For many businesses GDPR compliance is now a pressing priority. There are only a few weeks left before the legislation comes into force and there is still a lot that you can achieve between now and May 25th to set your organization on the path to GDPR compliance.
In this series of blog posts, we are looking at six practical steps you can take over the coming weeks to build a robust GDPR compliance program. These are:
You can see the first post in this series (GDPR: 6 Reasons to be Cheerful?) about GDPR scoping and mobilization here.
In this second post we'll look at step 2 in our FREE GDPR project plan, we will explore one of the fundamental requirements of GDPR, Article 30. Article 30 requires data controllers and processors and, where applicable, their representatives, to maintain a record of processing activities. Record keeping requirements are extensive and many organizations will, of course, be both data controllers and data processors.
At first sight, this looks like an onerous task. However, once you have put in place systems to comply with Article 30 you will have created the basis for compliance with many other aspects of the GDPR. You will have
- audited the personal data in your organization and the systems and services used to manage them;
- documented and risk-assessed third parties involved in the management or processing of personal data;
- mapped and categorized data flows including cross-border data transfers;
- considered the technical and organizational security measures in place.
In effect you will have created a 'golden record' - that is, a single source of truth that will enable compliance with many other aspects of GDPR such as:
- data protection impact assessments
- data protection by design and by default
- subject access management including the right to be forgotten and the right to portability
- breach management
- privacy notices and consents
Although the case for prioritizing the mapping and recording of data processing activities is strong, it is an aspect of GDPR with which many organizations are struggling. At a recent webinar hosted by SAI Global, only 18% of the audience said that they had finished mapping their data processing activities. A little more than half (55%) said they had started but were finding the exercise challenging; and a further 18% didn't know what the status of their data mapping was.
Where to start…
Gathering all of the required information in a thorough and systematic way and implementing appropriate systems to record and manage the information in a dynamic business environment is not a simple undertaking. My recommendation for getting off to a good start is not based on technology or processes, but instead on people. First and foremost, ensure you have all of the right stakeholders involved to capture an enterprise-wide view of your processing activities. No matter who ultimately owns the data privacy risk, many parts of the organization are involved in managing it - make sure you bring them to the table. For example, consider the following:
Once key stakeholders are identified and briefed, they can take part in the systematic identification and recording of what data are held in which systems and documenting the processes and data flows involved.
At a basic level this may simply involve the distribution of a structured questionnaire to capture the information required by Article 30. Results from our webinar suggest that many organizations (71% of our respondents) are relying on this essentially manual approach to data mapping:
While this may be a good starting point, the personal data landscape is complex and fragmented, particularly for larger organizations. Automation using one of a number of data discovery tools on the market can make the process both quicker and more efficient.
The outputs of both automated and manual data discovery exercises can be consumed by SAI Global's GDPR compliance software which also includes a structured database and pre-defined workflows to assist with Article 30 compliance. SAI's solution creates a comprehensive, central register of processing activities; maps information flows and information assets that hold personal data using customizable, pre-defined forms and uses business intelligence tools to produce insightful analytics.
About the AuthorMore Content by Rob Van Straten