The company carries out actions towards compliance with rules that came into effect in May 2018.
Concerned about continually providing quality service to its customers, Blue Screen has been working internally on the guidelines for the new General Data Protection Regulation in order to achieve full compliance.
The scope of the new regulation is global and targets companies that process data or monitor EU citizens behaviour, including their employees. The aim is to transparently control the life cycle of all information from its collection to its exclusion.
The Blue Screen compliance project began in early 2017 preparing the definition of data protection policies and procedures. On the second quarter, the company started the data protection awareness and engaged on an as-is assessment to have an understanding of the current situation.
There was a dedicated training session involving everyone that will take part in the process as well as those that have frequent contact with customers so they also can take their part in bringing awareness to entities that interact with Blue Screen.
Activities to follow
Gap and risk assessment
- Set data flow scope;
- Map critical data flows;
- Identify gaps and risks;
- Evaluate and prioritize;
- Plan remediation.
Organizational change management
- Review your privacy notices;
- Review the models of new contracts and contracts in force;
- Define internal policies and procedures for protecting your team data;
- Define internal policies and procedures for protecting your customers data;
- Update the business processes for future contracts;
- Evaluate a need for new hires and training for current employees;
- Perform internal actions for data protection awareness.
Governance framework (continued process)
- Assess risks and processes;
- Protect controls and policies;
- Sustain compliance efforts;
- Respond to incidents and breaches.
Control and policy implementation
- Ensure controls are in place.
The goals cover three areas: Financial, customers and innovation. Financial, by reducing the risk of financial loss resulting from fines. Customers, having the ability to demonstrate that Blue Screen’s business is compliant with the GDPR and the organization is in control of personal data and have the ability to act on the data subject rights. Innovation, by gaining an overview of how and where personal data flows through Blue Screen’s systems and get an early view of data protection risks in new initiatives and projects.
Assuming, personal data in the organization is primarily held in HR and CRM systems and processes, internal controls for data privacy is built upon the defined Information Security framework.
Data containment procedures must also be developed by the intelligence and information security team to take action if risks are identified in the future.
In addition to all these activities, a Blue Screen has a legal enterprise that has accompanied the project from the beginning so that there is the total suitability of the company. All business partners will be evaluated to certify that they are also following the new rules of data protection, a security for the customer and for the organization.