After an extensive review of where we stand as a business operator on Data Privacy, Harel Mallac recently kick-started its compliance project with tailor-made training for the project team, including its data protection officers (DPOs), delivered by Juristconsult. Our Group Head of Legal Affairs – also Group Data Protection Officer – Anshi Saminaden explains how this exercise is transforming the way we do business.
CONNEXION: How did Harel Mallac first approach the Data Privacy topic?
Anshi Saminaden (AS): With the coming into effect of our new Data Protection Act on 15th January 2018 (DPA) and the General Data Protection Regulation (GDPR) on 25th May 2018, there was a need to scrutinize our approach to data privacy, whether it be for statutory purposes or for the purposes of safeguarding the trust of our stakeholders.
Back in March 2018, Management and key persons across the Group were trained on data privacy. This was followed by two e-learning modules on the topic for all staff in June 2018 and July 2019 respectively. In view of the size of the Group and the diversity of its operations, Management entrusted a Gap Analysis study to Ernst & Young in the second half of 2018. During this same period, the Group’s Data Protection Policy was approved by the Board and published. The Gap Analysis report was issued in March 2019.
As part of the compliance project, which aims to reduce gaps identified in the Gap Analysis report, our first task was to review and establish the data privacy governance structure across the Group. This is now in place; I was appointed as Group DPO to drive this project, and divisional DPOs and champions were appointed at operational level across the Group.
CONNEXION: So, what is on the menu to reduce the gaps identified in the Gap Analysis Report?
AS: At the end of the day, personal data concerns each and every one of us and must be intrinsic to our way of living. For the Group, we can expect to see some operational protocols and policies, which prompt us to address data privacy issues at all stages of our business lifecycle, for example, onboarding forms for potential new recruits and suppliers, privacy notices informing individuals how we process their personal data, data processing agreements, etc. We will also be continuing our awareness campaign across the Group by means of our e-learning platform.
CONNEXION: Could you describe what a DPO does on a daily basis?
AS: In a nutshell, a DPO:
- informs and advises the Controller and its employees who carry out data processing operations about their obligations under the GDPR and any applicable data protection law;
- monitors compliance with the GDPR and any other applicable data protection provisions;
- acts as a contact point on issues related to data privacy;
- reports to the Group DPO and Audit Committee on data privacy compliance and any data breaches and/or concerns;
- assists the Group DPO with the implementation of group-wide compliance initiatives and/or complaints regarding data privacy.
AS: We have recently published a Data Rights Management Policy, which came into force on 15 December 2019 and can be found on our website. This policy sets out our governance structure and the process for addressing queries or requests from or regarding data subjects.