Any company that collects or processes information that can, directly or indirectly, identify an individual in the EU is required to meet regulatory standards to ensure that information is protected, and to give rights to the individuals to whom it came from. Unlike most privacy standards in the United States that balance privacy rights between individuals and businesses, the European Union considers the privacy, including personal data, of its citizens to be a human right. Under the 2016 General Data Protection Regulation (GDPR) and ePrivacy Directive, organizations must comply with collection, security, and management requirements of this data regardless of where the organization is established.
CBIZ has an understanding of how these data privacy regulations extend beyond standard U.S. information privacy and security requirements. We back each of our national cybersecurity experts with international professionals through Kreston International to create the right mix of people and resources to meet your compliance needs.
CBIZ provides a number of services to help our clients minimize their global cyber risk exposure and sustain compliance, including:
- Discovery of Data — Working with your organization to understand and document the lifecycle of your organization's data capture, processing, archiving, and removal procedures resulting in an inventory of your data in a centralized, easy to manage, and maintainable format. This will also include the mapping of cross border data sharing activities which will need to be evaluated per the adequacy rules of GDPR. We also perform an initial assessment of GDPR-applicability based on the data existing in your environment, including assessing whether processing of that data seems necessary to business based on its current purpose.
- Navigate and Remediate Legal Compliance — Working with our law firm network or identified legal resources from within your organization, we will assist in guiding you through the legal hurdle of confirming whether GDPR-applicable data was, or is, being captured based on an appropriate legal basis in accordance with Article 5 of GDPR. We will work with your teams to remediate identified areas, including, but not limited to, the erasure of existing data determined to be unlawfully collected/processed, updating data capture methods, and updating privacy notice language and format.
Further, CBIZ will work with your organization to address the documentation compliance requirements including maintaining records of data processing activities, evidencing "Privacy by Design" integration, performing Data Protection Impact Assessments (DPIAs), and evidencing the six principles of processing per Article 5:
- Lawfulness, fairness and transparency
- Purpose Limitation
- Data Minimization
- Storage Limitation
- Integrity and Confidentiality
- Assess and Remediate Security Compliance — Our IT Risk and Security professionals will perform an analysis of existing security controls against the Center for Information Security's recommended suite of 20 critical controls. We have adopted this framework as it has been effectively mapped to industry accepted security frameworks including, but not limited to, ISO 27000 and 27001, NIST 800-20 and 53, and BR 100:12 2017, and allows us to assess security risk and control coverage as it relates to each organization individually. Using this framework will address the requirement of having a risk-based security strategy per GDPR Articles 25-35.
We can perform an assessment of your organization's existing processes and procedures, mapping them to the CIS framework, to assess the current level of risk mitigation leading to a coverage gap summary. The resulting report of this assessment provides language which can be formalized into your organization's controls and policies, as well as providing your organization with a benchmark for improved coverage and remediation. We then will aid your organization in developing a prioritized remediation road map to meet the compliance goals.
- Develop and Implement Measures to Address Rights of Individuals — We will aid your organization in developing programs and procedural documentation to effectively address when a covered person(s) initiates a request to your organization based on their rights under Articles 12-22, and 34, under GDPR. These rights include:
- Article 12-14: Right of transparent communication and information
- Article 15: Right of access
- Article 16: Right of rectification
- Article 17: Right of erasure ('right to be forgotten')
- Article 18: Right to restriction of processing
- Article 19: Obligation to notify recipients
- Article 20: Right to data portability
- Article 21: Right to object
- Article 22: Right to not be subject to automated decision-making (to profiling)
- Article 34: Right to notification in the event of a breach which may cause harm
- Provide a Service of Data Protection Officer — We will aid your organization in identifying the applicability of a DPO as a requirement based on your GDPR scope. Our network of professionals can then be leveraged to outsource this role based on the following principals:
- Accessibility in language, location, and response time. Through our service, we guarantee providing the right individual fit for your organization to meet each of these needs will be met – this includes providing a network of professionals in such a situation as needing multiple language expertise.
- Independent which means they cannot be fired for doing their job and cannot be influenced by Management. They also must be provided with a direct line to upper management. Our professionals have experience working in roles of compliance both internally and externally, and communicating with upper management.
- Our professionals have qualified experience and competence, including credentials from qualified Privacy Professional organizations. We provide our own continued learning to meet the requirement of continually being the best informed on the latest in the GDPR.
- We will also get to know your organization, and with our combined industry expertise, can meet the requirement of providing relevant risk perspectives.