Have you placed your trust in us and commissioned us to become your external data protection officer? Then we start with what is known as the initial assessment. This is about getting to know the client. Of course, we already know a lot about you from our discussions, but that is not enough. We therefore start with an analysis of the company organization, i.e. the various departments and their tasks. How do they work? Which systems are used? Are there interfaces, special networks or overlapping areas of responsibility?
First and foremost, Legitimis naturally looks at the departments that work most intensively with personal data. It is also important for us to get to know the people in charge of these departments personally, because not only during the inventory, but also afterwards, we will be in contact again and again to support and implement the necessary measures. Legitimis holds personal discussions, but also works with questionnaires and analyses process descriptions and existing guidelines.
In addition, an impression is gained of the corporate culture and the associated data culture in the company. How do the departments and their employees handle personal data? Do they use data sparingly or is every document stored in different places twice or three times? Are the same systems used across departments or does each department cook its own “data soup” with different systems and storage locations? The range of project management solutions alone, whether prefabricated or self-programmed, is endless.
A key focus is the identification and documentation of processors. Many companies rely on cloud-based solutions and manage their data in the browser instead of on their own servers. Whether it’s digital personnel files, customer data management or employee training and awareness, many things are in the cloud or outsourced to service providers. Why is one of the main focuses on service providers? Because the documentation in the record of processing activities also includes the transfer of data to processors and third parties. It should also be known whether data is transferred to third countries.
One of the most frequently asked questions in connection with the inventory is the question of deletion, i.e. how long data may be stored. Collecting personal data is not difficult. However, it is not always easy to delete data again, taking into account the applicable retention periods. Legitimis supports you here with the relevant information.
Particular attention is paid to the HR department, which manages employee data. Are the data protection obligations up to date? How is the data of applicants and employees handled and are all aspects of the information obligations towards employees and applicants fulfilled? Awareness-raising and training measures should also be considered. Has training on data protection already taken place? Can an internal learning management system (LMS) be used?
The marketing department usually operates a customer data management system with a large amount of data on contact persons, interested parties or subscribers to information offers such as newsletters or webinars. An analysis of the website and the various social media presences “with data protection glasses” is essential in order to evaluate the company’s public image and identify any need for action. Often, an internal intranet presence is also operated with a wealth of information about the company and its employees. Legitimis does not miss the opportunity to gain an insight here either.
Both departments are important points of contact for taking stock. However, finance, controlling, payroll accounting, occupational health and safety, employee representation and, not forgetting, the IT department are also the subject of an in-depth analysis. Basically, you can also start with a 6W question in data protection: WHO does WHAT, with WHICH personal data, FOR WHAT PURPOSE and on WHAT legal basis?
Of course, all this information could be collected in countless video conferences and emails, followed by piles of Excel spreadsheets or online forms. We have those too. But people and personal contact are also important to us, so an on-site visit cannot be avoided, because data protection also needs to be considered on site, not least in order to assess your existing technical and organizational measures appropriately. Video surveillance or visitor management? We take a closer look.
The assessment ends with a report to the management, combined with a catalogue of measures for the implementation of the future data protection management system. Getting to know a company with its people, processes and systems is exciting and always a new experience for us. It’s as exciting as data protection.