
GDPR AUDIT & COMPLIANCE CONSULTING
Westbrook International Ltd.


164 - 168 Regent Street
Linen Hall
London

Email: info@westbrook.co.uk
Phone: +44 20 7096 2480
Website: westbrook.co.uk
Preparing for GDPR
Ensuring your Organisation is Compliant in 2018

What is GDPR?

The General Data Protection Regulation (GDPR) is a significant update to the existing laws around handling and communicating personal information of EU citizens.

Fundamentally, GDPR sets out a range of regulations that allow EU citizens to control who has access to their personal information, how it can be used, and whether they continue to give permission for it to be held.

GDPR also places the responsibility for data security and privacy on any organisation involved in the ‘processing’ of personal information. Processing is a broad categorisation covering almost any use of personal data - including the tracking, capture, storage, and movement of data between organisations.

The definition of personal data is equally broad, and relates to any data that can be associated with an identified individual. This means it is not only sensitive data such as financial transactions, medical history or account details that requires strict security and control, but any basic information that can be associated with an individual citizen.

Non-compliance with GDPR risks strict penalties - with the maximum penalty at €20 million or 4% of a company’s annual global revenue, whichever is greater. This means that while the legislation doesn’t come into force until 25 May 2018, it is important to prepare now for the transition.

The legislation expands the responsibility for data to include everyone who handles it - from the database administrator, down to the company hosting the database. This means if you are a Salesforce or Cloud CRM user, both you and your provider are responsible for compliance with GDPR.

Ensuring Compliance

GDPR represents a significant shift in how data is managed within an organisation and requires changes in both how your systems and your culture operate. However, there are guidelines for how to become an organisation that has appropriate processes in place to comply with the new regulation.

Referred to as ‘Protection by Design & by Default’ in Article 25 of the GDPR, these principles provide approaches to safeguard customer data. Adopting these methodologies is not a legal requirement - but doing so will significantly reduce the risk of non-compliance and the associated penalties.

Our GDPR Consulting

Westbrook Consultants work to review your system and provide a roadmap to ensuring appropriate GDPR compliance.

We help you to build a foundation for your organisation that protects privacy by design & by default, and advise on how best to transition from your existing business processes.

We conduct a detailed review of your system from a technical and user perspective, highlighting areas where privacy controls can be improved.

Our Consultants focus on five key areas to ensure compliance:

• Identifying where customer data is held
• Identifying where data is captured
• Reviewing data accessibility & usage
• Complying with customers’ data requests
• Evaluating data security
Key GDPR Focus Areas
Understanding how GDPR will affect your business

Identifying where customer data is held


To begin reviewing the security and privacy of your customer data, you must first identify
all your systems that contain personal information - or data that can be used to identify a
person. We work with you to conduct a system-wide review, mapping out how systems
interact to share customer data.

Identifying where data is captured


With an understanding of where your organisation’s data is held, we review the technological
tools and manual processes that generate prospects, leads, contacts or person accounts
within your systems. We review how an identifiable individual is created, and how information
about them is enriched, updated and processed, and what technology or business user is
responsible for creating it.

Review data accessibility & usage


We review the level of data access and availability across your systems, identifying how
much customer information each user profile can view or edit. We work with you to evaluate
how much of this information is relevant to your users for their business role - identifying
areas where access to personal information can be streamlined, and offering approaches
to limit unnecessary access to private data.

Complying with customers’ data requests


GDPR gives customers rights over their personal data. We work with you to ensure your
system can respond to customers’ data requests in a format that complies with GDPR. We
review the current processes in place to action, log, export and delete customer data, and
how these can be enhanced to comply with GDPR. This is particularly relevant to the widely
publicised ‘Right to be Forgotten’.

Evaluating data security


We work with you to audit the security processes in place for protecting the data from
misuse internally, and how they comply with GDPR standards. We review where security
could be improved, as well as where data could be effectively encrypted, made anonymous
or restricted without negatively impacting business activities.

7 Day GDPR Compliance Audit
Building the Foundations of a privacy focused system

STEP 1: STAKEHOLDER WORKSHOPS (½ Day)

• Initial Kick-Off Call
• System Landscape Review

Beginning with a kick-off meeting, your lead consultant will work with you to map out the scope of the GDPR
Audit, the privacy measures you already have in place, and any key concerns that may apply to your organisation’s
data.

