Case Studies

Trust Fort Privacy to take care of all of your GDPR Compliance and Data Protection needs.

We understand that compliance with Data Protection legislation is difficult to navigate and we know that noncompliance can seriously affect the growth and success of your business.

Fort Privacy have years of hands-on, Data Protection expertise with companies just like yours.

Governance

The organisation defines a clear Data Protection strategy that is reflected in policies and procedures and in the roles and responsibilities assigned to the organisation’s processing activities.

Governance Overview
An organisation should ensure that roles and responsibilities are assigned to the organisation's processing activities. Many organisations will be required to appoint a Data Protection Officer and will need Data Protection Champions/Teams in place to ensure that compliance requirements are met. It is also necessary to ensure that the registration requirements with the applicable Supervisory Authorities are completed.

Fort Privacy provides the following services under the governance category:

  • Outsourced Data Protection Officer
  • Selection and management of Data Protection Teams
  • Advice on the right governance structure for organisations
  • Support services for in-house DPOs
  • Supervisory Authority Registrations

Governance related Articles of the GDPR

Article 5, Article 24, Articles 37-39, Article 40

Accountability

The ability to demonstrate compliance and account for all data processing activities

Accountability Overview

Demonstration of compliance with Data Protection legislation is a key compliance requirement. Organisations should be able to account for all data processing activities.

Appropriate measures such as records of processing activities, activity logs, training logs, audits and risk registers should be in place to demonstrate compliance.

Accountability related Articles of the GDPR

Article 5, Articles 24-25, Article 28, Article 30, Article 32, Article 35, Articles 40-43; Recitals 69, 74, 78, 81, 82, 84, 85; Remedies, liability and penalties (Articles 77-84).

Transparency

The organisation provides clear statements to data subjects and communicates all required information about its processing activities.

Transparency Overview

It should be clear and transparent to individuals that personal data concerning them is collected, used, transferred or otherwise processed, and to what extent the personal data will be processed. Communications relating to the processing of personal data should be concise, transparent, easily accessible and easy to understand.

Compliance is achieved in this category through Data Protection Statements, cookie management activity and other notices.

Transparency related Articles of the GDPR

Article 5 (a), Article 12, Article 13, Article 14, Article 24, Article 26; Recitals 39, 58, 60, 71, 78, 97, 100

Data Transfer Management

The organisation discloses personal data outside the organisation only for the purposes identified and has all required transfer mechanisms in place.

Data Transfer Management Overview

Where an organisation transfers personal data to another organisation, the transfer should be consistent with the purpose of processing and an appropriate transfer mechanism should be in place. These come in the form of Data Processing Agreements, Standard Contractual Clauses and Binding Corporate Rules.

To meet compliance requirements, due diligence should be completed on suppliers to ensure that adequate safeguards are in place for the transfer and processing of the personal data.

Data Transfer Management related Articles of the GDPR

Articles 13-15, Articles 28-30, Article 32, Articles 44-50

Legal Basis Management

The organisation ensures it can identify a reliable lawful basis for each processing activity.

Legal Basis Overview

An organisation must ensure that it identifies a reliable lawful basis for each of its processing activities. Data protection legislation sets out a number of legal grounds for processing personal data. Each processing activity must have a sound legal basis. 

Special Category Data requires an additional legal ground to be identified for that processing activity.

Legal Basis related Articles of the GDPR

Article 5 (1) (a), Article 6, Article 7, Article 8, Article 9, Article 10

Data Breach Management

The organisation documents and implements policies and procedures for reporting and managing personal data breaches.

Data Breach Management Overview

An organisation should document robust policies and procedures for identifying, reporting and managing personal data breaches. Failure to do this can come at a huge cost to an organisation. 

Data Breach Management related Articles of the GDPR

Article 33 and Article 34

Security

The organisation manages the security of personal data and of the systems that it uses to process the personal data.

Security Overview

Organisations must manage the security of personal data and of the systems they use to process the personal data. The technical and organisational measures deployed should be appropriate to the processing activities being undertaken by the organisation.

Key to compliance with this category is the implementation of robust policies and procedures that are embedded in practice. Documented Technical and Organisational Measures should be in place. This is an invaluable compliance activity that can help you demonstrate to your customers that you are operating in compliance with the GDPR.

Security related Articles of the GDPR

Article 32, Article 28

Data Subject Rights Management

Policies and processes are in place to facilitate and respond to data subjects who invoke their rights.

