The Problem
NeoPR did not have a formal, overall understanding of the personal data it processes. A number of its corporate and operational processes and policies were either not in writing or nonexistent, including some with respect to IT security. The company did not have a clear understanding of its corporate and IT systems, including with respect to the services provided by third-party vendors.
What We Did
D2LT interviewed relevant stakeholders within NeoPR to better understand the company’s activities and the personal data processed in each context and related internal data flows. We inventoried all internal formal and informal processes and policies currently in place, internal standard contracts and forms, as well as all third-party contracts with various service providers used by NeoPR.
On the basis of the interviews conducted and documentation gathered, we produced a detailed personal data inventory cataloguing the personal data processed in each of NeoPR’s business activities (including HR, client service, marketing their own services, business development, as well as IT systems – across all company verticals). We furthermore produced a comprehensive report that:
- Set out the current state at NeoPR, including the company’s data inventory and flow map, internal organisational legal documentation in relation to the collection and processing of personal data (including template employee and client contracts, forms, etc.), internal policies and procedures relevant to the processing of personal data, as well as contractual documentation with third-party service providers that process personal data on behalf of NeoPR.
- Set out a detailed analysis of the gaps between the identified current state and the compliance requirements under the GDPR.
- Set out practical remediation recommendations in relation to all gaps identified, as well as a roadmap to help NeoPR implement the recommendations.
We assisted NeoPR in implementing the immediately-executable recommendations set out in our Report, including updating various consent and other privacy notices and creating new relevant internal policies in relation to NeoPR’s personal data processing activities:
- Internal Privacy Policy
- Online Privacy Policy
- Cookies Policy
- Data Retention Policy
- IT Security Policy