Completeness Assessment Tool (CAT)
Our Completeness Assessment Tool (CAT) is a gap analysis and benchmarking tool that helps organisations to understand their current state of maturity against the requirements of the GDPR, allowing you to make more informed choices when its comes to prioritisation, investment, and risk management.
The CAT consists of 65 questions. We work through these with you during a 2-3 hour session, collecting information from functional representatives within your organisation who have knowledge of business processes and data protection governance practices, as well as how personal data is gathered and used. Examples of functions ideally represented are: information security, legal, HR, marketing, risk and compliance.
How does it work?
The CAT assesses an organisation’s approach to the GDPR across a series of data protection domains. Each domain contains a number of questions that help determine an organisation’s level of GDPR maturity. It's been designed to help businesses assess where they sit in relation to ‘good’ standards of compliance. The findings from the assessment can be used to help prioritise remediation and change activity, inform risk decisions, measure maturity over time or in different areas of the business, and can also provide sectoral insights and benchmarking.
Data protection operating model
Our data protection operating model service helps ensure that DPOs and their teams have efficient and effective operating practices in place; practices which suit the needs and culture of their organisation and the data subjects whose data is controlled and processed. Our approach to delivering fit for purpose data protection operating models includes four main phases:
Phase 1 – Assessment: Review of your current operating model in light of your organisation’s data protection legislative landscape and your company’s culture and values.
Phase 2 – Design: Data protection operating model options will be produced which describe and depict the proposed operating practices and processes.
Phase 3 – Implementation: The agreed design will be operationalised within your business teams through a variety of means which, depending on your needs may include; technology systems change or implementation, process change, training for a range of business teams, amendments to ways of working with third parties, and supplementing/augmenting your data protection practitioners with PwC staff.
Phase 4 – Optimisation: Addressing the legacy deficiencies and improving the operating effectiveness of the operating model as a result of lessons learned, or remediating issues resulting from external influences.
Accountability is a key data protection principle - it makes you responsible for complying with the GDPR and it means that you must be able to demonstrate your compliance. It’s therefore important for controllers and processors alike to have good quality and representative accountability artefacts available. We refer to these artefacts as your ‘Accountability Bible’.
These could be required by a regulator - for instance, after the regulator receives a complaint, after the notification of a personal data breach, or following a news story. Failure to provide a comprehensive set of good quality records could trigger enforcement action, as could delivering a set of records that reveals gaps in the organisation’s data protection framework or a substandard approach.
We can help you get on the front foot - assessing the quality of your existing accountability artefacts, addressing content or quality gaps, and helping you compile a full and comprehensive ‘Accountability Bible’. We can also help you put in place appropriate procedures to ensure your bible is kept up to date and accurate.
Outcomes Effectiveness Assessments
It’s important that the outputs delivered through your data protection operating model and framework knit together to deliver the necessary outcomes, particularly in situations of adverse scrutiny.
Your activities and your approach will inevitably come under scrutiny from a wide range of actors, whether due to data subject rights being exercised, breach notification, vendor risk management, regulatory investigations or litigation.
Our Outcomes Effectiveness Assessments are designed to identify the likely ‘negative’ scenarios facing your organisation and whether you’re sufficiently prepared to deal with them effectively.
Data protection is about more than just box ticking
Organisations need to understand the circumstances which may give rise to their data protection framework and operating model coming under adverse scrutiny, the focus and motivations of adverse scrutineers, and whether all the work that’s been done in the data protection compliance programme will combine together to successfully answer the challenges that may arise.
Testing your data protection compliance programme
Organisations that understand the adverse scrutiny scenarios that they face should be able to trace back into their data protection compliance programmes and operations, to identify the outputs and dependencies that need to be addressed across the domains of people, process and technology. This allows organisations to successfully deliver outcomes for those scenarios and address any gaps or deficiencies in their programme.
The GDPR sets out more expansive rules on the content of written contracts between controllers and processors including a number of mandatory contract terms.
With many organisations having hundreds, if not thousands, of contracts in place which may need to be updated, our bulk contract and data processing agreement analysis and remediation service combines technology and subject matter expertise to deliver cost- and time-effective support and usable outputs for what might otherwise be a daunting exercise if tackled wholly in-house.
Privacy IQ is a tool designed to take the stress out of managing your GDPR requirements, delivering a single interface that combines a range of PwC offerings to enable a comprehensive overview and seamless automation of your compliance needs. It enables users to drive, monitor and evidence all data related activities.