
Privacy Services

How organizations protect the privacy of their employee, company and customer data is becoming a critical gauge of trust as executive teams look to future-proof their businesses. In addition, privacy hurdles for organizations across industries will only continue to grow as new state and federal regulatory regimes are enacted.

Our Approach

Mitigate Risk, Stay Ahead in the Marketplace

Current state and federal requirements already impose significant financial penalties for non-compliance and are being actively enforced. At Armanino, our consumer data privacy experts provide a range of solutions designed to help business leaders combat the quickly changing landscape of privacy and breach notification laws, and maintain compliance with new regulations. Our privacy experts can help you assess and mitigate risk, develop and manage an effective data privacy and compliance plan, and differentiate yourself in the marketplace by being one step ahead.

Whether you’re just getting started, or you just want someone to handle your data privacy needs for you, we’ve developed a selection of easy-to-implement Data Privacy Managed Services Options for your team to choose from:

  • ULTIMATE – Leave It to Us: Initial assessment and implementation of our full suite of managed services, including policy creation and maintenance, employee training, an outsourced Data Protection Officer, and technology tools for responding to Data Subject Access Requests, so that your organization can focus on its core value proposition and leave the data privacy headaches to us.
  • ENHANCED – Maintenance with Support: Compliance assessments and implementation guidance, with ongoing support for policy maintenance, data subject access requests, and on-call service to ensure your organization’s compliance team has the support and expertise needed to maintain your data privacy compliance program.
  • ESSENTIAL – Comply Quickly: Compliance assessments, reporting, recommendations and implementation guidance to get your organization’s privacy program off the ground.


Privacy Managed Services

We have solutions that allow your organization to comply with complex laws such as the General Data Protection Regulation (GDPR), without investing in the cost of dedicated privacy professionals, tools and oversight. You can choose to leave it to us.

Consumers with new “data subject rights,” as well as regulatory authorities, can issue a privacy-related request to your organization. This can trigger a cascade of compliance requirements, including a short window to respond, proper authentication of the requester, and tracking and documentation of the response.

Our managed services offering focuses on having our professionals leverage technology to assume the processing of all privacy requests on behalf of your organization. We provide custom privacy centers, where our professionals can receive data subject requests, leverage tools to integrate and automate data retrieval from your internal systems (including common third-party SaaS apps), and act upon the request through to closure. We can also work with your vendors to ensure that they have procedures in place to respond to requests for which you are responsible.

Privacy Impact Assessment

Armanino can work with you and your team to either facilitate or perform a privacy impact assessment (PIA) to help you identify key data privacy risks and controls. Our specialists ensure that the PIA process is conducted efficiently, provide insight for case-specific alternatives and best practices, and educate you on how best to address your data privacy risks.

Data Inventory

We work with you to perform a detailed data inventory to identify collected pieces of personal data. Our privacy specialists leverage technology to ensure an efficient approach to performing a dynamic data inventory that can be used to support ongoing regulatory compliance.

Privacy Program Assessment

Privacy program assessment means either reviewing an organization’s entire privacy program or ensuring implementation of an organization’s privacy principles into products and services right from the start of product development. Our specialists can conduct privacy reviews for different products, services or an entire organization to help support regulatory compliance and data privacy best practices.

Outsourced Data Protection Officer (DPO)

Many organizations cannot hire an in-house DPO to ensure their organization is following data protection regulations. The duties fulfilled by a DPO are diverse and can vary depending on the nature of the organization and business. Responsibilities filled by a DPO focus on, but are not limited to, the analysis and supervision of compliance with data protection rules, communication and training, and board reporting.

Armanino has privacy experts and processes in place to serve as your outsourced DPO, allowing you to run an effective privacy program, ensure compliance, receive high quality training for your personnel, report competently to your board of directors, and rest assured that it is all done correctly.

Microsoft Supplier Security & Privacy Assurance (SSPA) Program

If you are a Microsoft vendor, or are planning to sell your services or products to Microsoft, you should know that your company’s privacy and security practices are a priority to Microsoft. The SSPA program is intended to baseline data protection efforts for all vendors given access to Microsoft personal or confidential data.

California Consumer Privacy Act (CCPA)

The CCPA was signed into law in June 2018 by Governor Jerry Brown and will go into effect in January 2020, with enforcement in July 2020. The CCPA is the first United States law following in the footsteps of GDPR, granting significant rights to data subjects and raising the specter of significant fines for organizations that collect the data of California consumers – whether or not that organization is based in California.

