GDPR Learning Hub

Overall working methods with GDPR

There are several general working methods for GDPR that are good to know about and start implementing.

A good starting point is to involve everyone in the business

It is good to involve everyone in the business in the work with GDPR. The management works with GDPR at a strategic level, but it is the employees who work with GDPR in practice in their daily work. Therefore, employees can have very good skills and knowledge in how it is possible to improve and streamline the data protection work. In addition, it can be good for work ethic, creativity and the work environment to involve employees and make them feel that they are contributing to improvements. 

Some general working methods with GDPR

Working Agile with GDPR

It is good to work agile with GDPR, in order to easily adapt the data protection work to changes. In addition, it can make it easier to regularly improve the work and involve employees in it, which can, among other things, increase creativity. Put simply, an agile way of working is when you work in different stages towards an overall vision. Between the stages, there is room to analyse the work and to improve it for the next stage. It is important to paint the vision for the employees during the work, so that they can strive to achieve the goal.

Process mapping

In order to create as efficient and clear processes as possible, it is good to start by doing a process mapping. In other words, employees go through how they access and process personal data in their daily work. It is good to do this in groups, such as each department, because the employees within the same department usually process the same types of personal data.

Examples of common processes that take place daily within companies:

Logging and storing information about which employee has used their access badge to access workplace premises.

Registration of personal data in connection with the IT department creating login credentials or providing support to employees.

Collection of data subjects' usernames on social media, in connection with the company providing customer service through its social media.

Registration of jobseekers as part of the recruitment process, when they submit their job applications to the company.

The 5S model

A good starting point when working with GDPR is the so-called 5S model. It is a transparent model whose parts are well suited to implementing in the practical work of complying with GDPR.

Sort - Sort documents and contracts

Companies need certain GDPR-related contracts and documents. What exactly is needed requires an individual assessment. It is good to sort the documentation, so that it is easy to find if necessary.

Structure - systematise the work

It is good to systematise the process for how employees may find the necessary information. For example, a folder for internal procedures, such as how the company should proceed when a data subject requests to have their rights fulfilled. It is important to think about creating a good structure to streamline the work.

Sanitize - Remove unnecessary personal data

Companies shall delete personal data when it is no longer necessary for the purpose for which it was collected. Another option is to anonymize it. This applies to everything from emails containing personal data, call logs on the phone to notes and more.

Standardise - Standardise processes and documentation

In addition to the importance of teaching how to work with GDPR in practice, it is also good to describe it in writing. Through written policies, procedures, templates and checklists, data protection work can be standardised. In addition, it is good to constantly try to improve the data protection work and to involve employees in the improvement work.

Sustain - Create good habits

In order for employees to comply with GDPR in their daily work, it is good to create good habits. It is positive to let employees have an influence on data protection work, as it can increase creativity and motivation while giving them a better understanding. In addition, it is good to create habits that are easy to change, as the work with GDPR is rarely static.

Improvement work

It is important to always try to improve the work with GDPR over time. To be able to do that, it is good to involve everyone in the business who works with questions about GDPR in their tasks. By doing a process mapping and working agile, there are good chances of discovering improvement opportunities and being able to act on them.

Data protection culture within companies

When talking about the data protection culture within a company, it is usually about the norms, values and attitudes that lead to how employees within a company act. It is therefore important to have core values, which do not change even though the work develops over time. Companies should strive to build a strong data protection culture that forms part of the entire organisational culture. 

Education at the heart of the data protection culture

GDPR consists of a comprehensive set of rules and there may be a lot to keep track of. This is especially true for larger companies, with many employees divided into different departments, that process a lot of personal data. It is positive to have education at the heart of the data protection culture, in order to provide employees with the best opportunities to comply with GDPR in practice.

Learn more

Organizational measures that the company can take to comply with the GDPR

Companies must take appropriate technical and organizational measures to protect the personal data being processed and to comply with the other rules of the GDPR, for example to be able to fulfil the rights of data subjects. Some common examples of organisational security measures are the establishment of internal procedures, the implementation of access control, the training of staff and the conduct of impact assessments.
