDPR rules, my accountability, and my liability;
  2. The mapping of my data flows. It takes the form of records of processing activities (ROPA). Among other things, the ROPA lists roles and responsibilities, risks, and the third parties processing data on your behalf;
  3. A review of my exposure to privacy risks related to my use of technology and suppliers;
  4. Deep insight into my current state of compliance;
  5. Prioritised recommendations and an action plan for further efforts.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Legal Nodes Team
