GDPR data cleansing. Should it stay or should it go?
In the last article in our series, we looked at the GDPR requirement to keep only data that is relevant to carrying out a predefined task. For many businesses that will mean cleaning up the data they already have before they can move forward.
The following are some suggested steps to get our house in order:
1. Conduct a data audit.
What have we got? What type of information is held and on what databases? It may be time to upgrade to an overall ERP system so all information is in one place (see previous article). What is held in Excel sheets, email inboxes, etc.? Even if you hold your data in the cloud, that does not make you exempt. Include manual files and paper trails. At least at this point you will have an idea of the scale of the task ahead.
2. Technical aspects.
How does each of these systems operate? Can you export information from the back end of a database, and does it include a unique identifier or timestamp? There are particular issues with Excel, covered in a previous article. Do you have archive facilities for each email box? Even with paper records, where are they archived, accessed, etc.?
3. Why we do what we do.
This is a policy defined by management and should be aligned with a defined purpose for how the information is used. This may vary depending on each department. A legal department will have a different function to perform than a sales team. This exercise will provide terms of reference for what is to be purged.
4. Mark a line in the sand: what do we keep or throw away?
Draw a matrix now with that purpose in mind and define the parameters for a rule on what should be kept. This may be by date (some regulations stipulate a standard 6-year period, for example). For a sales team it may mean after the 5th attempt at contact with no response.
5. Mark as Actioned.
It may take an individual or a team to dedicate themselves to this task. (Some larger companies have a specific team of up to 8 people who have worked for over 2 years on this.) Break each task into manageable chunks and assign them to the teams or individuals with the best expertise for the job. At each stage, each result should be tested and then signed off when complete.
6. Keep under constant review.
The policies that are now defined need to be maintained, as records will need to be purged in a constant process of review. The result will be a much leaner information flow, which not only complies with the ICO guidelines, but also makes the organisation operate at an optimum level with streamlined operations.
For more information on GDPR see our Services and FAQ pages.
Our GDPR Seminar will be held on the 9th of November 2017 near St Paul's, London. £10 to book includes material, drinks and savouries.
About the Author:
Malcolm Ford has worked for over 9 years in data migration services, upgrading businesses to enterprise-level software. He conducts data audits to work with the project management team in order to customise software solutions and dashboards suitable for the client's needs.