Our consultants can effectively intervene in and manage all sectors: corporate, banking, healthcare, associations and public administration. Likewise, they are able to understand and manage the bureaucracy of GDPR compliance for SMEs, large enterprises and multinational corporations. All team members have completed the “Master of Certification and Specialization for Privacy Consultants and Privacy Officers.”
This is a list of all the services you will have available to you:
“GDPR Audit” and Declaration of Compliance with European Regulation 2016/679.
As a result of the activities carried out by our certified consultants, a document (GDPR Audit) will be issued indicating existing, achieved or missing compliance, together with the corrective and improvement actions required.
The GDPR Audit will be updated from year to year during the annual check session and will document the corporate assessment.
Gap Analysis European Regulation 2016/679
To give the client an initial and general assessment of its needs, a gap analysis can be conducted by means of meetings of one or more days, as needed to verify the status of the obligations to which the client is subject:
- Disclosures to data subjects and management of processing consents
- Identification of internal figures (persons in charge of specific duties and functions, i.e. internal coordinators/managers, Designated Officers, System Administrators, Data Protection Officer) and external figures (External Managers)
- Instruction/training to be given to those assigned to specific duties and functions (internal coordinators/managers), designated employees, and system administrators
- Adoption of security measures
- Drafting of the treatment register
- Data breach management
- Management of data subjects’ rights
- Miscellaneous (e.g. video surveillance, website, social media, marketing, geolocation, etc.)
The ways in which the client has carried out these compliances are then examined, identifying any deficiencies or lack of compliance. Based on the information gathered, a report can be prepared that allows the client to check what the deviations are between the evidence gathered during the interviews and the applicable regulations.
Adaptation to the European Regulation 2016/679
Together with the client, a consulting plan is prepared and a strategy is studied with the aim of achieving full compliance with European Regulation 2016/679, Legislative Decree 101/2018, the opinions, decisions and other documents on personal data protection issued by the European Data Protection Board (EDPB), the data protection laws of the Member States where applicable to the client, the policies, opinions, decisions and other documents issued by the local competent Supervisory Authority, and the orders issued by the National Data Protection Authority.
The consulting plan enables the client to process data correctly and thus develop their business better.
- Identification of processing (data mapping, source and purpose)
- Mapping of archives and verification of measures taken with indication of risk values
- Implementation of the principles of privacy by design and by default
- Drafting of agreements for External Managers (including Extra-EU), designation of persons in charge of specific duties and functions (internal coordinators/managers), designated officers, system administrators, and the Data Protection Officer (if any)
- Preparation of policies and disclosures addressed to various stakeholders (suppliers, customers, agents, consultants, etc.)
- Preparation of disclosures addressed to employees, job applicants submitting resumes, temporary workers, interns and/or trainees and any other type of interested party, and of the policy necessary for proper management of disclosures and company tools in line with the provisions of the Workers’ Statute
- Preparation of policy and disclosures addressed to clients and potential clients for proper management/consent collection
- Preparation of the treatment register
- Preparation of the policy for the management of data subjects’ rights
- Preparation of policy for handling personal data breaches
- Staff training and continuing education, organization of events, seminars and conferences
- Checking and adapting the company website (if any)
- Verification and adjustment of video surveillance, biometrics, geolocation (if any)
- Opinion on the issues of data retention time and measures to be taken
- Other types of documentation and/or insights that emerged from the consultation plan
Even after the entry into force of the European Regulation, the Supervisor’s Order of April 8, 2010 remains in force. Proper installation of cameras and recording equipment and proper drafting of the documentation allow the Holder to use the images without incurring penalties. If, on the contrary, the images were acquired without following the procedure, they are unusable for evidentiary or other purposes. The consulting service includes the verification and/or preparation of the mandatory documentation for managing compliance with the current Supervisor’s Order, through the drafting of the mandatory documents, such as:
- Preliminary analysis
- Preliminary authorization (if required)
- Appointments of managers and appointees
- Rules of Procedure
- Positioning of Cameras and Duration of Recordings
- Security measures
Training activities aimed at designated employees are one of the obligations under the European Regulation (Art. 32 and Art. 28). In addition, any internal changes must be followed by updated staff training. The service is provided at the client’s premises or at CAST’s headquarters; refresher and training courses can also be organized specifically for each type of designated employee (persons assigned specific duties and functions, i.e. internal coordinators/managers, marketing, staff, system administrators). During the course, issues on the processing and security of personal data are covered and instructions on how to process them are given. Typical contents of a basic training intervention include:
- The principles and definitions of European Regulation 2016/679
- The main figures: data subjects, Data Protection Officer, Data Processors, persons assigned specific duties and functions (internal coordinators/managers), designated employees, and System Administrators
- The obligation to provide information and collect consent
- Instructions to employees (including use of client’s equipment, internet, e-mail, mobile, etc.)
