PROJECT DETAIL | US-based surgical device company. The project delivered the strategy, development and implementation of the client's GDPR (General Data Protection Regulation) compliance. Team of 3 for 3 months. |
DESCRIPTION | The Client operates across Europe through a network of 8 main subsidiaries, a further 13 offices and several independent distributors, with all manufacturing located in-house in the US. Personal data of medical practitioners, patients, and client employees is collected, transferred, processed and stored both within and beyond the EU. Our client required Ownet to provide hands-on consulting to ensure full GDPR compliance by the EU deadline date with ongoing processes and procedures to maintain this state after this deadline. |
APPROACH | This industry-leading company has grown both sales and profits very successfully over half a century through a combination of innovative product development and tactical acquisition of key distribution networks. In recent years this growth had accelerated, and consequently there were no standard documented operating procedures for the handling and storage of Personal Data, only a number of local interpretations. Our team started by reviewing in detail all the types of Personal Data collected by each European subsidiary, and how this data was processed, stored and transferred. Process maps were created to identify any process variations and any control gaps. From these, a set of standard procedures was agreed with the client and fully documented. The next step was to ensure full GDPR compliance. This included identifying the main establishment in Europe for GDPR regulatory purposes, appointing a Data Protection Officer, and ensuring that all data processors used by our client were also fully GDPR compliant. A major deliverable from this activity was the publication of an updated Privacy Policy. Our client was also able to successfully certify with the US Dept of Commerce Privacy Shield for the safe transfer of Personal Data between the EU/Switzerland and the US. Finally, training was developed and delivered to all client staff handling any EU Personal Data, and controls were put in place to ensure ongoing GDPR compliance. Following full handover to the client, it was agreed that Ownet will provide the client with ongoing consulting support to ensure the newly established controls over Personal Data are maintained, updated and tested regularly. |
BENEFIT AND OUTCOME | Any company handling EU Personal Data that is not GDPR compliant can be fined 4% of worldwide sales or Euro 20 million (whichever is higher). There is also a huge risk of reputational damage if Personal Data is lost, stolen or misused. Our client is no longer exposed to these risks, thanks to a fully documented and implemented GDPR strategy. In addition, standard procedures are now in place and fully documented across the business. |