ICT group Simac has taken a centralised approach to GDPR to make sure that the company’s 16 separate units are not operating in isolation. ‘If something goes wrong with our clients’ data, it will have a disastrous impact on our reputation.’
GDPR is having a two-pronged impact on Simac. On the one hand, the company sells technology to its clients and advises them on becoming GDPR compliant. On the other, it has to make sure the message about the importance of privacy when processing client data hits home across 16 separate units and a workforce of 1,100.
It is not the easiest of tasks. The family company from Veldhoven offers a complete range of ICT-related products and services to medium and large enterprises. Networks, cloud services, retail automation… You name it, Simac does it. ‘Information security and privacy protection are crucial in every aspect of what we do,’ says Peter Veraa, Director Business Development and the company’s GDPR chief. ‘We don’t just sell our clients goods and services, we help them to use the technology properly.’
‘For example, we’ve developed an e-learning module to teach our clients’ staff to be aware of everything that is required to become GDPR compliant. This programme makes it clear how prepared the client’s organisation is for GDPR, so that they can identify the areas where their staff need training.’ An added advantage, he says, is the boost the course gives to the company’s skill set during regulatory checks. ‘A regulator will always want to know what you have actually done to improve your workforce’s GDPR expertise,’ Veraa points out.
Simac processes its clients’ personal data in a variety of ways. ‘For example, we offer healthcare providers systems to develop digital medical records,’ he says. ‘At the same time, we guarantee that the data will be properly protected. As the party responsible for protecting data, our clients are required to sign a processing agreement with their ICT service providers, such as ourselves. As the processor, we make explicit agreements on the security of our clients’ personal data, so that it is completely clear who is responsible. This is how you build up a chain of responsibility for the various risks. It’s a good development because in a sector like ours, you are only as good as the weakest link. And if you are that link where problems arise in protecting client data, then it will be disastrous for your integrity and therefore, for your reputation.’
‘Every Simac unit has a GDPR official whose job is to keep abreast of every aspect of privacy’
Simac is active in the Dutch market but also has clients in Belgium, Luxembourg and the Czech Republic and the group is made up of 16 separate units. This diversified structure gives rise to another dilemma – to focus on GDPR via the holding or to decentralise the processes. Simac has taken a centralised approach and is coordinating the process from the Veldhoven HQ.
‘This is not something that we are doing just for GDPR,’ Veraa says. ‘We do this for all quality-related systems. This stops each unit inventing the wheel for itself. We’ve taken on a lawyer who has now become the focus of GDPR-related questions throughout the entire company. This system is working very well and of course it is good to know that there is someone on board who understands the regulations inside out. Of course, we hire in experts, but GDPR is so essential to operational management that you should have the expertise in-house as well.’
Digital GDPR platform
Veraa is responsible for all the quality assessment systems within Simac and has recently set up an in-house team to focus on governance, risk, and compliance issues at a holding level. ‘We are also developing a digital GDPR platform which will host all the documents and processes relating to GDPR and which all our companies can access. That will prevent each unit developing its own protocols and quality systems without the holding company knowing what is going on.’ After all, since the Imtech bankruptcy – caused because the holding company found out too late about the risks the company’s Polish and German units had taken – diversified conglomerates have been keen to make sure that the central holding company is on top of what is going on elsewhere within the group.
Destroy confidential emails
Each Simac unit has its own ICT network, which is maintained, as the centralised standards dictate, from within the holding company. ‘This allows us to be sure that each unit is delivering the same consistent quality in information security. Each unit has its own GDPR official whose job is to remain on top of GDPR developments, supported, of course, by our lawyer. Each unit has undergone a privacy scan and we’ve discussed the results with the GDPR official. We’ve also drawn up the necessary measures for improvement.’ These, he says, relate to ‘more awareness of the client data we are processing, the rights and obligations facing the Simac unit involved, and the like.’
Despite all this, accidents can happen to anyone, Veraa admits, even himself.
‘I was director of one of our units for a time, and I recently discovered that I still have lots of emails dating from that period – chock-a-block with personal details, CVs, names etc. And I too sometimes forget our privacy protocols, or leave a USB stick lying around. Happily, that can’t cause too much trouble as they are encrypted. The trick is to keep a continuous critical eye on your own business practices and those of your immediate colleagues. This is why we continue to educate our staff and will carry out our own checks on our GDPR compliance from time to time. It is crucial to remain aware of the importance of GDPR and to keep our expertise up to date. Human beings are the most important factor in this process.’