One of the leading producers of expandable polystyrene (EPS) in Europe asked us to help with the implementation of GDPR compliance. An organization like this might not seem to have much to do with privacy at first sight. Yet, an EPS producer also processes personal data from clients and staff. Moreover, impact of local compliance standards should also be considered in addition to European legislation (GDPR). The complexity of a diverse IT-landscape in an international organization (that recently went through several mergers and takeovers) creates an extra challenge for all departments involved.
The sector is typically known for quick growth and mergers. This makes the organization a collection of self-supporting and self-operating entities (to varying extents), who use the same ICT-facilities on a global basis. A take-over by a foreign organization midway through our project demanded extreme flexibility on all sides, also concerning privacy and information security. In this process an integral approach has been adopted for the entire organization, supported by Audittrail as the trusted advisory partner.
First, we conducted a baseline status assessment on privacy (GDPR) and information security (ISO27002) to map the organizational structure. Beside a documentation study we conducted interviews with employees from several offices throughout Europe, in person and via Skype. Based on the findings from the baseline status assessment a delivery and action plan was devised.
This has been the starting point for running a solid GDPR-project. Audittrail acted as project leader and parallel to this an internal program to improve information security awareness was initiated in which Audittrail took up an advisory role. The multi-lingual awareness campaign ensured an international outreach to all employees throughout all locations.
After the take-over an additional baseline status assessment was performed on the ‘new’ entities in the organization. By repeating the assessment, we were able to map how different entities related to each other in terms of learning points and how different compliance elements could be integrated into the organization. Based on a roadmap provided by Audittrail the GDPR project was extended, focusing more on an integral approach involving all entities of the global organization.
This caused the GDPR project to be the first point of contact for some new entities with other parts of the organization, and the start of a closer collaboration with the main office. Also, in this new GDPR project the awareness campaign was executed in local languages to ensure maximum reach and effectivity.
The next challenge for InfoSec is a further integration of the different entities in terms of ICT. The continued organizational growth reinforces the importance of making InfoSec an integral aspect of the approach. This will enable all corporate entities, both old and new, to access the network safely and timely.