With GDPR Deadline Looming, the First Step Is Discovery

With the new EU General Data Protection Regulation (GDPR) scheduled to take effect on May 25, 2018, organizations with EU employees or customers need to be able to demonstrate compliance.

GDPR expands the scope of previous EU regulations to include any data processor or data controller that collects, stores, or processes the personal data of EU residents. It mandates data portability, imposes stricter conditions for consent and data retention, and dramatically increases fines and penalties for violations. Faced with this daunting reality, many companies have been dragging their feet, putting off the inevitable until the last possible second. That time has come.

We’ve covered the GDPR extensively in this blog and have dedicated a page on our website with links to additional references and thought leadership. To help spark action, however, I wanted, in this post, to provide a clear and unequivocal starting point. That starting point is Discovery.

Discovery is a two-phase process in which information flows are inventoried and mapped to produce a concise summary that will serve to comply with GDPR Article 30, “Record of Processing Activities,” or ROPA, the official reference for any inquiries pertaining to the company’s use of personal data.

Phase I: Inventory – Identifying the Elements

The first step of the discovery process is taking an inventory to figure out what personal data an organization collects, processes or stores that is in scope for GDPR purposes. This is accomplished through a top-down interview process that collects information from department heads and department managers to identify processing activities down to the individual system, with an eye toward discovering and documenting any workarounds and data leakage that might otherwise fly below the radar.

In this discovery process, special attention should be paid to third parties that are processing a company’s data (vendors or others) – they are considered to be within the scope of GDPR and must be held to the same standards as your organization. I caution organizations not to cut corners when inventorying third parties. Based on our experience, for every documented vendor relationship there are two more that may no longer be active but may still possess customer data. Article 28 of GDPR provides a good laundry list of third party compliance requirements for reference.

Phase II: Data Mapping – Connecting the Dots

Once the processes have been inventoried from the top down, the next phase in the discovery is to determine which systems or vendors are involved with personal data associated with EU data subjects, and to identify a point of contact for each who can answer specific questions on how that personal data flows, how it is processed, how it is stored, and whether there are any subsequent transfers of that data.

That bottom-up survey information is then used to map how data flows through the organization. Although the GDPR does not specifically call for data flow charts or data mapping, we have found them to be highly effective as a resource for preparing the ROPA required by Article 30, as well as several additional compliance requirements, including:

  • Article 5 — identification of inaccurate personal data
  • Article 9 — identification of high risk processing activity which would require a Data Protection Impact Assessment (DPIA)
  • Article 16 — data rectification requests
  • Article 17 — erasure requests
  • Article 20 — data portability requests
  • Article 24 — data protection measures
  • Article 32 — processing security measures
  • Articles 33-34 — 72 hours to notify the supervisory authority of a data breach

As you can imagine, data maps could be incredibly detailed – chances are, organizations will discover data paths and data dead ends they never knew existed. But the process yields collateral benefits outside of GDPR – think business intelligence, automation or audit analytics. The larger benefit to the organization comes from the increased understanding of its data collection, processing and storage procedures, as well as other data-handling and security protocols, such as incident response. This knowledge is one of the fundamental goals of the GDPR, but is also critical to good data governance in the digital future.

Inventory and data mapping are both complex and time-consuming processes, which is why many organizations have retained outside assistance to meet the compliance deadline. Whatever avenue an organization chooses, we strongly urge companies to move forward with utmost speed. The deadline looms, and every indication suggests the authorities are ready to begin enforcement immediately.

Jeffrey Sanchez

Managing Director
Technology Consulting – Security and Privacy


Michael Walter

Managing Director
Technology Consulting – Security and Privacy

Stephen Nation

Senior Manager
Technology Consulting – Security and Privacy
