The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. To prepare for this, NS commissioned an external agency to perform a scan. The scan identified areas for improvement in order to be compliant with the regulation. For example, we developed work packages that were implemented across the entire organisation. NS also paid a lot of attention to education and awareness, for instance with mandatory e-learning. To guarantee that NS remains compliant with the privacy regulation a new privacy structure and governance was set up.
For NS, the privacy of passengers and staff is more than just a mandatory regulation. We defined four principles that take priority when processing personal data: ‘Transparent’, ‘Safe with NS’, ‘Choice and control’ and ‘Innovative and open’.
At the end of 2018 the GDPR programme was terminated, and the remaining points from the programme were transferred to the business units. The Integrity and Compliance department monitors how they implement these points.