RSM Malta

GDPR Services

As from the 25th May 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”, “Regulation”) came into full force and is supported by the Data Protection Act (Cap 586) of the Laws of Malta. The Regulation covers data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The Regulation is a major enhancement to the previous data protection laws, giving more control to individuals over their personal data.

Since 2016, RSM in Malta has been actively gearing up in preparation of this Regulation coming into force and could now boast of having served a number of leading organisations and entities both in the private and public sectors, across various industries. With a profile including a diversity of skillsets including Legal, IT, Risk, Project Management and Compliance, our team can currently offer a variety of services including:

  1. GDPR Gap Assessments /Reviews
  2. System Audits
  3. GDPR Audits
  4. GDPR Implementation services
  5. GDPR Ongoing Compliance services
  6. Post Breach/Remediation services
  7. Outsourced Data Protection Officer services
  8. GDPR Awareness Training
  9. Data Protection Self-Assessment Checklist
  10. DPO Weekly Digest


GDPR Gap Assessment/Review

RSM provides organisations with an appropriate gap assessment/review. This exercise consists of carrying out various analyses and checks to identify whether an organisation’s is operating in compliance with GDPR. During the gap assessment/review we will be reviewing policies, procedures, underlying processes and IT systems/applications. In addition to this, RSM will also address other essential GDPR requirements as defined in the Regulation, such as inventories and data processing agreements with third parties.

The GDPR gap assessment/review will help organisations understand their level of compliance as well as assist them in aligning to the requirements of the Regulation. In doing so, we will provide the organisation with an appropriate Action Plan outlining the high-level tasks and activities to address the non-compliant areas.

Separate to the GDPR gap assessment/review, RSM could assist an organisation in assessing and reviewing its IT systems/application in order to gauge the organisation’s compliance level against the Regulation.

GDPR ‘Audit’

Similar to the Gap Assessment/Review, our GDPR ‘Audit’ would assist the organisation with its overall GDPR preparedness and gauge compliance to the requirements of the Regulation. The GDPR ‘Audit’ consists of a review of policies, procedures, underlying process documents (including operational) covering multiple areas and inventories mandated by the Regulation. Our deliverable will include an ‘audit’ report highlighting our findings, risks and comments for those processes no aligned with the requirements of the Regulation.

GDPR Implementation services

Organisations may further engage the services of RSM to address the issues identified during the Gap Assessment/Review and assist in the implementation of the required processes and relevant actions. Our implementation services vary from assisting the Data Protection Officer with their compliance duties, drafting policies and procedures, and assisting with data breaches, just to name a few.

GPDR Ongoing Compliance

Through the ongoing compliance support, RSM offers hands-on back-end advice and assistance to the Data Protection Officer (DPO) or Privacy Officer with matters relating to GDPR. We will take on a supporting role and carry out activities to assist your organisation in the most efficient and effective way possible. This ongoing service consists of various activities providing access to resources with project management legal, risk, and IT skillsets. The activities may include but are not limited to:

  • Carrying out GDPR assessments and compliance checks;
  • Reviewing relevant policies and procedures on various GDPR-related processes;
  • Assisting with data breaches and notification;
  • Responding to data subject requests;
  • Assisting stakeholders with carrying out Data Protection Impact Assessments (DPIAs).

Post Breach/Remediation Services

In the unfortunate circumstance an organisation suffers a data breach, our team will be able to provide it with the right level of post breach remediation services. During this delicate and critical phase, we will guide and assist the organisation in executing its responsibilities as defined by the Regulation, whilst also providing it with the required corrective actions to minimise the risks of a future breach occurring.

Outsourced Data Protection Officer

In accordance with Article 39 of the GDPR, RSM can provide the services of an outsourced DPO. As your organisation’s DPO, the team will be in charge of a number of duties related to data protection, making sure that all your information is compliant to the Regulation by fostering a data protection culture within the organisation and help implement essential elements of the GDPR. As part of the service offering, we will also identify risks in relation to data protection and manage them accordingly. The tasks which we will carry out are those listed under Article 39 (Tasks of the data protection officer) of the GDPR including but not limited to:

  • Inform and advise the Data Controller or the Data Processor and their respective employees who carry out the processing of Personal Identifiable Information of their obligations and monitor compliance with this Regulation.
  • Provide advice and recommendations where requested in relation to Data Protection Impact Assessments and monitor its performance pursuant to Article 35.
  • Cooperate with the Office of Information and Data Protection Commission (Supervisory Authority).
  • Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 (Prior Consultation), and to consult, where appropriate, with regard to any other matter.

GDPR Awareness Training

RSM also offers GDPR Awareness Training services to organisations across industries and sectors. These awareness sessions provide practical knowledge which is beneficial to the organisation as a whole, covering all areas of the GDPR and making sure that employees are fully aware of the obligations the organisation must adhere to with the new Regulation in place. Furthermore, training could be tailored to your needs and specifications, including whether to adopt a classroom style approach or a smaller workshop event.

With having already provided general awareness sessions to over 2,000 client employees, these sessions cover various topics ranging from:

  • The changes from the 1995 Directive to the new Regulation;
  • Security of processing;
  • Recording of processing activities;
  • Consent and the other legal basis for processing personal data;
  • Monitoring of Data Processors;
  • Data Processor responsibilities;
  • Dealing with Data Breaches;
  • International transfers of data;
  • Fines and penalties.

Data Protection Self Assessment 

Should you wish to establish your organisation's awareness and state of preparedness in relation to the General Data Protection Regulation, kindly click this link.

DPO Weekly Digest

If you have been appointed as the Data Protection Officer of your organisation and are actively looking to find a simple yet great way in keeping up-to-date with the latest news, developments and views with respect to the General Data Protection Regulation, follow this link. We at RSM have created a weekly GDPR digest which will include important information about the Regulation for DPOs.


Our team comprises dedicated and professional staff who have the appropriate skill and experience in performing engagements of such nature. The team has several years of experience in carrying out privacy and cyber security risk assessments, implementation of cyber security compliance programmes whilst boasting the relevant GDPR skills including Legal, IT, Risk,  Project Management and Compliance. Being led and guided by key individuals with an accumulated 34 years of working experience with big-four firms, the team has already had the privilege to work hand-in-hand with numerous clients across various industries including Hospitality, Retail, Insurance, Automotive, Gaming, Financial Services, and Government.

Should you be interested in learning more about any of our GDPR services, or wish to discuss how RSM could support you in your endeavours please contact Gordon Micallef or Francois Ganado at RSM Malta.

Contact Us

William Spiteri Bailey


Position: Partner
Contact Number: (+356) 7947 5515   
Email: [email protected]


Contact Us

Vladimiro Comodini


Position: Partner
Contact Number: (+356) 79 846 536
Email: [email protected]

Contact Us

Gordon Micallef


Position: Partner
Contact Number: (+356) 99 451 641
Email: [email protected]