Policy Maker: getting everyone on the same GDPR page

Getting all actors within your organisation on the same GDPR page is nothing short of a formidable change management challenge for any data protection professional. It is formidable because it first of all requires a mandate from the top-ranking executives, a mandate that should be clearly communicated to, and accepted by, everyone involved in the processing of personal data.

Obtaining this mandate requires an internally focused GDPR policy. Why? In the past four years we have seen our share of mandates that were questioned the moment they were handed to the data protection professional in charge, i.e. mandates without substance. It is for this reason that we decided to devise the role of Policy Maker, a role that has to make certain that this internal GDPR policy becomes a reality.

What is this internal GDPR policy about?
In essence it is about training, awareness and taking stock of potential GDPR risks, and about defining a first set of ‘guidelines’ used to plot a course for the way the organisation is going to implement the GDPR. Again we tried to learn from our previous corporate experience and decided that this policy should at least incorporate a ‘privacy mission’, ‘privacy rules of conduct’ and an initial ‘GDPR implementation planning’.

1. Privacy mission
The privacy mission, based on the six principles relating to processing of personal data in Art. 5(1) GDPR, constitutes the first part of an internally focused privacy policy. As with all missions, it should be the result of a process involving the most important, if not all, stakeholders. Why? Because it is not only the privacy mission itself that is important. Getting the most important stakeholders involved is maybe even more important, as it represents the first step towards the implementation of a (top-down) GDPR training and awareness program as referred to in Art. 39(1)(b) GDPR.
Once agreed on, this privacy mission will serve as the organisation’s compass when confronted with challenges regarding the protection of personal data.

2. Privacy rules of conduct
The privacy rules of conduct are directed at all persons within the organisation who are directly or indirectly involved in the processing of personal data. These rules should reflect all data protection principles defined in the GDPR, which are derived from the OECD’s fair information principles. Similar to the creation of the privacy mission, the formulation of the rules of conduct should involve the most important, if not all, stakeholders. Getting them involved again represents a second step towards the implementation of a (top-down) GDPR training and awareness program as referred to in Art. 39(1)(b) GDPR.
Once agreed on, these privacy rules of conduct will serve as guidelines when being confronted with difficult decisions, decisions that require finding a balance between the corporate interest and the data subject’s interests.

3. GDPR implementation planning
The final part of the internal privacy policy is the initial ‘GDPR implementation planning’, which is the output of a Privacy Quickscan survey. This is a survey asking its recipients to qualify the level of implementation of the 50+ mandatory privacy activities the GDPR requires organisations to execute, and as such it represents the third step towards the implementation of the earlier mentioned (top-down) GDPR training and awareness program as referred to in Art. 39(1)(b) GDPR.
Once agreed on, the initial ‘GDPR implementation planning’ will serve as the basis for prioritising the execution of the 50+ mandatory privacy activities, i.e. a privacy activity planning representing the technical and organisational measures taken to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR (Art. 24 GDPR).

In the next blog we will discuss in more detail how the ‘Planner role’ allocates the execution of privacy activities to the members of a privacy team, ultimately resulting in a detailed privacy activity planning.

The Privacy Factory editorial team
