Data Protection

Background
All companies, associations and organizations that process personal data must comply with the data protection regulation, GDPR, in a manner adapted by the business. GDPR places great demands on each organization regarding documentation and routines. It can at the same time generate uncertainty regarding what is allowed to do with the internal information that consist of personal data. The broad scope of GDPR and the ambition from authorities to regulate all processing of personal data can lead to uncertainty among organizations regarding what applies and how to act. Since a few years has passed since GDPR came into force, this might be time to review the implementation to see that all went as planned and all parts of the regulation is adapted. Through the expanding digitalization the usage of personal data is changing, making it even more important for organizations to assess privacy risks as soon as possible in the internal processes.

How we can help
We help our clients build trust in the market by protecting personal data. With a large network of experienced privacy specialist from a wide range of markets we focus on each customer’s needs, making privacy a natural part of our customers core business.  

• • Get control over your personal data
  • Improve data management effectiveness
  • Enable regulatory compliance
  • Protect personal data to enable your business strategic objectives
  • Use GDPR as a tool in your business development

Services provided

• Data Protection Officer – interim, outsourced or as a service depending on your needs and the size of your organization.
• Inventory and mapping of data flows
• Maturity Assessment regarding data protection – we analyze your current compliance with the GDPR, deliver a documentation of the current status with recommendations of measures to increase your degree of maturity against set goals.
• Support in implementation of identified measures to comply with GDPR.
• Support in Data Privacy Impact Assessments (DPIAs) and legal assessment of processing to make sure sufficient measures are taken for  protecting personal data.
• Training regarding data protection regulation – customized training through e-learning, on-site or digital by using Teams or similar solution
• Analyze of third-party risks to assess the risks connected to personal data.
• Schrems II – analyze and assessment of transfers of personal data to organizations within or connected to countries outside of EU and EES. 
• Incident management – support in managing incidents, establishing internal incident reporting routines and support in testing said routines
• Development of policies, instructions, or guidelines – with support from Regulatory Framework Application to make the process more effective when it comes to the internal regulatory framework.
• Assess and develop tour business ROPA (Register of processing activities).

Track record
International industrial group – Interim assignment – Privacy Support
While the Group’s Chief Compliance Officer/ Data Protection Coordinator was on parental leave, a Transcendent Group consultant supported the organization by continuously assisting internal customers with advice and deliveries linked to the company’s data protection program. In close cooperation with the Information Security and Legal departments and direct communication with the business organization in various countries, the assignment included support in connection with data protection agreements, register of processing activities, risk analysis and transfer impact assessments of new systems and processes including organizational and technical protection measures. Our consultant helped bridging the absence of the internal DPO by monitoring and documenting compliance with the internal processes and GDPR requirements as well as improving processes and steering documents, adapting the established framework to ensure continued compliance with changing requirements and best practice.

Maturity Assessment
An organization struggling to implement GDPR in their line of business reached out to Transcendent Group for help establishing a data protection program compliant with external regulations. After performing a maturity assessment presented to the Board of Directors, they could easily decide the desired level of maturity to reach. With a clear activity plan, in line with the decided goal of maturity, the organization was given an approval from internal audit that they were compliant with GDPR. Transcendent Group could then help the organization with an outsourced DPO to secure the ongoing work with data protection.

Incident management
A popular e-commerce and lifestyle company was in the late 2020 subjected to a malicious cyber-attack resulting in a large-scale incident involving its customer data. The Company turned to Transcendent Group to help them manage the entire incident together with internal resources. Our experienced privacy red team, which include expert privacy lawyers, IT-forensics and information security consultants took the lead to investigate, communicate and to provide a mitigation plan to prevent future similar attacks. The client then returned and once again reached out to Transcendent Group for help to reduce the impact of another critical personal data breach and help with firm guidance on handling the incident. Transcendent Group assisted the client with notification to the supervising authority, communication with data subjects and media and IT-forensics and post-incident information security measures. At every turn Transcendent group and its expert knew what to do and, provided much needed direct guidance to top management at the client, which helped them navigate and lessen the overall impact of the incident.

Data Protection Officer (DPO)

Holding the role as a Data Protection Officer (DPO) is complex and can sometimes be seen by the organization as a function that holds back the internal work. But the more organizations increase their maturity, one can also be reached by the realization that the DPO can be seen as an asset that enables effective development work. By appointing a DPO the organization can be transparent to the fact that privacy and the protection of integrity of the data subject is an important part of doing business.

Data Protection Impact Assessment (DPIA)

When processing personal data that may entail a high risk for the individual organizations must implement routines and processes to mitigate those risk. With a well performed Data Protection Impact Assessment (DPIA), the organization can describe the processing, assess whether it is necessary and proportionate and get support in ensuring that the risks of the processing of the personal data are identified, resulting in measures to minimize these risks before they occur.

General Data Protection Regulation (GDPR)

All organizations that are handling personal data have the obligation to apply the General Data Protection Regulation, GDPR, to make sure that the fundamental rights and freedoms of individuals and their personal data are protected. Supported by the GDPR, personal data can flow freely within the EU while human rights are secured. Sharing personal data makes it easier for individuals and organizations to meet their needs and perform their obligations. But most important is that it provides data subjects with tools and measures to use against to exercise their rights stated in GDPR.