GDPR service providers: whom should you choose?

Captivea LLC, Sébastien RISS

GDPR is the hot topic for the early part of this year. The new General Data Protection Regulation aims to harmonize the governance applied to personal data at a European level. Effective May 28, 2018, all businesses that process the personal data of any European citizen must comply with GDPR. Nevertheless, many chief executives find themselves at an impasse. They are wondering what they can do to comply. Indeed, at the moment, there is very little concrete information in any of the literature that you can find on the topic. The first question to ask, therefore, is: who can I contact to start the process?


Your best ally in a GDPR project: an IT service provider

Complying with the GDPR can seem like a daunting task: some people will even wonder whether it would ultimately be better to do nothing at all. Indeed, setting out on this kind of venture can be very challenging if you attempt to do so alone, but with the right support, this compliance process should no longer be anything to worry about. 

To ensure you get off on the right foot, we recommend that you engage the services of an IT consultancy in the first instance. It is preferable to approach this kind of business first, as opposed to a law firm. The IT consultancy can carry out an in-depth audit of your IT, identify the current governance process that applies to personal data in your environment, and complete the famous data mapping that the Regulation demands. A law firm, whose services you can engage as part of a second project phase, will therefore have a tangible basis to work from and be able to provide more specific advice.

In choosing this IT service provider, you have several options: an IT and audit consultancy, a system integrator with a pure consulting focus, or the solution that we recommend: a business that blends both skill sets. Technological and operational skills, as well as the ability to provide strategic advice on the best course of action, are essential elements of your GDPR project.

Of course, service providers who "cover all the bases" are plentiful, so there is nothing quite as effective in differentiating them as an in-depth verification of their skills in respect of GDPR. Browse their website, ask questions about the methodology that they follow (and if there isn't one, you can stop right there and move on), ask for references, etc. An IT service provider that has only published one or two updates on the approach of the big day cannot be the best partner to address the issue.

An essential partner: your legal adviser

As we started to discuss in the previous section, contacting a law firm is an essential step in your preparation for GDPR. The IT service provider whom you have chosen may, in fact, not be in a position to guide you in relation to the purely legal aspects, such as reviewing your contracts or managing your relationships with suppliers from a regulatory perspective.

If you already use the services of a lawyer or legal adviser, or if you have an in-house legal service, you can, of course, decide to use their services. Nevertheless, this approach is not risk-free: your existing advisers may not be fully up to speed with the challenges of GDPR or may not be sufficiently objective in studying your case or its implications for your business.

The ideal approach, therefore, is to use an external firm that can be absolutely neutral, familiar with the issues posed by GDPR, and the complexity of your IT. Indeed, this regulation relates to the governance of personal data and affects the entire technological landscape of your business: a basic knowledge of ERP, CRM, etc., is, therefore, a minimum requirement. Your IT service provider should be able to advise you on locating a legal adviser who has these skills. This will ensure that your appointed firm has already worked on this kind of matter and, above all, ensure that there is an effective working relationship between both parties.

Then, because your IT service provider will already have completed its audit and data mapping work, you will be able to provide your legal adviser with a full background file. From that point onward, your adviser will be able to start assessing the impact of the new regulation on your data and how it is processed, as well as revising your contracts, etc.

As you will appreciate, compliance with the GDPR is not a task to handle alone. Experts are here to help you. The indispensable and indivisible skills of an IT service provider and a law firm are both crucial to meeting the fateful day of May 25, 2018, with a calm and measured approach.
