It’s easy to pull together a superficial or even cosmetic Personal Data Inventory, but harder to produce one that is thorough enough to truly support GDPR compliance and add value. For many, there is a tendency to see data solely as a digital asset and to miss unstructured, non-centralised and physical data that may exist outside of the obvious systems. Our 4-step guide is here to help.
Why do I need to be concerned?
The problem with the GDPR’s Article 30 requirement to maintain a documented record of all your organisation’s processing activities is where to start, and how to make sure the record is a true reflection of your organisation’s landscape. Whether you call it a PDI, Data Audit or any one of a dozen other terms, any organisation subject to the GDPR must record: the categories of data they are processing and why; who the data belongs to; recipients of the data; details of transfers to third countries; retention schedules; and the technical and organisational security measures in place to safeguard the data. Organisations will likely want to capture more than this to support compliance with other requirements of the GDPR.
An organisation will typically have significant personal data stored and processed in both structured and unstructured, and both digital and physical, forms. Add into the mix the prolific use of personal devices, freelancers (paid or voluntary), and the availability of free online software and storage, and it gets difficult to understand what data you have, where it is, why you hold it and how it is being managed. Furthermore, Data Protection Officers (DPOs) often come from a legal or technical security background, which is helpful in many respects, but may mean they lack the skillset needed to support discovery and make sense of your complete data landscape. In today’s digital world, there is a propensity to focus on structured data in core systems managed by a central IT function, which can result in four key areas being neglected:
- Unstructured data in emails, file servers, personal devices…
- Physical data stored on desks, in cabinets, in off-site storage…
- Data being transferred to third parties outside of core structured systems
- Externally hosted / cloud systems which are not managed centrally, e.g. free online survey tools, online storage etc.
The risk of an incomplete PDI is that it leads to personal data being mismanaged, which could result in a breach, an inability to comply with a Subject Access Request (SAR), and / or a hefty fine. A PDI done well will support GDPR compliance and may add supplementary value by allowing you to spot opportunities for process / technology improvement.
How to produce a robust and effective Personal Data Inventory
1. Establish your PDI Strategy
- Consider what you want to use your PDI for – to be compliant with Article 30 you only need to record minimal information about the personal data you are processing, but to facilitate compliance with other Articles and with responding to SARs, you may want to extend the scope, e.g. lawful basis, data subject rights
- Ensure your PDI strategy helps you get to grips with all of your data from an operational perspective. This is key to being certain you are getting the best from the data, and that it still has a business purpose and benefit
- Define a template to ensure the PDI is recorded in a way that is consistent with your strategy and between business units
2. Align your people with your goals
- Provide a resource with the right skillset to oversee, support and validate production of the PDI, but consider leaving the actual production to the business units who know their data best
- Provide training and awareness so employees understand what ‘personal data’, ‘sensitive personal data’, and ‘processing’ mean in relation to GDPR, to contextualise the process
- Provide guidance on how to approach the personal data discovery process and the PDI strategy to enable employees to do a thorough job
3. Take a process-led approach to discovery
- For a structured approach to identifying processing activities and related personal data, start by considering the high-level responsibilities and associated processes / activities of each business unit; don’t start with IT systems or abstract pieces of personal data
- Take each high-level theme identified and work through it to discover the associated ‘processing’ activities, and the personal data which is being handled in some way as part of that activity
- Consider the merits of working in common groups for the discovery process – discussion can result in more thorough results
- In larger organisations, digital data discovery tools may add value as an addition to the process-led approach, to validate findings
4. Keep your PDI up to date
- To be compliant, records of processing activity must be kept up to date, so schedule regular reviews
- Make employees aware that any change to the processing / collection of personal data will need to be recorded in the PDI (and may require a Data Protection Impact Assessment, DPIA)
While a PDI can feel like a huge burden, if done well it can provide a strong foundation for GDPR compliance by helping you to: identify, assess and mitigate data protection risks; form appropriate data privacy / protection policies and procedures; respond to SARs; and understand the impact of a breach. A good PDI will also add value to life outside of GDPR – it may help you to spot opportunities for process / technology improvement, or even missed opportunities to enhance your user and customer journey by streamlining your data usage.