Date: 2023-03-05

Data Protection Management — Chaos or System

Our customers know (hopefully) how we “manage” data protection when working with them. Interested parties, but also colleagues from the industry, ask questions from time to time. “How do you deal with data protection management with your customers at ask data protection as external data protection officers?”

Fortunately, only a few interested parties or potential customers already have any kind of off-the-shelf data protection software. Not because these are generally unusable, but because they are usually rather suboptimal when it comes to internal/external collaboration. Even if one or the other cloud solution is slowly being included, these applications usually run on premise, i.e. on the customer’s systems. For us externals, this would mean setting up and maintaining a large number of VPN clients and access solutions on all devices of the ask team. A considerable effort. And there are even said to be organizations that completely prohibit remote access to internal systems. Therefore not optimal.

In addition, we not only work as external data protection officers, but are also active in the field of information security. Here, among other things, due to time constraints (such as funding deadlines), systematic project management and close management of the tasks to be completed are critical success factors.

A platform for (almost) everything, not just for data protection management, is needed

So more than 10 years ago we started looking for the jack of all trades or — as we say here in Franconia — the beer-brewing Schäufeleklosskuh. Mandatory requirements were:

Easy access for both our customers and us

Easy to understand and use

High level of security (including encryption not only for moving data, but also at rest)

Two-factor authentication administratively mandatory for all users (otherwise no access)

Flexible usability for our topics

It should always be possible to edit ready-made content together with our customers, to easily add new content and to keep an eye on time management for projects. And all this without hours of introduction, training or poring over manuals.

The more we looked around the market and tested tools, the greater our demands became 🙂

Document management (at least versioning) would not be wrong.

Automatic resubmissions, e.g. a dream for regular TOM checks at contract processors.

Documentation (also for the sake of verifiability) of discussions on customer questions at a central location instead of hours of research in numerous mailboxes (a plague, especially when there is a change in employees).

Clear presentation of completed and still open to-dos, on the one hand to motivate those involved, but also to facilitate reporting.

Process and document data subject requests and data breaches with easy option to delete after the retention period has expired.

And… and… and… our wish list kept getting longer.

Yes, that’s right. Many of the data protection management tools available on the market can do this somehow, partially or completely. But you have to swallow a toad or two. And you get “off-the-shelf data protection”. And they can usually “only” do data protection. Managing an ISMS based on the BSI IT-Grundschutz or other standards as an external project manager is rarely feasible with them. Not to mention other tasks in our everyday work. And using a different tool for everything is ultimately not a solution either.

The solution many years ago: data protection management via Stackfield

And then, after a long search, we found our beer-brewing Schäufeleklosskuh many years ago. With its product Stackfield, the Munich-based Stackfield GmbH had an alternative to Trello (a well-known US Kanban board), and both the existing product and the further roadmap were promising. Since then we have not regretted using it as a central system for data protection management for our customers and us, and also as a project management tool. Due to the continuous further development of the product, numerous features have now been added that we did not have on our list, but which make everyday work with our customers even easier: a direct encrypted chat function, video conferences (planned or ad hoc) within the project environment without a separate tool, knowledge management and much more. Stackfield has become an integral part of our everyday work. Aside from working with customers, Stackfield has also become an equally important tool for purely internal ask matters. At first glance, Stackfield may seem like just one task/project management tool among many. But there is a lot more under the hood.

But before we explain that at length and thus go beyond the scope of this article: the esteemed Stephan Hansen-West, also known as “Privacy Guru” (even if he doesn’t like to hear it like that, he is one), did a videocast with us some time ago on the topic “Stackfield as DSMS”. Under the title “So arbeiten Datenschutzbeauftragte — a.s.k. Datenschutz”, anyone interested can see more details on how to use this non-off-the-shelf solution. Have fun watching!

And before anyone asks: No, this post is not a promotional post and is not sponsored. We also don’t get any perks or kickbacks of any kind. We’re just so excited about the tool that we wanted to cover it.