France’s data protection authority, the CNIL, has produced a helpful six-step methodology for organizations preparing to comply with the EU General Data Protection Regulation. At the top of the list is appointing a DPO.
Check.
The next item is “data mapping.” This is shorthand for fulfilling Article 30’s obligation that controllers “maintain a record of processing activities under its responsibility.”
Since this is the DPO Confessional, we might as well take a look at how the IAPP has approached the data inventory and mapping step toward GDPR compliance.
Building a data inventory tool
A data inventory and mapping exercise involves, first, determining which people, departments or entities within the organization collect, use, store or otherwise handle personal data and setting up meetings with them. It also involves creating — or finding — a tool to document what you learn in the meetings.
Software and service providers are rapidly developing useful tools for DPOs working on GDPR compliance. We decided, given our small size as an organization (just over 100 employees, most of whom work in the same location) and the relative simplicity of our operations, we could create our own process and system for documenting the IAPP’s data processing activities.
It turns out this is not uncommon. In a 2016 survey, the IAPP asked privacy professionals around the world how they conduct data mapping and inventory and found more than 66 percent of companies conduct data inventory and mapping informally with email and spreadsheets, while another 36 percent had developed an internal system.
Editor's Note: We can only get this great data if you fill out our governance survey, which is in the field now. Find it here.
We settled on using a cloud-based project management tool. For our purposes, it works just like a spreadsheet, but its functions include sharing among multiple employees with read-only (or editing) privileges and the ability to attach documents to the project file.
We created fields designed to capture and record the following information: department interviewed; personal data collected/used; how the data is processed; vendors with whom the data is shared and for what purposes; lawful basis for processing under GDPR Article 6; whether data is transferred from the EU to the U.S. and the conditions for the transfer; whether a PIA or DPIA was conducted and, if so, documentation of it; a column for keeping track of how long data is stored; and a section for notes.
For vendor management, we developed a separate page in the tool representing which vendors the IAPP uses, which departments use them, and whether we have privacy and security agreements in place consistent with the requirements of Article 28. The tool also allows us to create a ticketing system for employees to generate an email to the DPO — and a record in the spreadsheet — when they want to engage a new processor that will handle personal data on the IAPP’s behalf. This will initiate a mini-DPIA and discussion, along with contract review, all of which can be documented in the tool.
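As an added example (not the IAPP's own tool, which is a cloud project-management product), here is a small Python model of the inventory fields and the vendor page just described, with the completeness checks a DPO would want to run over the records before calling the Article 30 record finished: every activity needs an Article 6 basis, an EU-to-U.S. transfer needs its conditions recorded, a DPIA marked as conducted needs its documentation attached, a retention period must be present, and every vendor named on an activity must appear on the vendor page with Article 28 privacy and security agreements in place. The field names, the vendor names and the sample records are constructed for illustration.

```python
"""Added example: a minimal record-of-processing inventory with completeness
checks. Field layout and sample data are constructed, not the IAPP's tool."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The six Article 6(1) lawful bases, as short tags.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}


@dataclass
class Vendor:
    """One row on the vendor-management page (Article 28 processor)."""
    name: str
    departments: List[str]          # which departments use this vendor
    privacy_agreement: bool         # data processing terms signed
    security_agreement: bool        # security terms signed


@dataclass
class ProcessingActivity:
    """One row of the data inventory (Article 30 record of processing)."""
    department: str
    personal_data: List[str]
    purpose: str                    # how the data is processed
    vendors: List[str]              # names of vendors the data is shared with
    lawful_basis: Optional[str]     # Article 6 basis, None if not yet recorded
    eu_us_transfer: bool
    transfer_mechanism: Optional[str]   # transfer conditions, None if missing
    dpia_conducted: Optional[bool]      # None means the question was never answered
    dpia_document: Optional[str]        # attached DPIA/PIA document reference
    retention: Optional[str]            # how long the data is stored
    notes: str = ""


def audit_activity(act: ProcessingActivity,
                   vendor_index: Dict[str, Vendor]) -> List[str]:
    """Return a list of gaps in one inventory row; empty list means complete."""
    tag = f"{act.department}/{act.purpose}"
    findings: List[str] = []
    if act.lawful_basis not in LAWFUL_BASES:
        findings.append(f"{tag}: lawful basis missing or not an Article 6 basis")
    if act.eu_us_transfer and not act.transfer_mechanism:
        findings.append(f"{tag}: EU-to-U.S. transfer recorded without transfer conditions")
    if act.dpia_conducted is None:
        findings.append(f"{tag}: PIA/DPIA decision not recorded")
    elif act.dpia_conducted and not act.dpia_document:
        findings.append(f"{tag}: DPIA recorded as conducted but no documentation attached")
    if not act.retention:
        findings.append(f"{tag}: retention period not recorded")
    for name in act.vendors:
        vendor = vendor_index.get(name)
        if vendor is None:
            findings.append(f"{tag}: vendor '{name}' is not on the vendor page")
        elif not (vendor.privacy_agreement and vendor.security_agreement):
            findings.append(f"{tag}: vendor '{name}' lacks Article 28 privacy/security agreements")
        elif act.department not in vendor.departments:
            findings.append(f"{tag}: vendor page does not list {act.department} as a user of '{name}'")
    return findings


def audit_inventory(activities: List[ProcessingActivity],
                    vendors: List[Vendor]) -> List[str]:
    """Run audit_activity over the whole inventory against the vendor page."""
    index = {v.name: v for v in vendors}
    return [f for act in activities for f in audit_activity(act, index)]


# Constructed sample data: one complete row and one with several gaps.
VENDORS = [
    Vendor("MailHost (constructed)", ["Marketing"], True, True),
    Vendor("EventApp (constructed)", ["Events"], False, True),
]
ACTIVITIES = [
    ProcessingActivity("Marketing", ["email", "name"], "newsletter",
                       ["MailHost (constructed)"], "consent",
                       True, "standard contractual clauses",
                       False, None, "until unsubscribe"),
    ProcessingActivity("Events", ["name", "dietary needs"], "conference registration",
                       ["EventApp (constructed)", "Unknown Co (constructed)"], None,
                       True, None, True, None, None),
]

if __name__ == "__main__":
    for finding in audit_inventory(ACTIVITIES, VENDORS):
        print(finding)
```

Run as a script, the audit prints nothing for the first row and six gaps for the second; the same function can serve the new-processor ticket described above, since a proposed vendor with no Article 28 agreements or no transfer conditions shows up as a finding before the engagement goes ahead.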
Meeting the team
Making the rounds with department leadership proved highly fruitful. Above all, it allowed me to meet them in my DPO role and explain the importance of documenting our personal data processing activities.
Anyone new to the DPO position will want to interact with the organization’s key players in the DPO capacity — even if they’ve already been working for the organization in another role. This helps fulfill the Article 29 Working Party’s recommendation to “foster a data protection culture within the organization.”
One-on-one or small group meetings can also help the DPO better understand how the organization functions. As the WP29 recommends, the DPO should have “knowledge of the business sector and of the organisation of the controller” and “sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller.”
Even though the DPO is expected to have GDPR expertise and advise the organization on DPIAs and data protection safeguards, data inventory and mapping meetings are much more about listening than advising. A thorough understanding of the organization’s mission, functions, key personnel, decision makers and data handlers is required in order to carry out the remaining tasks on the to-do list. These meetings are an opportunity to establish trust and encourage open communication about personal data practices within the firm.
To be sure, it can take a lot of time to conduct these meetings and that may create a backlog in other areas of responsibility. The discussions the meetings generate will invariably produce many new privacy questions that need answers. So DPOs should be prepared to come away not only with the basics of a data inventory and map (that will have to be updated routinely) but also a few new projects to add to the growing list.
Credit where due
In the spirit of a true confession, this DPO’s data inventory project was aided mightily by summer intern Daniel McCue, a rising 2L student at the University of Maine School of Law. Dan’s summer was spent building the data inventory and vendor management platform and attending the group meetings with me. He pored through the GDPR in search of answers to myriad questions and created a resource of his own in the process.
Dan will be sharing his GDPR resource and his experience as the IAPP’s summer intern and “assistant DPO” in the August DPO Confessional. And I am grateful to have had help building our in-house tool for GDPR compliance while training a new privacy pro.