Part one – Mapping your data in preparation for the GDPR

13th December 2017Padlock image imposed on computer code.

The GDPR is but a mere few months away and you have a database full of prospects that you have collected over the years… can you still use it? Is it GDPR friendly? This is a hot question many businesses are asking… if you are one of them, then keep reading.

Mapping your data
You need to take a broad look at the data you hold, you need to map:

• What personal data you hold
• Where the data came from
• Who you share that data with
• What you currently do/intend to do with that data

This mapping should be documented to ensure that you comply with the GDPR’s accountability principle.

In order to comply with the GDPR, you should consider these 4 key areas when mapping your data:

1. Privacy
Don’t wait until it’s too late, the best time to review your privacy notices is right now. When you collect personal data after the 25th of May 2018, you must inform individuals of your identity and how you intend to use their information. But, post GDPR, you will also need to inform individuals of your lawful basis for processing, how long you intend to hold their data for, and you must inform them of their right to complain to the ICO if they do not agree with the data processing.

The GDPR stipulates that this information needs to be presented to all individuals in a clear, concise and easily understood way. Again, this data mapping process should also be documented to ensure you comply with GDPR’s accountability requirements.

2. Subject Access Requests
Instead of the 40 days that you currently have to reply to an access request, from the 25th May 2018, you will only have 1 month.

When mapping your current data, it is important to consider an individual’s right to access their data and their right to erasure. How easy will it be for you to fulfil these requests in the new time frame? If you process a lot of these requests, is there a way you can simplify your current procedures? (Such as developing a system to allow individuals to access their information easily online).

3. Data Breaches
GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to the individuals impacted by the breach.

When mapping your data, you should continuously risk assess and purge any data that you simply aren’t using or that isn’t useful to you.

4. Consent
How you seek, manage and record your data may change significantly after the GDPR comes into effect on the 25th May 2018. (Read a detailed guide on the ICO’s guidance for seeking consent post GDPR here…)

In short, consent must be given in the form of a positive opt in format, and individuals must be given a simple way to withdraw their consent in every communication thereon.

If you are at all unsure of whether the consent for your current database meets the GDPR’s consent requirements; i.e. that you have obtained an individual’s consent specifically and clearly using a prominent opt-in process that is properly documented and can be easily evidenced if requested. Then we strongly recommend that you either seek GDPR compliant consent before the GDPR comes into force on the 25th May 2018, or completely erase the data you hold on the individual.

Data Protection Officers (DPO)
Assigning a DPO to oversee your data protection practices, could be an invaluable addition to see your company through the GDPR transition and beyond. This could be a current member of staff, or you could hire somebody to exclusively ensure you are compliant.

The benefits of assigning a DPO:

  • A DPO can receive bespoke training to become your company’s Data Protection representative. Should you be investigated by the ICO, having someone who knows the ins and outs of your data protection policies could prove invaluable.
  • They can ensure your data is mapped before the GDPR comes into effect and guarantee that the necessary steps have been taken to bring your current and future data collection up to the new standards.

Under the new regulations, there are certain organisations that must have an assigned DPO (read more on Data Protection Office guidelines from the ICO here…).

The benefits of Data Mapping
The GDPR will bring some much-needed rights to individuals to ensure that the data protection laws are ‘keeping up’ with the rapidly advancing world of online technology today. But it’s also a fantastic opportunity to map and take back control of your data holding and processing.

If you find that a lot of the data you hold needs to be deleted, and are facing a large data purge, then stay tuned for part two coming in January… a guide to erasing data to ensure you meet the GDPR requirements.

Griffin House Consultancy offer bespoke GDPR and data protection training, so whether you are looking to train your own DPO, or simply expand your data knowledge then take a look at our training and workshop page or give us a call today 01673 88-55-33.


Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.