A North American Life Sciences company was processing special category private information. They were growing concerned about their ability to comply with multiple privacy laws, in multiple jurisdictions, some of which could be conflicting.
Without an all-encompassing privacy plan, they risked fines, losing business, and not being allowed to partner with other companies to complete projects, which could cost them millions of dollars in lost opportunity.
As such, the company sought guidance on building a privacy program that would meet Privacy Shield, General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) requirements simultaneously, without reinventing the wheel for each new governing body.
How Mazars helped:
Working with multiple divisions and departments, Mazars was able to rewrite the company’s contract language around compliance, significantly limiting their exposure to fines and cease orders.
At the same time, Mazars was able to work with the company’s data protection offices to create a Data Subject Rights (DSR) response program, which was closely related to the privacy protection processes, both operationally and legally. By working with compliance, IT and the company’s data protection offices, we were able to develop Privacy Impact Assessments (PIAs), along with a Record of Processing Activities (ROPA) program.
In six weeks, Mazars developed a GDPR-compliant roadmap with specific deliverables around the privacy notice, established a data protection office, built a customized process for the company to respond to Data Subject Rights (DSR) requests, and provided a template for managing a record of processing of private data (ROPA), along with guidance on how to perform ongoing PIAs within their environment. We also provided a data protection officer (DPO) service to support the company until the program was fully mature.
As a result of the initiative, the company was able to continue with its expansion and integration with its partners, supporting a prosperous outlook for the future.