How Novicell stays GDPR compliant with 400 employees handling personal data everyday

Case

Novicell focuses a lot on the GDPR as it is a demand from customers as well as a legal requirement. Novicell is an IT-company that does consultant work for a lot of customers, and because of that they handle a lot of personal data. Therefore, it has become crucial to have good processes for handling this data and to have employees who know what to be aware of in their daily work life. It’s all about taking complex legal texts and making them actionable for all employees in their daily operations.

We’ve talked to Anne, who is responsible for making all of this happen. She needs to make sure that Novicell has the right procedures and that employees know how to follow them.

Read the whole case or jump straight ahead to how Anne has used our awareness training.


Who is Novicell?

    • IT-company - Digital consultants
    • Employees: 400 in 6 different countries
    • Founded: 1997
    • Acquired: 2005

Who is Anne?

Anne is responsible for the GDPR-work at Novicell.

anne

  • Anne Mølgaard Brøndum

  • Head of Legal at Novicell

  • Responsible for GDPR compliance

  • Cand.Merc (Jur.) – Wrote her master thesis about employment law and personal data

 

Table of content

 

Who are Novicell and Anne?

Novicell is an IT company that provides digital life consulting services to other companies . This means that Novicell helps companies with a broad spectrum of things. They help with web development, eCommerce, digital strategies, digital marketing, UX and much more. You could call them experts in digital business development. They’ve done this successfully for a couple of decades and now have more than 400 employees across 6 countries with their headquarters located in Denmark.

One of the 400 employees is Anne Mølgaard Brøndum. Anne is the Head of Legal at Novicell, which means that she’s got the responsibility of making sure that Novicell is following the rules of the GDPR. Anne wrote her master thesis on employment law and personal data, which in many ways are a perfect way into the mysteries of the GDPR.

We’ve talked to Anne about her work at Novicell and how she makes sure that they are GDPR compliant.

How do you create a strategy for your GDPR work

The GDPR is here to stay. We all know the rules, but we are all still a bit unsure of how to follow them correctly because of the lack of real-life examples of do’s and don’ts. The rules are in many ways the same as before the GDPR, but the GDPR has made sure that companies start to prioritize them.  

Anne has the task of making sure Novicell is GDPR compliant. It is hard to talk about a general concrete strategy for their GDPR work, and instead Anne is doing two different things to frame the work at Novicell. Firstly, they get ISAE 3000 audited each year, which demands that they live up to certain rules and standards. Secondly, Anne keeps track of what other companies are doing and what news the data protection authorities are sharing. She does this to get inspiration and to stay up to date. She adjusts Novicell’s processes to make sure they are following best practice.

As Anne puts it:  

“There are always new things coming up. It’s about having your finger on the pulse. There are new statements from the data protection authority. New legal cases. New recommendations. We try to adjust and stay up to date with what’s happening.” 

Of course, both of these things lead to the last part of the “strategy,” which is to make sure that all employees understand the logic behind why they need to protect personal data every single day. 

The ISAE 3000 as a framework for their GDPR work 

Novicell has chosen to become audited each year. Anne says that this creates a lot of tasks because the audit process has a lot of standards they must live up to when it comes to handling personal data. In that way, the ISAE 3000 works as a framework for their GDPR work.  

In the beginning when Novicell was getting audited for the first time, it created a lot of tasks that helped them strengthen their security. By now, it’s more of an annual check-up to make sure that they are compliant. Therefore, the audit is not the primary driver for their everyday GDPR work anymore. 

But it is still valuable. It helps to get outside auditors to come in and check-up on your work once every year, as they do find small things to improve: 

“They do controls and check us from A-Z when they are here once a year. Every year new challenges arrive from these check-ups, so it does create tasks for us.” 

Besides the tasks the check-ups create, the fact that the auditors visit once a year ensures that Anne makes an effort – it’s demanded.  

Novicell started with a Type-1 audit report before getting a Type-2 

The first year Novicell got audited, they got a Type-1 report . A Type-1 report is the foundation, it’s where you build the house so to speak. This means that a Type-1 audit report provides a report of procedures and controls the organisation has put in place, but not how they carry them out. This is often a good way to start as it is cheaper and less work than the Type-2.   

In 2020 and 2021 Novicell got the Type-2 report, where it’s not enough to have the procedures and controls in place but you also need evidence that you are operating accordingly by having a third-party accountant look through your operations. This is a lot of work but it’s also a way of verifying you are doing well, as Anne says: 

“It’s most challenging the first time because it also gives you insights on if you interpret the law correctly. It was really nice when the accountants said we had one of the best setups they had seen. It gives me a peace of mind and confirmation that we are doing the right things.” 

 The audit report is a way to verify the work you do in your organization. 

