Oversized policy document with check marks on a clipboard in an office.

Rolling Out Guidelines Correctly

Guidelines exist in almost every organisation. At best, they regulate how certain things must be done to ensure that all processes within the organisation function properly and legal obligations are met.

Our team of over 150 consultants frequently deals with guidelines in their work in data protection, information security, and compliance. Guidelines are not just digital walls of text; they are sensible measures for setting rules for certain areas and actions.

The relevance of particular guidelines varies across organisations. However, the following five guidelines are commonly implemented in practice:

  • Information Security Policy: An information security guideline provides instructions for specific situations. It aims to protect information as well as its availability, confidentiality and integrity. It is aimed at all employees.
  • Guideline for dealing with data breaches: In the event of a data breach involving personal data, the organisation must act swiftly. A decision needs to be made promptly on whether to report the incident to the data protection authority. All employees must understand what constitutes a data breach and how to respond. A clear policy with specific instructions for such incidents is essential.
  • Use of AI Chatbots and Other Internet-based Services: Employees are increasingly asking themselves whether they are allowed to use their work email addresses to register for free online services, such as ChatGPT, and use them for business data. Similarly, the use of personal email addresses for business-related services can also become an issue. And what about the use of services without registration, like DeepL? Can these be used for processing business or even personal data? Organisations should proactively address these questions with a clear policy for all employees.
  • Handling Employee Data for Managers: As a manager, one might receive unsolicited information, for instance if an employee confides in them about personal issues, illnesses, or private matters. What if this information seems relevant to the employment relationship? Are personal notes by managers acceptable? All these questions should be addressed in a policy before they arise in practice, as mishandling can quickly lead to substantial fines.
  • Implementation of New Procedures, Systems, and Service Providers: In practice, one can become the project lead faster than expected. What needs to be considered when acquiring software and systems or hiring service providers? Who should be involved, and what must be observed? Do data protection, information security, and compliance play a role here as well? The right guidelines can help here too.

However, a good policy alone is not enough: even if you have one, there are still two very formal questions and one very practical question.

How are policies distributed to employees?

The formal question involves ensuring that policies reach the correct recipients – sometimes all employees. This is often a matter of accountability, and some policies require confirmation from the recipients. How can policies be rolled out effectively and efficiently?

Is the job done once the policy is distributed?

The practical question is: Who actually reads the policy and acts accordingly? In other words, is simply sending out a policy sufficient to create real awareness of an issue?

If you find yourself overwhelmed by how you or your organisation can implement all of this, we can reassure you.

Our experts in data protection, information security, and compliance have over 20 years of experience in creating meaningful guidelines. We operate with a balanced approach, considering the unique characteristics of your organisation.

We also support you in distributing policies effectively. This requirement is not new to us, and we have developed a system to smartly distribute policies to the right recipients within the company, including new employees. Our system also provides a status overview of who has received which policies and whether they have been confirmed, allowing you to meet accountability requirements at the individual employee level. If desired, our system can be integrated with your Active Directory to ensure that changes in personnel are managed automatically without manual imports.

Creating awareness is part of it

Smartly distributing policies is just one step towards increasing awareness. Important policies should be further explained through good training or eLearning programmes. Our system allows you to distribute both policies and corresponding eLearning courses. This way, you can create genuine awareness. We have already developed training content for many policy topics, but we are also happy to work with you to create custom eLearning courses and distribute them through our system.

Interested? Get in touch with us!