Being able to comply with the GDPR by May 2018 requires preparation. If you have not yet started preparing, it is imperative that you do so now.
First, you need to understand the life cycle of all categories of data within your business. This means collaborating with the business leads across your organisation (such as the heads of your HR, IT and Business Development teams) to identify:
- the entry point: what personal data you collect, where and who it comes from, how it comes into your organisation and why you are receiving it
- the process: where the data goes and what happens to it while it is in your organisation – where and how it is stored, who has access to it and why (is anything superfluous?)
- the inputs: what additional data is added from internal and external sources to the data you receive, who does it and why? Is any of this additional data inferred through profiling or similar means?
- the outputs: what will be produced with the data in terms of reports and other outputs?
- the exit point: when and how is the data deleted or exported from the organisation? If it is exported to a third party – who are they, what is the basis for the data being exported, and how and why will the third party process it?
Once you have mapped this information:
- you will be able to start to identify what has to change to enable you to comply with the GDPR
- you should document and keep the results to demonstrate what you have done to collate the information needed to underpin the development of your new data governance strategy.