Gamma is a UK-based telecommunications company with hundreds of thousands of users across multiple European countries. We caught up with Information Security Analyst Jennifer Daley to talk about their privacy program.
Can you tell us a little bit about Gamma’s approach to privacy and your role in it?
I’m part of the wider compliance team who deals with all of our governance and compliance activities. We’ve just moved from a decentralised compliance team across functions to a single centralised one. In the team, we have multiple areas of speciality, including business continuity, GDPR compliance and ISO certification compliance.
What would you describe as being your greatest data protection challenge?
I think for us, it’s the type of business that we operate. A while ago, the bulk of our business was selling through channel partners. So a lot of the responsibility devolved down to the channel partner level. However, over the last few years, our direct side of the business has actually grown. So the biggest challenge has been bringing those together. Because Gamma has grown mostly organically over the last 20 years, a lot of those outlined departments were responsible for their own data mapping and compliance activities before GDPR came along.
The biggest challenge has just been to streamline and centralize it to make it easier and quicker for us to respond when we need to. Let’s say we have a data subject access request. Before GDPR made our processes more centralised, we would have to go out to probably several different parts of the company to try and gather that information, which doesn’t make it quick. So centralising that has proven to be one of the best things we could have done, but it’s also been one of our biggest challenges.
How did you deal with privacy before DPOrganizer?
I think a lot of the responsibility for responding to any type of privacy-related request would normally come through the technical team. Most people would generally see the IT team as the gatekeepers of all of the data that we hold, probably not realizing that while IT sits at the top, they don’t have the knowledge about where all of that data is or where it comes from.
So obviously, the first thing that I needed to do when I entered the role last year was kinda getting to grips with what the GDPR meant, what we needed our data map to look like, where all the information is gonna come from and how we would gather that. That’s really where my journey with DPOrganizer started.
Data mapping is obviously at the core for you, but what other functions do you feel have helped you along the journey?
I think the reporting function and how quickly you can locate information that’s not as easy to explain to someone who doesn’t work in privacy or data protection. A good example is our senior leadership team and board of directors. Their time is very much taken up with the strategic running of the company and our future. When they ask for information, they always expect that that information is short, succinct and effective at delivering the message you want.
What DPOrganizer has given me is the ability to pull the information they want in a readable format, which is easy for them to understand rather than someone having to sit there for 20 minutes and explain how we get it.
Assessments has also been very useful when dealing with the invalidation of Privacy Shield. It has given us a very quick tool to use to identify every single company that we work with where that’s going to be affected. So we’ve been able to respond really quickly to that.
Have you seen a tangible impact on a specific process since implementing DPOrganizer?
One of the responsibilities I’ve taken as a result of this role is responding to data subject access requests. DPOrganizer has given us a tool to be able to find out which departments have the data that we need in order to respond to that very quickly. Whereas previously, when one of those requests came in, it would go to IT and then someone in IT would log the request to have a look and then go through a directory of all of the systems we have, go to the owners of those systems to say what data is in there. Because before we had DPOrganizer we didn’t have a structured data map where we could say, “Right, it’s a customer who’s asking, and the customer data only exists in these 24 systems.” We’d have to go through the whole network to try and look for it. So it has cut down the response time for those.
But it’s also taking the pressure off [that process] as well because we know that we can get the information very quickly. Once you find out where all of that data is, it’s as simple as gathering reports from those systems, which can take anything from a minute to an hour. However, if you’ve got 24 systems to do that in, finding the information is what takes the bulk of time. DPOrganizer lets us run a report and instantly guides us as to whether that information is held.
Have you seen any new features that you’re really interested in?
One of the things I’ve been exploring recently is how we can just use really short, quick, effective training sessions to alert people to the dangers of being quite lax about our security measures and data security.
We’ve had a phishing email program at Gamma for a long time, where we will deliberately send out an email trying to catch people who are clicking on links that they shouldn’t be clicking on.
However, we don’t actually do anything with this program right now, other than talking with the managers of the people who clicked on the emails to say, “Can you speak to these people to tell them about the dangers of clicking on links that you really shouldn’t be clicking on?”
With the new training feature, we can tailor it to what questions we want with regards to the security of our data, the security of our network, link it all in with some training about GDPR about how important it is to protect stuff.
We’re still working on implementing it, but that’s one of the things that I looked at and thought that’s going to be really useful.