Antwerp, 23 January 2023 – The merger between the ports of Antwerp and Zeebrugge became official at the end of April 2022. Of course, preparations for this merger had been under way for much longer, operationally, organisationally and administratively. To manage everything in terms of GDPR and data protection, Europe’s second-largest port called on CRANIUM for their DPO as a Service.
“Of course, we’ve been working on GDPR and everything that comes with it for a long time at the Port,” data governance analyst and DPO Sarah Sak starts. “But, when the decision was made to merge The Port of Antwerp with Zeebrugge, we decided to enlist outside help and expertise. An operation like this has an impact on all levels of the organisation: IT, HR, finance and marcom, but also technical innovation, and so on. Consequently, despite the knowledge and experience we have built up in-house over the past few years, we would not have been able to bring it all to a successful conclusion on our own. For example, integrating the processing registers of personal data alone was a huge task to tackle.”
The best from the test
And so, since the Port Authority is a public organisation, a tender was launched. CRANIUM came out on top after an extensive evaluation that looked at quality, references and price.
“A few years ago, when the GDPR came into force, we already leaned on CRANIUM once for a privacy scan. They had been the strongest candidate back then as well. The teamwork between various teams (such as our CISO, Cyber Resilience, and the GDPR team,…) went very well. Obviously, we were very happy to work with them again,” adds Shauni Willems, lawyer & DPO at the Port Authority.
“Price was an important factor in this, but that was certainly not the only one: in their dossier, they also addressed our specific needs very well. The shoe was a perfect fit in all areas.”
Structural partnership and external extension
The Port Authority’s GDPR team was thus reinforced by two CRANIUM consultants, who act as an external extension of the internal GDPR team. What first started as a project-based cooperation grew organically into a structural partnership over time.
Both parties are working together to ensure that all possible data processing within the daily operations of the Port Authority is carried out according to the rules.
“The list of ways we can offer support is long. Both assisting the internal DPOs in dealing with consulting questions from within the organisation (for example, how to work GDPR-compliant with external partners and stakeholders) and proactively ensuring that, as a public company, the right data processing protocols are concluded and followed are part of this. On top of that, we’re helping them create internal awareness and ensure that the data protection policy and related processes are up-to-date. We ensure that they can continue to operate in line with GDPR and privacy-by-design in the long term; and so on,” says Lisa De Smet, Principal Data Protection Consultant, DPO, IT/IP lawyer and Business Manager at CRANIUM, who is following up with Privacy Consultant Louis Longeval at the Port Authority.
“CRANIUM’s role in this is twofold: on the one hand, they relieve us by taking over some of the work; on the other hand, they also act as a sounding board in interpreting the rules. Those interpretations can vary; besides, as a recent form of legislation, the rules are not set in stone. So being and staying informed is crucial,” continues Shauni Willems, lawyer and DPO at the Port Authority.
Credibility and trust
“The biggest challenge as DPO, both internally and externally, was and is to create awareness, be visible and findable within the organisation on one hand; and build the necessary credibility on the other.
This requires openness and effort from both parties. The frequent communication and feedback from the CRANIUM consultants, for example, were very important in allowing that trust to grow organically, and have ensured that we have grown into a well-oiled machine in our cooperation. So the Port Authority is a very satisfied customer,” concludes Sarah Sak, data governance analyst and DPO at the Port Authority.