The audit report is also a competitive advantage 

Besides strengthening your security by making sure you protect personal data well, the ISAE 3000 also has advantages when it comes to branding. It is a selling point that Novicell can show customers that they are certified because it shows that they take the GDPR seriously. They obviously take serious actions to follow the GDPR.  

“It’s a huge competitive advantage. It creates value for our customers. And it creates value for me and Novicell to know that an external party has checked our work. It’s not just ourselves who say we’ve got it covered.” 

Novicell can see that it creates value, as it creates trust and makes customers and partners calm to have proof that Novicell knows what they are doing when they handle personal data. 

Staying up to date with the GDPR climate 

The second part of the strategy for Anne is to stay up to date and adjust as they go. The reason for this is that the GDPR landscape develops all the time. This means that you need to follow new legal cases and recommendations to make sure you are up to date, aside from the regulation itself. Legal cases create precedence, which helps you to know how much or how little you need to do to stay compliant. 

Simply put, we are all learning as we go.  

Anne is aware of that, and it means that a big part of her job is to stay up to date with what Datatilsynet (the Danish Data Protection Authority), industry leaders (companies working only with GDPR) and others are doing. Then, she always evaluates if the news is relevant for Novicell. If it is, then it’s all about putting it into action. Therefore, she needs to be flexible in her GDPR –work, as the field of work changes all the time. 

Take news and put it into action for all employees 

It is a lot of work to evaluate the news or recommendations and make it actionable for employees. We can break it down to three oversimplified steps: 

  • Gather information/inspiration from news/companies/legal cases 

  • Put it into legal perspective (what does the GDPR say about it) 

  • Take the law and the inspiration and create a pragmatic approach 

But how do you do that?  

E.g., you might figure out that you need to have an IT-security policy. That’s all good, but how does that help the employees who will find the policy irrelevant for their daily work? Well, Anne has taken their policy and picked all the relevant things for employees out of it to create a small guide/handbook with only the relevant and actionable information for the employees.  This way, she makes sure that the strategic document becomes useful for everyone.  

I’ll return to the small handbook later, as it’s a key part of Annes work. 

The audit report and staying up to date are what frame a lot of what Anne does, but what does it come down to?

The biggest challenge is communication 

The real challenge is to create an organization-wide culture that makes sure that Novicell is GDPR-compliant. This is because it might be Anne who knows what needs to be done, but she can’t do it all by herself. All employees must help to make it happen. Therefore, one of Anne’s biggest challenges is communication. She must take the complexity of the GDPR and translate it into actionable processes for employees. Besides that, she must make employees understand why compliance is important in a busy workday to make sure they follow the processes. Employees don’t need to know everything, but they need to know what to do and what do be aware of.   

“Our biggest challenge is staying up to date all the time. It’s impossible to do all the time. It’s a tough challenge to make sure that employees prioritize completing education and training in a busy everyday life where calendars are filled with customer meetings, deadlines and launches.” 

Effective communication is the solution.

A GDPR handbook and Awareness training for employees are key 

The GDPR is not sexy and doesn’t spark a natural joy for the employees. Most people get tired when they hear the GDPR mentioned, as they see it as an obstacle to what they do in their work life: 

“I spent a lot of time communicating to make sure the GDPR was not a scary thing, but to associate it with something positive. In the beginning, I could hear a lot of people say ‘Oh, what are these extra requirements’ or ‘This really gets complicated.’ So, I’ve tried to show how we can handle it with a lot of small steps.” 

Even though the GDPR is a legal challenge, it is also about communication, processes and getting people on board. Anne focused a lot on how she framed the challenges and how she talked about it to make it more approachable and positive. Anne has implemented two big things to make sure that they communicate the importance in an effective way. She has implemented a GDPR handbook for all employees + awareness training for all employees. 

We’ll start with the handbook. 

GDPR handbook for all employees 

I’ve already briefly mentioned the GDPR handbook which Anne created together with a few co-workers for all employees in the company. This handbook is one of the key components for the employees’ GDPR work. It’s a small guide where the employees can look up what to do when in doubt of anything related to personal data. You could call it an employee-guide.  

Let’s say they are done with a project and Novicell then needs to delete all personal data from this project. Then, the employees can search through the handbook to see how to start this process. Often the employees’ first step is to make Anne or another person aware that a process must be started. From here on, the responsibility is not on the employee anymore. The handbook shows them what to do without going in depth with what happens afterwards – they don’t need to know.  

“The important thing is to get the process started. It’s not you who needs to do the work, but you need to make me aware, so I can start the process.” 

If the employees needed to know the whole process, then it would become burden for them as it’s a lot of information to take in. They have enough on their plate. If they know the first step of the process, everything works. 

