Getting all actors within your organisation on the same GDPR page is nothing short of a formidable change management challenge for any data protection professional. Formidable because it first of all requires a mandate from the top-ranking executives, a mandate that should be clearly communicated to and accepted by everyone involved in the processing of personal data.
Obtaining this mandate requires an internally focused GDPR policy. Why? In the past four years we have seen our share of mandates that were questioned the moment they were given to the data protection professional in charge, i.e. mandates without substance. It is for this reason that we decided to devise the role of Policy maker, a role that has to make certain that this internal GDPR policy becomes a reality.
What is this internal GDPR policy about?
In essence it is about training, awareness and taking stock of potential GDPR risks, about defining a first set of ‘guidelines’ used to plot a course regarding the way the organisation is going to implement the GDPR. Again we tried to learn from our previous corporate experience and decided that this policy should at least incorporate a ‘privacy mission’, ‘privacy rules of conduct’ and an initial ‘GDPR implementation planning’.
1. Privacy mission
Once agreed on, this privacy mission will serve as the organisation’s compass when confronted with challenges regarding the protection of personal data.
2. Privacy rules of conduct
The privacy rules of conduct are directed at all persons within the organisation who are directly or indirectly involved in the processing of personal data. These rules should reflect all data protection principles defined in the GDPR, which are derived from the OECD’s Fair Information Principles. Similar to the creation of the privacy mission, the formulation of the rules of conduct should involve the most important, if not, all stakeholders. Getting them involved again represents a second step towards the implementation of a (top-down) GDPR Training & awareness program as referred to in Art. 39(1)b GDPR.
Once agreed on, these privacy rules of conduct will serve as guidelines when being confronted with difficult decisions, decisions that require finding a balance between the corporate interest and the data subject’s interest.
3. GDPR implementation planning
Once agreed on, the initial ‘GDPR implementation planning’ will serve as the basis to prioritise the execution of the 50+ mandatory privacy activities, i.e. a privacy activity planning representing the technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR (Art. 24 GDPR).
In the next blog we will discuss in more detail how the ‘Planner role’ allocates the execution of privacy activities to the members of a privacy team, ultimately resulting in a detailed privacy activity planning.
The TPF team