Is your organisation GDPR-proof? Here are five tips from our DPO

Published on: 25 January 2019

2018 was undoubtedly the year of data privacy. The GDPR came into effect on 25 May. We were bombarded with tips & tricks. Now that things have calmed down again and the first sanctions are appearing, our data protection officer has five tips for you which you won’t find anywhere else.

Our country now has around 3,540 data protection officers, 2,551 of whom have been appointed since 25 May. Select, too, appointed a data protection officer in 2018. He has the following tips for those of you who still want to make your organisation more GDPR-proof.

Tip 1: Start with data flow mapping

To set up such a mapping, start with three questions: How and where do we gather data? Where do we store that data, and how is it used internally? When is it transferred to third parties?

Put the answers in a table and connect them up to show the data flows. This will give you a clear summary of all the data in your company. It is a major exercise, but afterwards, thanks to the mapping, you can create a processing register much more efficiently and gain a clear overview of all your processors. There will also be no surprises later on, as everything is already included in one summary.

In the event of an inspection, this kind of mapping, together with a processing register, is the perfect way to show all the personal data in your company clearly and at a glance. Do you already have a processing register? Then it may be worth clarifying or updating it.

Tip 2: Appoint a responsible person and follow a phased plan

Satisfying the many requirements is a major, time-consuming challenge for every organisation. If the responsibility for satisfying all these requirements lies with different people, it is difficult to coordinate. Therefore, create a phased plan with deadlines: this makes progress easier to monitor and means you can clearly tell the authorities which activities were carried out, and when.

This is separate from the obligation to appoint a DPO. If there is a DPO, I naturally advise that you ask this person to coordinate everything.

Tip 3: Awareness is key

Select currently has over 20 offices. In the run-up to 25 May, we visited every office to train each employee. I believe this is really worthwhile, as a webinar generally does not get people’s full attention and fails to generate the same level of interaction. In person, you can also emphasise internal procedures and guidelines and how they are actually implemented, as well as answer practical questions.

Besides the training, we also provided informative brochures and awareness material on the intranet, but in our experience face-to-face training is the most effective.

By visiting each office you ensure that privacy is associated with a particular person. Everyone then knows who to contact. And, as DPO, you also find out more about the company. For example, there may be security cameras that you didn’t even know about and which generate further obligations.

Tip 4: Clear communication works best of all

Transparency is a must. At Select we also go a step further. We do not stop at a short privacy declaration, but also add an extensive description of our methodology. The details can be found on our website, but we also always explain them in person. Furthermore, we have updated all of our internal documents: work regulations, laptop and car policy, employment contract, etc. Our employees are fully up to date on what happens to their personal data, and when.

Transparency applies to internal guidelines too. The clearer they are, the more they are respected. For example, explain why there is a clean desk policy, why a shredder should be used and why personal data may only be kept for a certain length of time. The GDPR requires significant changes at the start; however, at Select I notice that people really understand the protection of personal data. Furthermore, we wish to continue providing a quality service at Select. Being transparent about the protection of personal data is therefore not only a duty under the GDPR, but also our personal duty.

Tip 5: Think about your security!

Although warnings may be given, sanctions have already been issued. If we look at the sanctions issued by foreign authorities, they mostly concern security. Data leaks are the biggest culprits. It is therefore best to do everything you can to avoid them, both online and offline. This is also our priority at Select. It is also recommended that you take security in general seriously and implement the necessary measures.

What does our DPO do?

My range of tasks as a DPO is very wide. First of all, I am the point of contact for everything that concerns privacy. I inform and advise our employees and ensure that the requirements are met within the company. This is done through inspections and audits.

I also create processing registers, risk analyses, an incident register and a policy plan, and keep these up to date.

I track ongoing projects and new developments, and review policies, guidelines and processor agreements. Everything is focused on the GDPR, data protection and continuing our quality service.