Clearing the data privacy hurdle to enter new markets

At a glance

When a healthcare SaaS provider sought to enter the European market, their potential customers would only sign a deal if the company complied with the GDPR. Since our client had worked solely with U.S.-based organizations, they had no prior need to concern themselves with the EU’s new privacy regulation, but to take advantage of this new opportunity, they needed to develop and implement a readiness plan—quickly.

Customer challenge

Given the time frame of the desired deals, our client had only a few weeks to learn how the GDPR applied to their organization, assess their current state of compliance, create a remediation plan, and satisfy the potential customer requests with documentation showing their progress. They quickly realized that doing all this on their own was not an option. They needed a partner not only with deep knowledge of the regulation, but also with a proven track record in identifying GDPR compliance gaps and developing effective remediation plans.

Approach and solution

When our client realized they needed outside help, they did extensive due diligence to find the right partner, attending webinars, reading blogs, and polling their networks for references. After they had researched numerous companies and checked references from their network, they narrowed their list and scheduled a meeting with us. By the end of our first meeting, they understood the GDPR and how it applied specifically to their company—and they knew that we were the right partner to help them achieve their remediation goals.

We started the project by meeting with key members of our client’s leadership team—including the CEO, CFO, product owner, business owner, lead architect, and marketing owner—to educate them on the company’s specific situation concerning GDPR compliance. We helped them understand not only the actions they needed to take immediately, but also “triggers” that would require them to re-examine their compliance status as they continue to improve and enhance their product.

We then conducted a comprehensive gap analysis that entailed

• Reviewing all policies, contracts, and procedures related to personal data processing

• Creating an inventory of data processing activities

• Documenting and analyzing data flow processes

• Identifying data processes likely to result in a high risk to data subjects’ interests as defined by the GDPR

Our assessment revealed that most compliance gaps appeared in two areas: (1) policies and procedures and (2) contracts with third-party data processors. We also identified gaps that required organizational improvements in areas such as change management, which would enable our client to inform and educate their team on the GDPR as well as to promote a mind-shift in thinking about the regulation in all aspects of their business. We presented our client with a list of these gaps along with our recommendations for addressing each one.

We also documented all use cases and data flows involving our client’s product—identifying where data was coming from, how and why it was being processed, where it was going, and who had access to it—and used this information to create the record of data processing activities that the GDPR requires. Our client shared with us that this was the first time they had documented their data processes.

While documenting our client’s data flows, we identified several processes that require them to conduct a data protection impact assessment (DPIA). The GDPR requires DPIAs for all high-risk data processing activities as well as activities that process sensitive health data. In addition to explaining the steps involved in a DPIA, we walked them through an actual assessment using one of their own data processes as an example.

Finally, we detailed all of the steps our client went through and their progress in preparing for the GDPR, so that they can share this information with their prospective European customers.

Value and benefits: “The Wins”

Armed with a comprehensive assessment and remediation plan, our client could pursue their European market expansion with confidence that they are well on their way to GDPR readiness. As an added benefit, they had not only the process documentation the regulation requires, but also a tool to help them identify and address inefficiencies, model future enhancements, and show other customers how they work.

The company’s main goal was to pass a GDPR audit by their prospective customers. At the end of our project, they walked the customer through the work we did with them and passed the audit with flying colors. Our client then sent us the following message to thank us for our help: “Thank you very much for your GDPR assessment project. Our audit went very well with no critical findings … Look forward to working together again.”