In the previous article, we explained the initial meeting, the questions we have and the key personnel we talk to in order to get to know the company, its processes and its people. This resulted in a report that will serve as the basis for optimisations and adjustments for our customer in the coming weeks and months.
Implementing the measures means making adjustments in the company on many different levels and with different means. Depending on the size of the company, the appointment of a data protection coordinator (DPC) is a good idea. For larger companies, entire steering committees (SteCo) are an effective means of implementing the measures using project management methods. Based on the aforementioned report, packages of measures are put together with those responsible for implementation and monitoring. Existing tools are often used for this purpose, for example planning software from the M365 Suite. Why do we do this? A large number of companies are already familiar with such solutions and already use them for their own internal projects. JourFixes are arranged with the SteCo or DPC to discuss, monitor, adapt and finalise the measures. The progress is documented.
When prioritising measures, we adhere to the principle of “external impact before internal impact”. This means implementing measures that have an external impact on the customer and the public or where data protection risks or obligations exist.
This includes, for example, the company’s public presence on its websites and social channels. What functionalities and technologies does the website have? Which solutions are used to track visitors and how do you interact with customers and interested parties? Are there web-based forms or is a newsletter offered? How is consent obtained and how are transparency obligations met? To this end, the responsible department and contracted web agencies are consulted and the aforementioned packages of measures are put together and addressed.
Another focal point is the record of processing activities (RoPA), which we maintain in the customer’s system. Legitimis follows the approach “Your data protection – your documentation”. This is why we do not use self-hosted data protection solutions and instead utilise the customer’s systems. We work confidentially with guest access in the customer’s systems, as provided for by Google Suite or M365. When creating the RoPA, we use templates to guide employees. However, even templates are never the final solution, as there is always a need to adapt the descriptions, the systems used and the processors.
Speaking of processors: as already described in the initial meeting, we document processors. We also look at the respective contracts. Long-standing contracts in particular need to be checked and even after 5 years, outdated clauses or invalid BDSG references are sometimes identified. Incidentally, when our customers ask “when will we finally be able to finalise the RoPA?”, we usually answer: “Never, because it is a living document that needs to be adapted, expanded, partially archived and checked at least once a year to ensure it is up to date.” This is because companies change in terms of processes, solutions used and structures. The RoPA must reflect all of this. The RoPA forms the centrepiece of data protection law, so to speak, as all processes, data, systems, processors, deletion periods and more are mapped there.
Just like data protection information on websites, internal documents must also be checked and adapted (keyword: transparency). Are all employees adequately informed about the processing of their own data? Is the information available to all employees in the company (keyword: data protection portal) and are contact details for the data protection officer communicated appropriately? We would be happy to support you with our experience and knowledge in setting up an appropriate place for data protection on your intranet.
It is also important to check whether the data protection policy is in place and still up to date or whether further data protection regulations need to be issued (handling requests for information, order processing agreements, etc.).
Another important point is the issue of training and awareness. After all, guidelines and process specifications are not effective if the company’s attitude towards data protection is not right or employees are not aware of the regulations. This can only be achieved with appropriate training measures that are varied, target group-orientated and sometimes tailored specifically to the company.
In addition to on-site training by our consultants, legitimis also offers training videos, short thematic videos (legitimis KOMPAKT), data protection quizzes and supplementary information material (legitimis InfoDocs). Our video formats in particular can of course be integrated into a company’s own learning management systems.
Implementation must be approached transparently with our contact persons. Understanding and comprehending the measures is crucial for implementation and in some cases it is also necessary to break up established processes and rethink them. Accompanying a company in this process is exciting. So let’s do data protection in your company together.