- The adoption of security measures and consequent behaviors
- The internal management of data subjects’ rights
- The internal management of personal data breaches
At the end of the training sessions, each participant is given a questionnaire to complete. Incorrect answers are reported by the consultant directly to the participant. At the request of the Holder, a training certificate valid for the purposes of European Regulation 2016/679 may also be issued to each participant.
Training can, moreover, be tailored to specific client requests and needs and is characterized by a highly concrete, problem-solving approach.
The collection of data for marketing purposes must necessarily follow the criteria outlined in current regulations. Compliance with regulations allows the client to avoid errors, inaccuracies, and omissions that directly expose them to heavy penalties and to possible total or partial deletion of the database held by the company. The consultancy aims to shed light on the correct ways to collect data, carry out profiling, and manage e-commerce, CRM and projects involving targeted advertising, targeting and online behavioral advertising.
Data Protection Officer
CAST offers the service of Data Protection Officer with an experienced team that will perform on behalf of the client the tasks required by Art. 39 of the GDPR.
The services offered, by way of example, are:
- Inform and advise on obligations under current regulations
- Oversee compliance with the European Regulation and with other national regulations
- Supervise that the Data Controller complies with the requirements of the European Regulation and raise awareness among its employees
- Provide advice on the data protection impact assessment and oversee its conduct
- Cooperate with the supervisory authority and serve as its point of contact, including in cases of prior consultation and personal data breaches.
GDPR Post-Compliance Support Services
In order to enable continuous and proper management of regulatory compliance and developments, CAST provides an annual support service that includes:
- Consulting/assistance at the client’s site or at CAST headquarters for document verification, regulatory adjustments, and training of designated employees
- Deadline management
- Annual telephone/e-mail support and counseling
- Free participation in our refresher seminars valid for mandatory training
- Data protection newsletter: news, regulatory adjustments, solved practical cases, pronouncements on the European Regulation, etc.
On-demand counseling (on documentation already in the client’s possession) at the client’s location or via computer
On-demand consulting involves the provision of all services necessary to achieve compliance with the requirements of the European Regulation: verification and correction of documentation already used by the client, and generation of any missing mandatory documentation. For more details on the activities, please refer to “Compliance with European Regulation 2016/679.”
Counseling through the use of Privacylab software (including remotely)
Since 2004 CAST, in addition to offering ad hoc consulting services for every need and all the services necessary for compliance with the European Regulation and current regulations (see “Compliance with the European Regulation 2016/679”), has supported clients with the Privacylab product, which simplifies the generation of the documentation required by European Regulation 2016/679. The product was chosen to keep consulting costs down and to give clients up-to-date records management.
To cut down on travel costs, all consulting and/or support services can be delivered through the use of video conferencing tools, such as Skype, Meet, Teams, etc.
In an increasingly complex regulatory environment involving cross-cutting responsibilities, more and more companies want to provide integrated services to their clients.
The Privacy Division is able to assist companies that wish to include quality privacy consulting as part of their integrated services.
The autonomy, experience and skills demonstrated over the years allow us to propose various formulas of collaboration:
- Consulting on behalf of the requesting company, either on-site or at the client’s premises;
- Consulting directly and on behalf of the requesting company, either on-site or at the client’s premises.
In addition, we offer our cooperation to privacy consultants outside the Privacylab circuit to give them assistance in using the software and certified consultations.