Data Subject Rights Management Overview

Data Protection legislation provides certain rights for individuals whose personal data is collected, used, transferred or otherwise processed. These include:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object to processing
  • the rights in relation to automated decision making and profiling

The most commonly used right is the right of access. Robust data subject access request policies and procedures are crucial for most organisations to meet compliance requirements.

Data Subject Rights related Articles of the GDPR

Articles 12-23

Data Management

The organisation manages personal data processing activities to ensure consistency with the principles of purpose limitation, data minimisation, accuracy and storage limitation.

Data Management Overview

Organisations should manage personal data processing activities to ensure consistency with the data protection principles of:

  • Purpose Limitation - personal data should only be used for the purpose for which it was collected
  • Data Minimisation - only personal data required for the purpose should be processed
  • Accuracy - all personal data should be accurate and up to date
  • Retention - personal data should only be kept for as long as necessary for the purpose

Many organisations struggle with managing the retention of personal data. The approach to this should be systematic, starting with the legal basis for processing. Compliance activities for Data Management include documenting a record retention schedule for all processing activities and ensuring it is implemented.

Data Management related Articles of the GDPR

Article 5 (1) (b) "Purpose Limitation", Article 5 (1) (c) "Data Minimisation", Article 5 (1) (d) "Accuracy", Article 5 (1) (f) "Storage Limitation"

Change Management

The organisation provides and implements a framework for data protection change management.

Change Management Overview

Organisations should implement a framework for managing changes to processing activities that gives full consideration to data protection. This includes the use of Data Protection Impact Assessments (DPIAs) to assess the impact a change in process could have. These assessments can serve to underpin the decision to implement the change.

DPIAs are a legal requirement under the GDPR in many cases, and even where they are not strictly necessary they are an invaluable exercise that examines the processing activity to (i) confirm that it is a viable processing activity and (ii) ensure all necessary compliance requirements are in place before the processing proceeds.

Change Management related Articles of the GDPR

Article 35, Article 25

Customer: Uniphar PLC

Category: Governance / Accountability

Project: Advising on an appropriate Data Protection Governance structure for the Uniphar Group of companies

Customer: Healthcare Distributor of products and services

Category: Accountability / Governance / Security Management

Project: Documenting a Record of Processing Activity

Customer: Pharmacy Management System Supplier

Category: Data Transfer Management / Governance

Project: Advising on an appropriate Data Protection Governance structure for the Uniphar Group of companies

Customer: ANSAC Credit Union

Category: Legal Basis Management / Accountability / Governance

Project: Marketing Policy

Customer: The Honorable Society of King’s Inns

Category: Change Management / Governance / Transparency / Data Transfer Management

Project: Move to Remote Examinations

Customer: SaaS Provider

Category: Accountability / Data Transfer Management / Breach Management

Project: 6 month compliance programme

Customer: Retail wholesaler

Category: Accountability / Data Transfer Management

Project: GDPR GAP Audit

Customer: Recruitment

Category: Transparency / Accountability / Legal Basis Management

Project: Advising on an appropriate Data Protection Governance structure for the Uniphar Group of companies

Customer: Credit Union Sector

Category: Data Management / Accountability

Project: Building Record Retention Policy and Schedule

Customer: Public sector body

Category: DSAR Management / Accountability

Project: Supporting customer to respond to a Data Subject Access Request

Customer: Government Agency

Category: Security Management / Accountability

Project: Documenting the Technical and Organisational measures

Customer: Global Multinational company

Category: Breach Management / Accountability

Project: Building Breach Management Policies and Procedures

Customer: Government Agency

Category: Data Transfer Management / Accountability

Project: Embedding data protection compliance into the supplier procurement process

Customer: Recruitment

Category: Transparency / Accountability / Legal Basis Management

Project: Data Protection Statement

Customer: Client with multiple websites

Category: Transparency

Project: Cookie compliance

Customer: Industry user group for a software supplier

Category: Change Management / Transparency / Security Management

Project: Mobile app development

Customer: King’s Inns

Category: Legal Basis Management

Project: Legal Basis Review

Customer: Health and Safety Training Organisation

Category: Data Management / Legal Basis Management

Project: Purpose Limitation and ROPA

Customer: Pharmacy Management System Supplier

Category: Data Transfer Management / Governance

Project: Data Processing Agreements

Customer: Healthcare Distributor of Products and Services

Category: Breach Management

Project: Breach Management Team

Contact Us

We’re here to help, whether you’re unsure where to start or need some extra guidance in developing your data protection programme.

Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information.