We are happy to support you in implementing and maintaining your privacy organization
Gone are the days when protecting personal data at companies had to be implemented. Companies have made extensive investments in training, but have failed to organize knowledge and change management and incorporate structural measures into business processes “by design.”
Companies allocate limited budgets for protecting personal data or incur extensive costs by appointing officers as part of risk and compliance management. Only limited business process support IT systems that organize business activities have management, security and compliance measures that effectively shield data. The trained employees have since left or are performing other duties.
The legislature is not sitting still and is using the GDPR for other areas of legislation (for example, regulating the use of artificial intelligence, the AI Act) and the regulator is coloring the legislation with guidelines. There is an expectation gap.
What is the expectation gap?
Lawmakers have discovered the beauty of the European General Data Protection Regulation (GDPR). In general, personal data is reliable, confidential and available to a person of concern. If the individual determines that the quality of personal data is inadequate then the GDPR gives the individual a range of tools to hold the controller; the company or institutions, accountable. In parallel, the law requires the data controller to be compliant with legal and contractual obligations so that personal data is demonstrably effectively protected. This legislative complex applies to many laws and regulations; for example, for the application of artificial intelligence, the AI Act. As a result, the GDPR is being used by more and more other legislation to give rights to individuals; data subjects and impose obligations on data controllers; companies and institutions.
European regulators explain legislation in guidelines, see: Guidelines, Recommendations, Best Practices and national supplementary rules. It is notable that regulators are stretching the obligations on data controllers by requiring, for example, effective operation of management, security and compliance measures in place. Companies and institutions can only meet these requirements if they build into their processes (by which business activities are organized) the management, security and compliance measures “by design” creating a situation that business operations are “by default” compliant with legal and contractual data protection obligations; thus effectively protecting personal data.
In its Focus DPA 2020 – 2023, the Dutch Data Protection Authority emphasizes the supervision of the effective protection of personal data. We see a series of fines, especially at government organizations, see fines and other sanctions. From the annual reports of the Dutch Data Protection Authority, it is difficult to distill a clear picture of the status of companies in how they are organized to effectively protect personal data.
When organizing the effective protection of trade secrets, the court expects an inventory of the trade secrets, an overview of the control measures and proof that the measures have worked effectively. The AI Act assumes that a company handles personal data responsibly, does not harm an individual’s interests and is accountable for applying artificial intelligence fairly.
For many organizations, expectations regarding effective protection of (personal) data from legislators, regulators and individuals are higher than the management, security and compliance measures actually in place in (primary) processes. Without the necessary privacy implementation and management that follows expectations, the gap will continue to widen.
What is our approach?
We are always adapting Data Protection Officer (FG) training and related training programs for new legislation and regulators’ interpretations of legislation. We know the impact of new legislation and interpretations of regulators on the organization of business activities.
If a company sees the interpretations of the legal framework as a duty, we can imagine that “there’s no hope”. It is also possible to view the guidelines of the supervisors from the perspective of business operations. This broader perspective offers opportunities to effectively organize company and personal data, as well as trade secrets, while at the same time keeping liability and cost risks manageable.
The plan of approach for the implementation of the next phase, protecting company and personal data and trade secrets, is based on a business case.
Implementation
Based on the organization of the business activities, the signals from employees to organize business processes more effectively and the assessment that employees are prepared to handle the business processes, we draw up an action plan. We discuss the action plan with clear milestones and products with the company management and department management. After an agreement, we implement the plan in collaboration with the employees.
The implementation can relate to various points of attention. In general we can mention:
- Overview and insight create responsibility domain of entities and partnerships;
- Using legal operations with partners (customers, employees and suppliers), in a systematic manner, agreeing coordination and processing agreements and setting up contract management;
- Based on the organization of business activities, inventory and record processing of personal data and trade secrets, document the control measures and collect evidence of effective operation;
- Record incidents resulting from the passing on of management and security measures and promote them to data leaks, documented or otherwise;
- Continuously make employees aware and train them;
- Include control measures aimed at protecting personal data “by design” in the business processes with which the business activities are organised; and
- Targeted and insightful compilation of management reports.
The scope of the steps to be taken is to protect company and personal data and trade secrets. The protection of data is organized in a process and supported by IT resources.
Maintenance
The project leader invests the results of the implementation in the business organization. The department management and employees take over the management and take care of maintenance. The company management periodically enables management and employees to take note of new developments in the field of protecting personal data and trade secrets.
Submit your question to our experts
Questions about our services? Feel free to contact us, we are happy to help you.