Who is Hesehus?
Hesehus is a consultancy specializing in e-commerce. They help their customers get top-of-the-line e-commerce solutions, and they've won Gold at the E-commerce Award 14 times. In addition, they have been named Denmark's best agency for e-commerce. And, if they may say so themselves, their e-commerce platform is one of the most complete e-commerce platforms on the market.
Hesehus has over 200 employees, around 180 of whom are in-house developers and digital designers. They receive awareness training from CyberPilot, which is why we spoke to Dennis Benneballe Arnold-Grade, who is a Compliance Officer & Legal Assistant at Hesehus, to hear more about their GDPR work.
About Dennis Benneballe Arnold-Grade
Name: Dennis Benneballe Arnold-Grade
Position: Compliance Officer & Legal Assistant
Education: Cand.mag. from 2015 in German and philosophy. Has been studying law part-time alongside his full-time job since 2021
CV: 2019-2022: Experience working with the GDPR and compliance as well as several law-related assignments
2022-now: Working in Hesehus
Dennis and Hesehus' challenge
Dennis is responsible for the GDPR work at Hesehus. GDPR and compliance are important for Hesehus, since they have many customers and a large amount of personal data to take care of. However, in a company like Hesehus, responsibility for GDPR work is not a full-time position, so, as Dennis mentions, he does a lot of different work in the company.
"In addition to GDPR and especially ISAE 3000 related tasks, I work with ESG, contract management and drafting, especially the commercial contracts for clients, I assist the management with other legal tasks and involve myself in the GDPR circles – webinars, articles, presentations, blog posts, podcasts, conferences, etc."
Dennis wears many hats. We imagine that other GDPR officers don't wear quite as many hats as Dennis. In this article, however, we will focus on Dennis' GDPR work and elegantly skip past ESG and the other subjects.
ISAE 3000 gives Hesehus a competitive advantage
Dennis completes an ISAE 3000 company audit for Hesehus every year.
"I am responsible for completing all the ISAE 3000 related tasks, which I have experience with from previous employment - both the time report that must be completed the first time, and the period report, which can only be done one year after the time report has been completed."
ISAE 3000 is a report that acts as a stamp certifying that you and the systems you use process data correctly and in accordance with the GDPR. You start with a time report, which shows that your company has the correct controls and procedures in place. Then the periodic report verifies that these procedures and policies are followed throughout the whole year, and that this can be proven. The two reports are roughly analogous to the "Type I" and "Type II" report types in SOC 2.
ISAE 3000 proves that Hesehus is doing well
It's one thing to get the first report, but proving it year after year provides great value in addition to, of course, forcing your company to follow good GDPR processes.
For Dennis, ISAE 3000 is not just a legal and bureaucratic task, but something that can be used as an advantage across the entire business. He points to different dynamics:
"E.g., between sales and compliance when it comes to speeding up the sales process by having material available at all times. Or by marketing ourselves with compliance as a parameter. Or to optimize the contract universe by having GDPR compliance as an innate element in the DPAs. GDPR compliance and ISAE 3000 reports can be important and decisive tools for attracting new customers, not scaring them away during the sales process, keeping customers, and staying safe from complaints or supervision from the Danish Data Protection Authority. In short: ISAE 3000 means that Hesehus can spend more time on what we do best - creating award-winning e-commerce solutions."
ISAE 3000 is a good example of how the GDPR does not have to be merely a necessary evil for protecting personal data, but can also be used actively to differentiate yourself from competitors. It is a win-win-win for all parties, from end-users to Hesehus' customers.
Hesehus receives awareness training
Part of their GDPR work also consists of teaching employees about the GDPR and making them aware of it. Since Dennis has many other tasks that require his attention in areas other than teaching about the GDPR, Hesehus teamed up with us.
"It's fantastic to have a tool like CyberPilot to take care of the awareness courses. We've put together a 'reading plan' for our employees based on their roles, functions and areas of responsibility, which they review monthly."
In addition to simply receiving the courses, Dennis has also adapted the curriculum so that the important courses are repeated at least once a year, and again whenever a relevant occasion arises.
"We have distributed the courses in such a way that each individual course is repeated annually at a minimum. Also, we have distributed them in such a way that they fit into the year and especially the typical times for threats that we seek to avoid with the help of awareness - for example, awareness about phishing just before Christmas time."
