PONT Data&Privacy


AVG: test your processes

And suddenly there was the dreaded privacy law. The General Data Protection Regulation. The AVG. It seemed like every company was concerned about customer privacy. Well, concerned. It was mostly about the fact that companies wanted to show that they were "working on it." Because practice still shows otherwise.

12 March 2019

The first quarter of 2018: the mailbox just about exploded. Every company emailed that if you wanted, you could see your own data. That you could opt out of the newsletter. That your data were really well secured after all. And often in this kind of wording:

"On May 8, we sent you an email regarding our tightened privacy statement. Our privacy statement has been tightened due to the new privacy law. This law will take effect May 25, 2018 and applies to all organizations that process personal data within the EU."

A lot of companies that process personal data were primarily concerned with being compliant with privacy laws. What that means exactly is still not clear to many companies. It is often thought that as an organization you are done once you have a number of processing agreements and a register in which all your processing operations are listed. Unfortunately, this is not the case.

AVG Paperwork
In addition to all the "paperwork", which of course includes the documents mentioned above, there are a few more steps that are often forgotten. Think about training your employees, creating support in the different departments for handling personal data with care, and testing the processes.

Testing those processes and getting to the bottom of where privacy-sensitive data is being processed is still a tall order. In the past year I have noticed that a lot of data is processed "everywhere" within organizations. By this I mean that a customer, for example Mr. Johnson, is known in department A and also in department B, but neither department knows that the other is processing data of the same Mr. Johnson.

In addition, there is a huge shadow administration of personal data. Imagine an organization has a policy of processing data in a certain program. That way, anyone who needs to can find the right person in that program. And if necessary, the data can be erased, so to speak, at the touch of a button. But yes, that program is considered annoying because a certain field is missing, a note field or something. So that's where Microsoft Notepad comes in insanely handy. The employee then writes a whole report in it, and that report never ends up in the program the organization intended to be used. Then consider how you can exercise your right to be forgotten when no one knows anymore where your data is actually stored. Purely because of these shadow records.

Importance of testing
So, in addition to all the AVG documentation, it is important to test the data processing processes (or have them audited). In my opinion, this kind of testing should be part of the work processes and should be carried out regularly. This makes it possible to determine whether a process needs to be tightened and where to act.

This article can also be found in the AVG file
