Client Cases

Case 1 - Projects Compliance Model

Developed a customized Data Protection Compliance Governance Model for a large IT program (including 20 IT projects) for a multinational energy provider in Sweden.

Purpose:

To guide and monitor compliance with all applicable requirements throughout each phase of the project, from planning through execution, ensuring integration of privacy, information security, governance requirements, and internal obligations across legal entities.

Key Actions:

[Aggregated applicable compliance controls] For GDPR, local regulations, information security and industry standards, e.g. ISO 27001.

[Established governance model, policies and guidelines] Integrated into the project lifecycle and program governance.

[Aligned with key departments and obtained leadership buy-in and support] IT, Legal, Security, Procurement, and the Works Council for approval.

[Communicated and integrated the model] Embedded into processes, setting clear usage requirements.

[Trained staff] Followed up with support and monitoring.

Results:

 + Streamlined compliance oversight, improving transparency and accountability.

 + Strengthened risk management and ensured compliance by embedding data protection by design throughout the project lifecycle.

 + Simplified alignment on compliance in projects with auditors and other stakeholders (e.g. works council).

 + Created a versatile blueprint initially for HR, now adopted by other departments.


Case 2 - Suppliers Governance Model

Developed a comprehensive risk-based supplier management strategy for a multinational energy provider in Sweden, incorporating an advanced governance framework to ensure compliance, security, and accountability in supplier relationships.

Purpose:

To ensure the 300+ suppliers maintain an adequate level of data protection, and to work proactively with legal compliance, information security and enterprise risk management.

Key Actions:

[Assessed Supplier Risk Levels] Classified suppliers by risk and renegotiated contracts for high- and medium-risk suppliers.

[Established Governance Structures] Created a governance framework with defined responsibilities and meeting schedules.

[Established Regular Audits and Assessments Calendar] Implemented an audit calendar as part of the Master Service Agreement, focusing on key certifications.

[Established Penetration Testing and Security Review Requirements] Defined requirements for regular third-party penetration testing and security reviews.

Results:

 + Set a blueprint for supplier management, re-used as a best practice by several departments, e.g. IT, BA Wind.

 + Reduced data breaches by suppliers with hands-on reporting and monitoring.

 + Minimized security risks with regular assessments and testing.

 + Built partnerships with suppliers, improving transparency, feedback and accountability.


Case 3 - Gap Analysis and Response Plan

Performed a gap analysis and response plan for HR processes for a multinational energy provider in Sweden, ensuring GDPR compliance across 30+ processes, including documentation, data retention, and processing activities.

Purpose:

Assess and ensure GDPR and AI Act compliance, including supplier contracts and data protection practices, and implement the necessary response actions.

Key Actions:

[Conducted GDPR compliance analysis] Reviewed over 30 HR processes for compliance with GDPR principles, ensuring proper documentation, security and data retention practices.

[Assessed supplier contracts] Evaluated contracts with third-party suppliers to ensure data protection requirements were met and reported on.

[Conducted DPIAs] Coordinated and conducted Data Protection Impact Assessments (DPIAs) for critical HR activities.

[Ensured data governance] Verified that data processing activities adhered to GDPR principles, including appropriate authorizations and accountability.

Results:

 + Documented 30+ compliant HR processes across 10 jurisdictions.

 + Reduced data risks with thorough DPIAs.

 + Improved data governance policies to be more granular and action oriented.

 + Conducted Legitimate Interest Balance Tests.

 + Strengthened data security with robust safeguards.


Case 4 - Data Protection e-learning for HR Professionals

Designed and implemented a mandatory e-learning program for HR professionals in a multinational energy provider in Sweden, covering data protection, information security, and governance to ensure compliance.

Purpose:

Equip HR staff with the necessary knowledge to navigate data protection and governance requirements, with training localized in English, Swedish, German, and Dutch.

Key Actions:

[Developed content and added controller questions] Created HR training on data protection, security, and governance, with controller questions for comprehension and accountability. Worked with an external provider to produce videos with graphics.

[Coordinated translation and aligned with the training department] Leveraged internal resources to support translation and provide feedback.

[Aligned with legal teams and works councils] Ensured internal alignment by collaborating with legal, DPOs, and works councils.

[Launched and added to onboarding process] Deployed to existing employees and tracked engagement to measure effectiveness.

Results:

 + Trained 5,000+ employees, ensuring a harmonized compliance approach across regions.

 + Reduced the number of data breaches by 78%.

 + Recognized by the head of internal audit as a best practice.

 + Enhanced internal knowledge of data governance and accountability.