How DuPont makes GDPR a natural behaviour
If you want to learn best practice in handling data in light of the General Data Protection Regulation (GDPR), you can do no better than to look at DuPont. Now part of science giant DowDuPont following a merger last year, the organisation has data in its DNA and a long history of embedding data protection into its culture.
At the SD Worx European Conference 2018, we talked to Edith Hamelryckx, HR Manager Integrated Operations & Industrial Relations Leader EMEA at DuPont de Nemours.
“GDPR is not shocking at all to us. It’s natural behaviour.”
Founded back in 1802, DuPont has a long background in protecting intellectual property, inventing everything from nylon and Lycra to Teflon and owning brands ranging from Corian solid surfaces to Kevlar fibre and Pioneer seeds. As such, data security has always been at the heart of what it does. You could call it a pioneer in the area.
Hamelryckx views GDPR as a positive step forward, bringing harmonisation to Europe. “As well as being an obligation, it reinforces the message that you are a strong employer, respecting customers and suppliers and doing the right thing with core information. It has a reputational and image building side,” she says.
With such expertise to impart, SD Worx asked Hamelryckx to share some of the data handling practices used at DuPont.
- Embed it into your values
DuPont has four core values: safety and health, environmental stewardship, respect for people and highest ethical behaviour. Data fits perfectly into this latter value, which says that the company and its people conduct themselves and their business affairs in accordance with the highest ethical standards and in compliance with all applicable laws, striving always to be a respected corporate citizen worldwide.
- Make data training highly visible
Every year, all employees go through four hours of training followed by a test on data management, records management, data protection and ethical behaviour, which they must pass. Employees are given instructions on what they can and cannot share when at their desk, how to ensure data protection when working in an open space, and clean-desk and clean-screen approaches.
- Communicate regularly
Reinforce the message regularly. Hamelryckx says she gets email messages almost every day regarding keeping records and cleaning the office. But it’s not only about instructions: “We have special officers in the company whom we can contact once we receive strange emails or experience IT related issues, such as phishing. They are easy to approach and make it feel natural getting in touch with them whenever you have a question.”
- Regularly review with your third-party vendors
Every time a new process involving personal data is established, or an existing process that moves personal data is changed, check whether information is being exchanged with third-party vendors. For example, where are they storing the data and is the transaction secure? In 2016 alone, DuPont itself undertook 26 privacy impact assessments.
- Be wary of Bring Your Own Device policies
Be extra careful if you allow people to come in and use their own devices on your network. DuPont has always refused such requests, instead providing company laptops or smartphones for those who need remote access or who travel regularly.
At DuPont, IT, HR and Legal meet once a month and discuss issues around data processes. Good collaboration will help the smooth introduction of GDPR.