CTA_e-book_blog-desktop

The benefits of the handbook 

Anne mentions that one of the benefits of the handbook is that everything is collected in one place. But it’s also important that it’s only filled with relevant stuff so it’s easy and quick for the employees to find what they need. The handbook is the same for all employees, but some parts might be more relevant than others for e.g. developers or project managers. In total, the handbook is no longer than a couple of pages. It has references to a lot of other documents, but the employees don’t have to read these, they just need to know they exist if one day they need them. 

“It’s just easier to communicate when it’s only a couple of pages with quick bullets for each area. Then we can say ‘Okay, all project leaders must be extra aware of page 2, because these things are important in your work.’ You could easily write 200 pages about handling personal data and give it to all employees and then just expect them to follow the rules. But obviously this wouldn’t work. We need to make sure that we follow the rules by communicating in an effective way, without creating an information overload.” 

By keeping it short and sweet, it’s not a demanding task for the team to look things up. You can’t expect employees to be able to navigate through too much information that changes every single week. When it comes to the GDPR, the saying “Keep it simple, stupid” applies. 

The handbook is under constant development 

It’s important to mention that you don’t just produce a handbook with a set of guidelines, send it to all employees and then lean back and say “Job’s done.”  

Anne frequently revisits the book to make sure that it’s up to date. If the National Data Protection Board creates new recommendations, she adjusts the handbook to fit these. The handbook is the number one reference book for all employees, so it must be useful and updated.  

How to make sure people use the handbook 

It’s one thing to create the handbook. Another challenge is to make sure that the whole team adapts to it and uses it as a reference book. 

“We have a control. It’s the team leader who is responsible to make sure that the handbook is implemented in their team. However, they can always ask for help. Sometimes I’ll have a morning meeting with a team to talk about the handbook. This is, for example, relevant if we’ve made changes in it.” 

The team leaders and Anne are always making sure people understand the importance of the handbook and they make sure to communicate when it’s been updated. Besides this, the handbook is also a part of every new employee’s onboarding process. 

The handbook is crucial to Novicell’s GDPR work  

As you might understand by now, the handbook is every employee’s go-to knowledge hub when it comes to handling personal data. If they can’t find the answer in the handbook, everyone knows that Anne is the one to ask.  In this way they get clear communication, and everybody knows what to do. 

But the handbook is not the only initiative Novicell has implemented. 

Novicell uses CyberPilot’s Awareness Training 

Another important initiative Novicell has implemented is CyberPilot’s Awareness Training. It’s one thing to know what to do and where to look it up. But employees also need to know why it’s important. Just like how Anne tries to stay up to date, the employees also need to be up to date when it comes to the essentials of cyber security and the GDPR. Again, they don’t need to be experts, but they must know why it’s important and what to be aware of. This is where the awareness training comes in, Anne says: 

“There might be a new recommendation about consent. And I can easily say “You must do this” to all the employees, but what does it mean and how do we do it in practice? This is where your courses fit in. They explain why and how, as well as what it secures. The courses explain how we protect personal data in the best way with some relatable examples” 

The awareness training is the second part of communicating the GDPR. 

It’s difficult to stay on the beat with everything 

Anne and her team created the handbook themselves, so why not create the awareness training herself as well? The simple answer is that you can’t do everything yourself as a one-woman army. 

“There are always new GDPR recommendations coming from different places. This sets a lot of demands for the awareness training because first you must know what to create awareness about. What topics should we cover? Therefore, we teamed up with you guys. The awareness training ensures that all employees are continuously educated. And it’s my impression that you (CyberPilot) are on beat with what’s going on. If something is up in the media or the national data protection authority, then we can expect a course about it soon.” 

By teaming up with us at CyberPilot, Anne doesn’t have to be on the beat about what employees need to know. Instead, she can focus on the internal processes and communication about these things. She thinks awareness training is a good way to make sure employees are up to date. 

“In my eyes this is the best way of doing it. In this area you can’t be ahead of what’s happening. You’ve got to keep the finger on the pulse.” 

In the eyes of Anne, good awareness training is about making sure the employees are up to date on new and important areas when it comes to cyber security and the GDPR.   

The fact that the training helps people stay up to date is also one of the reasons why CyberPilot’s Awareness Training is continuous and not just a course once a year.  

The awareness training creates real life examples 

One of the things awareness training helps with, that the GDPR handbook and internal processes can’t, is providing examples on how different topics and situations affect real life. The examples help put the processes into perspective as they show the importance of strong security. The news value of the awareness training does the same – it puts processes into perspective and explains why they are important. Describing the awareness training, Anne says: 

“It works really well. The news value means a lot to me. It gives us an assurance that we educate our employees on what’s important here and now. And then it also gives us some practical examples. You can have a lot of to-dos in your head, but it’s important with the explanation and examples of, ‘This is how to avoid a security breach’ or ‘when the damage is done this is what we need to do.’ We’ve also covered phishing and spam-mails. It’s nice with concrete and understandable courses about what’s important.” 

