Overview
We were engaged by a due diligence services provider to help then with GDPR compliance. Our client provided services to major law firms, banks and other organisations.
Context and Challenge
Our client was a high growth start-up with a significant client base from the get-go so they had to catch up quickly to put appropriate GDPR compliance measures in place. Not only did we have to work quickly, we also had to undertake complex analysis of their true position as a controller/processor under data protection laws and advise on the best way to structure things for them. Their work was international and involved working with large organisations.
Process and Insight
We spent time at the outset listening to our client about how they conducted their business and what they wanted to achieve. We created a data map containing information about the personal data that our client collected, where it was stored, how it was collected, who had access to it, the security measures in place etc. We looked at what other service providers in the industry were doing and saw that at the time (summer of 2018) different providers were taking different approaches. There was also a lot of discussion in the industry around how compliance with GDPR potentially clashed with compliance with Anti-Money Laundering Regulations and the Bribery Act. The Data Protection Act, when it came into effect, cleared some of these issues up.
As part of the process we reviewed the operations of our client’s group companies and identified a structuring issue on the set up of an entity in the UAE which our client was then able to resolve.
Solution
Although, at that time, many due diligence service providers saw themselves as processors, from the analysis we did and talking to our contacts in this area, we felt that these businesses were more likely to fall under the category of joint controllers of personal data. This is now the more accepted position.
Having compiled the data map and agreed on structures with our client we then drafted all the policies and notices that our client needed, for example, website privacy notice, staff fair processing notice, data retention policy, privacy policy for staff to comply with. We also drafted data transfer agreements to deal with flows of data between the client’s group companies and we also updated our client’s standard contracts for services.
Result
From the work that we did our client was able to get GDPR compliant quickly and establish a place in the market as being forward thinking, professional and meeting the needs of its own clients. As a result our client was able to bring large organisations on board and grow its business.