GDPR Consultancy Services

Conducting a Gap Analysis

One of VERITAS’s most popular services is its 2- or 3-day high-level GDPR gap analysis, which will help you understand your current level of GDPR compliance, identify gaps and vulnerabilities, and establish and implement a prioritized action plan. The gap analysis can be conducted remotely or on-site and typically involves interviews with pre-agreed personnel and a high-level documentation review. VERITAS will be looking to understand how you process personal data in each area of your business, the measures you have in place, and your relationships with third parties, including contractual data protection requirements.

Remediation Support

Having completed a gap analysis of your organization’s level of GDPR compliance, VERITAS can provide pragmatic and tailored support in addressing the gaps it finds. This may mean helping you develop an overarching data protection policy, or one or more of the supporting policies or processes surrounding data retention, data subject rights, third-party (data processor) supplier management, and data breach management. Or it may mean helping you develop or refine your data retention schedules, privacy notices, or your record of processing activities (ROPA). Whatever your requirement, VERITAS can help with all areas of your remediation plan.

Prioritization of Suppliers

VERITAS can support you in auditing your suppliers and other third parties (confusingly referred to as second-party audits!). The first step is helping you understand how much you rely on each third party and the importance of its services to your organization. Understanding the risks that individual third parties present to your business from an information security, business continuity, and quality perspective will help you prioritize your second-party audits.

Data Protection Impact Assessments (DPIAs)

A data protection impact assessment (DPIA) is a process to help you identify and minimize risks associated with processing personal data. Conducting DPIAs has long been considered a best practice activity, but it has taken on greater significance with the GDPR, where DPIAs are mandatory for any processing that is likely to result in a high risk to individuals. Conducting DPIAs will also reduce the probability of data loss or of breaching data subject rights and freedoms. An effective DPIA can also bring broader compliance, financial, and reputational benefits, helping you demonstrate accountability and build trust and engagement with individuals, and should become standard practice in every organization. VERITAS’s consultants are able to advise you on where you should be conducting DPIAs but, more importantly, on how to conduct them and what the outputs should be, e.g., identifying and assessing risks to individuals, taking into account both the likelihood and severity of any risk, as well as identifying any additional measures to mitigate those risks. VERITAS’s team can also provide a review service to ensure you take the right actions.

Producing records of processing activities (ROPAs)

As seen with the mandatory requirement to conduct DPIAs, the GDPR is a heavily risk-based law. However, many organizations are missing one of the best tools for identifying data risk in their processing, i.e., a record of processing activities (or ROPA), despite it being a statutory requirement for most organizations under Article 30. VERITAS believes a ROPA should be front and center of any controller’s DP compliance effort. VERITAS has helped a number of organizations develop their ROPAs and, once developed, can help you identify not just the risky processing but also the mitigating steps that can be taken to control those risks. It’s worth remembering that the ROPA will be one of the first compliance documents requested by the regulator in case of a data breach.


Why choose VERITAS?

Value

When it comes to creating value in certification, VERITAS is ahead of the curve. Unlike others, we look beyond "Stage 1 and Stage 2" to be your business partner at every stage of your management system life cycle. From sharing best practices and new industry requirements to assessing your performance against your own objectives, we are dedicated to providing audit results that address your business needs and benefit the organization.

Approach

Our highly experienced consultants will expertly guide you through ISO certification. In addition to certification, we will equip you with the knowledge and tools necessary to unlock the full potential that your business deserves.

Execution

We guide you through the entire certification process until certification is achieved.