YG3
Privacy Services
Privacy Services
YG3 provides privacy services to helps its clients find the balance between regulatory compliance, user trust and business growth.
Data Asset and Mapping
YG3 helps clients identify what personal data they have, why they have it, and where, so they understand what needs to be secured and maintained to meet their legal and regulatory obligations.
Privacy By Design
YG3 helps clients effectively embed privacy controls, throughout the development lifecycle of new products, processes and services involving the processing of personal data.
Privacy Impact Assessment
YG3 helps clients understand and treat privacy risk when changing or introducing new services or products - balancing regulatory compliance with user trust and business growth.
Records of Processing Activity
YG3 works with clients to create and maintain a record of processing activities. Enables everyone to understand what is being processed, associated risks, and opportunities for operational efficiencies.
Data Asset and Mapping
Know what personal data you are responsible for
YG3 uses a proven methodology to deliver and record personal data asset services for clients. Once scope and priorities are agreed, YG3 works with client teams to process personal data and create 'data flow map' drafts. YG3 subsequently validate these using questionnaires and 1-2-1 meetings.
Privacy By Design
Demonstrate privacy protection from the start
The YG3 approach is based on 7 Foundational Principles of Privacy By Design. Once agreement of scope and priorities is reached with our client, YG3 performs a detailed control design review and evaluation. The final evaluation report will detail the 'as-is' and the 'to-be' regulatory target with recommendations to remediate and address gaps.
Privacy Impact Assessment (PIA)
Effectively assess and consistently treat privacy risk
YG3 provides clients with a choice of services. This includes setting up an effective in-house end-to-end PIA capability, assuring existing PIA services, or providing our very own PIA service when in-house capabilities are limited. Our PIA tool and guidance is based on best practice by the EU Article 29 Working Party.
Records of Processing Activity (RoPA)
Achieve more than regulation by knowing your data
YG3 uses proven methodology to deliver RoPA services for clients. YG3 completes an information audit and assesses existing technical and organisation measures, once scope and priorities are agreed. In parallel, YG3 document opportunities for efficiencies and the privacy critical records in-use e.g. controller-processor contracts.
Industry Experience
Telecommunications
Key Challenge:
Large global telecommunications firm requested assistance to uplift the GDPR controls utilised within its Procurement and IT change services. This included verification of personal data being processed against existing RoPAs, embedding Privacy By Design considerations, uplifting contractual schedules of technical and organisation measures assigned to suppliers based on privacy risk, and establishing a new PIA methodology. Both services required control uplifts to align to the GDPR and remove manual inefficient and inconsistent control processes and procedures that were causing service delays that impacted real time support to its telecommunication of networks.
Outcomes:
Working with the client’s legal, IT, security, procurement, and business change teams, our specialist completed a data asset and mapping exercise and created a new data flow map for the procurement service. Using this new data flow map, we redesigned and implemented privacy risk assessment and management steps within each stage of the procurement lifecycle. This included automating within the SAP procurement system, the risk assessment and assignment of technical and organisational measures for every ‘low’ and ‘medium’ rated procured item. In order to achieve this YG3 re-designed and implemented a group wide PIA methodology and supporting artefacts based on the EU Working Party 29 and CNIL methodology. This new PIA was used across the group for all change and procurement services.
Financial Services
Key Challenge:
Large global bank required support to augment privacy data transfer agreements that would effectively enable it to uplift and distribute its existing UK technology data centre operations and services to new data centres in East Asia, Europe and Africa. To achieve this, the bank needed to verify the completeness of its existing UK data centre personal data assets and flows to ensure there were no gaps in its data sources, processing descriptions, and subsequent data use and transfers. Once complete, the data flow map was used by the data centre design team to capture personal data processing activities by the new technology data centres.
Outcomes:
Working with the bank’s legal team, our specialist completed a data asset and mapping exercise of its UK data centres, resulting in a comprehensive data flow map. This was used as the basis for the creation and regulatory submission of new data transfer agreements for each new technology data centre. They were submitted and successfully approved by each of the necessary European and international data privacy regulators.