Fiscal 2022 Universal Registration Document

6 CORPORATE GOVERNANCE

6.3.5.3 Data sharing

The Group DPO has drawn up a Best Practice Code for sharing data, as well as template data protection clauses for supplier agreements on processing personal data, and these have been shared with the network of local points of contact. These documents allowed all Group entities to apply the same practices where data processing operations are either fully or partially outsourced.

Furthermore, a mapping of the applicable data protection laws was drawn up in Fiscal 2020 with the aim of providing a clear overall view of the formalities that need to be carried out in each of the countries where the Sodexo Group entities operate, and therefore to prepare for implementing the Group’s Binding Corporate Rules. Additionally, Fiscal 2022 provided an opportunity to update this mapping as well as to conduct an inventory of any data localization obligations that could restrict the use of the Group’s global tools in some countries or require the implementation of specific measures prior to their use.

Finally, following the publication of the new SCCs by the European Commission and the schedule it imposed for updating all commercial contracts involving the transfer of personal data, Sodexo launched a global project dedicated to this updating of commercial contracts. The Group DPO also published a guide for all local points of contact, providing them with an action plan to follow in order to ensure that the SCCs incorporated in local commercial contracts were updated in accordance with the schedule laid down by the European Commission.

6.3.5.4 Risk management and control
Privacy by design

During Fiscal 2022, the processes for assessing the risks to the rights and freedoms of data subjects from the design stage of projects that involve processing personal data were strengthened. Specifically, the End2End Privacy Compliance Process, which comprises various questionnaires for risk assessment and impact analysis, has been updated.

The starting point for this process continues to be the questionnaire that must be completed for any IT or digital project to identify the risks associated with information security. If internal stakeholders indicate that the project involves the processing of personal data, the data protection teams are automatically involved in reviewing the project. They are then able to carry out systematic assessments, from the project design stage, of the impact that processing the personal data in question has on the rights and freedoms of the data subjects. If high-risk processing is identified, they conduct an impact analysis to evaluate the origin, nature, character and severity of this risk. Consequently, the data protection teams are able to determine, from the project design stage, the initial measures to be put in place to ensure that this data processing complies with Sodexo’s overall compliance program and the applicable data protection regulations.

However, the new process gives internal stakeholders greater accountability and other compliance assessments may be conducted automatically (for example, a risk assessment if a supplier that will process personal data is used, an impact analysis of an international data transfer or an analysis of Sodexo’s legitimate interests).

Privacy by default

A risk assessment is carried out prior to any contracts being signed with suppliers.

This assessment of the risks associated with the processing of personal data by Sodexo’s suppliers has been automated. In addition, work to integrate the process within the global Information Security teams is ongoing, so that a common score can be used for supplier compliance in terms of both the protection of personal data and information security.

Continuous risk management and regular, targeted controls

A regular monitoring plan has been put in place for the local data protection single points of contact in order to assist them with ongoing compliance management. This regular monitoring of the progress the Group’s entities are making on program implementation now includes a “project management” aspect, which provides a full and up-to-date view of the risks related to any non-compliance with applicable laws and the Group’s policies and procedures concerning data protection.

In Fiscal 2022, the self-assessment framework for the data protection points of contact was used by the Internal Audit and Internal Control teams to enhance their assessment of the effective implementation of the overall GDPR compliance program.

These teams have also been provided with additional training on the aspects of personal data protection to be verified, so that they can make an even more valuable contribution to the effectiveness of the compliance program.

6.3.5.5 Response protocols and execution measures
Response to requests concerning rights regarding data protection

The Group’s data protection teams adopt an ongoing process of continuous improvement as regards the procedures for managing requests relating to personal data protection rights (rights of access, rectification, etc.). To do this, they rely on recommendations issued by the relevant supervisory authorities and best practices shared by Sodexo’s data protection network.

They are required to handle an increasing number of requests from the Group’s consumers and employees, which goes hand in hand with data subjects’ growing awareness of their rights and freedoms.

Response to security incidents and personal data breaches

To ensure that any security incidents resulting from personal data breaches are properly managed, the Group DPO and the Global Chief Information Systems Security Officer have jointly drafted a Group directive to be adapted locally by all Sodexo entities. A dedicated system has also been deployed to deal with any such security incidents even more efficiently and to enable a register of the incidents to be kept. In addition, local data protection points of contact are provided with regular training in assessing risk on behalf of data subjects. Such training is based on the recommendations of the EDPB, in particular.