Personal data protection has meant a lot of work at UPM for a couple of years, due to the new regulation. Even though the situation was not poor by any standard, now all companies operating in the EU have to be able to prove that their data protection is at the level required by the regulation which became effective last week.
“A small team started looking into the regulation in spring 2016, and this turned quickly into a group-wide project. In addition to the small team working on data protection full time, thousands of UPMers have been involved in this,” says Jaakko Kortesmäki, who headed the GDPR project.
“We process personal data of our own employees as well as a great deal of personal data on our customers, suppliers, and partners. Handling their personal data responsibly is the basis for confidential cooperation.”
The key to success is people
To begin with, it was even unclear what kind of impact the regulation would have: would it need a major IT project, or would the focus be on changing ways of working through new instructions and training. Soon, it became evident that the project needed to put people in the spotlight.
“According to our assessment, the best way to mitigate risks related to the processing of personal data is to train our employees well. After that, every one of us knows how to handle personal data and will make the right decisions.”
The new internal instructions apply to all of us. Over 7,000 employees have taken a mandatory e-learning course, and people who process a lot of personal data in their work have had training sessions tailored for their needs. The data protection team has had over 150 different meetings with different personnel groups.
Two main factors have made it possible to carry out this project successfully, both of them very people-centric.
“Possibly one of the most surprising things in this project has been the way people have taken this matter not only seriously but have even been enthusiastic about it. Our team got a lot of questions related to everyday work,” says Jaakko.
The other factor contributing to the project’s success is that the full-time team had enough capacity to answer all the questions. Now that the regulation has become effective, the work is continued by a dedicated team with representatives from different functions and geographical areas. This way the legal requirements in different countries can be taken into consideration.
Same way everywhere
The requirements of the new regulation concern mostly the documentation, reporting, and transparency of personal data.
At UPM, the new regulation and the changes it required were seen as an opportunity to harmonise practices globally. The EU regulation is very strict, so complying with it guarantees good protection for personal data everywhere.
“For a company like ours, the most sensitive data is collected about our employees. We will always take good care of it, just like the personal data of our other stakeholder groups.”