Evaluating your Data Flows: A Guide to GDPR Compliance
On May 25, 2018, the set of European regulatory laws known as GDPR (General Data Protection Regulation) will go into effect, a change that will have a significant impact on businesses that operate within the European Union. Most elements of the law involve tighter and more careful controls placed over the handling and management of sensitive data, and even though the laws originate in the European Union, they apply to US companies that do business with European clients.
Operations managers and CEOs taking steps toward GDRP compliance now have about five months left on the timeline—plenty of time if actions are already underway. For those who have just started down the path and are still blocking out a step-by-step roadmap, there’s no need to panic. But it’s time to tackle step one: taking a close look at existing data flows and identifying loose links in the chain, accountability gaps, and points of potential exposure.
Under the GDPR’s new data protection model, the highest authority will be the European Data Protection Board, specifically the Information Commissioners Office, or ICO. This enforcing body will monitor all affected organizations (including US companies that conduct business within the EU) and will focus on the rights and responsibilities these companies grant to customers/users as well as their own internal data processors. The body will also monitor the rights, responsibilities, and access that companies provide to third parties and individuals who access privileged data in/from non-EU countries.
With that in mind, the first step toward compliance will involve mapping out these broad data flows. The moment sensitive data comes under a company’s purview, the rights, responsibilities, and requirements of the GDPR begin to take effect. From this point forward, GDPR compliance will require an examination of the integrity and availability of data AND the assets and processes that support its acquisition, storage, and disposal. A complete map will need to account for every corner of information flow, including but not limited to a company’s IT infrastructure. The map will need to show, for example, how the HR department structures and handles data flow, how the company is physically laid out (can the general public walk in through the lobby and look over the shoulders of those who handle sensitive data?) and even how accountability is traced from one person or role to the next.
Conducting a Data Mapping Exercise
Most companies can start with a general assessment based on size and scope. For example, if the entire organization consists of five employees, and each customer is handled separately and presented with highly customized services, the process will be much easier than it would be for a company at the opposite end of the spectrum. Organizations with thousands of moving parts and areas of potential data exposure per customer will face a far more complex data mapping process.
No matter how companies structure their Data Process Impact Assessment (DPIA), they’ll need to document and record the process, and then integrate the results of the assessment back into the project plan.
A comprehensive mapping process will include:
- The completion, documentation, and integration of the DPIA.
- The identification of appropriate organizational safeguards (even those that don’t yet exist with the company).
- A complete review and understanding of legal and regulatory requirements.
- The establishment of a clear goal: gaining the trust and confidence of users both inside and outside of the EU.
If you’re an operations manager or CEO and you haven’t yet started the DPIA process, estimate the complexity of your task based on the size and information infrastructure of your organization. Feeling overwhelmed? Don’t worry! Just reach out to our team of expert consultants who can help you put the process in motion. We’ll help you gain perspective and take action.