The 99 Articles of the GDPR may seem daunting, and the sea of thought pieces makes it hard to decide where to start. To simplify your design and decision process, we are sharing the short checklist of actions we work through with clients.


1. How do I find all the sensitive data across my business?

If you are a small business, you may have only one system holding personally identifiable data, such as email or a cloud-based CRM. For most businesses, though, this data is spread across multiple systems, including unstructured locations such as Word and Excel documents, which makes servicing Subject Access Requests challenging as you seek out every record you may hold on an individual. Data Discovery and Identity Discovery tools are designed to solve this.
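As an added illustration of the discovery problem described above (this is example code, not a tool from the original post), the script below scans a constructed set of text extracts standing in for Word and Excel files, builds an inventory of where email addresses and phone numbers appear, and then answers a Subject Access Request by returning every file that mentions any identifier known for the individual. The document contents, file paths and regular expressions are all constructed for the example; a real discovery tool would extract text from the native file formats and use far more detectors.

```python
"""Added example: locating personal data across unstructured documents.

Not part of the original post. Constructed in-memory documents stand in for
Word/Excel files; a real discovery tool would extract text from those formats.
"""
import re
from collections import defaultdict

# Constructed sample corpus: file path -> extracted text.
DOCUMENTS = {
    "sales/q1_leads.txt": "Lead: Ann Example <ann.example@example.com>, phone 01632 960123, interested in plan B.",
    "hr/onboarding_notes.txt": "New starter Ben Sample, personal email ben.sample@example.org. No phone on file yet.",
    "marketing/newsletter_draft.txt": "Subject: Spring offers. No personal data in this draft.",
    "support/ticket_4412.txt": "Customer ann.example@example.com reported a login issue; callback number 01632 960123.",
}

# Simple detectors for two common identifier types. The patterns are illustrative,
# not exhaustive; production tools combine many detectors with validation rules.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# UK-style landline as written in the constructed samples: 5 digits, space, 6 digits.
PHONE_RE = re.compile(r"\b0\d{4}\s?\d{6}\b")

DETECTORS = {"email": EMAIL_RE, "phone": PHONE_RE}


def scan_for_pii(documents):
    """Return {path: {detector: sorted unique matches}} for files containing PII.

    Files with no hits are omitted, so the result doubles as an inventory of
    where personal data actually lives.
    """
    inventory = {}
    for path, text in documents.items():
        hits = {}
        for name, pattern in DETECTORS.items():
            found = sorted(set(pattern.findall(text)))
            if found:
                hits[name] = found
        if hits:
            inventory[path] = hits
    return inventory


def build_subject_index(inventory):
    """Invert the inventory: identifier value -> sorted list of files holding it."""
    index = defaultdict(set)
    for path, hits in inventory.items():
        for values in hits.values():
            for value in values:
                index[value.lower()].add(path)
    return {value: sorted(paths) for value, paths in index.items()}


def locate_subject(documents, *identifiers):
    """Files relevant to a Subject Access Request, given any identifiers known
    for the individual (for example their email address and phone number)."""
    index = build_subject_index(scan_for_pii(documents))
    paths = set()
    for ident in identifiers:
        paths.update(index.get(ident.lower(), []))
    return sorted(paths)


if __name__ == "__main__":
    for path, hits in scan_for_pii(DOCUMENTS).items():
        print(path, hits)
    print("SAR for Ann:", locate_subject(DOCUMENTS, "ann.example@example.com", "01632 960123"))
```

The inverted index is the useful part for a Subject Access Request: once the scan has run, each request is a lookup by any identifier you hold for the person rather than a fresh search across every system. Note that the support ticket references Ann only by email and phone, not by name, which is exactly the kind of record a manual search by name would miss.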


2. How do we ensure the personal data we hold is up to date?

Article 5 of the GDPR requires that the data you are holding is 'accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay'. In simple terms: do you have the processes and technology in place to detect and correct errors such as incorrect email addresses, or changes of address that have not been captured in your systems? A Data Quality Monitoring tool can identify missing and inconsistent data, and Data Capture Validation can ensure that you are capturing personal data correctly at your contact points.


3. How do we manage customer and prospect consents and permissions?

Articles 6, 7, 8, 18 and a number of others describe your obligations to clearly and transparently capture and manage consents and permissions. If you are a small business with only one system managing customer interactions, you should be able to build consent management into that solution. In most organisations, however, personal information is captured or processed in multiple places, and to that end a master record or hub of consents is required to synchronise consents and permissions across them.


4. How can we minimise the labour cost of documenting our processing activities?

Article 30 of the regulation requires organisations to keep detailed documentation of their data processing activities, including the name and details of the controller, the purpose of processing, the categories of data, the security measures and the recipients of the data. For a small organisation this may be simple to capture and document in a spreadsheet; for others it can become a significant manual task to first document and then maintain. A Data Governance tool can substantially reduce that effort through automation and deliver the required scalability.


5. Are we prepared to respond to a Data Breach?

Whilst you will be continually testing that your security technology and processes are in place to prevent a data breach, no system can be 100% effective. You should also dedicate planning to your procedures for handling a data breach. This includes the templates you will use to notify those affected by the breach, confirming that the contact data you hold is valid so you can actually reach them, your contact priority order, and how you will handle inbound enquiries and press communication.


6. How do I manage privacy and pseudonymisation in a scalable manner?

The principle of privacy by design, and Articles 25, 32, 40 and 89, ask that organisations pseudonymise, i.e. mask, personally identifiable data when it is used internally or shared externally and the receiving parties do not need the exact values. For a small business this can be done manually when you prepare data for analytics or occasionally share it externally. For larger businesses, undertaking this activity manually while attempting to maintain referential integrity can be very cumbersome and adds cost to your business. A data privacy platform can offer the automation that enables compliance whilst removing a manual bottleneck in your data processing activities.
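To make the referential-integrity point concrete, here is an added example (not code from the original post or from any particular privacy platform) that pseudonymises the linking column of two constructed tables with a keyed HMAC-SHA256 token. Because the token is deterministic under the key, the customer and order tables still join after masking, while an analyst who receives only the masked tables cannot recover the email addresses or confirm a guessed address by hashing it, since they do not hold the key. The tables, column names and key handling are assumptions for the example.

```python
"""Added example: keyed pseudonymisation that keeps referential integrity.

Not part of the original post. Uses HMAC-SHA256 under a secret key so the same
real value always maps to the same token (joins still work) while the token
cannot be reversed, or checked against candidate values, without the key.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: two tables linked by the customer's email address.
CUSTOMERS = [
    {"email": "ann.example@example.com", "name": "Ann Example", "plan": "B"},
    {"email": "ben.sample@example.org", "name": "Ben Sample", "plan": "A"},
]
ORDERS = [
    {"order_id": 1001, "email": "ann.example@example.com", "total": 49.0},
    {"order_id": 1002, "email": "Ann.Example@example.com", "total": 12.5},
    {"order_id": 1003, "email": "ben.sample@example.org", "total": 99.0},
]

# Columns that link tables are tokenised consistently; direct identifiers that
# nobody downstream needs are dropped outright.
LINK_COLUMNS = {"email"}
DROP_COLUMNS = {"name"}


def pseudonym(value, key, length=16):
    """Deterministic, keyed token for a personal identifier.

    Normalisation (strip + lowercase) means 'Ann@X.com' and 'ann@x.com' map to
    the same token, which is what referential integrity across systems needs.
    A plain unkeyed hash would not do: an attacker could hash a list of known
    email addresses and match them against the tokens.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "psn_" + digest[:length]


def pseudonymise_table(rows, key, link_columns=LINK_COLUMNS, drop_columns=DROP_COLUMNS):
    """Return a new table with link columns tokenised and direct identifiers removed."""
    out = []
    for row in rows:
        new_row = {}
        for col, val in row.items():
            if col in drop_columns:
                continue
            new_row[col] = pseudonym(val, key) if col in link_columns else val
        out.append(new_row)
    return out


def join_orders_per_customer(customers, orders):
    """Count orders per customer using whatever the email column now holds,
    so the same join works on real and on pseudonymised tables."""
    counts = {c["email"]: 0 for c in customers}
    for o in orders:
        counts[o["email"]] = counts.get(o["email"], 0) + 1
    return counts


if __name__ == "__main__":
    # Assumption: in production the key lives in a secrets manager, never beside the data.
    key = secrets.token_bytes(32)
    p_customers = pseudonymise_table(CUSTOMERS, key)
    p_orders = pseudonymise_table(ORDERS, key)
    print(p_customers)
    print(join_orders_per_customer(p_customers, p_orders))
```

Two design choices matter here. Normalising before hashing is what keeps the second order (written with different capitalisation) attached to Ann's record after masking, which is the referential-integrity problem the section describes. Keeping the key separate from the masked data is what makes the output pseudonymised rather than merely encoded: whoever holds the key can re-identify, so key custody decides who can.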



7. I'm subject to multiple regulations; how can I reduce duplicate activities?

As data volumes and capabilities have grown, so has the attention of regulators looking to ensure accurate financial reporting, robust risk management and protections for consumers, clients and data subjects. As a result, many of the data regulations you should be complying with have overlapping sections; for example, GDPR, PSD2 and ePrivacy all set out obligations around consent. To reduce duplicate effort, having guidance on where they intersect is key.