The GDPR requires companies to have clear documentation of the systems that handle personal data, as well as a developed strategy for increasing the awareness and competence of both management and staff on GDPR issues. The questions Norrbil asked us to answer were:
* What type of personal data is processed in the respective system?
* Who has access to the personal data?
* Who is responsible for ensuring that personal data is processed lawfully?
* How to ensure that handling remains safe?
* What policies need to be designed so that it is clear when, how and by whom personal data should be acted on, e.g. deleted?
We interviewed staff on site to get demos of all the systems and to understand the day-to-day operations. This resulted in the following:
- Current situation analysis – a report that clearly indicates where resources should be added to move forward with the GDPR work
- Mapping – of both the systems and the various documents that answer the questions above
- Documentation – digitally saved in a customized personal data processing system
- Training – for all staff in what the data protection regulation entails, including IT security
- Next-step report – containing tips and advice for safer handling of personal data and a plan for how Norrbil should continue the work internally