BekaertDeslee

BekaertDeslee on its way to GDPR compliancy

Pragmatic approach creates support for renewed privacy policy

By May 2018, companies within the European Union must comply with the European Directive ‘General Data Protection Regulation’, better known by the English abbreviation GDPR. BekaertDesleechose the pragmatic approach of LoQutus to enable compliance with the new privacy legislation.

BekaertDeslee is a leading global specialist in the development and production of mattress textiles, mattress covers and creative sleep solutions. The company, with its head office in Waregem, is part of the German investment group Haniel. BekaertDeslee employs 2,500 people worldwide at 22 locations across six continents.

The company operates primarily in a B2B model, so direct interactions with external individuals are fairly limited. However, departments such as Sales & Marketing, Human Resources, HSE (Health, Safety & Environment), Facilities Management and IT do work with a great deal of personal data. Rik Holvoet, the CIO of BekaertDeslee, explains, “The ‘privacy’ theme was not a top priority within the organisation until recently. This new legislation was an opportunity for us to review the situation and take the necessary actions to comply with the GDPR regulations.” In practice, that means successfully passing a possible EU GDPR audit and being able to handle a potential data breach in the right way.

Initially, the CIO consulted the company’s trusted legal partners and IT suppliers. The legal partners offered legally sound work and the IT suppliers suggested some useful tools. “But I missed a more pragmatic overall approach in both proposals,” Holvoet adds. “We clearly needed a partner with experience in this material.” After aconsultation, the Board assigned Holvoet to search for such a partner.

Creating awareness

Rik Holvoet and Chris Van Daele, Data Protection Officer at LoQutus, immediately got on well. The LoQutus proposal to first conduct a thorough analysis of the current situation and to subsequently deploy the necessary tools to be GDPR compliant by May 2018 was exactly the phased approach that BekaertDeslee’s CIO was looking for. In addition, Van Daele obviously had a lot of expertise on privacy issues.

Van Daele states, “We started off with an awareness-raising workshop on privacy and GDPR management. Then I spoke with people from all the services involved. This way, I could ascertain how personal data was currently being handled within the company: how this data is stored and processed, how it fits into the current process handling, etc. Based on this information, BekaertDeslee could then compile a (mandatory) processing register containing the personal and sensitive data of individuals. Within LoQutus, there is a template for creating a processing register, which will be implemented at BekaertDeslee.”

“The biggest challenge was finding the personal data in the company: where and by whom is it all handled? 20% of this information is easily retrieved from the CRM system and the HRM application, but in 80% of the cases, it is so-called ‘free form data,’” adds Chris Van Daele.

Various tools, guidelines and features were, and are being, created to further shape the company’s privacy policy: an awareness brochure to raise staff awareness about the importance of privacy and GDPR (clean & clear desk policy, screen protection on their PCs or laptops, a physical privacy filter, email security, etc.). In addition, the different roles of privacy management within the company are being defined, including privacy stewards with certain responsibilities being appointed within a privacy governance framework, drawing up a privacy communication plan, determining Binding Corporate Rules and more.

“We hope to fully complete this phase by the end of September,” Holvoet continues. “By then it must be clear what next steps we must take to complete the project successfully. Meanwhile, it has become clear to us that we needed a strategic partner like LoQutus, who can guide and advise us on such projects.”

The GDPR project in a nutshell

  1. Workshop for the Board about privacy and GDPR.
  2. Interviews with the responsible managers about how to handle personal data.
  3. Provide the template for creating a processing register, processing contract, and data breach declaration document.
  4. Create awareness concerning privacy and GDPR among employees.
  5. Assist in compiling the processing register, privacy communication plan, Binding Corporate Rules.
  6. Verifying the laws with the BekaertDeslee legal department

'We needed a strategic partner who could guide and advice us on such projects and we have certainly found that with LoQutus' - Rik holvoet, CIO BekaertDeslee

'The biggest challenge was finding the personal data within the company: 20% of this information is clearly visible, but 80% is so-called 'free form data' ' - Chris Van Daele, Data Protection Officer LoQutus