Three years ago, many companies were working towards GDPR compliance as a result of the binding European regulation. Does that imply that today GDPR is no longer a hot topic? No! As we have seen in practice in recent weeks, even semi-public organizations like the GGD did not comply with GDPR and its required security measures. This came to light through a data breach involving fraud, after which the organization was placed under special supervision by the AP (Autoriteit Persoonsgegevens). The result was severe long-term consequences, including bad publicity and decreased customer trust.

3-phased approach

At BearingPoint, we have assessed the application landscapes of multiple companies, where we identified the risks of handling personal (customer) data and defined mitigating actions to resolve those risks. Based on this work, we developed a 3-phased methodology to mitigate the major compliance risks with minimal effort.

BearingPoint developed this 3-phased approach which can optionally be supported by an awareness and employee training program:

  • Phase 1 - Quick scan assessment: select high-impact applications
  • Phase 2 - Determine, approve and implement retention periods
  • Phase 3 - Create a customer-centric privacy way of thinking

By executing a quick scan in phase 1, the applications that process the most sensitive personal data are assessed and risk-mitigating actions are defined. Through this approach, retention periods are implemented with minimal effort for, for example, SAP, Salesforce and other applications, mitigating roughly 80% of the compliance risk.

Phase 2 is about actually changing the business by executing workstreams focused on the high-risk applications. The aim here is to build up retention policies, wrapped in user stories, that are ready for implementation and meet GDPR requirements without affecting current business activities. The result is a set of secured and compliant applications, resolving the severe compliance risks.

In phase 3, after the major risks have been mitigated, organizations can be transformed into outstanding customer-centric privacy organizations by embedding personal data insights and protective measures in the existing organizational structure, building on the proven BearingPoint Information Management principles.

How we can help

We created a proven approach that leverages our valuable, multi-disciplinary project experience. The initial focus is on mitigating the major risks in the application landscape, but this approach is part of the broader BearingPoint Information Management knowledge stream.

At BearingPoint, we guide and support organizations in mitigating compliance risks and in embedding a proven information management governance structure that is integrated into the organization’s processes, products and culture.

Feel free to reach out as we are happy to elaborate on our phased GDPR approach and our overarching Information Management proposition.


Author

Vincent Huissen

Senior Business Consultant / Information management specialist

vincent.huissen@bearingpoint.com