The new GDPR legislation expects a lot from organisations, and extensive record keeping of all data protection activities is an obligation that will require a new, granular level of detail.
One of the most effective ways for your business to meet this head on is through data mapping, a deep-dive process that lets you create visual documentation charting how your company collects, stores, uses and protects data as it moves through your organisation.
It will help you:
- Create a data inventory
- Review and improve processes and procedures
- Revisit roles and responsibilities, and plug the gaps
- Increase operational efficiency
- Achieve more control over data processing and governance
- Mitigate security risks such as ransomware attacks and malware
- Improve record keeping
- Inform decision making
- Meet legal and compliance obligations
Who’s responsible for record keeping?
According to Article 30 of the GDPR, organisations will be held accountable for compliance with record keeping requirements, with responsibility given to both data controllers and data processors.
What’s the difference?
The Data Controller is responsible for defining and justifying the purpose behind any personal data processing. They must also ensure any processing is carried out in line with GDPR regulations, as failure to do so could result in prosecution, fines or both.
The Data Processor processes personal data on behalf of the data controller. This includes collection, use, transfer, management, storage, or disclosure of personal data.
6 Steps to Better Record Keeping and GDPR Compliance
1. Use IT to map and plan
Companies with existing data maps are one step ahead of the game because they understand the importance of documenting journeys, and may have some in-house expertise.
However, you can’t just assume existing maps will be up to par for GDPR compliance. Use what you have as a starting point and build it up with your IT in mind. By taking your network and IT infrastructure into account, you’ll be forced to plan with a different level of detail and look at everything that touches on data and record keeping with a wider lens.
2. Question everything you currently collect
Until recently, most businesses were happy to hold as much information as a customer was willing to part with (and sometimes more), just in case it proved useful at some stage. But with more stringent rules around what you can ask for, how you can ask for it (i.e., consent), how and where it’s collected, and how it’s processed, transferred, secured and deleted, the new world will be about what you need and how you protect it, as opposed to how much you can get.
Think carefully about what you have legal grounds to request, and where you can add real value with the information you collect, because the companies that will come out on top post-May 2018 are those who can marry business wants with customer needs in the simplest way.
If those needs and wants are at the heart of your data processing model, your business will always have a measure by which it can justify decisions.
3. Involve the right stakeholders
Data and recording what you do with it means different things to different people across the business, so it’s important to promote collaboration and remind employees that everyone has a role to play when it comes to data protection.
Working groups might include employees from Marketing, Customer Care, HR, Procurement and Compliance, all of whom will be working with information in different ways, so a list of pre-planned questions for each team can help frame meetings and allow you to get what you need quickly.
- How are the marketing team collecting and using prospective customer information?
- What information is used to vet or select new vendors?
- How do HR protect the personal information they hold on employees, and what do they do with information they have on unsuccessful candidates?
4. Map Strategically
The devil is in the detail with data mapping, so it’s wise to break it up into bite-sized chunks, otherwise it has the potential to become overwhelming. Taking it apart also allows you to get the best people involved with each element, so you can look at what record keeping means for different workflow situations.
Smaller tasks might include looking at:
- Business processes - End-to-end journeys for things like marketing campaigns
- Data - Where it’s coming from, where it’s going, who has access to it, and how safe it is
- Applications - Inventories of apps used, whether they’re approved, where they’re hosted, how much they cost, whether they’re GDPR compliant and who’s taking care of licensing
- Vendors - Who you’re working with, the value they bring, how they use data, how seriously they take compliance, whether they can keep records in the way you need them to, and how accountable they are
Record keeping takes time and effort, but if it’s done poorly it has the potential to cost a business millions in fines under the new GDPR legislation, so it’s more important than ever to be clear about your obligations and the best way to meet them.
GDPR record keeping requirements will obviously form part of your thinking, but the process and output should offer some benefit to the business too. Think about the format, how information can be shared safely, whether automation can play a bigger role, how easy it is to digest, and how figures can be brought to life in more visual and dynamic ways.
Yes, GDPR is an opportunity to reassess risk, security and control, but it could also be a window to improved creativity and more useful information.
6. Get expert help
Data mapping requires expert resources and the right technology to maximise efforts and bring change to life. A certified GDPR consultant can help map and integrate that change into your business, making sure processes, policies, people and policing are aligned, while also ensuring you are compliant with regulations.
While GDPR will require organisation-wide understanding of the changes to data rights and protection, even small investments and better use of existing technology could radically improve your record keeping capability and reduce your business risk under GDPR.
As certified GDPR experts, pebble.it can help you meet GDPR compliance across your organisation, assessing what you have and what you need to do to avoid the risk of regulatory fines.
Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist: