Shredded paper

CUSTOMER CASE –  At the start of July, Brand Compliance issued the first GDPR BC5701 certificate to MOResult. The proof that GDPR Certification is also feasible for SME organisations. MOResult advises companies on recruiting and selecting the right people and on developing employees within organisations.

What was the question?

At the end of February 2018, MOResult was surprised to receive a draft Data Processing Agreement from a major customer. Until then, they had not given any thought to the GDPR. In response to this question, they decided to give it their full attention. MOResult considers the privacy of candidates, participants and clients to be important. The idea arose that they were generally complying with the new legislation, but not yet demonstrably. Opting for a management system and certification guarantees a correct working method. This optimises business processes and creates a controllable system. The choice for certification through Brand Compliance was made within one day. The GDPR training course was scheduled for 8 March.

The certification process

From 8 March, MOResult started to write procedures, consult with (sub)processors etc. Within 2 months, 98% had been achieved. The final 2% and the decision on the concrete certification took another four weeks. The biggest challenge was that while the legislation is in place, there is no case law yet. There is also little useful “expertise” present as yet at the Dutch Data Authority. This means that everything must be arranged exactly according to the law. In the MOResult system for the register of processing activities, all activities are clearly registered and updated. However, the system did not comply 100% with the text of the law. Internal audits were also required to audit matters that had already been identified as not being relevant to MOResult. This creates some inefficiency in a system that is designed to improve processes, which caused some resistance along the way – they even almost pulled out. Remko Cuijpers, auditor at Brand Compliance, helped MOResult to make a practical transposition into practice of what is written in the law. He consulted with the Dutch Data Authority and regularly consulted with MOResult face-to-face as well as by telephone and email.

The result

The BC5701 GDPR certification confirms your good image to clients, candidates and participants. Now that the economy is picking up, all kinds of recruitment & selection agencies are emerging. CVs of candidates are offered to potential clients without permission, assessment profiles are shared without permission and ‘end up’ in the bin. Data is regularly handled badly in the Netherlands. MOResult has a management manual that describes in concrete terms which activities have to be performed in the context of BC5701:2018. This is already quite a natural process, and takes very little time. It is important that the GDPR legislation really takes off and lives.

Tips for other organisations

“If an organisation is already paying proper attention to privacy, this certification is very easy to achieve,” says Willem Olthof of MOResult. “The certification can also be used to optimise business processes. We often store too much data, and for too long. Don’t believe the scare stories about what the GDPR doesn’t allow. We have not come across any unreasonable demands,” says Willem Olthof of MOResult.

Would you like to know what we can do for you in terms of the GDPR? Then please contact us.