The awareness training is used actively and not just in order to achieve compliance. As Dennis explains,
"Each month the employees receive a new package of courses that they have to complete. In this way, we can ensure that we not only give our employees the best starting point to remain compliant, but we can also document it easily for our auditors."
Awareness training makes it easy to document employee training, which helps Hesehus obtain their ISAE 3000 report and at the same time creates stronger security.
The training helps the employees speak the same language
The awareness training helps in creating a common language for the entire company. Dennis mentions that it helps him, as he doesn’t always have to start from scratch in his communication.
"Everyone can talk and refer to the same knowledge from the CyberPilot courses, which means that I can start from a higher level in my work instead of starting from scratch when there is a case."
It’s important to have a common language for GDPR and cybersecurity work, as you need to be able to talk about threats and cases before you can act on them. A common language is therefore an important step in creating an IT security culture.
Awareness training is created together
In addition to receiving our courses, Dennis also uses CyberPilot's security platform to create his own courses.
"This provides endless opportunities to run a uniform, entertaining, educational and pedagogical approach to awareness, which we are incredibly happy about."
The opportunity to create your own courses and test your employees on your own guidelines, policies and procedures helps to link the general awareness training with Hesehus' specific procedures. It makes the awareness measures more concrete and closer to everyday life.
CyberPilot listens to feedback so knowledge doesn’t become static
In addition to the effect of the training, Dennis mentions that he is happy with the collaboration, as we listen to feedback and are helpful.
"I have been happy with the collaboration with CyberPilot so far. Quick help and humble reception of input, feedback, praise and criticism and more have been prevalent in the communication with CyberPilot. In this way, CyberPilot ensures that knowledge doesn't become static, uncritical or outdated. In addition to having updated knowledge in their courses, which in itself is a big task given that we see developments and changes in the understanding of the GDPR very quickly, CyberPilot enables every 'course participant' (i.e., the employees who complete the courses) to give feedback about how they experienced the course. In doing so, CyberPilot not only opens up to receive valuable input on professional aspects, but also on the user experience, pedagogy, understanding, and so on."
Input from our customers is an important part of how we select course topics. We create courses that should be useful in the everyday reality of all companies, not just theoretical fluff. That is why feedback from our customers is essential.
Ongoing feedback in our course development
It’s one thing to get requests for courses, but we are also lucky enough that our customers want to help develop our courses. Dennis has also helped with this.
"The catalogue of ready-made courses from CyberPilot is large and constantly growing. Personally, I've been involved in evaluating and giving input to courses, as well as suggesting more courses. The completed courses have entertaining animations that support learning and small tests, so we can be sure that the employee in question hasn't just quickly clicked through it."
It is crucial for us to get this continuous feedback, as it ensures that we not only develop courses based on our own reality, but constantly get input on how others see and solve challenges within cybersecurity and the GDPR.
CyberPilot's blog receives praise along the way
This customer case or statement was really supposed to 'just' be about our product and Hesehus' GDPR work. But Dennis also started praising our blog and marketing initiatives, so we'll take the opportunity to toot our own horn. Dennis gave us these beautiful words along the way:
"In addition to having a simple but manageable platform for awareness courses with a large catalogue of finished courses, and with the option to create your own courses, CyberPilot also has an incredibly and surprisingly good blog. It is not often that you can praise a SaaS service blog as being anything other than good marketing for their own product. But CyberPilot has taken it a step further, and their deep-dive blog posts have a lot of knowledge about individual GDPR areas that are typically overlooked, even by the best. I deal with and have dealt with Article 25 'Data Protection by Design and Default Settings' and I've come across a lot of ignorance in this area. CyberPilot is one of the few who have taken up the subject, done a deep dive, and at the same time have a good understanding of the subject."
These are words that warm our hearts. Dennis also points out that this kind of freely available knowledge is essential for working with compliance.
"Sharing knowledge in this way, without any form of payment, is one of the strongest weapons companies have in the fight to become or remain compliant with the GDPR. It’s excellent that CyberPilot is so passionate about communicating about the GDPR and that there is a high level of professionalism as well as a pedagogical approach. The GDPR is difficult stuff for most. Good communication is essential to succeed in compliance."
And with those kind words from Dennis, we'll round off. If you're curious about our courses or our blog, you can try 3 of our awareness courses completely free of charge for 14 days, or take a look at the blog post about Data Protection by Design that Dennis mentions.