Good stewardship at corporations

Renzo Klijn (EntrD) about good stewardship at corporations

The GDPR came into effect in the corporate sector five years ago and the legislation is still a concern. Because complying with the letter of that law and complying with the spirit of the law are two different things. In conversation with CorporatieGids.nl, Renzo Klijn from EntrD explains the difference and talks about the image of the GDPR in the sector, the comparison with Tata Steel and being a good steward.

As a professional organization, especially in the field of sensitive personal data, you should not push the boundaries of what is or is not legally justifiable, Renzo begins: “You should do everything you can to prevent personal data from ending up on the street.” lie. No organization can afford to only look at the legal aspect.”

Not a simple checklist

When asked how the perception can exist that working with masked data is not legally necessary, Renzo says: “Organizations may be unfamiliar with GDPR advice. These have been drawn up in the interests of tenants and provide guidance on how a corporation can best handle personal data. It does not do justice to the interests of tenants at all when the advice is viewed in a legal light.

“Moreover, the GDPR is very broadly formulated in terms of its nature. It is not a simple ‘tick list’ explaining what is and is not allowed. This may lead to several possible interpretations. We believe that as an organization you must above all act in accordance with the spirit of the law and make your own moral assessment of what is responsible with regard to guaranteeing privacy and tenants.”

Good stewardship

A tenant can expect good stewardship from her corporation, Renzo continues. “In other words, the corporation is doing everything it can to prevent my data from being involved in a data breach. In addition, the corporation ensures that only employees who need my data can see my data. By focusing on the interests of the tenant and focusing accordingly, you automatically meet the requirements of the GDPR. So this is a completely different approach than starting from the GDPR and seeing if you can explain articles in such a way that you can get away with not doing something.”

Tata Steel

Renzo draws a comparison with the steel company Tata Steel: “With their attitude, they have made themselves virtually impossible in the social discussion. Pushing the boundaries in legal terms regarding emissions of hazardous substances cannot be sustained if this is at odds with what people expect from you as an organization. In other words; Even if Tata Steel complies with the legal framework, there may still be ‘bad’ behavior in the perception of society. After all, if behavior deviates from what is seen as the spirit of the law, you cannot successfully rely on the letter of the law in the eyes of politicians and society.”

“This has a major parallel with the handling of personal data by corporations. Even in that situation, as a corporation you cannot rely on legal terms. The interests of people – in this case GDPR advice in the interests of tenants – must be taken as a starting point.”

The interests of people must be taken as a starting point. Even if Tata Steel adhered to the legal framework, there could still be ‘bad’ behavior in the perception of society.

Renzo Klijn

Legality, proportionality and data minimization

“It is important to ensure that testing with personal data complies with the principles of lawfulness, proportionality and data minimization as set out by the GDPR,” Renzo continues. “As a corporation, you should therefore ask yourself whether and how these principles have been implemented within your organization. Do you really need all the tenant data that you process? Are there processes where you can also work with other data? And is it in the tenant’s interest that his data is also used outside primary processes?”

Cultural change

This rethinking requires a cultural change within the organization. “As a corporation, you must focus on creating an intrinsic motivation among employees to want to protect the privacy of tenants. Now the GDPR is sometimes seen as a burden that you would like to get rid of as quickly as possible. But you have to turn this around and, as a corporation, be proud that you are doing everything you can to guarantee the privacy of tenants. You then have to look at the systems and processes from this mindset.”

Putting privacy first

“As EntrD, our mission is to enable corporations to work securely and compliantly with the data they have,” Renzo explains. “We do this by offering a solution with the DataFactory that allows any type of database and application to be masked quickly and easily. This masked data can then be safely used in the production environment. Our customers use the DataFactory, among other things, to create representative and irreducible test data for training or analyses.”

“The FileFactory is also the solution for quickly and easily finding, masking and removing information in documents and files. Our customers use this to clean up a digital archive, ‘blur away’ unwanted data, automatically clean up new or changed documents, classify documents based on content and make documents easily searchable. But even if corporations use a different solution to work securely with tenants’ data, that is of course fine. The most important thing is that awareness is created and corporations take up the challenge and put privacy first.”

Being able to look tenants straight in the eye

The biggest advantage of this is that you can always look tenants ‘straight in the eye’, Renzo concludes: “The social position of a corporation simply means that corporations are clearly under a magnifying glass in these types of areas. Politics and society assume that corporations will deal with something as valuable as the privacy of tenants with integrity. Then it is not appropriate for your organization to play the ‘Tata Steel’ card; What we do may not be ethically sound, but I’ve found a legal loophole so I can get away with it. In our opinion, that is an attitude that does not suit corporations.”