In this blog we intend to take you through the first part of the Inspector phase of our GDPR implementation process. The core of this phase is gaining a first impression of a client’s organisation from a GDPR perspective. We will touch in more detail upon the ‘preliminary investigation’, on identifying relevant data protection laws and regulations, and most importantly on how to identify processings of personal data.
Having worked with hundreds of clients, one of the key lessons learned is that it is very important to keep a professional distance from your clients.
To maintain this distance a Data Protection Officer or Privacy Officer should always first consult publicly available sources of client-related information. This allows for the creation of an independent frame of reference, to be invalidated or confirmed during subsequent meetings with the client’s privacy portfolio owner and other relevant stakeholders. The questions to be answered during these meetings include:
- What additional information is needed to complete the frame of reference and who can provide this information?
- Do the privacy portfolio owner and the other stakeholders have an understanding of what reaching GDPR accountability entails?
- Who is the top-ranking executive, i.e. the highest management level to report to in line with Art. 38(3) GDPR?
Answering some or most of these questions results in a more thorough understanding of who your client is.
Laws and regulations
The next item on the list involves the identification of relevant data protection related laws and regulations (EU and national law) to establish the extent of the client’s legal exposure. A quick search in the Dutch jurisdiction reveals nearly 1,000 hits (laws, regulations, treaties etc.) referring to ‘personal data’. Consulting your client’s branch organisation and/or legal counsel is therefore advisable.
Record of processing activities
The last topic dealt with in this blog involves the discovery of the most important processings of personal data, resulting in an initial overview of processings, the beginning of a Record of processing activities.
Both topics require periodic review, which is why in the Inspector phase they should be limited to obtaining a first insight. The identification of other EU and national laws is relatively easy, since most (if not all) EU Member States have public databases containing these laws and regulations. The identification of processings, however, is more difficult, which triggered us to develop a three-step model for identifying processings.
In our experience, few organisations know what their processes are, but most know which applications they use. For this reason the model starts with the identification of the applications used per department and what these applications are used for. During the next step this usage is converted into more abstract descriptions. The third step is an exercise in concentrating these abstract descriptions into processings. An example would be the concentration of the abstract descriptions ‘verify incoming invoices’ and ‘paying incoming invoices’ into the processing ‘Creditor Management’.
In our next blog we will discuss in more detail how the Inspector role identifies a first understanding of the GDPR risks your client’s organisation is exposed to. We will especially cover the way in which using a survey can help to identify these potential risks.
The TPF team