A topic that was already on the table in 2016 – there was the General Data Protection Regulation (DSGVO)… And now again? I can see many readers rolling their eyes ;-) But fair trade also means dealing fairly with the data of the people we trade and work with – and that is why this should even be a matter for the boss.
A comprehensive data protection reform will enter into force across the EU in May 2018. The rules have been known for some time and become binding on that date, together with the updated Federal Data Protection Act (BDSG).
It is relevant for practically all PCG users – even if you run a system without an online shop. The core of the matter is personal data, but this is also a good occasion to shed light on other data flows.
For larger companies there are detailed frameworks (ITIL) and best practices, which often serve as a precondition or preparation for certification. Even if you have no ambition to get an ISO9000 stamp, the tables of contents of such manuals offer good hints as to where risks can hide.
Few people will have the patience to work through all of this, so we will discuss some aspects of the law in the next issues. Treat this reading material as homework – so that the company is ready in May.
Alternatively, you can get help from service providers who – unlike us – can also make legally binding statements.
Step one: Process Inventory
Many companies have grown over the years – new employees have taken on tasks that the boss herself used to perform; growth often leads to specialised areas of responsibility with their own rules and procedures. Some of the overview gets lost along the way – and that overview is exactly what you need in order to identify risks for the “data” of employees, customers or the company itself.
It is best to start with a list of the processes known in the company. “Create new customer” or “process order” are obvious, but “employee leaves us” or “article purchase” should also be found in this list. After some thought, the list should have 20 entries, maybe more. Some processes that have always existed will be given a name for the first time.
Such a process directory is also helpful for training new employees or for measuring and optimising internal processes. But that is not what this is about.
In the next step, you write down the data flows involved in each list entry. For the “create new customer” example, this would first of all be the collection of the data – from the online shop, from an email or by telephone. A little sketch might help. Now you can add who “moves” this data (a name or a role, e.g. “customer service”), what they move it with (“email program”, “PCG”) and where the data is “stored” (“server with PCG”, “oekobox-online”). Probably first in an email mailbox, then locally in a database and then online in a database – after all, the new customer should be able to log in to the shop.
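To make the inventory described above usable for the follow-up steps (data fields, risks, responsibilities), it helps to record each process in a fixed shape and let a small script point out the gaps. The following is an added example and not part of the original article or of PCG itself; every process, role, tool and store in it is a constructed sample, and “PCG” and “oekobox-online” are only used here as the store names the article mentions. Three checks are shown: entries that are still unmapped, personal data that ends up at an external provider, and which processes write to each store.

```python
"""Added example (not from the original article): a minimal process and data-flow
inventory with the checks a practitioner wants before the next step. All process
names, roles, tools and stores below are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class DataStep:
    actor: str              # role or name that "moves" the data, e.g. "customer service"
    tool: str               # what they move it with, e.g. "email program", "PCG"
    store: str              # where the data then sits, e.g. "server with PCG"
    external: bool = False  # True when the store is operated by a third party


@dataclass
class Process:
    name: str
    personal_data: bool                 # does the process touch data about a person?
    steps: list = field(default_factory=list)


# Constructed sample inventory, following the article's "create new customer" walk-through.
INVENTORY = [
    Process("create new customer", True, [
        DataStep("customer service", "email program", "email mailbox"),
        DataStep("customer service", "PCG", "server with PCG"),
        DataStep("customer service", "PCG", "oekobox-online", external=True),
    ]),
    Process("employee leaves us", True, [
        DataStep("boss", "PCG", "server with PCG"),
    ]),
    Process("article purchase", False, [
        DataStep("purchasing", "PCG", "server with PCG"),
    ]),
    Process("web shop tracking", True, []),  # known to exist, data flow not yet mapped
]


def incomplete(inventory):
    """Names of processes whose data flow is still missing or has a blank field."""
    bad = []
    for p in inventory:
        if not p.steps or any(not (s.actor and s.tool and s.store) for s in p.steps):
            bad.append(p.name)
    return bad


def personal_data_leaving(inventory):
    """(process, store) pairs where personal data ends up at an external provider."""
    return [(p.name, s.store)
            for p in inventory if p.personal_data
            for s in p.steps if s.external]


def stores_by_process(inventory):
    """Map each store to the set of processes that write to it."""
    out = {}
    for p in inventory:
        for s in p.steps:
            out.setdefault(s.store, set()).add(p.name)
    return out


if __name__ == "__main__":
    print("not yet mapped:", incomplete(INVENTORY))
    print("personal data at external stores:", personal_data_leaving(INVENTORY))
    for store, procs in sorted(stores_by_process(INVENTORY).items()):
        print(f"{store}: {sorted(procs)}")
```

The per-store view is the one to keep at hand: it answers “who handles data in this system?” when someone asks, and it grows naturally into the list of responsibilities the next step needs.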
Here are a few more ideas for processes that exist in one form or another in every company; some of them may be very similar and can be combined:
- Subscription changes, vacation entries, customer master data changes
- Modification of employee data (oh yes, employees are persons too!), time recording or vacation arrangements
- Tracking data collection of web pages and the online shop: who collects, who does what with the data?
- Collection and maintenance of supplier data
- Processes in Ordering
- Driver and delivery processes (driver app)
You may not be aware of some of these things (because they are hidden behind a button in the PCG), or you may not even be interested in them – please feel free to ask us in the PCG team. Often it is more interesting than you think ;-) – besides, as mentioned above, this is a matter for the boss, and a data protection officer could also come by and ask you about it.
In four weeks we will need this list to identify data fields, identify risks and identify responsibilities.