GDPR, the days after 25th of May - Now what?
CLIMBING TEAMS ON EACH LEVEL
Climbing a summit takes a lot of preparation, perseverance and team effort, and climbing the EU General Data Protection Regulation (GDPR) summit is no exception to this rule. Many organisations have focused on the 25th of May to get their processing of personal data in line with the GDPR. Some of you reached Basecamp and achieved a level of GDPR maturity that satisfies the regulatory obligations. Some of you had other important business to take care of and will start the journey to compliance soon. Some of you made it to the top and were able to embed privacy protection to the fullest extent in your organisation and that of your partners. In other words, we see organisations at different heights climbing the Privacy Mountain.
DPA Privacy can support your climbing trail with knowledgeable guides who will help you decide what will suit you best and then guide you to your goal. That goal can be reaching the summit or getting to Basecamp. You can step in at any level from ‘ground zero’ to the last level before the top. DPA Privacy identifies 5 different levels to reach the top:
1. Start of the trail
Starting at ground zero, the first track brings you to level 1, the ‘start of the trail’. At level 1 the organisation collects and processes personal data, but choices about the processing are made at the execution level. They are made from a personal perspective and depend on the knowledge and expertise of the individual who does the processing. No formal guidance underpins these processes, and no management cycle is in place to plan, do, check and act on privacy choices and incidents. If your organisation is at this level, DPA Privacy can help you reach the next one. To be GDPR compliant you have to climb at least to level 3 (Basecamp).
2. Into the foothills
Moving ‘into the foothills’ brings you to level 2. Here organisations collect and process personal data, and choices about the processing are made on the basis of operational policies and guidelines shared by the data processors within a department. This does not yet happen from an organisation-wide approach but at a (sub-)departmental level, so the learning cycle is limited to that department. Some structural reporting on data protection takes place, but it does not reach the organisation’s dashboard of performance indicators.
3. Basecamp
From level 2, ‘Basecamp’ is in sight. Here at level 3 the organisation collects and processes personal data, and choices about the processing are made on the basis of organisation-wide operational policies, work instructions and guidelines. This takes place through a formally established, top-down decision-making process with an integral, organisation-wide learning cycle. Structural data protection reporting and evaluation takes place, which means top management is involved in governing the progress. DPA Privacy regards this level - and this is crucial - as the minimum level for GDPR compliance: the accountability principle (Article 5(2) and Article 24 GDPR) requires an organisation to be able to demonstrate organisation-wide, documented measures, not merely good practice within individual departments.
4. Slope of the mountain
If we continue our journey we head towards the ‘slope of the mountain’. This is level 4, where organisations collect and process personal data while controlling both the speed and the quality of the processing activities. The operational reality on the slope of the mountain is constantly monitored and adjusted to achieve the organisation-wide policy goals.
5. The summit
Then only ‘the summit’ remains above us: the final track towards level 5. At the highest level there is a strong and explicit link between external requirements, security objectives, general policy, specific policy and implementation. All choices are based on extensive, accurate analysis. This makes it possible to adapt the organisation dynamically on the basis of practical experience and of forecasts from outside the organisation… and the view from the summit is magnificent!