May 23, 2023

Evaluating Your Data Flows: A Guide to GDPR Compliance

Devon Lane
Founder and CEO
at Flowbase

On May 25, 2018, the set of European regulatory laws known as GDPR (General Data Protection Regulation) will go into effect, a change that will have a significant impact on businesses that operate within the European Union. Most elements of the law involve tighter and more careful controls placed over the handling and management of sensitive data, and even though the laws originate in the European Union, they apply to US companies that do business with European clients.

Operations managers and CEOs taking steps toward GDRP compliance now have about five months left on the timeline—plenty of time if actions are already underway. For those who have just started down the path and are still blocking out a step-by-step roadmap, there’s no need to panic. But it’s time to tackle step one: taking a close look at existing data flows and identifying loose links in the chain, accountability gaps, and points of potential exposure.

Under the GDPR’s new data protection model, the highest authority will be the European Data Protection Board, specifically the Information Commissioners Office, or ICO. This enforcing body will monitor all affected organizations (including US companies that conduct business within the EU) and will focus on the rights and responsibilities these companies grant to customers/users as well as their own internal data processors. The body will also monitor the rights, responsibilities, and access that companies provide to third parties and individuals who access privileged data in/from non-EU countries.

With that in mind, the first step toward compliance will involve mapping out these broad data flows. The moment sensitive data comes under a company’s purview, the rights, responsibilities, and requirements of the GDPR begin to take effect. From this point forward, GDPR compliance will require an examination of the integrity and availability of data AND the assets and processes that support its acquisition, storage, and disposal. A complete map will need to account for every corner of information flow, including but not limited to a company’s IT infrastructure. The map will need to show, for example, how the HR department structures and handles data flow, how the company is physically laid out (can the general public walk in through the lobby and look over the shoulders of those who handle sensitive data?) and even how accountability is traced from one person or role to the next.

Conducting a data mapping exercise

Most companies can start with a general assessment based on size and scope. For example, if the entire organization consists of five employees, and each customer is handled separately and presented with highly customized services, the process will be much easier than it would be for a company at the opposite end of the spectrum. Organizations with thousands of moving parts and areas of potential data exposure per customer will face a far more complex data mapping process.

No matter how companies structure their Data Process Impact Assessment (DPIA), they’ll need to document and record the process, and then integrate the results of the assessment back into the project plan.

A comprehensive mapping process will include:

  1. The completion, documentation, and integration of the DPIA.
  2. The identification of appropriate organizational safeguards (even those that don’t yet exist with the company).
  3. A complete review and understanding of legal and regulatory requirements.
  4. The establishment of a clear goal: gaining the trust and confidence of users both inside and outside of the EU.

If you’re an operations manager or CEO and you haven’t yet started the DPIA process, estimate the complexity of your task based on the size and information infrastructure of your organization. Feeling overwhelmed? Don’t worry! Just reach out to our team of expert consultants who can help you put the process in motion. We’ll help you gain perspective and take action.


We’re here to help.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt.

Get Started
LEARN MORE!
Responsive Components
Responsive Components
Responsive Components
Hey! Have any questions?

Frequently Asked
Questions

What type of compliance standard can you help with?

We help our clients based on their needs. The majority of our contracts involve SOC-2, HIPAA, and most recently GDPR. Feel free to ask us if we can help with your particular case. If we aren't able to, we can most likely recommend you to someone who can.

How long does a SOC 2 engagement usually take?

We move as fast as our clients are able to make progress. Our fastest client to date got their SOC-2 Type I four months after signing our engagement letter. That record is up for grab if you are up for it.

In our experience however, it takes 6-9 months to achieve a SOC-2 Type I,  and 3-6 additional months to obtain a SOC-2 Type II report.

Which standard do you follow for your security policies?

All of our security policies follow the ISO-27001 standard. The Confidentiality, Integrity, and Availability standards cover the range of standards we like to work with for SOC 2.

Why do we have to become SOC 2 compliant if we are relying on AWS which is already compliant?

SOC 2 stands for Service Organization Control, meaning your clients are interested in understanding your controls, not your hosting provider’s control. As part of your vendor assessment we recommend reviewing AWS’ SOC 2 report, but relying on their report is not enough to become SOC 2 compliant.

Who is behind SOC 2?

The American Institute of CPAs. The AICPA is an established and respected organization that provides two forms of audits to companies that demonstrate evidence of a secure data-protection infrastructure. A Type I is a point in time audit that addresses the company’s description of its system, the suitability of the system’s design, and the effectiveness of its internal data controls. A Type II report happens over a period of time and emphasizes design and also focuses on the validity of the company’s controls.

Are SOC 2 reports a legal obligation?

No, but most enterprise level organizations that engage with sensitive data (again, almost all of them) have an obligation to their stakeholders to prove due diligence regarding data security, which means they’ll want to vet their service providers using this tool. SOC 2 can help these prospective service providers set themselves apart from the competition. Just as important, a SOC 2 report represents a meaningful and respected signifier of trust.

What can happen to a company without a SOC 2 report?

A lack of a SOC 2 report won’t result in legal problems, but it can and will limit outside assessments of the company’s commitment to data security. When large-scale clients look for providers, or large-scale backers look for a likely return on their investment, they don’t want concerns about security to stand in the way. Trust is a chain made of links that have each been put the test and have proven their ability to withstand pressure and scrutiny. Company leaders are wise to let SOC 2 auditors apply this pressure so their clients and backers don’t have to.

When is it too late for a SOC 2 audit?

Never. Even companies that have been in business for years but have never obtained a SOC 2 report can—and should—take steps in this direction now. Being compliant with SOC 2 can open the door to a broader base of more significant clients and larger contract opportunities. That being said, startups in the threshold of the marketplace, and new business owners who hope for an eventual public offering, should obtain a SOC 2 report during the development and financing process. By the time the company approaches Series B and C fundraising rounds, a report should be in hand.

How complicated is the auditing process?

The auditing process can be easy, or complicated depending on your level of preparation.

Preparing for the audit can take some time, attention, and the guidance of reliable data security experts. Don’t leave any part of this process to chance. Approach SOC 2 compliance one step at a time, and start by contacting a consulting firm with track record of experience in your area of the marketplace.

Home
Resources
Contact
Raze™ All Rights Reserved, 2022.
Style Guide
Licence
Changelog