The GDPR places data security at the heart of every organisation that processes personal data in the EU, or the personal data of individuals who are in the EU. Its emphasis on data protection by design and by default means that every process that touches personal data within an organisation has to be compliant. Data security is no longer a concern for the IT team alone.
While IT departments will still be the port of call for storing data securely and providing secure networks, IT will need to understand how marketing, sales, finance and HR process data in order to keep it secure.
To guide other departments towards privacy by design, IT needs to be able to ask the right questions of the right stakeholders in order to achieve and maintain compliance.
Providing a starting point
Our compliance experts have created a GDPR Mapping Questionnaire based on how we already approach PCI DSS compliance with our customers. With this questionnaire you have a solid starting point to guide these internal conversations.
- Gain an overview of how the GDPR will affect the entire business
- Outline the questions that need to be answered in the most common areas of the business
- Provide a starting point for the necessary data documentation under the legislation
- Demonstrate areas where additional external support in becoming compliant might be needed
Next step: Data Processing Inventory
Once you have mapped the answers to these questions, you’ll want to start thinking about how to become compliant. The most straightforward way of doing this is to tackle one of the GDPR’s requirements directly:
By creating a Data Processing Inventory you’re not only fulfilling the requirement to document your processing activities, but perhaps even more importantly, you are creating an overview of all your processes that involve personal data. This allows you to assess, for example, whether each process meets the Article 5 processing principles (purpose limitation, data minimisation, storage limitation, integrity and confidentiality).
A data processing inventory should list each activity and outline at least:
- The name and contact details of the controller
- The name and contact details of any processors or joint controllers
- The purpose of processing
- The lawful basis for processing
- The category and type of data you are processing
- The members of your organisation who will have access to the data and their location
- Any data transfers to third countries
- The retention period, i.e. how long you will hold the data
- The security measures put in place to safeguard the data
Find the complete Article 30 here.
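Once the inventory exists as structured data rather than a document, the Article 5 assessment mentioned above can be partly automated. The following is an added example, not code from the original page or from its authors: it models one processing activity with the fields listed above, checks each record for missing entries, an open-ended retention period, a lawful basis outside the six in Article 6(1), and a third-country transfer with no documented safeguard. The field names, the `transfer_safeguard` attribute and the two sample records are the example's own constructions.

```python
"""Added example (not from the original page): a completeness check over a
Data Processing Inventory. Field names, the transfer_safeguard attribute and
the sample records are this example's own assumptions/constructions."""
from dataclasses import dataclass, field
from typing import Dict, List

# The six Article 6(1) lawful bases, spelled the way this example expects them.
LAWFUL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}

# Fields every activity must document (mirrors the Article 30 list above).
REQUIRED_FIELDS = (
    "controller", "purpose", "lawful_basis", "data_categories",
    "access", "retention", "security_measures",
)


@dataclass
class Activity:
    name: str
    controller: str = ""                                   # controller name and contact details
    processors: List[str] = field(default_factory=list)    # processors / joint controllers
    purpose: str = ""
    lawful_basis: str = ""
    data_categories: List[str] = field(default_factory=list)
    access: List[str] = field(default_factory=list)        # who has access, and where they sit
    third_country_transfers: List[str] = field(default_factory=list)
    transfer_safeguard: str = ""                           # assumed field: documented safeguard
    retention: str = ""
    security_measures: List[str] = field(default_factory=list)


def check_activity(a: Activity) -> List[str]:
    """Return the findings for one activity; an empty list means no issues."""
    findings = []
    for f in REQUIRED_FIELDS:
        if not getattr(a, f):
            findings.append(f"missing '{f}'")
    if a.lawful_basis and a.lawful_basis.lower() not in LAWFUL_BASES:
        findings.append(f"unrecognised lawful basis '{a.lawful_basis}'")
    # Storage limitation: an open-ended retention period is a finding, not an answer.
    if a.retention.strip().lower() in {"indefinite", "forever", "unlimited"}:
        findings.append("retention period is open-ended")
    # A recorded third-country transfer must be paired with a documented safeguard.
    if a.third_country_transfers and not a.transfer_safeguard:
        findings.append(
            "third-country transfer(s) to "
            + ", ".join(a.third_country_transfers)
            + " with no documented safeguard"
        )
    return findings


def check_inventory(activities: List[Activity]) -> Dict[str, List[str]]:
    """Map each activity name to its findings; activities with none are omitted."""
    report: Dict[str, List[str]] = {}
    for a in activities:
        found = check_activity(a)
        if found:
            report[a.name] = found
    return report


# Constructed sample inventory: one well-documented CRM process and one
# 'hidden' marketing spreadsheet of the kind the text warns about.
SAMPLE_INVENTORY = [
    Activity(
        name="CRM customer records",
        controller="Example Ltd, dpo@example.com",
        processors=["CRM SaaS vendor"],
        purpose="Manage customer contracts and support",
        lawful_basis="contract",
        data_categories=["contact details", "contract history"],
        access=["Sales (Dublin)", "Support (Berlin)"],
        retention="6 years after contract end",
        security_measures=["SSO with MFA", "encryption at rest", "role-based access"],
    ),
    Activity(
        name="Marketing analytics export",
        controller="Example Ltd, dpo@example.com",
        purpose="Campaign performance analysis",
        lawful_basis="legitimate interests",
        data_categories=["email address", "campaign engagement"],
        access=["Marketing (London)"],
        third_country_transfers=["US"],
        # No retention period and no security measures recorded: a locally
        # downloaded spreadsheet that IT did not know existed.
    ),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for item in findings:
            print("  -", item)
```

Run as a script it prints three findings for the marketing export and none for the CRM process. The checks are deliberately conservative: they catch gaps in the record, not whether the stated purpose, basis or safeguard is actually adequate, which still needs a person.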
As IT might not be aware of some ‘hidden’ processes (e.g. spreadsheets downloaded and stored locally, or marketing monitoring tools), every department should be actively involved in the creation of the processing inventory.
If you’d like assistance in setting up or managing a Data Processing Inventory, get in touch with us and we can guide your organisation through the actions necessary.