How to kickstart a successful GDPR program.


A new privacy and data protection regime applies from May 25, 2018, imposing strict fines of up to € 20 million and 4% of global group turnover. Getting ready for the GDPR (General Data Protection Regulation) is not a one-off project; it requires an in-depth analysis of the company's assets and needs. The number and complexity of the requirements force most medium-to-large European businesses to develop a real Program of initiatives immediately, aimed at identifying and implementing the many organizational and technical controls in time while balancing time and budget.

Reply can leverage its long-standing experience in GRC (Governance, Risk and Compliance) and Data Protection initiatives to help customers build a complete GDPR Program based on three key components: people, policies and processes.

Reply GDPR Program

Supported by appropriate data protection controls and technical solutions, the program aims to remediate any compliance gap which, after May 2018, could expose the company to unbearable administrative sanctions.

Reply designs and implements GDPR Programs and supports its customers throughout the compliance journey. First, supported by assessment tools and questionnaires, it helps customers identify the maturity level of their current privacy management system and highlight the areas needing the most urgent action, which typically lead to the remediation plans. Second, it helps customers implement a governance system based on defined roles and responsibilities and on technical, organizational and legal security measures. Finally, putting itself in the shoes of a Data Protection Authority, it double-checks that the governance framework is coherent and consistent.

How to set the right priorities for the GDPR Program?

Discover the key points for setting the right priorities.

Analyze company processes in order to identify the personal data processing activities, their purposes, and the ICT assets supporting the processing of that data. This analysis makes it possible to update the Registry of processing activities and the ICT asset inventory as necessary.

Identify the risk level tied to current business activities by carrying out DPIA (Data Protection Impact Assessment) activities and Security Assessments on the in-scope ICT assets that support the processing of critical data. These activities help identify the remediation priorities and mitigate the risk of a data breach.

Assess data governance processes in order to verify how consents are actually recorded and whether the personal data of a customer (structured and unstructured) can be retrieved across all ICT assets. Failure to meet these requirements would expose organizations to real risks of unlawful processing and lost revenue due to a likely temporary halt of processing activities imposed by the Authority, in addition to the risk of strict fines.