Our client provides a software-as-a-service platform to manufacturers in the fashion industry. They asked us to help them with GDPR compliance.
Context and Challenge
Our client was a business owned and run by two individuals. It had been trading for 15 years and had become very successful. The directors knew that they needed to be GDPR compliant, but they were dreading embarking on all the work (and incurring the cost) that they thought it would entail. While they wanted to do things properly, they also didn’t want to be overly distracted by what they envisaged would be a lot of compliance work.
Process and Insight
In fact the client’s data processing activities were quite straightforward, which is the case for the majority of businesses. We ended up having four face-to-face meetings with the client, most of that time being spent creating a schedule (a data map) that set out what personal data our client collected, where it was held, who had access to it, the security measures in place around it, and so on. Essentially, we listened to our client explaining their processes, then went away and drafted all the policies they needed, along with some recommendations which we implemented.
We also reviewed the client’s standard SaaS contract and the contracts that they had with their suppliers to understand how these needed to be updated.
There was very little that the client ended up needing to do – we did the heavy lifting and got on with things.
Having created the data map, we were able to draft the policies and notices that the client needed, for example their data protection policy, data retention policy, fair processing notice to staff, data standard, data breach reporting policy, etc. We also updated their standard SaaS agreement to include appropriate data processing clauses, and we arranged for some of their suppliers to enter into appropriate data processor contracts.
Our client ended up with appropriate data policies and notices in place. They were already behaving in a responsible manner with the data that they collected so very little change was needed in the way that they were operating. The whole exercise was pretty painless – much to our client’s relief!