Johanna Wretås is the Head of Security, Quality, and CSR at EWork Group. As regards privacy management, she acts as the company’s Data Protection Officer, and has guided the organisation’s implementation of the GDPR, while working to build and maintain sustainable privacy management processes throughout the business.
Could you tell us about the privacy and data protection challenges that your team faced before adopting DPOrganizer?
When our GDPR implementation kicked off, I was the project manager tasked with gaining an overview of our processing activities and raising awareness for privacy. We were initially using Excel when we began mapping our data processing, but this quickly got out of hand. It was hard to get a clear overview in spreadsheets. We process personal data on thousands of users, and it was exceedingly challenging to see what data we had, who we processed data on, and for what purposes.
In addition, we have 5 distinct business entities in separate countries that all process personal data differently from one another. It was difficult to efficiently explain to both internal stakeholders and to our clients the complete overview of our data processing, especially when our activities and purposes varied across data subject category and legal entity.
When it came to producing accurate privacy policies, it was very time-consuming to generate and update privacy notices for each data subject category and for each legal entity. Especially when our data processing activities inevitably changed over time, the amount of hours needed to update our privacy notices and relevant spreadsheets taxed our bandwidth as a small privacy team.
How did you manage your privacy before switching to DPOrganizer?
We started inventorying and mapping our personal data processing in the fall of 2016 using massive Excel sheets. However, we saw very quickly that we had just too many processing activities to be able to proceed confidently without a software tool. We had 100,000 users and were dealing with so much data. It was important for us that we handled this in a good way from the start.
We also knew that if we underwent an audit, it would be much easier to demonstrate compliance with an easy and well-structured tool like DPOrganizer.
Was there a specific point at which you decided to explore data mapping and privacy management solutions?
When we needed to update information and work actively with our processing information. We work with and reference our data processing details every day, so we realised we needed a system that made sustaining and improving our data processing simple and convenient. DPOrganizer was the obvious choice.
As the acting DPO, new data processing information comes to me daily. I need to make sure that updates in the system are reflected throughout our processing inventory. This would have been inefficient in Excel sheets. In spreadsheets, I was forced to drill down every inventory adjustment that needed to be carried out when a given processing detail was altered.
By contrast, the data mapping functionality is highly intuitive and tailored to handle updates in our data processing details in DPOrganizer. For example, if I alter a Data Subject Category, I can rest assured that all the necessary updates across any records linked to the DSC are carried out.
What also attracted us to DPOrganizer at this point was the Privacy Notice Management feature, Transparency Widget. We were struggling to get the right data processing information out to the right data subjects. We had multiple privacy notices and no central, standardised way of editing them or posting the relevant information to the data subjects in question.
Transparency Widget allows our clients to pick the data subject category to which they belong on our website. They are then able to view the types of personal data we process on them, for what reason, and for what legal basis. In addition, we can centrally edit this information, as well as the level of detail displayed right from the DPOrganizer app.
In what areas of your privacy program has DPOrganizer delivered the most value? Do you have a favourite feature?
We use the reporting function a lot. I use it especially so I can be super clear about the purposes for which we process certain types of personal data. When we used spreadsheets, it was difficult to give stakeholders a big-picture view of data processing at our company, and for what purposes we can legally process the data we had. When it comes to report building, what would have taken me days in spreadsheets now only takes me a matter of minutes.
With DPOrganizer’s detailed and easy-to-build reports, I can track my progress and educate my organisation to be more privacy aware. I am able to use practical examples from our own inventory, and explain to my colleagues what information we can and cannot use.
We have also started to use the Data Protection Impact Assessment functionality. I think it’s great that all our information is already readily available in DPOrganizer to conduct our assessments. It makes our work much easier.
What would you recommend to someone considering DPOrganizer and privacy management tools overall?
Be aware that a software tool will not do all the work for you. You need to be very organised when adding information into a system. It’s okay if you need to start again when it comes to organising your processing activities. It takes a lot of time to administer projects involving your data processing inventory because you may only be a team of one or two full or part-time on this. What DPOrganizer really helps you with is making sure that all of your efforts stay structured, and easy to maintain over time. This is one of the few tools out there that really excels in this area.
What has been the biggest breakthrough you have achieved with DPOrganizer over the past few years?
Our breakthrough came when we found the privacy notice manager, DPOrganizer’s Transparency Widget. Now, we don’t have to update every single notice per data subject. When clients ask us questions about our data processing activities, it’s also easier to train staff to refer clients to one area of information that can be easily updated based on changes in the app (the widget on our website).