Take your organisation to the next level of GDPR data privacy maturity and demonstrate compliance

As mentioned in the GDPR, data “controllers” and “processors” must demonstrate their compliance with the regulation. Being transparent in terms of how you as an organisation comply with GDPR provides the trust that your business partners, other stakeholders and the society in general are looking for when doing business with you. Consequently, you might face competitive disadvantages or even severe fines if you are not compliant. 

How PwC can help

As a multi-disciplinary practice, we are uniquely placed to help you adjust to a new environment driven by regulatory scrutiny around data privacy. Our data privacy team includes lawyers, consultants, auditors, cyber security and forensics experts. Our team is truly global, with expertise in all major economies. 

Within Switzerland, we have a dedicated team available with proven expertise in connecting the dots between Data Privacy, Information Governance, Data Management, Cyber Security and Trust and Transparency. Our team has extensive hands-on data privacy knowledge and experience and provides you with solutions that expand over the compliance horizon. We have helped many organisations in their journey to GDPR compliance. 

Data Privacy Trust services portfolio

Organisations are facing various challenges in protecting their data and responding to the need for trust and transparency in this area. We therefore have created a comprehensive trust services portfolio. Through a variety of available services, we are able to offer you a tailored solution, including designing and implementing the relevant controls within your existing process and technology control framework (e.g. ICS and ITGC). Alternatively, we can assist you to adopt a reference framework or other public available data privacy standard.

Our trust services portfolio allows you to further enhance and increase the maturity of your data privacy environment in a structured manner. It covers the main areas that address the GDPR requirements as outlined below.

1. Strategy, Governance & Accountability
2. Data Processing & Individuals’ Rights
3. Policy Management & Data Protection Notice
4. Risk Management & Compliance
5. Data Lifecycle Management
6. Incident Response & Breach Management
7. Third Party Risk Management
8. Data Security

Quick scan

Through our online and interactive platform, we offer a free-of-charge quick scan assessment of your current and desired data privacy environment, based on the key GDPR principles. Our quick scan solution provides you almost instantly with an overview of how your data privacy environment currently addresses the GDPR requirements. Our quick scan focusses on the most important GDPR principles: transparency of data processing, legitimate purposes, application of data minimisation, security measures taken to protect data and ability to demonstrate compliance.

The outcome of the quick scan comprises of a high-level maturity indication with generic yet actionable recommendations. This provides you with an excellent starting point for discussions with your management to start further enhancing the data privacy maturity level and your overall state of compliance in this area. 

Readiness assessment

Our detailed maturity readiness assessment focuses on all GDPR elements and the principles for effective data privacy management. The assessment is based on our best practice framework, but can be supplemented with other privacy management standards if required. Our assessment can help you to provide your internal stakeholders with the confidence that you have taken the necessary steps to comply with the GDPR requirements. Furthermore, it helps you to prepare for more formal certification or assurance-related activities. The readiness assessment is also an excellent way to identify and assess your third parties (e.g. vendors and services providers) for their state of GDPR compliance. Based on the results we enable you to determine the impact of third parties on your target state of compliance and take the appropriate actions. During the assessment, we will provide you with advice on how technology can be leveraged to support your certification/assurance objectives.

We make use of our proprietary GDPR Maturity Assessment tool to measure, in a granular way, your current maturity level and define a desired maturity level for data privacy management. This will result in a maturity assessment report with detailed findings, risks and prioritised and actionable recommendations to reach the desired maturity level.

Data privacy certification & assurance activities

Our experienced auditors and privacy specialists offer data privacy solutions from controls to certification and/or assurance programmes for organisations that have completed their GDPR implementation.

We will define and agree together with you the required certification and/or assurance scope, amount of controls to be tested and testing methodology. We will apply the right certification/assurance framework based on your organisational needs and our experience. Examples of data privacy frameworks that we typically apply are the GDPR-CARPA (Certified Assurance Report-based Processing Activities Certification Criteria) from Luxembourg or the NOREA-PCF (Privacy Control Framework) from the Netherlands. Moreover, we have also developed our proprietary PwC Data Privacy Control Framework consisting of 700+ control criteria mapped against the GDPR’s legislative requirements.

Based on the selected applicable framework components, we will evaluate and attest the controls you have adopted. Where needed, we will communicate to you any necessary requirements for additional (good practice) data privacy controls. 

Finally, our certification and/or assurance deliverables, which are based on known standards (e.g. GDPR-CARPA, NOREA-PCF), and PwC proprietary frameworks will enable you to have the necessary transparency in place. The transparency will build trust with your relevant internal and external stakeholders that you have implemented and operated the necessary measures to comply with the requirements as stipulated in the GDPR. 

^{* ZHAW Zürcher Hochschule für Angewandte Wissenschaften – «Datenschutz in Schweizer Unternehmen 2018 : eine Studie des Instituts für Wirtschaftsinformatik und des Zentrums für Sozialrecht»}