Armanino’s experts can help you assess your organization’s exposure and build a strong compliance program; we can also take a managed service approach for end-to-end coverage and a manageable cost of compliance.

GDPR and The CA Consumer Privacy Act
Scrutiny of the way organizations manage consumers’ data privacy rights has never been higher. Our experts help you navigate these new data privacy regulations.

General Data Protection Regulation (GDPR)

GDPR is a law intended to strengthen electronic data privacy for all individuals in the European Union, while creating uniform regulations for member countries.

GDPR requires businesses that control data to take into account the nature, scope, context and purpose of processing, as well as the risks of varying likelihood for the rights of natural persons, and implement appropriate technical and organizational measures to ensure and be able to demonstrate compliance.

In addition to Armanino’s managed service offerings for GDPR compliance, our other capabilities include:

  • GDPR & Privacy Program Readiness Assessment – We identify and classify personal data, conducting enterprise-wide data mapping to meet the critical requirements. This enables your organization to fully understand your compliance requirements, obtain actionable recommendations for closing gaps, and found a business case for building your privacy compliance program.
  • GDPR Privacy Program Implementation – Our experts help your organization establish a robust governance program. This includes establishing the data protection officer (DPO) role; managing consent; drafting policies and procedures documentation; implementing internal controls mapped to the GDPR articles; and reviewing, testing and independently auditing those controls. Finally, we help you define the breach notification process for supervisory authorities and data subjects.
  • GDPR training – We create and manage awareness programs through company-wide initiatives.
  • “SOC 2 Plus” with a mapping of your internal controls to GDPR requirements – A SOC 2 report is a report on internal controls at a service organization relevant to security, availability, confidentiality, processing integrity and privacy. The SOC 2 is a widely used vehicle for compliance reporting, but also a tool you can use to attract and retain customers. Armanino has successfully employed the SOC 2 Plus to give customers reliable transparency into your organization’s GDPR compliance program. This SOC 2 provides assurance that your organization maintains a sufficient set of functioning security and privacy controls to meet GDPR requirements.

Microsoft Supplier Data Protection Requirements (DPR) Compliance & Reporting

Is your organization a Microsoft vendor or supplier? If so, you are subject to the requirements of the Microsoft Supplier Security and Privacy Assurance Program (SSPA), formerly known as the Vendor Privacy Assurance Program. We can help you with your annual compliance requirements.

The SSPA program is a partnership between Microsoft’s procurement, corporate external and legal affairs, and corporate security departments to ensure that privacy and security principles are followed when suppliers process Microsoft personal data and/or Microsoft confidential data.

The scope of the SSPA program covers all suppliers globally that process Microsoft personal and/or confidential data. The SSPA program requirements are outlined in the DPR. An annual self-attestation of compliance to these standards is required. Suppliers may also be selected to provide independent verification of compliance in the form of an attestation from a certified public accounting firm.

Armanino helps dozens of clients every year with support for self-assessments and implementing best practices, as well as performing attestations.

On December 17, 2018, Microsoft released the 2019 version of the DPR, which has been slimmed down slightly, with additional clarity added on what counts as evidence of compliance. This version applies to vendors with an anniversary date in 2019.

If you need independent consulting on your self-assessment, or a full attestation of compliance, please contact one of our privacy experts.

Personal Information Protection And Electronic Documents Act (PIPEDA)

PIPEDA, or the PIPED Act, is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information during commercial business. Armanino can help your company meet these international data privacy requirements.

Pippa Akem - Senior Manager - San Francisco, CA
Pippa has over 10 years of governance, risk and compliance experience in healthcare, technology and other sectors.

Mirena Taskova - Managing Director, Head of Privacy and Cybersecurity - San Jose, CA
Mirena Taskova has over 13 years of wide-ranging privacy & cybersecurity experience.

Liam Collins - Partner, Audit - San Francisco, CA
Liam has more than 18 years of assurance and consulting experience, including 10 years with Big Four firms.

Privacy News, Tips & Insights

  • Digital Media & Ad Tech Firms Are Handling Stronger Privacy Regulations – Data privacy is becoming more important and is being blended with cybersecurity efforts. (May 07, 2021)
  • How a Privacy Engineer Can Facilitate Privacy Compliance – Companies are using privacy engineers to add privacy protections at the earliest development stages. (April 02, 2021)
  • Celebrate Data Privacy Day One Day Early to Help You Stay One Step Ahead (January 27, 2021 | 11:00 AM – 12:00 PM PST)