The EU Directive on General Data Protection Regulation became the starting point for Bona’s work to improve its management of personal data. We contributed to the effort with analysis, strategy and implementation. The goal: a global policy for Bona’s management of personal data, along with an annual review process to ensure adherence and improvement.
Bona AB is a Swedish corporation with sixteen subsidiaries and distributors in more than 100 countries. The company makes products for installation, maintenance and renovation of wooden flooring for both consumers and manufacturing industries. While Bona is certified according to ISO 9001 and ISO 14001, and adheres to Sweden’s Personal Data Act (PUL), the introduction of the GDPR places even more stringent requirements on handling of personal data – and the company saw the new directive as an opportunity to improve management of personal information throughout the group in both Europe and the US. The goal of the project is to establish a global policy with clear guidelines. This policy is to be reviewed on an annual basis. Not only is the protection of data important; the policy can also prevent the negative economic consequences of non-compliance, as fines of four per cent on global annual turnover would be a significant blow for Bona’s subsidiaries. To ensure that the company’s improvement project could be carried out efficiently and correctly, Bona turned to System Verification.
“System Verification is an ideal choice for us because their consultants are pragmatic and they understand the big picture. We didn’t want to focus solely on the legal aspects – we also wanted training in the new routines and assistance in implementing them.”
Tomas Malmqvist, CIO of Bona.
As is true for any business operation, digitalization means that Bona has increased possibilities to collect and store personal data, in frameworks such as SAP® systems, CRM, e-commerce solutions or local Facebook groups. At the same time, tools such as Microsoft® Office® and paper recordkeeping continue to be vital in handling personal data. The procedures for how and where Bona’s employees managed personal data were not documented, and this meant that the company could not meet directive requirements – for example, guaranteeing the 100% deletion of personal data when needed.
Analysis of how personal data was managed
System Verification began by conducting a workshop to provide Bona’s Swedish management team with greater knowledge about GDPR, as well as its purpose, scope and influence on the company’s daily work. Thereafter System Verification analysed exactly how personal data was managed in the Swedish area of the group and how Bona needed to proceed to ensure adherence to directive requirements. The analysis was based on in-depth interviews with system owners, such as the directors for sales, human resources and marketing, with questions about systems used and the types of personal data that Bona needed to register. The interviews also examined why certain kinds of personal data were being stored outside these systems, and where such data was being stored.
New light shed on personal data outside IT systems
The report revealed that Bona has good control of personal data within its IT systems – but that the company needed to improve management of data used and stored outside these frameworks. Bona also needed to create guidelines specifying the types of personal data that are permitted to be stored and routines for deleting data. It was also clear that the company was retaining some data without any clear purpose and sometimes kept data longer than necessary.
“A significant benefit of this project was that System Verification taught us to ask ourselves critical questions. Why are we keeping this data? Could this practice violate the individual’s right to privacy? This helps us in many ways, for example when we implement new IT systems and create routines for them.”
Tase Simonovksi, Bona’s manager for IT infrastructure.
Strategy based on the relevant level
As a next step, System Verification will conduct the same analysis for Bona’s subsidiaries in Germany and Austria, with onsite interviews. Then the remaining subsidiaries will be analysed as well. All the results will be compiled to determine the level on which Bona needs to work to fulfil GDPR requirements, based on a dialogue about risk, effects on the company and the planned budget for the activity. System Verification will then work with Bona to establish a strategic plan including both short-term and long-term goals.
From national to global implementation
Once the work to meet GDPR requirements is finished, Bona will involve its global marketing director in creating guidelines for personal data management and a policy for the entire group of companies, including operations in the US and Asia. These instruments will become part of Bona’s quality management system and will undergo internal review each year. Subsidiaries in each country will appoint a data protection officer (DPO). Although there’s much more work to be done, Bona is very pleased to have started this strategic improvement programme.