Universal Registration Document - Fiscal 2024

Introduction

Pillars of the Global Data Protection Program

Description of key actions implemented

Privacy by design

An End2End Privacy Compliance Process, which comprises various questionnaires for risk assessment and impact analysis, was put in place during Fiscal 2022. This process is summarized in the diagram below:

This diagram describes the key actions implemented under the pillars of the Global Data Protection Program.

All new projects are separated into two categories:

  • Involves personal data (without an IT solution/tool).
  • Involves an IT solution/tool.

Involves personal data (without an IT solution/tool)

The first step is the privacy impact assessment. Depending on its outcome, three further assessments may be required:

  • High-risk projects require a data protection impact assessment.
  • Projects relying on legitimate interest as the legal basis require a legitimate interest assessment.
  • Projects involving a processor require an assessment of the provider's personal data compliance. If the processing involves a transfer to a country not recognized as providing adequate protection, a transfer impact assessment is also required.

The second stage consists of compliance actions, of which there are three as follows:

  • Informing data subjects, through the privacy policy and the information notice on the processing.
  • Keeping records of processing activities.
  • Concluding a binding contract, which may be a data processing agreement and, if necessary, a transfer framework instrument.

Involves an IT solution/tool

The first step is to assess the security risks. If personal data is involved, the project requires a privacy impact assessment.

If a third-party service provider is involved, the service provider's security compliance must be assessed.

If the service provider is acting as a processor, the service provider's personal data compliance must be assessed.

Otherwise, a review of the technical and organizational measures must be carried out, followed by the data processing agreement stage.

These processes and tools ensure better risk management and personal data protection from the project design phase onwards ("privacy by design").

The starting point for this process continues to be the questionnaire that must be completed for any IT or digital project to identify the risks associated with information security. If internal stakeholders indicate that the project involves the processing of personal data, the data protection teams are automatically involved in reviewing the project. From the project design stage, they can then systematically assess the impact of the personal data processing on the rights and freedoms of the data subjects. If a high risk is identified, they conduct an impact analysis to evaluate the origin, nature, specific features and severity of this risk. As a result, the data protection teams can determine, from the design stage of a project or of any modification to it, the initial measures to be put in place so that the processing complies with Sodexo’s overall compliance program and the applicable data protection regulations.

This process also gives internal stakeholders greater accountability, and automatically triggers the other compliance assessments that may apply, such as a risk assessment when a supplier is involved, an impact analysis of an international data transfer or an analysis of Sodexo’s legitimate interest.

A guide on using the various automated risk assessment and impact analysis questionnaires was rolled out to local data protection single points of contact and also to internal stakeholders in Fiscal 2022.