Universal Registration Document - Fiscal 2023

7. Corporate governance

Pillars of the Global Data Protection Program

Description of key actions implemented

Privacy by design

An End2End Privacy Compliance Process, comprising a set of questionnaires for risk assessment and impact analysis, was put in place during Fiscal 2022. This process is summarized in the diagram below and described in the text that follows:

[Diagram: key actions implemented for the pillars of the Global Data Protection Program]

All new projects are placed in one of two categories:

  • Projects involving personal data (without an IT tool/solution)
  • Projects involving an IT tool/solution

Involving personal data (without an IT tool/solution)

The first step is the privacy impact assessment. Depending on its outcome, up to three further assessments are required:

  • Projects presenting a high risk require a data protection impact assessment.
  • Projects relying on legitimate interest as their legal basis require a legitimate interest assessment.
  • Projects involving a processor require a third-party privacy evaluation. If the processing involves a transfer to a country not recognized as adequate, a transfer impact assessment is also needed.

The second step consists of compliance actions, divided into three parts:

  • Informing data subjects through privacy policies and notices.
  • Maintaining records of processing activities.
  • Concluding a binding contract, which may be a data processing agreement and, where necessary, a transfer framework instrument.

Involving an IT tool/solution

The first step is the assessment of security risk. If the project involves personal data, it also requires a privacy impact assessment.

If a third-party provider is involved, the third party's security compliance is evaluated.

If the third party acts as a data processor, its privacy compliance in handling personal data is also evaluated.

Otherwise, a review of technical and organizational measures is needed, followed by the conclusion of a data processing agreement.

These processes and tools ensure better risk management and protection of personal data from the project design phase ("privacy by design").

The starting point of this process remains the questionnaire that must be completed for any IT or digital project to identify information security risks. If internal stakeholders indicate that the project involves the processing of personal data, the data protection teams are automatically involved in reviewing the project. From the design stage, they can systematically assess the impact of the processing on the rights and freedoms of data subjects and, if a high risk is identified, conduct an impact analysis of the origin, nature, specific features and severity of that risk. The data protection teams can therefore determine, from the project design stage, the initial measures needed to bring the processing into compliance with Sodexo's overall compliance program and the applicable data protection regulations.

The new process also gives internal stakeholders greater accountability and allows other compliance assessments to be triggered automatically, such as a risk assessment when a supplier is used, an impact analysis of an international data transfer or an analysis of Sodexo's legitimate interest.

A guide to the various automated risk assessment and impact analysis questionnaires was rolled out in Fiscal 2022 to local data protection single points of contact and to internal stakeholders.