GDPR Readiness – The Right Start: Three Simple Questions That Start Your Journey Towards GDPR Compliance


Talking to business owners and executives about how they prepare their organizations for GDPR readiness, I almost always get a similar picture. Compliance preparations are delegated to a Business Analyst, a Data Expert and an IT Information Security Officer. As a team they are tasked with identifying and implementing the changes needed to gain compliance.

While it is laudable that organizations take action, they underestimate the scope of the new regulation. I am afraid that many of these businesses will be in for a rude awakening when GDPR comes into effect.

However, this approach concentrates on identifying documented, stored data in various pools and matching them with processes. This can only work if you presume that all data within your organization is known. From my experience, this does not apply in the real world. Most organizations I have worked with hold data of unknown origin, governance or purpose.

Just last year I got a call from a large global telecommunication company that had stumbled upon a marketing database with 30,000 records by accident. Nobody knew anything about this database, as the people who might have known had left the company. Imagine how many other instances of data might be lurking in your business without your knowledge.

Yet GDPR requires you to be able to identify, on request, all instances of data about an individual. How can you do this if you cannot be 100% certain that you know the exact data landscape?

Data Discovery

The first step should be to take stock of your data. At the end you should have a comprehensive data inventory list. Regardless of your industry, your business or organization takes in data, stores data, and at some point data will leave your organization. This brings us to the three questions you need to ask to get your GDPR readiness preparations started.

  1. Where do data come from?
    Think about all the different ways data flow into your business. Some data will be given directly to you by individuals; other data might come from external sources, e.g. rented marketing lists.
  2. Where are data stored?
    Most organizations concentrate on their various known databases, e.g. CRM, ERP, Accounting, etc. These are structured data, and the information held within them is easy to identify. However, data is also stored in spreadsheets, files, emails and backups. These unstructured data are beneath the surface. Finding and handling instances of personally identifiable data in these often widely distributed data stores is far more complex and difficult. Yet you have to be able to identify any personal information within these pools. Thus, these data pools need to go on your list.
  3. How do data leave the organisation?
    Data have a life span. The simplest form of data leaving your organization is deletion. Yet there are many other reasons for data to permanently or temporarily leave your business. For instance, marketing agencies often require access to your customer data to execute campaigns. Some data will flow back into your organisation. This is the case with data quality or enrichment services: these providers ingest your data and deliver them back to you.
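The following is an added Python sketch, not the author's Xmind tool, of question 2 and the "identify on request" requirement: it indexes a few constructed unstructured stores (a CSV export, a mailbox dump, a policy note; the file paths and contents are made up) by the kinds of personal data they contain, and then answers which stores hold data about a given individual. The detection patterns are deliberately simple and only illustrate the approach.

```python
import re
from collections import defaultdict

# Constructed sample "unstructured" stores (paths and contents are made up).
SAMPLE_STORES = {
    "shared/marketing/leads_2016.csv": (
        "name,email,phone\n"
        "Anna Example,anna.example@example.org,+44 20 7946 0958\n"
        "Ben Muster,ben@example.net,\n"
    ),
    "backup/mail/sales.mbox": (
        "From: ben@example.net\nSubject: Quote\n"
        "Please call me on +44 20 7946 0123 about the offer.\n"
    ),
    "docs/policy.txt": "Retention policy: delete leads after 24 months.\n",
}

# Minimal indicators of personal data; a real scan would use many more.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d{2}[\d ]{8,}\d"),
}


def _normalise(value):
    return value.lower().replace(" ", "")


def build_inventory(stores):
    """Map each store that holds personal data to {kind: set of values found}."""
    inventory = {}
    for path, content in stores.items():
        found = defaultdict(set)
        for kind, pattern in PATTERNS.items():
            for match in pattern.findall(content):
                found[kind].add(_normalise(match))
        if found:  # stores without any indicator are left off the list
            inventory[path] = dict(found)
    return inventory


def stores_holding(inventory, identifier):
    """Answer 'which stores hold data about this person?' from the inventory."""
    ident = _normalise(identifier)
    return sorted(path for path, kinds in inventory.items()
                  if any(ident in values for values in kinds.values()))
```

Running `stores_holding(build_inventory(SAMPLE_STORES), "ben@example.net")` lists both the CSV export and the mailbox backup, which is the kind of answer a subject access request demands.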

I have created an easy-to-use tool to get you started on identifying data pools, sources and destinations within your organization. You can download it free of charge. To use the tool, Xmind needs to be installed on your computer. This is a free mind-mapping software tool, which is available for Windows, Mac and Linux.

Download Links

GDPR Quickstart Data Inventory

Xmind: (Win) (Mac) (Linux)
