Project management: the road to the GDPR privacy law

Since 25 May 2018, the new European privacy law (GDPR) has applied. Ahead of this date, consultant Madelon Snel was asked to assist the Credit Exchange Group privacy expert as project manager during this implementation challenge. Various substantive improvement actions had already been initiated, but to be compliant with the legislation, awareness in the field of privacy and information security had to be greatly increased.

The start

Within the privacy project team, a working group ‘Communication & Change’ was formed. Together, this working group drew up a plan that included the objectives, message and desired perception for internal communication. On this basis, plans and updates were communicated weekly via intranet, narrowcasting and personal channels.

Privacy pioneers

To increase support across the entire organisation, a staff member in each department was asked to take on the role of privacy pioneer. A privacy pioneer is an employee with above-average knowledge in the field of privacy. He or she serves as a point of contact for colleagues and identifies possibilities for improvement. In addition, the privacy pioneer acts as an ambassador and motivates colleagues to deal with privacy and information security in a proper manner. The privacy pioneers meet each month for a knowledge session, workshop or skill training. They also work together as a community through a collaborative platform, where they share, for example, best practices or requests for help.

Broader initiatives

To increase overall awareness, all employees were obliged to follow an E-learning ‘privacy and information security’. All employees had to pass a test, which must be repeated annually. Awareness was also tested in other ways. For example, the office in Rotterdam was visited by a ‘mystery guest’, the front office was called by a ‘mystery caller’ and a ‘phishing test’ was performed among all employees. Members of the project team also carried out weekly checks of workstations and left green and red cards at workplaces.

Awareness in order

Through the integral ‘communication & change’ approach, awareness in the field of privacy and information security proved to be sufficiently in order when the new European privacy law came into force. This was demonstrated by the various tests carried out by the project team (E-learning, mystery guest, mystery caller and phishing test). Most signals were also ‘on green’ for the substantive subjects, and the Credit Exchange Group was ready for the new legislation well in time.
