Christelle Amodio, Business Manager at EBRC, Aline Moyret, Governance Risk & Compliance Practice Lead at EBRC, and Stéphane Omnes, Data Protection Officer at Post Luxembourg, discussed the issue during a webinar organised by EBRC and dedicated to the management of the GDPR. For them, being compliant with the GDPR at a given moment is no longer enough. Companies evolve - new services or products appear, others disappear - and with them, the processing of their data changes too. It is therefore urgent to move beyond a per-project approach and implement a genuine personal data protection management system.
Manage your GDPR compliance with a control framework based on 9 topics and 24 control points
The approach proposed by EBRC is part of a risk management policy based on a control plan. The control plan makes it possible to take stock of the company's compliance, to identify areas for improvement, to give feedback to the various stakeholders, whether business line managers or management, to re-assess the risks and to update policies and procedures in order to continuously improve the data protection management system.
The control plan is based on 9 topics: governance and its methods, the register of processing operations, compliance, Privacy by Design, data subject rights, data breaches, subcontractor management, business customer management and security. These 9 topics are broken down into 24 control points, each of which has been mapped to the GDPR-CARPA (Certified Assurance Report-Based Processing Activities) certification scheme, drawn up by the National Data Protection Commission (Commission Nationale de Protection des Données - CNPD), and to ISO/IEC 27701, the international standard for data protection.
Protecting your sensitive information - three levels of responsibility: from business line managers to internal auditors
Based on this compliance framework, there are three levels of control. The first level is the responsibility of business line managers. Their main task in this respect is to carry out, at regular intervals - generally twice a year - a self-assessment of their compliance with the GDPR. The second level is the responsibility of the Data Protection Officer and their team. They audit the business line managers on a regular basis, analyse their responses and challenge them on their self-assessment. The objective is to measure the status of their compliance with reproducible indicators (KPIs) and to identify the points that have been improved and those that still need improvement, the residual risks and any lack of resources allocated to compliance. The results and the action plans to be implemented are then documented in reports that provide feedback to management and specialist committees, giving them more visibility on the implementation of GDPR compliance. The third level of control is provided by internal audit.
The benefits of this data protection management system are manifold. You continuously monitor and control your GDPR compliance. You manage the risks. You inform and educate all stakeholders about their level of responsibility in handling personal data. What's more, the approach is simple - all you need is an Excel spreadsheet to create a single, decentralised dashboard - a solution that is pragmatic, agile, iterative and adaptable to any industry, regardless of the size of your business.