IDEWE is all set for GDPR compliance thanks to audit by SecureLink and BDO
IDEWE is widely viewed as one of the best-known Belgian external service providers for health and safety at work.
Today, health and safety at work cover a much broader range of aspects than ever before: for example, one of IDEWE’s main areas of focus is ensuring employees can stay active in the workplace for longer by increasing their health and well-being and by creating the right working environment to facilitate longer careers.
Another of IDEWE’s core goals is the integration of social groups such as people with disabilities, people from different ethnic backgrounds and refugees, both through large-scale campaigns and through smaller interventions, such as translating instruction videos on the work floor.
Employers may pay the bills for its services, but IDEWE considers employees to be its main target audience, as Marc Beurms, Director ICT & Finance at IDEWE, explains: “The health, safety and well-being of employees are at the core of everything we do. Not just because of statutory duties, but also because it helps businesses to prosper. Healthy and happy employees are more productive, and increased productivity automatically leads to better business results — a clear win-win situation.”
Challenge: Guarantee GDPR compliance
IDEWE’s staff deal with sensitive and confidential information about employees on a daily basis — a reality reflected by the company’s policies, in which privacy and data protection are some of the highest priorities.
As a result, IDEWE’s management wasn’t overly concerned about the looming deadline of 25 May 2018, the date on which GDPR becomes legally enforceable. “It did however seem like a good idea to have an external audit carried out specifically for this purpose”, Marc Beurms continues. “At the end of the day, GDPR provides an entirely new legal framework that may contain elements we haven’t dealt with before. That’s why we started looking for an external party who could handle both the legal and technical aspects of these new regulations.”
This combination of legal and technical aspects made it difficult to outsource the proposed external GDPR audit to a single party, according to Marc Beurms. “That’s why we were attracted to SecureLink’s offer: they could provide an external audit in collaboration with BDO, a specialist in financial, fiscal, legal and operational services. BDO mainly deals with the legal aspects of GDPR compliance, while SecureLink takes care of the technical aspects around security infrastructure — an ideal combination that speeds up and simplifies the entire audit process. On top of that, we knew from experience that SecureLink is a reliable and extremely professional partner to work with. As a result, SecureLink was the obvious choice.”
Streamlined audit process
Every aspect of the audit followed a highly streamlined process, Marc Beurms testifies: “First of all, the project was closely and professionally managed by SecureLink and BDO’s teams. The project was kick-started in early 2017, when all people involved at IDEWE gathered round the table to hear an explanation of the aims of the audit, the proposed time scales and what was expected from each of them. Next, all interviews with the relevant people were scheduled throughout the summer and in September and October. The final report was ready by the start of November.” This relatively long audit period was mainly due to the thoroughness of the process, Marc Beurms explains.
“All aspects of privacy, data transparency and security were covered. Based on their experiences at other companies, SecureLink and BDO were often able to highlight perspectives we had never thought about ourselves.”
The end result — a report on the current state of affairs at IDEWE and the actions to be taken by 25 May — was presented to IDEWE’s management at the start of November. “The report didn’t contain too many surprises”, Marc Beurms happily confirms. “Overall, we’re on the right track, but there are points on which we can improve.” The formalisation of specific approval processes was one area that needed more work. For example, how should the company deal with personal data such as business cards and mobile numbers?
“If an employee at one of our clients gives us a business card, can you use their mobile number to send them a reminder for their next appointment? Or do you need their explicit consent to do so? These are the types of questions we hadn’t fully thought through. We’ve got perfectly sound procedures in place for dealing with confidential medical data, but we hadn’t spent enough time doing the same for less sensitive personal data.”
Action points dealt with immediately
The report clearly showed which action points still had to be dealt with to be completely prepared by the GDPR deadline. “The most important thing we’ve got to do is provide clear communication to our employees on what will change to ensure we are fully compliant”, Marc Beurms clarifies. “In addition, we’ve set up several working groups to tackle each of the different areas for improvement. We’ve also scheduled the necessary improvements to our infrastructure to cover the security aspect — all with a healthy dose of realism, and in the realisation that the full extent of our compliance with GDPR will only become clear on 25 May. The Belgian government could still issue Royal Decrees that present us with new challenges at any time before that date. Still, generally speaking, we will be fully — or as good as — compliant with GDPR by that date, and SecureLink and BDO played no small part in that achievement.”