GDPR and DPO services
GDPR will remain a hot topic for a long time. Data protection will become more and more critical as we move further into the digital age and as new, stricter legislation comes into force.
Since every company subject to GDPR must already be compliant with it, the aim of your company at this stage is more likely to improve your processes, make them more mature and ensure that nothing slips through management controls and that any issues are reported in a timely manner.
We give some hints on areas of attention, based on our experience of where companies get it wrong and of where the Data Protection Authorities focus their attention:
- Privacy notice
- Cookie notice
- Proper segregation of duties
- Incorporating data protection by design into daily operations across the organisation
- Duly executing data subject right requests in a timely manner
Services under this category are wide-ranging, covering topics such as process design and revision, segregation of duties design and review (technical and business), defining job descriptions that support proper segregation of duties, management support in decision making, and assisting in the design of calls for tender, including the necessary specifications and clauses, and in evaluating the offers.
All of them can contribute to more efficient and controlled operation of your business and put your mind at rest.
These types of audits cover IT procedures in order to establish reasonable assurance in support of the financial statement close process, so that the financial audit team can place reliance on the IT systems. By doing so, the extent of financial audit procedures can be drastically reduced, saving your company time, effort and money.
Compliance / Standard based Audits
This is a subtype of audit in which audit procedures are performed to establish compliance with a framework, be that ISO, SANS, CIS or COBIT.
While this topic may seem to be a stand-alone domain, it should be the basis for, and integrated into, your company's daily operations. In practice there is no framework that should not be driven by a risk assessment of some kind, which in turn determines the controls to implement. That assessment needs to be easy to execute, repeatable and regularly executed.
Similar to risk management, project management is not a stand-alone domain. Any major change in an organisation should normally be managed through project management with all the necessary elements (charter, scope, budget, resources, milestones, etc.). Where things can go wrong is when the project manager is not knowledgeable about the scope of the project and can be misled. This is not to say that s/he needs to be an expert, but s/he does need some basic knowledge of the domain in scope.
The quality of operations within your organisation will depend heavily on the frequency and quality of the training your employees receive. Training is needed not only when changes occur, so that employees learn what to do and how, and understand the purpose, but also on a recurring basis to remind people of the right way of working. Quality training is key to the success of a controlled operation.