Quality management and data protection
GDPR: utilizing synergies with QM
The EU GDPR has come into force. Violations can result in high fines. Despite the transition period, not all companies are yet compliant with data protection regulations. An electronic data protection management system could help. By Dr. Iris Bruns
The new European General Data Protection Regulation (EU GDPR) will become binding at the end of the transition period on May 25, 2018. The previous requirements of the Data Protection Directive 95/46/EC have been specified and expanded. However, not all companies are sufficiently prepared. Now is the time to hurry, as violations are punishable by fines of up to 20 million euros or up to 4 percent of annual global turnover. "We advise all companies that collect or process personal data - and this actually applies to every organization, including associations with their members and volunteers - to start implementing the law quickly and demonstrably now at the latest due to the liability risks and to set up a systematic data protection management system," recommends Dr. Stephan Killich from the ConSense management board.
Determine need for action, implement GDPR
Those who are only now dealing with the regulation should proceed in a structured manner in order to implement the requirements efficiently and systematically. The first step is to determine the need for action: In which processes is personal data processed? What are the respective legal bases? How is the protection of personal data currently organized? If documentation such as procedure directories, IT security concepts or similar already exists, it is easy to build on this.

Task board for structured visualization
Modeled on Kanban
All pending tasks in view, sorted by priority and with their progress traceable: that, in short, is what a Kanban board contains.
With ConSense GDPR, ConSense GmbH has developed software that can be used to set up a transparent data protection management system. Dr. Stephan Killich explains: "An electronic management system helps to bring all data protection-related activities into a clear structure. It reduces the workload because it carries out routine activities and automates processes." The software takes over work to fulfill the documentation obligation with the associated revisions. It also ensures that up-to-date documents and processes can always be accessed. Processes for the obligation to report data protection breaches and for deleting information can be mapped. It also supports the compliant handling of data subject rights and information obligations.
QM and data protection: How to use synergies
In order to minimize the effort and achieve implementation as quickly as possible, the experts recommend building on what already exists and using existing resources, structures, content and methods in the company. Quality management (QM) in accordance with DIN EN ISO 9001 is particularly suitable for this, as it has many parallels in procedures and structures with the EU GDPR:
● Specification documentation with revision: According to the EU GDPR, existing processes must be systematically checked for data protection aspects. The processes, procedures and responsibilities already documented in the QM system can be used to set up the specification documentation. Suitable management software provides support with workflow-supported procedures for auditing, checking, approval or resubmission, thus reducing the effort required for documentation obligations.
● Data protection impact assessment (DPIA) and measures: Existing risk management mechanisms from QM can be used to prepare the required DPIA. Like the QM standard, the EU GDPR also requires suitable control processes or measures to be taken in the event of deviations. Suitable software can be used to assign responsibilities to the measures. Standardized workflows are used to manage and monitor implementation.
● Directory of processing activities: A lot of information for the required directory of processing activities can be generated from the QM documentation. Software for an integrated management system comprising QM and data protection enables, among other things, the analysis of QM documentation with regard to the processing of personal data. Relationships between the processes and the associated processing activities are established in order to derive the directory.
● Responsibilities and acknowledgements: As in QM, responsibilities and knowledge must also be clearly defined in data protection management. For example, a management system can be used to define and document the responsibilities for each process (step) and each document. Employees are prompted by the software to take note of new content, instructions and changes. These are recorded electronically and can therefore be verified at any time. In QM, a "yes" or "no" is sufficient for verification; in data protection, the date and time are also required.
● Training/instruction: According to the EU GDPR, employees must be instructed in the handling of confidential data. Existing training and qualification concepts from quality management can be used here. For example, a software-supported system offers the option of creating a qualification structure and assigning validity periods to employees' specialist qualifications. Useful extras such as eLearning and tutorials make it possible to provide training anywhere and at any time.
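Two of the parallels above (deriving the directory of processing activities from QM process documentation, and the stricter evidence rule for acknowledgements in data protection) can be sketched in code. This is an added illustration, not ConSense software; the process records, the set of fields treated as personal data and the legal-basis labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumption for this example: which documented data fields count as
# personal data when scanning QM process documentation.
PERSONAL_CATEGORIES = {"name", "email", "address", "health", "employee_id"}


@dataclass
class Process:
    """One process as documented in the QM system (constructed structure)."""
    name: str
    purpose: str
    data_fields: set
    legal_basis: str = ""  # empty means not yet documented


@dataclass
class Acknowledgement:
    """Electronic confirmation that an employee took note of a document."""
    employee: str
    document: str
    confirmed: bool
    timestamp: Optional[datetime] = None


def derive_directory(processes):
    """Derive directory-of-processing-activities entries from QM processes.

    Only processes that touch personal data are listed; entries without a
    documented legal basis are flagged so the gap is visible for follow-up.
    """
    directory = []
    for p in processes:
        personal = sorted(p.data_fields & PERSONAL_CATEGORIES)
        if not personal:
            continue  # pure QM process, no personal data involved
        directory.append({
            "process": p.name,
            "purpose": p.purpose,
            "personal_data": personal,
            "legal_basis": p.legal_basis or None,
            "action_needed": not p.legal_basis,
        })
    return directory


def verify_acknowledgement(ack, data_protection_relevant):
    """QM evidence needs only yes/no; data protection evidence also needs
    the date and time, so a confirmation without a timestamp is rejected."""
    if not ack.confirmed:
        return False
    return not (data_protection_relevant and ack.timestamp is None)
```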
Implement GDPR, increase trust
The numerous parallels suggest implementing an integrated solution comprising data protection management and quality management and avoiding inefficient isolated solutions. "If you operate two separate systems, you run the risk of overlooking the essentials," says Dr. Stephan Killich. "The establishment of a systematic data protection management system is not only worthwhile in terms of avoiding sensitive fines. Existing processes that are also safeguarded under data protection law increase the trust of customers and cooperation partners."