Today, data security can no longer be ignored in the day-to-day functioning of your business; in some cases it’s even mandatory. This means it is very important for your data security to be up to date and in line with GDPR legislation.
David Stevens, chairman of the data protection authority, tells us why data security is important
‘Personal data is a very broad concept. It includes directly identifiable details such as surname, first name, telephone number and address, which are very obviously items of personal data since they’re about me.
But it’s also a concept that’s much broader. For example, what I buy in the supermarket, which film I order from my telecom operator and my travel behaviour. So personal data includes a very broad category of data in all sorts of contexts.
Privacy is a hot topic. Not just because there are potential fines of up to 4% of global turnover for companies: we’re also seeing citizens themselves asking more and more critical questions: what do you do with my data? How long do you keep it? Is what you’re doing reasonable? And I think that’s a good thing.
Personally, it seems to me to be an illusion to think that you can ever have completed a data protection project. The technology alone is evolving so quickly that new security levels have to be introduced, and new software implemented, so I think the work will never be finished.’
Syntra and data security: a positive story
People receive practical training at Syntra’s Antwerp campus and can get to work immediately with the knowledge they have acquired. Syntra makes every effort to protect the personal data of students and teachers.
Kris Storms, IT staff member: ‘As a school we actually hold a lot of personal information. There’s the address details of students and teachers, and we also hold care records. Students undergo certain kinds of monitoring, and we report on that to the CLB (Student Guidance Centre). We have to manage such matters, and of course the information is highly confidential. The need to comply with GDPR legislation was very acute. We already had a lot of procedures and policies of all kinds, but we didn’t actually know if we were compliant with all the new legislation.’
The GDPR legislation that protects European citizens’ personal data came into force last year. Syntra brought in an external partner to find out whether it was fully compliant. The school had an assessment carried out.
VGD optimises and tightens up data security
Kobe Deraeve, data security lead at VGD: ‘The assessment includes a score that’s assigned in 18 areas. At Syntra, we noticed above all that a lot of documentation was missing. So there procedures for personnel files for example – which were kept under lock and key – but these had never been written down anywhere. It was the same story with IT: everything to do with actual HR security, the general infrastructure and finally how things were done in general. It all still needed to be written down.’
Kris Storms: ‘We scored reasonably well in the assessment in pure GDPR terms on data policies. But our score on the actual IT was a bit lower, in the sense that we did have a backup, but there was no backup policy.’
Syntra also appointed an external DPO: a data protection officer. His job is to ensure that all data is stored and processed in accordance with the GDPR rules.
Kobe Deraeve: ‘GDPR actually introduced the concept of the data protection officer. Among other things, it means that a number of businesses are required to appoint a DPO. We often act as an external DPO, which mainly means giving advice at regular intervals and also re-explaining a number of topics at regular intervals and looking at them with the company again.
You can never be 100% watertight, but we try to map the shortfalls accurately and to take steps that clearly demonstrate progress. With this approach we’ve noticed that the whole business, the whole GDPR buzzword, is becoming more manageable, so that people can actually stop worrying about it quite so much.’
Data security was already considered of paramount importance by Syntra. VGD acted as an external partner for them and helped them to optimise the protection of confidential personal data.
