With the new EU General Data Protection Regulation (GDPR) scheduled to take effect on May 25, 2018, organizations with EU employees or customers need to be able to demonstrate compliance.
GDPR expands the scope of the 1995 Data Protection Directive it replaces to any data controller or data processor that collects, stores, or processes the personal data of individuals in the EU, wherever the organization itself is located. It mandates data portability, imposes stricter conditions for consent and data retention, and dramatically increases fines and penalties for violations (up to €20 million or 4% of annual worldwide turnover, whichever is higher). Faced with this daunting reality, many companies have been dragging their feet, putting off the inevitable until the last possible second. That time has come.
We’ve covered the GDPR extensively in this blog and have dedicated a page on our website with links to additional references and thought leadership. To help spark action, however, in this post I want to provide a clear and unequivocal starting point. That starting point is Discovery.
Discovery is a two-phase process in which information flows are inventoried and mapped to produce a concise summary that satisfies GDPR Article 30, “Records of Processing Activities,” or ROPA. The ROPA is the official reference for any inquiry into the company’s use of personal data, and Article 30 requires that it be made available to the supervisory authority on request.
Phase I: Inventory – Identifying the Elements
The first step of the discovery process is taking an inventory to determine what personal data an organization collects, processes, or stores that is in scope for GDPR. This is accomplished through a top-down interview process: information is collected from department heads and department managers, and each processing activity is traced down to the individual system, with an eye toward discovering and documenting workarounds, unofficial spreadsheets and tools, and other data leakage that might fly below the radar.
In this discovery process, special attention should be paid to third parties that process a company’s data (vendors or others). They are within the scope of GDPR and must be held to the same standards as your organization. I caution organizations not to cut corners when inventorying third parties. Based on our experience, for every documented vendor relationship there are two more that may no longer be active but may still possess customer data. Article 28 of GDPR, which requires that processors be bound by a written contract, provides a good laundry list of third-party compliance requirements for reference.
Phase II: Data Mapping – Connecting the Dots
Once the processes have been inventoried from the top down, the next phase of discovery is to determine which systems or vendors handle personal data associated with EU data subjects and to identify a point of contact for each. That contact answers specific questions on how the personal data flows into the system, how it is processed, how and for how long it is stored, and whether there are any subsequent transfers of that data to other systems, vendors, or countries.
That bottom-up survey information is then used to map how data flows through the organization. Although the GDPR does not specifically require data flow charts or data mapping, we have found them to be highly effective as a resource for preparing the ROPA required by Article 30, as well as for several additional compliance requirements, including:
- Article 5 — identification of inaccurate personal data
- Articles 9 and 35 — identification of special-category data and other high-risk processing that requires a Data Protection Impact Assessment (DPIA)
- Article 16 — data rectification requests
- Article 17 — erasure requests
- Article 20 — data portability requests
- Article 24 — data protection measures
- Article 32 — processing security measures
- Articles 33-34 — notifying the supervisory authority within 72 hours of becoming aware of a data breach, and notifying affected data subjects when the risk to them is high
As you can imagine, data maps can become incredibly detailed; chances are, organizations will discover data paths and data dead ends they never knew existed. But the process yields collateral benefits outside of GDPR, such as business intelligence, automation, and audit analytics. The larger benefit to the organization comes from an increased understanding of its data collection, processing, and storage procedures, as well as of other data-handling and security protocols such as incident response, which depends on knowing where personal data lives when a breach must be assessed and reported. This knowledge is one of the fundamental goals of the GDPR, but it is also critical to good data governance in the digital future.
Inventory and data mapping are both complex and time-consuming processes, which is why many organizations have retained outside assistance to meet the compliance deadline. Whatever avenue an organization chooses, we strongly urge companies to move forward with the utmost speed. The deadline looms, and every indication suggests the authorities are ready to begin enforcement immediately.
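To make the mapping phase concrete, here is an added example (not code from the original post, and not a Protiviti tool) of how the inventory and bottom-up survey results can be held as structured records, turned into a data-flow map, and checked for the gaps described above: vendors that are no longer active but still hold data, personal data that no documented flow accounts for, assets with no point of contact, transfers outside the EEA with no safeguard, and missing retention periods. The same records then roll up into per-purpose entries of the kind Article 30 asks for. The asset names, gap labels, and record fields are assumptions of the example; the inventory is constructed.

```python
"""Added illustration: a minimal data-flow map that feeds an Article 30 record.

Constructed inventory; asset names, gap labels and record fields are assumptions
of this example, not part of the original post or of any vendor tooling.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    name: str
    kind: str                        # "system" (internal) or "vendor" (third party)
    owner: Optional[str]             # point of contact from the bottom-up survey
    location: str                    # "EEA" or a country code outside it
    active: bool = True              # still a live system or vendor relationship?
    holds: set = field(default_factory=set)  # data categories known to sit here
    contract: bool = False           # Article 28 processor contract on file
    safeguard: Optional[str] = None  # e.g. "SCC" for a non-EEA transfer
    retention: Optional[str] = None  # documented retention period


@dataclass
class Flow:
    src: str
    dst: str
    purpose: str
    categories: set


# Constructed sample inventory (hypothetical names).
INVENTORY = [
    Asset("web-signup", "system", "marketing-ops", "EEA", holds={"contact"}, retention="account life"),
    Asset("crm", "system", "sales-ops", "EEA", holds={"contact", "order history"}, retention="7y"),
    Asset("hr-system", "system", "hr", "EEA", holds={"bank details"}, retention="10y"),
    Asset("payroll-saas", "vendor", "hr", "EEA", holds={"bank details"}, contract=True, retention="10y"),
    # Survey found no owner, no transfer safeguard and no retention period:
    Asset("mail-vendor", "vendor", None, "US", holds={"contact"}, contract=True),
    # Relationship ended, but the vendor still holds data and no flow documents how it got there:
    Asset("old-analytics", "vendor", "marketing-ops", "US", active=False, holds={"contact"}, safeguard="SCC"),
]

FLOWS = [
    Flow("web-signup", "crm", "customer account management", {"contact"}),
    Flow("crm", "mail-vendor", "marketing email", {"contact"}),
    Flow("hr-system", "payroll-saas", "payroll", {"bank details"}),
]


def build_map(inventory, flows):
    """Index assets by name and group documented flows by destination."""
    assets = {a.name: a for a in inventory}
    inbound = defaultdict(list)
    for f in flows:
        if f.src not in assets or f.dst not in assets:
            raise ValueError(f"flow references an asset missing from the inventory: {f.src} -> {f.dst}")
        inbound[f.dst].append(f)
    return assets, inbound


def find_gaps(inventory, flows):
    """Return sorted (gap, asset) pairs a practitioner would chase before writing the ROPA."""
    assets, inbound = build_map(inventory, flows)
    gaps = []
    for a in inventory:
        delivered = set().union(*(f.categories for f in inbound[a.name]))
        has_data = bool(a.holds or delivered)
        if a.owner is None:
            gaps.append(("no_point_of_contact", a.name))
        if has_data and a.retention is None:
            gaps.append(("no_retention_period", a.name))
        if has_data and not a.active:
            gaps.append(("inactive_but_holds_data", a.name))
        if a.kind == "vendor" and has_data and not a.contract:
            gaps.append(("no_art28_contract", a.name))
        if a.location != "EEA" and has_data and a.safeguard is None:
            gaps.append(("no_transfer_safeguard", a.name))
        if a.kind == "vendor" and a.holds - delivered:   # data present with no documented path in
            gaps.append(("undocumented_data_path", a.name))
    return sorted(gaps)


def ropa_entries(inventory, flows):
    """One Article 30-style entry per purpose: categories, recipients, third-country transfers, retention."""
    assets, _ = build_map(inventory, flows)
    entries = defaultdict(lambda: {"categories": set(), "recipients": set(), "transfers": [], "retention": set()})
    for f in flows:
        dst = assets[f.dst]
        e = entries[f.purpose]
        e["categories"] |= f.categories
        e["recipients"].add(dst.name)
        if dst.location != "EEA":
            e["transfers"].append((dst.name, dst.location, dst.safeguard))
        e["retention"].add(dst.retention)   # None here means "undocumented"
    return dict(entries)


if __name__ == "__main__":
    for gap, asset in find_gaps(INVENTORY, FLOWS):
        print(f"{gap:24} {asset}")
    for purpose, entry in ropa_entries(INVENTORY, FLOWS).items():
        print(purpose, entry)
```

The gap list is the useful artifact of the exercise: each line is a question for a named department or vendor contact, and the ROPA is only trustworthy once the list is empty. Real inventories will need more fields (legal basis, data-subject categories, security measures), but the shape of the check stays the same.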
Stephen Nation of Protiviti’s Security and Privacy practice contributed to this content.