Protecting sensitive data
GIZ’s data protection strategy is based on the EU’s General Data Protection Regulation (GDPR) and is applied at all sites worldwide. The company has appointed a Data Protection Officer with two deputies. Responsibility for implementing the GDPR at operational level lies with the Data Protection Management Unit.
Data protection at GIZ
The main role of GIZ’s Data Protection Officer and the Data Protection Management Unit is to structure processes involving the collection or processing of personal data in such a way that they meet data protection rules at every stage.
Whereas the Data Protection Officer and their team report directly to the designated member of the Management Board, the Data Protection Management Unit forms part of the Digital Transformation and IT Solutions Department (DIGITS).
The Data Protection Officer advises internal and external data subjects across the company, monitors compliance with data protection rules and regulations in the company and maintains an ongoing dialogue with the supervisory authority. The role also involves providing regular advice to the Management Board and senior company managers on every aspect of data protection. The Data Protection Officer reports to the Management Board on an ongoing basis and is a member of the Risk Management Committee, whose remit extends across the company.
In 2019, one of the priorities of the Data Protection Management Unit was to set up a new team. This meant recruiting new staff and establishing appropriate work and communication structures. All the company’s data protection processes were documented and communicated to staff, and existing GDPR-related documents were examined, supplemented and harmonised to create a robust framework for the unit’s future work.
The most time-consuming activity was dealing with incoming queries. In 2019, as well as checking all the company’s online surveys, the team handled approximately 1,200 queries.
The unit’s work centres on GDPR compliance and the comprehensive record-keeping this entails. In addition to performing its key role – maintaining the statutory record of processing activities – the unit is also responsible for checking, approving and documenting all third-party data processing work. In 2019, the unit dealt with 550 new reports of processing activities.
One of the unit’s main tasks is to raise awareness of data protection issues among staff worldwide and to provide appropriate training. To this end, it arranged a continuous series of information and training measures, adapted existing information to the GDPR and designed various new formats.
One such example is data protection screening in the field structure, which is designed to prepare country offices for the demands of the GDPR. This involves checking existing business processes against GDPR requirements and documenting reports of local processing activities. There is also a training day for all staff. In 2019, data protection screening was conducted in four countries (Kenya, Burkina Faso, Nepal and Bosnia and Herzegovina). More than 150 employees attended awareness-raising and training sessions.
Growing focus on data protection
In 2011, the number of data protection queries handled by GIZ was just 190. By contrast, the figure for 2019 was around 1,200, more than double the total for the previous year. GIZ has been performing data protection audits worldwide since 2014/2015 – to date in 19 countries and country offices. In addition, the Data Protection Management Unit has completed four local office screening processes (see above).
There were eight substantiated data protection complaints in 2019, the same number as in the previous year. These were all individual cases and were resolved by mutual agreement. One request to delete personal data was duly actioned.
In April 2019, the Office of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) published a report on its first advisory and monitoring visit in December 2018. The report raised no concerns and concluded that data protection is given a high priority at GIZ.