Data volumes continue to grow despite efforts to reduce digital footprints across the organization. Wherever you look, every part of your organization stores data. Do you know where your EU personal data resides? Can you easily find it, correct it, provide a copy of it to a data subject, or even delete it? As discussed in BDO’s GDPR Checklist, the first step is to identify relevant business processes, systems, and data sets likely to contain personal data. The second step is to determine which data sets contain EU personal data belonging to EU “data subjects”.
As part of the initial step of identifying relevant data sets, consider where data might be hiding by assessing individual departments and locations. In this article, we identify two buckets for you to consider: “suspected culprits” and “the ones who almost got away”. As we have been working through our clients’ readiness and implementation steps, we have identified certain departments that consistently store large amounts of data that may be impacted by GDPR but that were not effectively considered in the first or second evaluations of the organizations’ data.
The Ones Who Almost Got Away
Third Party Vendors: Digital proliferation has driven companies to use third-party vendors to store, process, and manage data for a number of functions throughout the organization. It will benefit your organization to understand what data is accessible by your third parties, how they protect it, whether they have physical copies of personal data, and how they will comply with your GDPR obligations. They may be a processor or sub-processor for you, so you should also consider contractual obligations that may require modification. Take steps to clean up your third-party vendor ecosystem as you embark toward GDPR compliance.
While initiatives surrounding GDPR are normally led by your organization’s Chief Privacy Officer, Chief Information Security Officer, the legal department, or a combination thereof, it is important that every stakeholder have a seat at the table and be part of the conversation. Open and detailed dialogue will help to mitigate risk and enable effective policies and procedures for your organization’s systems.