GDPR: How to play yourself into action

Orkla Credit has chosen a different approach to GDPR. See how this company is playing its way to readiness for the new data protection rules.

"Remember the civil status! And account number!"

The comments hail down on Astrid Hoston, head of production at Orkla Credit in Orkanger in Sør-Trøndelag. She has been given the task of writing down all of the personal data that is processed by the company. And that is no small quantity.

They soon have more than fifty notes down on the game board. Astrid and five of her colleagues have set aside the day to get ready for GDPR, the new data protection rules to be introduced in May 2018, with the aid of Serious Game GDPR.

Stress tests and mapping

The notes on the game board form the basis of Serious Game GDPR. The game has been developed by Sticos in partnership with House of Knowledge and is a new and fun way to approach the regulations.

“We could have sat with a law book each and learned the regulations on our own, but that takes a lot of time and effort. This is an incredibly effective way of learning and everyone is included in the process,” says Oddbjørn Botnan, General Manager of Orkla Credit.

The discussion goes around the table. Suddenly it becomes quiet. One of the employees has drawn a card: A stress test! On the card it says:

“Lars has never had an eye for detail. Now he has sent an e-mail to the wrong person. The recipient is outside the company and the e-mail contained a list of customer receivables that was to be sent to a debt collection company.”

Cards are moved on the table while data protection expert and supervisor Ranveig Fjellheim Tunaal from Sticos watches. She is one of the regular game supervisors and guides participants through the day.

“Think about who must be involved in such a situation. What are the problems and risks in this scenario?” she asks while the eager participants discuss it among themselves.

From theory to practice

Using 44 playing cards, the participants are taken through 10 steps that will get them ready for GDPR, explains Ranveig:

“The complex subject area is made simple by linking examples to the theory and by challenging players with tasks directly related to what they have just learned.”

General Manager Oddbjørn Botnan recognises several of the scenarios:

“Sending an e-mail to the wrong recipient is something that can easily happen. We are already very concerned about following security routines, but we can always tighten them up. And from May onwards the consequences of failure are much worse.”

The work continues

Once the game is finished, the nationwide debt collection agency Orkla Credit has mapped out all the personal data it processes, along with the purpose and the reason for processing that each type of data has or lacks.

“We also assist in mapping out risk areas, existing routines and roles. All the time we keep the mapping consistent with the regulations. When we have finished, you’re left with a concrete action plan for your company,” says Ranveig Fjellheim Tunaal.

Oddbjørn Botnan and the rest of the company employees are looking forward to embarking on further work:

“For many people, GDPR is something big and scary. For us it is now understandable. We now know what the challenges are and what we shall be working on, and we have the tools we need to get started. We wouldn’t have done it as well without playing the game.”

The game takes a total of 7 hours and there is an introduction to the regulations worked into the programme. You can find out more here.

Digital GDPR-compliance

What is GDPR

The General Data Protection Regulation (Personvernforordningen), abbreviated GDPR, was put into effect on 25 May 2018 and replaced the earlier Data Protection Directive. The rules allow the Norwegian Data Protection Authority (Datatilsynet) to fine those who break the law up to 20 million euros, or even more for companies with a large global turnover. Many businesses fear this and find the rules extensive and a lot of hassle, with perhaps little to gain in return. The high level of fines means that most of those who want to run a business realise they have to deal with the new rules.

The background to the regulation is a wish to improve individuals' ability to control the information registered about them. Data protection is about the right to privacy and the right to decide over one's own personal data. Data protection is meant to safeguard the processing of personal data so that individuals' integrity and privacy are not violated.

Here you can read more about why data protection matters for your business