How did the Solvay Group initiate its GDPR compliance process?

After a GDPR compliance engagement of more than a year for the Solvay Group, a world leader in chemistry, Claire de la Fouchardière proposed to Patrice Chelim, Head of Information Risks & Security of the Group, to review the approach that was put in place.

By Alessandro Fiorentino

Solvay is implementing a multidisciplinary strategy to comply with the GDPR and protect data


Q: We've been hearing a lot about GDPR and the protection of personal data for almost two years. Today, we feel that this data is everywhere. How did the Solvay group identify that it was affected by the GDPR?

A: Certainly, with the arrival of the GDPR, the question we asked ourselves was: does this regulation apply to us? After all, the collection and use of personal data is not at the heart of our job as specialty chemists, unlike Amazon, Facebook, Google or Apple. And yet, we have customer data, employee data, data transfers outside the EU, many partners and a lot of subcontractors. So we came quite quickly to the conclusion that we were affected.

“The fear of being fined cannot in itself be enough to ensure the success of a GDPR compliance project”

Q: Is being affected by the GDPR enough to get internal teams mobilized?

A: My belief is as follows: for the subject to “take hold” in the company, there needs to be strong sponsorship. Decision-makers must already be convinced that the protection of personal data is a subject of interest for the company.

For us, there has been an awareness, especially with the fear of being fined. But that alone cannot be enough to ensure the success of a project like this. In my opinion, the stakes of image and customer trust are much more important in order to mobilize resources over the long term.

“The DPO is a five-legged sheep, with expertise on almost every subject.”

Q: Based on these levers of action, what organization have you put in place to comply with the regulations?

A: We started from the observation that the Data Protection Officer (DPO), the person who orchestrates compliance, this five-legged sheep, is a difficult profile to find. They need expertise on almost every subject: legal, IT, security, knowledge of the business lines and processes. We therefore focused on setting up a multidisciplinary office bringing together people with diverse skills, the Data Protection & Privacy Office, and a board with decision-makers.

We also made the choice to bring in external support. My feeling is that we can't do it alone, because the implementation of the GDPR is complex. External support allowed us to interpret the regulation in relation to our activity, to structure our approach and to review our processes in order to integrate or improve the protection of the personal data we process.

“The GDPR is not just about formalizing the processing register”

Q: “The register”, “the PIA”, “privacy by design”... it may seem difficult to identify where to start the process. Can you explain to us where you started in order to manage these various projects?

A: Once the foundations of the organization were laid, we started to inventory the processing of personal data carried out within our organization. We started with the generic before looking for the specifics, for two reasons: first, to get our hands on a subject that we did not know a year earlier, but also to start where there is volume. It was only in a second step that we focused on identifying the gaps and the local particularities, or the particularities linked to the collection of sensitive data.

Prior to this inventory work, we had a major internal debate: to identify processing operations, should we take IT applications or our organizational processes as the starting point? In the end it was the combination of these two options that gave us the transversal view corresponding to the logic of the scope of processing.

The GDPR is not limited to the formalization of the processing register. So, in parallel with the inventory work, we prepared ourselves to react to one-off events by formalizing operational procedures that concretely answer questions such as: How do we react in the event of a data breach? How do we respond to a request from an employee to exercise their rights? Who should be mobilized internally in the event of an on-site inspection by an authority?

We quickly realized that, in order to make progress on these projects, the training and awareness-raising of employees was essential.

We therefore carried out training campaigns for our teams, starting with the “at-risk” populations: HR, IT, lawyers, project managers, sales representatives. Our aim was to make them aware of use cases specific to their jobs, by talking about “personal data” in the language of their job, to create reflexes. Then, to give everyone a light-hearted cultural grounding in data protection, we deployed a gamification tool intended for all the group's employees.

Q: At Solvay, how fast were you able to move forward? How do you see the progress of your approach?

A: We went quite quickly at the beginning, when it came to understanding the subject and understanding the law and its implications. Then, much more slowly, we got to the heart of the matter by seeking to translate the obligations into the context of our organization, and in particular to identify our operations and actions on personal data. Today we have enough maturity to say that we are neither early nor late. We are making progress.

“In my opinion, GDPR compliance is close to a quality standard”

Q: So would GDPR compliance never be over?

A: Yes, the protection of personal data is a new reality; we are now living with it, and we are looking to handle it intelligently, in particular by integrating it into our projects upstream. Moreover, it could become a competitive advantage over non-compliant companies, as an element in assessing customer satisfaction. In my opinion, GDPR compliance is close to a quality standard.

Q: What is the next part of the story for you?

A: We will continue to identify the processing of personal data that fell through the cracks during our first inventory wave, conduct impact assessments (PIAs), continue to raise awareness, bring to life the Data Privacy organization and governance that we have put in place, and integrate the GDPR into all local systems.

Q: Not all organizations are necessarily at the same level of maturity as Solvay when it comes to the protection of personal data. What advice would you give to large groups, SMEs, very small businesses or startups to launch or strengthen their approach?

A: In my opinion, six principles can facilitate a GDPR compliance process:

  • Ensure support from management
  • Adapt the GDPR to your corporate culture and organization
  • Surround yourself with the right skills
  • Work on the fundamentals and concrete elements, such as the register and operational procedures
  • Prioritize: not all projects can be carried out in parallel
  • Join or create a network to discuss best practices with peers