STEP 2: IDENTIFYING WHERE CUSTOMER DATA IS HELD (1 Day*)

• Standard Object review (Leads, Contacts and Person Accounts)
• Identify points of Integration
• Review of Custom Objects

* The 1 Day estimate assumes our team are working exclusively within a single instance of the Sales Cloud. If your
system architecture is significantly more complex, additional time will be required.

STEP 3: IDENTIFYING WHERE DATA IS CAPTURED (1 Day)

• Identifying Automated Data Capture
• Identifying Manual Data Capture

Our consultants document where data is created across prospects, contacts, accounts and person accounts,
mapping it to a Manual or Automated input source. This includes data created by your company connected to a
customer, such as activity tracking, profiling information, lists and campaigns.

STEP 4: REVIEW DATA ACCESSIBILITY & USAGE (1 Day*)

• Review of Data & Object access by User Profile
• Review of User Security Permissions

Our consultants document what data is visible to each of your users.

* The 1 Day estimate assumes a Salesforce instance with 15-20 Custom Objects and 2-3 user profiles. If your
permissions structure is significantly more complex, additional time will be required.
STEP 5: COMPLYING WITH CUSTOMERS’ DATA REQUESTS (1 Day)

• Review of Customer Contact Processes and Logs
• Review of Data Portability and Deletion Processes
• Review of Reporting & Export Processes

Our consultants document how customer requests are managed, how an audit trail for customer requests is
created and how GDPR compliance can be reported on.

STEP 6: EVALUATING DATA SECURITY (1 Day)

• Review of Data Security
• Review of Potential Data Encryption
• Review of Potential Data Anonymisation
• Review of Potential Data Pseudonymisation

Our consultants review the personal data held within your system and identify areas where data security can be
improved. Our team evaluate where personal data can be accessed for business functions that do not require
direct identification, and whether anonymisation would impact those business functions. We also identify all users
with the capability to export personal information from your CRM system.

STEP 7: DOCUMENTATION & FEEDBACK (1 ½ Days)

• Documentation of Findings
• Feedback & Review of Findings

We compile our findings into a report that documents your current solution and its compliance with GDPR
regulation, including areas for attention and suggestions for improvement. To conclude the project we present
feedback on our report to your project stakeholders.

TOTAL TIME: 7 DAYS

Extending Your GDPR Audit
Building Compliance into your Salesforce Systems

Strategic Consulting

For organisations with customer information distributed between multiple integrated or siloed databases, we can extend your GDPR audit to review your wider systems landscape.

Delivered on a ‘Time and Materials’ basis, we will estimate the amount of time required depending on the complexity of your business systems.

We will then conduct an audit of each system, evaluating it through our 7 step process - creating a single GDPR compliance document that comprehensively outlines your path to compliance.

Ongoing Support

If your organisation has skilled internal Salesforce resources, Westbrook can provide help and support as you transition to GDPR compliance.

Through our Salesforce support services, your team can access Certified administrator, consultant and developer resources as and when you need them.

By pre-paying for a specified amount of support, you can obtain maximum value from preferential rates and guaranteed access to resources.

Once the Audit is complete, you can choose the type and amount of support you need - all managed through a single support contract.

Salesforce Projects

Westbrook offers a range of services to ensure your organisation is on track for compliance with GDPR on 25 May 2018.

Our end-to-end project delivery capability can Scope, Design & Build a solution for GDPR based on the output documentation from your Audit.

We will estimate the level of work required, manage the project and provide all the Salesforce Certified resources you need to build privacy controls into your system.

Where business activities may need to change to protect customers’ personal information, we offer consultants with extensive experience in redesigning and restructuring business processes.

Our team can also provide the training and support your users need to transition to the new system and privacy focused approach.

Ready to get ahead of GDPR?

If you’re interested in learning more about how Westbrook Consulting services can benefit your business, don’t hesitate to get in touch:

Email: info@westbrook.co.uk
Phone: +44 20 7096 2480
Website: westbrook.co.uk