The concrete examples and descriptions are what make it work, as it puts fluffy GDPR-talk into concrete actions you must take in your everyday life. Or at least covers what you must be aware of in your everyday life.

The GDPR-handbook and awareness training work together 

We all know the feeling – if you don’t know why a certain rule exists, then the rule often seems stupid, so why follow it? 

The GDPR handbook and awareness training work well together to make sure that all follow the processes. The GDPR handbook handles the communication about internal processes and what the employees should do in their daily operations. The awareness training covers the knowledge on a general level and helps communicate why it’s important for employees to be aware in their everyday life.  

The awareness training is the why and the handbook is the what.  

Together, the handbook and training make sure that cyber security and the GDPR is on the agenda every single day without being too time consuming. It’s a good step to creating a strong cyber security culture. 

Smart CTA_phishingcase EN

The beginning is always difficult 

It’s always hardest to get a message across in the beginning.  

“We have a lot of customer data to protect, so in the beginning the learning curve was steep. There were a lot of regulations for the consultants and the developers. But they do understand the importance.” 

Therefore, Anne and Novicell also made an extra effort in the beginning. They had to make sure that security was always a part of the team’s mindset. One way they did this was using physical awareness. 

 They created merchandise e.g., stickers to remind people of good security habits. 

“We used some nudging. For example, if we saw an employee who forgot to lock their screens when they left the computer, we would put a sticker on the computer screen or the keyboard. We did this a lot in the beginning because it also created awareness about the handbook and the guidance.” 

It’s important to get a good start and get employees on board. Stickers are one way of doing it.  

There are many ways of creating physical awareness 

Anne used stickers to create awareness at Novicell. Another way of doing this could be cups, shirts, posters and a lot of other things. Your imagination is the limit. At CyberPilot we’ve created a bunch of posters you can find right here and use in your company. It’s a quick way to get started and you don’t have to design anything yourself. 

3 quick tips for other companies to follow 

We also asked Anne if she had 3 quick tips for other companies to follow. Luckily, she did. Get ready to take notes. 

1. Get certified or audited

The first tip is to get certified. Not only is it a competitive advantage, it’s also a plan. The plan will help you create the needed processes and documentation in your GDPR work. We’ve written a blogpost that covers the ISO 27001 certification and ISAE 3402 report.  

2. Get an overview of how you document your procedures and who is responsible 

Documentation might sound boring, but it makes a lot of good sense. Documentation and who’s accountable are important to make sure that processes are followed and everything is taken care of. 

“You need to be in control of what data you handle and how. If a security breach happens, we can’t contact the relevant customers if we don’t have an overview of our own documentation and procedures. We have controls on all our procedures to make sure they run” 

Even though documentation isn’t that thrilling, get it done.  

3. Find tools to make the work easier 

There are a lot of tasks when you are trying to make sure your company is GDPR compliant. 

Why not get all the help you can to make it easier?  

It might be possible to find tools that help you in your daily work life. Some tools can save you a lot of time. 

How Anne sees the future of the GDPR 

We all love a good sci-fi story, so what about the future of the GDPR? Where will we be in five or ten years when it comes to the GDPR? It’s a good question and Anne also takes some time to think.  

“I think we will have more examples to lean on. There will probably also be more finished legal cases where you can say ‘Okay, so this is the consequence for this behaviour.’ I also think we will see more providers of systems and tools which can help us in our everyday life.” 

It sounds like it will only get easier and more tangible, but we shouldn’t get our hopes up too high. 

“At the end of the day, when we talk about privacy and data protection on a higher level, then it’s just complicated stuff. It’s fluffy and more difficult than other laws like e.g. employment law where you can say “If this, then that.” When it comes to data protection and privacy then it’s extremely fluffy and the area develops all the time.” 

So even though we do get more legal cases and examples to lean on, there’s no guarantee that what’s true today is also the truth tomorrow. The demands and level of initiatives you need to have implemented might be higher than it is today.  

One thing is for sure though, the GDPR will make sure that we haven’t gone full Minority Report on personal data handling in the future. 

Aware employees are the foundation 

The GDPR work might be in constant development and look different from day to day, but Anne and Novicell’s work shows that one thing is a grounded and stable part of the work: the cyber security culture. If your employees understand the importance of protecting personal data, everything gets easier. Aware employees who understand the importance are more likely to follow the right processes and approach new changes with a positive mindset. The employees’ awareness and a strong cyber security culture are the foundation of good data protection practices.