In particular, they were concerned about being fined for non-compliance, or losing market share if they were subjected to sanctions requiring them to temporarily cease operations. They also recognized that if they were found not to be compliant, other compliant companies would not do business with them.
The company initially tried to do this assessment in-house. However, it was taking 30 days to respond to Data Subject Rights requests (DSRs), which was the maximum time allowed by law, when it should have taken only two days to respond. It was also taking an average of 200 work hours to complete each DSR, instead of the eight hours or less that had been budgeted.
As a result, qualified resources were being exhausted, and they would be stressed even further with an expected increase in demand – which, in itself, could result in an investigation and a potential fine.
Making matters worse, the company’s IT systems were located in multiple regions, which posed an additional challenge because evaluating the infrastructure of all subsidiaries was within the project scope.
How Mazars helped:
The company asked Mazars to assist in developing a viable DSR program, based on IT-related auditing and consulting work that Mazars had done for them in the past.
In less than four weeks, Mazars, working together with the client’s IT, Compliance and Legal departments, developed a GDPR-compliant DSR program that enabled the company to perform DSRs on 20+ selected systems within one week, in less than 40 working hours – a fraction of the time it had previously taken them.
By adopting Mazars’s approach, the company was able to perform roughly five DSRs per month using only one person, instead of four to five people per DSR. Given that the subject matter expertise required to complete DSRs is an expensive resource (roughly $150k-$200k per FTE), the customer was able to avoid hiring an additional six resources, creating a savings in excess of $1 million annually.
And, best of all, the company’s senior executives now have a high level of comfort that the risk of fines, and the associated impact on the brand’s reputation, have been minimized.