GDPR compliance? Make it tangible
For many companies GDPR (General Data Protection Regulation) legislation is somewhat of an abstraction. And it’s for this reason that our client asked us to translate legislation into a specific GDPR compliance working method, ensuring that the existing information flow, data management, authorisations and archiving comply with GDPR requirements. In this context, all employees had to be aware of the legislation and adapt their working methods to be GDPR compliant.
Thanks to our approach, we make GDPR legislation tangible for companies. We also give companies’ employees the tools to comply, and keep complying, with the relevant legislation. Our approach for this client comprised several phases, namely: analysis, remedial measures, implementation and embedding.
The project team, together with the GDPR-SuperUsers of the 11 departments from the client’s organisation, kicked off by analysing over 850 processes and deliveries. These were reports with financial and management information that support the correct management and accountability of the entire organisation. Several questions were examined in this phase. In which databases is personal data processed, for example, and does GDPR actually apply to them? Which employees are authorised to access these databases, and how are the data carriers archived? Which GDPR issues are encountered, and what needs to be done to make the data carriers, authorisations and archiving of data and databases GDPR-proof?
During the analysis phase it transpired that 324 processes and deliveries were susceptible to GDPR issues and therefore posed risks. After categorising these issues we identified potential solutions. Applying Agile/Scrum methodology and working in sprints enabled us to address all issues in the existing processes and deliveries, spread over four departments and the 11 teams.
In a Brown Paper session we defined improvement proposals for the GDPR risks that were identified in all the existing processes. Eventually, we proposed a completely new GDPR working process, complete with the necessary roles and authorisations. By giving implementation training, we coached all 252 employees in GDPR awareness and in the new working process. This gave employees tangible tools to ensure that all new processes and deliveries would, in future, comply with GDPR legislation.
Given that the GDPR is not of a temporary nature but here to stay, it is important to monitor the quality of compliance continuously. To this end we set up a complete control framework in which all key risks were translated into key controls and test questions. We trained the business controllers to carry out first- and second-line checks. The results of these checks are now recorded in a dashboard, which makes it possible to see, at a glance, the level of quality and the areas in which improvements can still be made. In each team a GDPR SuperUser and a Data Coordinator have been appointed to support all employees in implementing GDPR and to guarantee the required level of quality.
Compliance with GDPR legislation is, of course, mandatory. ITDS helped this client translate that compliance into concrete solutions and methodologies. The client’s entire information flow, data management, authorisations and archiving now comply with GDPR legislation. We have implemented new processes that ensure that all existing activities are carried out in accordance with GDPR legislation. A solid foundation has been laid, and all 252 employees have been trained in awareness and in the new processes. As a result, the client has been made GDPR-proof and will remain so in future.