- We assessed the subsidiary’s personal data management against KPIs based on the parent Group policies.
- Scalable solutions
- We took the GDPR programme of the parent, a global company and scaled it to suit the business, compliance, and risk management needs of the smaller specialist business.
- Gap analysis and action plan Based on benchmark results we completed a gap analysis and an action plan.
- Data process flows
- We worked with the subsidiary to identify personal data holdings and data process flows.
- Record of Processing Activities (ROPA) and Retention Schedule
- We mapped personal data processes to the parent company ROPA and identified assets to be added to the Retention Schedule.
- Guidance and tools
- We created reusable and scalable assessment tools and provided guidance for the Group to use for measuring the compliance of future acquisitions.
Our work provided our client with assurance they needed that the subsidiary company they were in the process of acquiring did not carry unmanageable liabilities. Once acquired, we were able to find a way to enable the subsidiary to be brought into alignment with the large multinational company that was also compatible with the requirements of their business.
During the benchmarking phase we provided templates and spent time sharing our knowledge with practitioners from our client’s company. This allowed them to learn how manage bring future acquisitions in line with their GDPR programme, giving them the self-sufficiency to carry our methods forward independently. This was important to our client as they make acquisitions regularly and really appreciated how we integrated data protection into their overall approach to make this easier for them to do.