GDPR compliance? Make it tangible

THE REQUEST

For many companies the GDPR (General Data Protection Regulation) is something of an abstraction. For that reason our client asked us to translate the legislation into a concrete GDPR compliance working method, ensuring that the existing information flow, data management, authorisations and archiving meet GDPR requirements. As part of this, all employees had to be made aware of the legislation and adapt their working methods to be GDPR compliant.

OUR APPROACH

With this approach we make GDPR legislation tangible for companies and give their employees the tools to comply, and keep complying, with the relevant legislation. Our approach for this client comprised four phases: analysis, remedial measures, implementation and embedding.

Analysis

The project team, together with the GDPR SuperUsers of the 11 departments in the client's organisation, kicked off by analysing over 850 processes and deliveries. The deliveries were reports containing financial and management information that underpin the correct management and accountability of the entire organisation. Several questions were analysed in this phase. In which databases is personal data processed, and does the GDPR actually apply to it? Which employees are authorised to access these databases, and how are the data carriers archived? Which GDPR issues are encountered, and what needs to be done to make the data carriers, authorisations and archiving of data and databases GDPR-proof?

Remedial measures

The analysis phase showed that 324 of these processes and deliveries carried GDPR issues, in other words risks. After categorising these issues we identified possible solutions. Applying Agile/Scrum methodology with sprint schedules enabled us to address all issues in the existing processes and deliveries, spread over four departments and the 11 teams.

Implementation

In a Brown Paper session we defined improvement proposals for the GDPR risks identified in all the existing processes. Eventually we proposed a completely new GDPR working process, complete with the necessary roles and authorisations. Through implementation training we coached all 252 employees in GDPR awareness and in the new working process. This gave employees tangible tools to ensure that all new processes and deliveries would comply with GDPR legislation in future.

Embedding

Since the GDPR is here to stay, it is important to monitor quality continuously. To this end we set up a complete control framework in which all key risks were translated into key controls and test questions. We trained the business controllers to carry out first- and second-line checks. The results of these checks are now recorded in a dashboard, which shows at a glance the level of quality and the areas where improvements can still be made. In each team a GDPR SuperUser and a Data Coordinator have been appointed to support all employees in applying the GDPR and to guarantee the required level of quality.

THE RESULT

Compliance with GDPR legislation is, of course, mandatory. ITDS helped this client translate that compliance into concrete solutions and methods. The client's entire information flow, data management, authorisations and archiving now comply with GDPR legislation. We implemented new processes that ensure all existing activities are carried out in accordance with the GDPR. A solid foundation has been laid and all 252 employees have been trained in awareness and in the new processes. The client has been made GDPR-proof and will remain so in future.

What opportunities do you see?

We are happy to make an appointment. Call us at 0653778749 or send an email to e.hoekstra@itds.nl.
