It is too expensive and rarely justified to have an in-house data protection team.
Consulting companies often:
- Have no tech understanding.
- Get GDPR done at 'company level' without touching product requirements.
- Provide no clear roadmaps and outputs.
It's hard to understand what you need to comply with when building an innovative product.
2. Are you processing personal or sensitive data?
3. What happens if you are not compliant?
4. How to approach reimbursement schemes and other certifications that require data protection?
2. What should you ask consent for?
3. What data are you sharing with your providers and should you do it?
4. What contracts should you have with your clients?
5. Are you dealing with US providers the right way?
2. Organisational Measures: ISO 27001-level organisational policies (Disaster Recovery Plan, etc.)
3. Technical Measures: encryption, logging, access control, backup policies, etc.