23 May 2018

GDPR Compliance Status Update

Marketing Team

Overview

Willis Towers Watson is actively completing compliance activities for the new European Union General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, and is building out our long-term compliance programme. As a company, we take our compliance obligations very seriously and we have established a team with responsibility for overseeing our GDPR compliance project.

Our GDPR compliance team meets on a weekly basis to monitor GDPR related activity and allocate necessary time and resources. This will continue following the effective date of May 25, 2018 as many facets of the law will continue to evolve in the coming weeks and months. This article serves as the primary external communication from Willis Towers Watson surrounding our GDPR compliance efforts.

Under the GDPR, Willis Towers Watson will be serving as Data Controller, Data Processor or Joint Controller depending on the work and line of business in question. We are aware of the differing requirements on these respective categories and are advising our teams accordingly. We further recognise that our clients will themselves be working to comply with GDPR.

We are working hard to ensure our internal business units are educated, assessed, and prepared for GDPR. We are dedicated to working with our clients to demonstrate compliance needed to address concerns and fulfill regulatory requirements.

Compliance efforts to date

The following summarizes the primary GDPR compliance efforts taken thus far by Willis Towers Watson:

  • Developing a governance structure for oversight of GDPR compliance efforts;
  • Establishing a core team to set priorities, provide guidance, delegate work streams and provide regular updates to the governing body;
  • Creating a multi-disciplinary working group to assess current capabilities and execute on priorities;
  • Creating an Intranet page with thorough information on the components of GDPR, necessary steps, points of contact, and past training materials;
  • Coordinating a group of GDPR business leads to drive compliance;
  • Implementing software to create a company record of compliance;
  • Engaging with outside experts to assist with overall strategy and asset discovery initiatives;
  • Reviewing policies, processes, notices, and contracts to ensure compliance with GDPR provisions;
  • Managing a comprehensive project plan and communication plan;
  • Integrating GDPR into internal training programs;
  • Assessing corporate and business unit compliance with GDPR requirements;
  • Providing specific training to legal teams regarding GDPR contract requirements;
  • Making further updates to materials premised on recent regulatory guidance;
  • Completing appropriate records of data processing;
  • Distributing Data Protection Impact Assessments (DPIAs);
  • Issuing comprehensive GDPR training;
  • Coordinating with clients and suppliers to ensure proper contract updates are being implemented.

A selection of specific actions from our GDPR project plan follows.

GDPR Training

We have created training that addresses the various compliance efforts necessary within Willis Towers Watson. This includes a particular focus on key elements such as recognizing and reporting a potential breach, recognizing and properly addressing a data subject request, and the proper methods for transferring data outside of the EEA.

Data Protection Impact Assessments

We are completing Data Protection Impact Assessments and logging, as appropriate, the cases where we decide not to pursue one. We anticipate this process will continue to evolve as the various member state legislation is finalized and implemented, and we are monitoring for such activity.

Breach Response

We have adapted our existing security incident response processes to meet the new requirements under the GDPR. All employees will be trained in the new requirements.

Remediation Meetings

We have had remediation meetings with each of our business units and corporate functions to review their internal compliance assessments against our GDPR requirements. As part of this process we have also been focusing on refining our abilities to track and demonstrate compliance as mandated in GDPR. These meetings have yielded plans for remaining activities which need to be undertaken to meet compliance goals.

Managing third party risk

We are issuing contract standards and processes to our suppliers to meet GDPR requirements. In addition, we have produced contract templates with GDPR wording for use in our client contracts.

Policies and procedures

We have produced a number of group level guidelines and supporting materials for the internal use of our business to meet the compliance requirements of the GDPR.

Reviewing our processes

Our central corporate services teams, for example Information Technology, Information Security, and records retention/management, are reviewing their systems and procedures to meet new GDPR requirements. These reviews fit in with the overall remediation efforts.

Next steps in compliance

As we move into the effective timeframe for GDPR, we anticipate many aspects will continue to evolve and be clarified in the coming weeks and months. As we work to address any remaining compliance points, we will adjust and update our processes as appropriate. Our goal is to work with our clients and suppliers to ensure transparency to the data subjects and as efficient a process as possible for all parties involved.