Anne-Cécile Colas, Group Data Protection Officer at Sodexo
July 22, 2020
The OneTrust DataGuidance ‘Thought Leaders in Privacy’ interview series is filmed across the world with leading privacy professionals discussing their advice for staying ahead of the curve and how privacy connects on a wider level with businesses and society. The series captures ideas from a range of subjects including GDPR and CCPA requirements, data security and breach notification, risk & compliance, and emerging technologies.
We met with Anne-Cécile Colas, Group Data Protection Officer at Sodexo, in February 2020. Sodexo is a French food services and facilities management company headquartered in Paris and is one of the world's largest multinational corporations with over 425,000 employees and a presence in 80 countries.
Anne-Cécile discusses how she has ensured internal buy-in to the company’s privacy policy, as well as how Sodexo monitors and audits its privacy program.
How to get internal buy-in for privacy programs
Anne-Cécile notes that, for a privacy program to win internal buy-in, senior management must understand not only that legal compliance is essential, but also that demonstrable compliance can be a competitive differentiator.
Beyond just the program, Anne-Cécile explains, “We also have concrete, effective processes, measures, actions that show we are privacy specialists and that we are action-orientated.”
According to Anne-Cécile, Sodexo is successful when they can demonstrate compliance to customers. As both a data controller and data processor, Sodexo is committed to properly and legally handling data. This builds into the idea of data protection as a function to cultivate brand reputation and customer trust.
Monitoring and auditing privacy program performance
With the GDPR in place for nearly two years, organizations must be able to measure and understand the effectiveness of their privacy programs. However, Anne-Cécile highlights that, as a multinational organization, Sodexo has a particular need to focus on the areas of risk across multiple jurisdictions.
“We take into account sensitive populations, we take into account the sensitivity of the data, the volume of the data, the jurisdiction, and the activity. It allows us to focus on high-risk areas. We also look at other more standard processing operations, such as HR operations, as there is a volume of data there that we need to monitor.”
At Sodexo, the legal team built “risk registers” that advise auditors, whether internal or external, on the areas of risk. By taking into account many aspects of the data, these registers help the team focus on those areas in order to comply with a vast range of applicable laws.
Watch the full interview with Anne-Cécile, in which she shares further top tips for implementing and managing a privacy program and discusses data mapping and record-keeping obligations.