The key to being successful at data privacy is awareness: of what you’ve got and what you do with it.
Much has been made of GDPR Article 30, which sets out the requirement to maintain a Written Record of Processing. This sounds grandiose, but in fact it can be simply described as “writing down what you do”.
The first thing to say is that for most* organisations under 250 people, it isn’t mandatory. However, life is made significantly easier if you have one. All the processes that go with data privacy and security can appear very onerous on the surface. In reality, as an SME, the work involved isn’t necessarily that large, and that becomes clear once you have written out what goes on. There are a couple of standard ways this can be done: a Process Map and an Inventory.
“OK: er… what exactly is a Data Process Map, what is a Data Inventory, and how are they different?”
The Process Map is a full end-to-end view of what happens in your world. To follow the information through from start to finish, you map out the process and how data flows from one department to another. Quite often you’ll see decision boxes and conditions.
Something like a “Sales Process” may run from marketing, to ordering, to manufacturing, to stock control, to logistics, to finance & invoicing, and back into the world of management reporting and analytics. Each of these will be a process in itself. It is vitally important to the health of such a retailer to understand how the ‘thing’ they are selling moves through the system. And in parallel with that is the data: How many? How much? How often? How long? Who? Why? Where? And so on.
By mapping out the processes, they can see where inefficiencies have crept in and, importantly for us, where the risks to privacy and compliance lie.
“But I don’t have all that gubbins – I do the marketing, the sales, the logistics, the invoicing. I don’t need to map out that I pass information to myself!”
And this is where the short-cut comes in for SMEs. A Data Inventory is what comes out of a Process Map, but you don’t need the map if you can do it yourself. And it is simply a spreadsheet. What I collect. Why I collect it. Where I get it from. Where I store it. How I secure it. Who I share it with. When I delete it.
The column headers write themselves…
Let’s say that, like us, you are providing a consultancy service. So for our clients, I need their email address.
Why? So I can communicate with them
Where did I get it? They gave it to me
Where do I store it? On a cloud server (Salesforce as it happens)
How is it secured? Password protected in Salesforce
Who do I share it with? No-one
Why do I collect it? It is in my Legitimate Interest – without it I can’t send a quote, a final report or an invoice
When do I delete it? 6 months after the engagement completes.
Well, that was easy! And now when I write my privacy notice, it is just a ‘cut and paste’ straight in. Just add a couple of lines for the phone number and delivery address… Ah. I see I collect their date of birth. Why on earth do I do that? I have no reason to collect that, I think I’ll stop.
And thus I have a “Record of Processing” that gives all the information about the data without having to spend hours going through white boards, sticky notes and paying for ‘experts’, to create stuff I already know. And it’s written down, so that’s great!
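The spreadsheet described above is easy to keep in a form a program can check. What follows is an added example, not code from the original post: a small inventory with the same columns (what, why, lawful basis, source, storage, security, sharing, retention) plus two checks a practitioner wants, a completeness review that surfaces rows like the “date of birth” entry that have no purpose recorded, and a retention calculation that lists items already past their deletion date. The sample rows are constructed; the lawful bases and purposes for the phone number and delivery address rows are assumptions, and only the email row follows what the post states.

```python
"""Added example: a machine-readable data inventory with completeness and retention checks.
The column names and sample rows below are constructed for illustration."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class InventoryItem:
    """One row of the inventory: the columns the post lists, plus retention in months."""
    data_item: str
    purpose: str          # why I collect it
    lawful_basis: str     # e.g. "legitimate interest", "contract", "consent"
    source: str           # where I get it from
    storage: str          # where I store it
    security: str         # how I secure it
    shared_with: str      # who I share it with ("no-one" is a valid answer)
    retention_months: Optional[int]  # when I delete it, counted from the end of the engagement


# Constructed sample inventory for a consultancy (phone/address rows are assumptions).
SAMPLE_INVENTORY = [
    InventoryItem("email address", "communicate with the client", "legitimate interest",
                  "given to us by the client", "Salesforce (cloud)",
                  "password protected in Salesforce", "no-one", 6),
    InventoryItem("phone number", "arrange meetings and calls", "legitimate interest",
                  "given to us by the client", "Salesforce (cloud)",
                  "password protected in Salesforce", "no-one", 6),
    InventoryItem("delivery address", "post the final report and invoice", "contract",
                  "given to us by the client", "Salesforce (cloud)",
                  "password protected in Salesforce", "no-one", 6),
    # No purpose, no lawful basis, no retention period: the review should surface this row.
    InventoryItem("date of birth", "", "", "given to us by the client", "Salesforce (cloud)",
                  "password protected in Salesforce", "no-one", None),
]

REQUIRED_COLUMNS = ("purpose", "lawful_basis", "source", "storage", "security", "shared_with")


def review_item(item: InventoryItem) -> List[str]:
    """Return the gaps in one row; an empty list means the row is complete."""
    gaps = []
    for column in REQUIRED_COLUMNS:
        if not getattr(item, column).strip():
            gaps.append(f"{item.data_item}: no {column.replace('_', ' ')} recorded")
    if item.retention_months is None:
        gaps.append(f"{item.data_item}: no retention period recorded")
    return gaps


def review_inventory(items: List[InventoryItem]) -> List[str]:
    """Gaps across the whole inventory; an item with no purpose is a candidate to stop collecting."""
    return [gap for item in items for gap in review_item(item)]


def add_months(start: date, months: int) -> date:
    """Calendar-aware month arithmetic, clipping the day to the end of the target month."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, monthrange(year, month)[1])
    return date(year, month, day)


def deletion_due(item: InventoryItem, engagement_end: date) -> Optional[date]:
    """Date by which this item should be deleted for an engagement that ended on engagement_end."""
    if item.retention_months is None:
        return None
    return add_months(engagement_end, item.retention_months)


def overdue_items(items: List[InventoryItem], engagement_end: date, today: date) -> List[str]:
    """Items whose retention period has expired: data you still hold but told people you delete."""
    return [item.data_item for item in items
            if (due := deletion_due(item, engagement_end)) is not None and due < today]


def privacy_notice_lines(items: List[InventoryItem]) -> List[str]:
    """The 'cut and paste' into a privacy notice: one sentence per complete row."""
    lines = []
    for item in items:
        if review_item(item):
            continue  # don't publish a row you cannot yet justify
        lines.append(f"We collect your {item.data_item} to {item.purpose} "
                     f"(lawful basis: {item.lawful_basis}). It is stored in {item.storage}, "
                     f"{item.security}, shared with {item.shared_with}, and deleted "
                     f"{item.retention_months} months after the engagement ends.")
    return lines


if __name__ == "__main__":
    for gap in review_inventory(SAMPLE_INVENTORY):
        print("GAP:", gap)
    for line in privacy_notice_lines(SAMPLE_INVENTORY):
        print(line)
    print("overdue:", overdue_items(SAMPLE_INVENTORY, date(2024, 1, 31), date(2024, 9, 1)))
```

Run as a script, the review prints three gaps for the date-of-birth row, the notice generator skips that row until it is justified, and the overdue check reports the three six-month items for an engagement that ended in January when run in September. The retention check is the one worth running on a schedule: a published deletion period you do not actually honour is both a compliance gap and extra data at risk in a breach.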
A Process Map will result in a Data Inventory, and a Data Inventory MAY end up a bit like a Process Map. But we are talking ‘evolution not revolution’. Start with a Data Inventory, and you can make it more complex as and when it becomes necessary or useful.
*That ‘most’ is important, and may come back to bite if you are not ‘most people’ – that includes those handling sensitive data and those processing personal data as a main line of business. A care home, for example. In these cases, a Written Record of Processing is mandated. But hopefully you can see why we recommend everyone does the basics anyway.
Not sure how to comply? Need help cutting through the jargon, to make it quick, simple and easy? Call or mail us for a chat. We’re nice people. Really.