Originally published on 17th October 2017, and updated on 21st December 2017
After making everybody aware of the upcoming GDPR, the business should take a look at the data it holds to discover:
What personal information it has
How it came to hold that information
Who the information is shared with
GDPR requires businesses to maintain records of their processing activities. One reason is practical: if a data subject asks for inaccurate data to be corrected, you must be able to apply that correction everywhere the data was shared, not just in your own records, and you cannot do that without knowing who received it.
For this, it is important to map out where the data came from and under which circumstances it was shared. Think of it as WWW: What, Where (from), and Where (to).
Documenting the data that is held, the procedures used to acquire it, and the procedures used to share it is a step in the right direction for GDPR compliance, as it helps your organisation demonstrate how it complies with the data protection principles.
Most importantly, this discovery exercise will often turn up unexpected repositories of personal data that the organisation was not aware of, accumulated through organic growth or for other reasons. Finding them is what lets you bring that "rogue" personal information into compliance: either confirm it was obtained correctly and put it under the right procedures, or dispose of it safely according to the procedures you have set for this purpose.
Unstructured vs Structured
It is extremely important to consider all sources of data within the organisation: unstructured data is as important to discover as structured data, and this is where the devil might lie in the detail.
Unstructured data is data held in platforms that are not (and should not be) used as a store of record, such as email. It is incredibly common to see companies keeping a customer's details in the emails that customer sent, which might include name, address, phone numbers and any other information relevant to that customer. Calendars are another place where customer data turns up: appointment entries often hold far more than is needed to make the booking, sometimes even credit card details. These platforms should be checked so that the data can be extracted safely and the original records destroyed (if you even need to keep that data at all!).
Structured data refers to platforms designed to hold data in a way a machine can interpret, for example spreadsheets or CRM databases, where the column "name" holds names, the column "email address" holds email addresses, and so on. That makes it easy to feed the data into tools for batch processing if needed.
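The unstructured stores described above (mailboxes, calendar entries) can be scanned for the kinds of personal data that tend to accumulate in them. The following is an added example, not code from the original post: a small Python scanner that looks for email addresses, UK-style phone numbers and card numbers (candidate digit runs validated with the Luhn checksum, so an order reference that merely looks like a card number is not reported) and produces a report that records where each item was found but only a masked value, so the discovery exercise does not itself create another copy of the raw data. The two sample items, their source labels and the regular expressions are all constructed for illustration; a real run would iterate over a mailbox or calendar export instead of the inline strings.

```python
"""Scan unstructured text (emails, calendar entries) for personal data.

Added example for a GDPR discovery exercise. The sample items, source
labels and regular expressions below are constructed for illustration and
are deliberately simple; tune them to the formats your organisation uses.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# UK-style phone numbers: +44 or a leading 0, with optional space/dash separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)")
# Candidate card numbers: 13-19 digits with optional separators; confirmed by Luhn.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers (digits only)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    source: str    # where the data was found (mailbox folder, calendar, ...)
    kind: str      # "email", "phone" or "card"
    redacted: str  # masked value for the report; the raw value is never stored


def redact(kind: str, value: str) -> str:
    """Keep just enough of the value to recognise it when following up."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, source: str) -> List[Finding]:
    """Return findings for one item of unstructured text."""
    findings: List[Finding] = []
    masked = text
    # Cards first: a Luhn-valid run is reported and then masked, so that its
    # digits cannot be re-reported as a phone number in the next pass.
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            findings.append(Finding(source, "card", redact("card", m.group())))
            masked = masked.replace(m.group(), "#" * len(m.group()))
    for m in PHONE_RE.finditer(masked):
        findings.append(Finding(source, "phone", redact("phone", m.group())))
    for m in EMAIL_RE.finditer(masked):
        findings.append(Finding(source, "email", redact("email", m.group())))
    return findings


def scan_items(items: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of source label -> text (e.g. one entry per message)."""
    findings: List[Finding] = []
    for source, text in items.items():
        findings.extend(scan_text(text, source))
    return findings


# Constructed sample data: one customer email and one calendar entry.
SAMPLE_ITEMS = {
    "mailbox/sales/inbox/1042": (
        "Hi, Jane Doe here, jane.doe@example.com, 07700 900123. "
        "Please ship to 12 High St."
    ),
    "calendar/reception/2017-10-17": (
        "Consultation 10:30 - pay by card 4111 1111 1111 1111, "
        "order ref 1234 5678 9012 3456"
    ),
}

if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS):
        print(f"{f.source}: {f.kind} {f.redacted}")
```

Each finding points back to a concrete location, which is what you need to go back and either move the data into the system of record or destroy it. The order reference in the calendar entry is a candidate card number that fails the Luhn check and is therefore not reported; the appointment time is not mistaken for a phone number because it is not preceded by a plausible prefix.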
What you know you need to address, you can address; what you don't know about your data will not be an excuse for non-compliance in the future.
GDPR comes into force on 25th May 2018