With GDPR Deadline Looming, the First Step Is Discovery

With the new EU General Data Protection Regulation (GDPR) scheduled to take effect on May 25, 2018, organizations with EU employees or customers need to be able to demonstrate compliance.

GDPR expands the scope of previous EU regulations to include any data processor or data controller that collects, stores, or processes the personal data of EU residents. It mandates data portability, imposes stricter conditions for consent and data retention, and dramatically increases fines and penalties for violations. Faced with this daunting reality, many companies have been dragging their feet, putting off the inevitable until the last possible second. That time has come.

We’ve covered the GDPR extensively in this blog and have dedicated a page on our website with links to additional references and thought leadership. To help spark action, however, I wanted, in this post, to provide a clear and unequivocal starting point. That starting point is Discovery.

Discovery is a two-phase process in which information flows are inventoried and mapped to produce a concise summary that will serve to comply with GDPR Article 30, “Record of Processing Activities,” or ROPA, the official reference for any inquiries pertaining to the company’s use of personal data.

Phase I: Inventory – Identifying the Elements

The first step of the discovery process is taking an inventory to figure out what personal data an organization collects, processes or stores that is in scope for GDPR purposes. This is accomplished through a top-down interview process that collects information from department heads and department managers to identify processing activities down to the individual system, with an eye toward discovering and documenting any workarounds and data leakage that might fly below the radar.

In this discovery process, special attention should be paid to third parties that are processing a company’s data (vendors or others) – they are considered to be within the scope of GDPR and must be held to the same standards as your organization. I caution organizations not to cut corners when inventorying third parties. Based on our experience, for every documented vendor relationship there are two more that may no longer be active but may still possess customer data. Article 28 of GDPR provides a good laundry list of third-party compliance requirements for reference.

Phase II: Data Mapping – Connecting the Dots

Once the processes have been inventoried from the top down, the next phase of discovery is to determine which systems or vendors are involved with personal data associated with EU subjects, and to identify a point of contact for each who can answer specific questions on how that personal data flows, how it is processed, how it is stored, and whether there are any subsequent transfers of that data.

That bottom-up survey information is then used to map how data flows through the organization. Although the GDPR does not specifically call for data flow charts or data mapping, we have found them to be highly effective as a resource for preparing the ROPA required by Article 30, as well as several additional compliance requirements, including:

  • Article 5 — identification of inaccurate personal data
  • Article 9 — identification of high risk processing activity which would require a Data Protection Impact Assessment (DPIA)
  • Article 16 — data rectification requests
  • Article 17 — erasure requests
  • Article 20 — data portability requests
  • Article 24 — data protection measures
  • Article 32 — processing security measures
  • Articles 33-34 — 72 hours to notify the supervisory authority of a data breach

As you can imagine, data maps could be incredibly detailed – chances are, organizations will discover data paths and data dead ends they never knew existed. But the process yields collateral benefits outside of GDPR – think business intelligence, automation or audit analytics. The larger benefit to the organization comes from the increased understanding of its data collection, processing and storage procedures, as well as other data-handling and security protocols, such as incident response. This knowledge is one of the fundamental goals of the GDPR, but is also critical to good data governance in the digital future.

Inventory and data mapping are both complex and time-consuming processes, which is why many organizations have retained outside assistance to meet the compliance deadline. Whatever avenue an organization chooses, we strongly urge companies to move forward with utmost speed. The deadline looms, and every indication suggests the authorities are ready to begin enforcement immediately.

Jeffrey Sanchez

Managing Director
Security and Privacy

Michael Walter

Managing Director
Security and Privacy

Stephen Nation

Senior Manager
Technology Consulting – Security and Privacy
