We continue our three-part series of articles, which are intended to give you an insight into our work and approach at the various stages of taking on a mandate.
We started with the initial meeting, then explained the implementation of the necessary measures identified, and in this article we outline day-to-day operations with us as your data protection service provider.
Anyone who believes that everything is now done regarding the identified measures is mistaken, because now it’s time for us to support you in your day-to-day business in various areas.
Depending on the data protection organisation, the exchange between our customers and their dedicated legitimis consultants takes place on the basis of regular meetings or discussions. This takes place together with data protection coordinators or, on a larger scale, in a so-called data protection committee. We discuss the importance and tasks of data protection coordinators in the following article.
Experience has shown that there are many different possible scenarios for how we can be involved and provide support in day-to-day operations. We would like to explain these in more detail:
Direct exchange with employees via telephone, ticket system or LiveChat
Our customers’ employees can contact us directly. We want to keep the contact threshold as low as possible so that we can be integrated effectively. Here, integration via MS Teams in your own Microsoft tenant is a good way to make contact easily. Sometimes a small question can be clarified in no time at all in this way, the so-called “short route”. Fast and personal!
In addition, a regular e-mail-based helpdesk is also available to our clients for enquiries, issues and questions relating to data protection.
Dealing with enquiries and topics together with data protection coordinators or the committees
At the meetings mentioned above, open points are discussed or enquiries from other employees are answered on their behalf. Using simple project management tools, we track the major and minor issues together and transparently in corresponding activity lists.
Concrete enquiry from project groups for system introductions or process changes
It is preferable to involve the data protection officer in larger projects at an early stage. We then look at the associated contracts, necessary data protection information or the technical and procedural implementation. Early involvement is crucial here, as it always is.
Enquiries from purchasing departments and the review of contract documents relevant to data protection
“We have now received this data processing agreement. Can we sign it like this?” This, or something similar, is the legitimate question from Purchasing when it comes to integrating new service providers. Enquiries from the purchasing department regarding a data processing agreement to be concluded are often also an indication of new projects in the company where the data protection officer has not been integrated. This gives us the opportunity to proactively approach the parties involved. It is also important to note here that processors must be documented in the record of processing activities.
Participation in department meetings or organisation of workshops
Sometimes topics are difficult to communicate only by email or in one-to-one discussions; sometimes topics or questions are unresolved in an entire department and do not find their way to us. In such cases, an invitation to a workshop or participation in departmental meetings may also be appropriate.
Employee training
Raising awareness is an important topic. How do we familiarise employees in the company with the topic of data protection: as in-person training on site, as a training video or in the company’s own learning management system? We will discuss this with you and find the best solution for your needs. We summarise current topics, important changes and news for you and your employees in easy-to-understand articles. We make these available to you on a regular basis. We also have experience with the independent publication of information on the company’s own intranet and ensure that the topic of data protection remains a talking point and that a “data protection culture” develops within the company.
Support for external data protection audits
Our customers, especially those who act as processors, are sometimes also audited. This means that the data protection measures implemented in the company are checked, either on site or document-based. It is also necessary to regularly check your own service providers. Regardless of whether you carry out the audits or are audited yourself, we support our customers during the audit, starting with planning and coordination, through preparation and implementation, to follow-up and rectification of any findings.
Data protection incident and request for information
Of course, data protection incidents are also a possible scenario. If data reaches the wrong recipient, subcontractors report a data outflow or the classic request for information reaches the company, we liaise with the people involved in the matter and, if necessary, take over communication with service providers, data subjects, or supervisory authorities. That is what we are here for and that is our service to you.
These are some possible scenarios of how we work together with our customers on data protection. Of course, sometimes the customer’s capacities are limited or responsibilities change. Data protection coordinators rarely work full-time, but rather on the side. In such cases, measures may have to be postponed or others brought forward. This is normal and ultimately we want you to be well organised and your employees to know who they can turn to.
Last but not least, we don’t want to ignore the personal factor. As a rule, we work with our customers for many years, because in addition to the legal and technical aspects, there is one thing above all that must be right between the customer and us: the personal side. After all, data protection is always about change management and constantly adapting to new circumstances for the company and its employees. This is exciting, just like data protection in general.