How to start Syntec Numérique’s GDPR compliance project?
What’s the first step?
At the risk of making you smile on such a serious subject, the first step is taken by management, in this case myself, as Managing Director. It’s my responsibility to the association to provide and organize the necessary resources for this project, in which Syntec Numérique must, as always, we hope, be exemplary.
So my first decision was to recruit an additional person to strengthen our legal department from the end of 2017 with the main task of managing Syntec Numérique’s compliance project.
The advantage of entrusting this task to someone new to our organization is that they will inevitably take a systemic approach. As he or she doesn’t know where the personal data is, who uses it and why, the approach must cover all our activities and processes. A “veteran” of our organization would go straight to the essentials, members and staff, at the risk of missing practices or work habits of one person or another that are unknown even to senior management.
The next step is to set up a kick-off meeting, explaining what’s at stake and the benefits of working on this project as a team, all together. A unique opportunity to revisit our operations and further improve our procedures, to strengthen our security in terms of information systems, with a commitment: to review everything together every 2 weeks. Everyone has to play along, so as not to slow down the work.
What are the first steps?
Initially, our project manager took the initiative of compiling all the job and mission descriptions. We do this internally as part of our AFNOR quality certification (Quali’op standard). This is a real asset, as our job descriptions are constantly updated and reflect the full range of tasks carried out by each Syntec Numérique permanent employee.
Based on these job descriptions, our project manager is currently interviewing everyone to understand and identify the cases where personal data is processed or archived.
The results may surprise us, because we don’t always suspect all the cases when we think only of CRM and HR management systems!
Which tool?
At the same time, our project manager is compiling a list of existing tools and will no doubt be attending demonstrations of data mapping software. I’ll come back to this point later to suggest some selection criteria, without of course making any recommendations, as there are many solutions on the market, each with its own advantages and disadvantages. You’ll have to choose according to your own criteria and situation.
To conclude?
As my legal managers tell me when I urge them to move even faster in the process: don’t confuse ends and means! Don’t confuse speed with haste when it comes to GDPR compliance.