Most of us have heard of the General Data Protection Regulation (GDPR) by now, but in some areas of business the implications haven’t fully registered. In a recent BBC article, Chris Daly, chief executive of the Chartered Institute of Marketing, says:
“There is a real lack of awareness about this issue in our sector – 60% thought it wouldn’t affect their business at all.”
So, what do we need to do?
As ever, preparation and planning are crucial to ensuring that your organisation meets its obligations when dealing with personal data. A good place to start is with the advice from the regulator. The UK regulator is the Information Commissioner’s Office (ICO), which has issued guidance for UK organisations on preparing for the GDPR. It has published (and regularly updates) a 12 step plan; the first two steps were reproduced below in the original post.
ICO, “Preparing for the GDPR – 12 steps to take now”, May 2017
Note the last line of step 2 – “you may need to organise an information audit”. I would love to think that the ICO is being slightly ironic in using the word “may” here: unless you are a very rare breed of organisation, that should read “will”. Yes, we have come across organisations that have carried out an audit or are in the process of carrying one out, but even then vital parts of the audit have often been missed.
So what should be in your audit? Well, there are two elements that determine the level of risk to which your organisation is exposed:
- The quantity, type and location of the personal data you hold
- The complexity of the business processes that use this personal data
To enable your organisation to make informed decisions about compliance with the GDPR, both areas need to be covered. That means your audit needs to produce:
- A personal data “Data Map” – what type of personal data does my organisation hold, how much of it do we have and where is it stored?
- A personal data “Data Flow and Process Map” – how is the identified personal data used by the organisation, who do we share it with and how is it protected during these processes?
Once this is done, a risk assessment can be carried out and, if you want to get serious, the results can be turned into a “Heat Map” for presentation to senior management to highlight the high risk areas. Alongside this should be a set of recommendations and remedial actions for dealing with the risks identified.
Job done? No, job started.
After this, you can deep dive into more complex areas such as the legal basis for holding and processing the data, and those tricky new individual rights such as the right to erasure, the right to data portability and the right to restrict processing – all of which create a further set of obligations on organisations holding personal data.