The following article proposes an approach to analysing and identifying the impacts of the General Data Protection Regulation (GDPR) on your organisation. It focuses not on explaining GDPR (there are plenty of articles available for that) but on practical advice: how to go about identifying the impacts, making changes, and what deliverables will be produced.
2. Introduction
• To address GDPR compliance in your organisation, our analysis approach covers three aspects:
– Data Sources
– Processes & Governance
– Security
• In this presentation we focus on the first two points and cover:
– Discovering and documenting what personal data is used and how
– How to address GDPR and what artefacts are produced
• Cyber/IT security work would be carried out in partnership with a security expert.
3. Data Sources - Discovery & Document
• Identify personal data sources (via process and/or system analysis) to investigate: customers, staff and other third-party individuals.
• Forensic investigation of data source quality and integrity, determining what data and what consent your organisation holds for a Data Subject, so that you can identify each individual as a single entity.
– What data is held? Duplications, quality, integrity?
– How secure is it, where might it be shared, how reliable is it?
• Classify and catalogue personal data; this covers (similar to a PIA, but broader):
– Current level of encryption/anonymisation
– Classification of personal data (including special categories)
– Retention period and legal basis for use
– Sources (where it comes from) and where it is stored: all systems, locations, departments, third parties, international transfers, mobile devices, etc.
– Data owner (in GDPR terms the controller): the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
– Consent details (consent must be specific; you cannot bundle it with other terms) and access rights/who uses the data
– Processing the data is used in (GDPR defines processing as any operation or set of operations performed on personal data or on sets of personal data)
4. Data Sources - Discovery & Document
• Define a common, system-independent data transfer format (for portability requirements); check whether an industry association is already defining one.
• Identify GDPR non-compliance issues and risks in the data from the data analysis.
• Recommend changes to the data (security changes, deletion of unneeded data, a single/common view of each individual, etc.).
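The catalogue fields listed under slide 3 and the non-compliance checks on this slide can be turned into a small, repeatable check. The following is an added example, not material from the original presentation: a minimal personal information register with rule-based checks that flag the kinds of issues the analysis is meant to surface (missing owner or lawful basis, bundled consent, unencrypted special-category data, missing or exceeded retention, transfers outside the EEA without a safeguard, and the same dataset held in several places). The field names, rule set, the list of "adequate" countries and the sample rows are assumptions for illustration only.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

# Countries treated as inside the EEA or covered by an adequacy decision.
# Assumption for illustration only; check the current official list in practice.
ADEQUATE_COUNTRIES = {"DE", "FR", "IE", "NL", "GB"}


@dataclass
class PIEntry:
    """One row of the personal information register (field names are assumptions)."""
    dataset: str                     # e.g. "customer_contact"
    location: str                    # system / department / third party holding it
    country: str                     # ISO 3166 code of the storage location
    classification: str              # "personal" or "special_category" (GDPR Art. 9)
    owner: str                       # controller responsible for the data ("" = none recorded)
    lawful_basis: str                # "consent", "contract", "legal_obligation", ... or ""
    consent_bundled: bool = False    # consent tied to unrelated terms and conditions
    encrypted_at_rest: bool = False
    retention_days: int = 0          # 0 = no retention period defined
    last_used: date = field(default_factory=date.today)
    transfer_mechanism: str = ""     # e.g. "SCC" for transfers outside the EEA
    processes: list = field(default_factory=list)   # processing activities using it


def check_entry(e: PIEntry, today: date) -> list:
    """Return issue codes for a single register entry."""
    issues = []
    if not e.owner:
        issues.append("no_data_owner")
    if not e.lawful_basis:
        issues.append("no_lawful_basis")
    elif e.lawful_basis == "consent" and e.consent_bundled:
        issues.append("bundled_consent")          # bundled consent is not valid consent
    if not e.processes:
        issues.append("no_processing_record")     # no record of processing activities
    if e.classification == "special_category" and not e.encrypted_at_rest:
        issues.append("special_category_unencrypted")
    if e.retention_days <= 0:
        issues.append("no_retention_period")
    elif today - e.last_used > timedelta(days=e.retention_days):
        issues.append("retention_exceeded")       # candidate for housekeeping/deletion
    if e.country not in ADEQUATE_COUNTRIES and not e.transfer_mechanism:
        issues.append("international_transfer_no_safeguard")
    return issues


def check_register(entries, today=None) -> list:
    """Run per-entry checks plus a cross-entry duplication check.

    Returns a sorted list of (dataset, location, issue_code) tuples."""
    today = today or date.today()
    found = []
    by_dataset = defaultdict(list)
    for e in entries:
        by_dataset[e.dataset].append(e)
        for code in check_entry(e, today):
            found.append((e.dataset, e.location, code))
    # The same dataset held in several places is a duplication candidate
    # (the "single/common view" recommendation from the data analysis).
    for name, copies in by_dataset.items():
        if len(copies) > 1:
            for e in copies:
                found.append((name, e.location, "duplicate_copy"))
    return sorted(found)


# Constructed sample register rows (not real data).
SAMPLE = [
    PIEntry("customer_contact", "CRM", "DE", "personal", "Sales Director", "contract",
            encrypted_at_rest=True, retention_days=2555, last_used=date(2018, 3, 1),
            processes=["order fulfilment"]),
    PIEntry("customer_contact", "marketing_spreadsheet", "US", "personal", "", "consent",
            consent_bundled=True, retention_days=0, last_used=date(2016, 1, 1)),
    PIEntry("staff_health", "HR_system", "IE", "special_category", "HR Director",
            "legal_obligation", encrypted_at_rest=False, retention_days=365,
            last_used=date(2016, 1, 1), processes=["sick leave"]),
]


def sample_issues() -> list:
    """Issues found in SAMPLE as of the GDPR application date (fixed for repeatability)."""
    return check_register(SAMPLE, today=date(2018, 5, 25))


if __name__ == "__main__":
    for dataset, location, code in sample_issues():
        print(f"{dataset:18} {location:22} {code}")
```

Each issue code maps to an entry in the risk register and a recommended change; the well-maintained CRM copy only shows up because a second, undocumented copy of the same dataset exists, which is exactly the duplication the discovery step is looking for.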
5. Processes & Governance – Use of data
• Identify the processes impacted by GDPR that need to be covered:
– Use customer journey mapping, value chains, and event/activity lists, by business area, and plan your workshops accordingly.
• Run process workshops.
• Identify issues and propose changes:
– Establish, modify or remove/prevent any data processes/activities that are not compliant with GDPR (e.g. regular data retention housekeeping, consent changes).
• Plus specific GDPR processes to define:
– Subject access requests, erasure, data portability (moving data), reporting a data breach, etc.
Preparation:
• Right attendees (SMEs); bring relevant materials
• Clear aim: document all data processes and bring them into alignment with GDPR requirements; keep accurate records of all data processing activities
• Determine the level of detail required
Run:
• User stories / process modelling walkthrough
• Identify additional processes/activities where PI is stored or used
• Identify systems and actors (where the data is and who uses it)
• Identify issues
Follow Up:
• Actions
• Issue and review outputs
• Feed into the data catalogue
6. Processes & Governance - PIA/PBD (Privacy Impact Assessment / Privacy by Design)
• Build personal information considerations into change and project management.
• Cover this by:
– Architecture & data principles
– Use of a PIA template (see example)
• The ICO is a good source of information:
– https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/
7. Key Artifacts
• From this analysis work the following deliverables will be produced, which will help you meet GDPR and manage personal data better:
– Personal Information register/catalog
– Revised Process Models/Descriptions
– Recommended Change specifications and Plan
– PIA template
– Risk Register
– Revised Policies
– Compliance reports
– Personal information data transfer format