DPA Privacy can support your climbing trail with knowledgeable guides who will help you decide what will suit you best and then guide you to your goal. That goal can be reaching the summit or getting to Basecamp. You can step in at any level from ‘ground zero’ to the last level before the top. DPA Privacy identifies 5 different levels to reach the top:
1. Start of the trail
Starting at ground zero the first track brings you to level 1, the ‘start of the trail’. At level one, the organisation collects and processes personal data whereby choices about the processing are made on the execution level. This takes place from a personal perspective and depends on the knowledge and expertise of the individual that does the processing. No formal guidance stands at the basis of these processes and no management cycle is implemented to plan-do-check and act on privacy choices and incidents. If your organisation is at this level, DPA Privacy can help you rearch the next level. To be GDPR compliant you have to climb at least to level three (Basecamp).
2. Into the foothills
But to stay on track, moving ‘into the foothills’ means looking at level 2. Here organisations collect and process personal data whereby choices about the processing are made based on operational policies and guidelines that are shared by the departmental data processors. This does not yet take place from an organisation-wide approach but rather on a (sub-)departmental level. The learning cycle is therefore limited to the department only. Limited structural reporting takes place about data protection, but it doesn’t end up in the organisational dashboard of performance indicators.
3. Basecamp
From level 2, ‘Basecamp’ is in sight. Here at level 3 the organisation collects and processes personal data, whereby choices about the processing are made based on organisation-wide operational policies, work instructions and guidelines. This takes place from a top-down formal and broad established decision making process with an integral and organisation-wide learning cycle. Structural data protection reporting and evaluation takes place implying that top-management is involved in governing the progress. The GDPR sees this level - and this is crucial - as the minimum level for data protection compliance.
4. Slope of the mountain
If we continue our journey we will head towards the ‘slope of the mountain’. This is level 4 and here organisations collect and process personal data, whereby the speed and quality of the interactions are controlled. The operational reality at the slope of the mountain is constantly monitored and adjusted to achieve the organisation-wide policy goals.
5. The summit
Then there is only ‘the summit’ above us, the final track towards level 5. Arriving at the highest level, there is a strong and explicit link between external requirements, security objectives, general policy, specific policy and implementation. All choices are based on an extensive, accurate analysis. This results in the possibility to dynamically adapt the organisation based on practical experiences and prognoses from outside the organisation… and the view from the summit is magnificent!
