Understanding the boundaries of GDPR compliance requires organizations to maintain an inventory of personal data.
Does your organization have to comply with GDPR? If so, building an inventory of your organization's personal data, the personal data collected by your company, the supporting systems and the related processes ought to be the first step on your GDPR journey.
Everyone is aware that meeting any compliance requirement ought to begin with "scoping." All subsequent compliance measures are applied to the scoped locations, organizational units, data, processes and systems. Over 10 articles within the European Union's General Data Protection Regulation (GDPR) contain phrases like "taking into account … the scope, context and purposes of processing …"
Scoping limits the boundaries of the requirement: too little coverage leads to inadequate compliance, and too much coverage results in unneeded effort, time and cost.
Inventorying the personal data your company collects helps define the scope of the applicable GDPR articles. Moreover, Article 30 of GDPR mandates maintaining a record of processing activities. As part of the inventory, personal data must be mapped to the processes, applications and infrastructure involved in collecting, processing, distributing and storing it.
Mapping helps to maintain and monitor GDPR compliance, as well as data subject rights, organizational and technical security measures, applicable access controls, breach management procedures and data lifecycle management procedures.
Clearly, the first step to GDPR compliance is for your organization to create and maintain the following inventory at a granular level:
- Details of the personal data collected.
- A description of the classes of data subjects.
- A description of the categories of personal data.
- Controller and processor details, including name, strategic business unit, country, business unit, department and team name.
- A description of the categories of recipients.
- The purpose of processing.
- Details of data transferred to other countries.
- Where the data is stored.
- Which applications/technologies will access the personal data.
- Details of supporting infrastructure.
- The data retention period.
- Organizational and technical measures.
A change management process is required to keep your organization's scope both current and relevant. For example, changes in your processors or applications/technology, and the introduction of new service lines/processes, would require an update to your inventory.
Whether you're a small company using spreadsheets to track your compliance or a global enterprise investing in a compliance management platform, creating or verifying an inventory of your organization's personal data ought to be the first step on your GDPR journey.