GDPR
The 5S model is a good starting point when working with the GDPR
Businesses should work efficiently and the 5S model is a good starting point when working with the GDPR. In order to comply with the GDPR and do so smoothly, it is good to have clear processes.
What is the 5S model that can be used when working with the GDPR?
The 5S model consists of:
- Sort – Sort documents and contracts.
- Structure – Systematise the work.
- Sanitize – Remove unnecessary personal data.
- Standardise – Standardise processes and documentation.
- Sustain – Create good habits.
Use the 5S model at workgroup level
It is more advantageous to use the 5S model at the working group level. In other words, the employees agree together on the parameters of the five S’s. In addition, it is important to create a good structure in order to achieve the best possible results. Management also plays an important role in the GDPR work and therefore it is important that they also engage and believe in the work.
Benefits of streamlining the GDPR work
There are several advantages to having an effective GDPR work through good and clear processes. If it is unclear, it may feel heavier for employees who must comply with GDPR in their daily work and be done in a time-efficient manner. There is also a greater risk that employees will violate the GDPR if there are no clear processes for them to follow.
It is good to remember that the majority of the time employees spend in their work does not go to increasing customer value. The more you can streamline the work, the more time they can spend on increasing customer value.
Sort GDPR-related documents and agreements
Companies need to create different documents as part of their GDPR work. Everything from different types of internal procedures to external information texts and agreements. For example, privacy notices and personal data processing agreements. Which contracts and documents are needed more precisely depends on the situation and circumstances. Therefore, it is good to sort documents into different groups and to name them clearly. A problem that can arise if this does not happen is that new employees do not find the right documents in a smooth way, because there is no clear structure.
Document classification
A good way to sort documents is to work with document classification. In other words, use cloud services, such as Google Drive or SharePoint, to sort documents into different folders with clear headings and version history, so it is easy to find what is needed.
Systematize the work
It is important that information and documentation is available to the right people within the organization. Therefore, it is good to systematize the work and create a well-functioning structure. The information shall be available in a suitable location. Please note that it may be inappropriate to have both sensitive and non-sensitive personal data in the same location, as more security may be required for sensitive personal data.
Removing unnecessary personal data
Companies must delete personal data that is no longer needed for the purpose for which they were collected. It is not uncommon for employees to find personal data that is not needed when they make a process map, and in such cases they should be deleted. It is important to stop processing immediately, as it is only allowed to process personal data that is necessary for the purpose.
Have predetermined dates for deleting personal data
In order not to forget to delete personal data at the right time, it is good to have predetermined dates, such as quarterly erasure. On that day, employees will delete personal data that is no longer needed, such as emails. It can also be useful to use the day to discuss GDPR work, get internal feedback and suggestions for improvement opportunities from employees.
Standardise processes
It is beneficial to create a structure for employees that is standardized. For example, by implementing digital folders with the GDPR documentation, so that it is easy to find. The company should also create standardised processes by developing templates, checklists and other documentation that employees can use in their GDPR work.
Creating habits within the company
In order to create good habits within a company when working with GDPR, the employer should establish internal routines that employees should follow. Within larger companies, it is usually appropriate to have several different types of internal procedures. Here are some examples of areas that companies may need to have routines for:
- Erasure or anonymisation of personal data;
- Handling received requests for erasure of personal data from data subjects;
- Handling, documentation and notification of a personal data breach;
Good to update and improve routines
Routines usually change over time and therefore it is good to create them in a way that makes them easy to change. Employees should have a great influence, as it is they who should implement the routine in practice. In addition, it is important to communicate the changes clearly, so that employees understand and follow them.
Good habits come from above
If the management takes the work of GDPR compliance seriously and communicates it clearly, it will more likely lead to employees under management also doing so. The same goes for managers in the workplace. In order for employees who in practice work with matters covered by GDPR in their tasks to get good habits, it is important that their managers also follow good habits. In order for managers to have good habits, it is important that they in turn have received it from management.
Learn more
Improvement work
Few things are perfect and so is the GDPR work for businesses. There is almost always room for improvement. To improve the work, it is good to take advantage of the employees’ skills and experiences, as they are the ones who work with GDPR in practice in their tasks. A good way of working to make improvement work easier is to work agile. In other words, have a vision and work in stages to try to reach it. Between each stage, it is good to stop, to analyze the work and try to improve it, before the next stage begins.