Working on a data map for GDPR.
As part of our build-up to the GDPR workshop on the 21st of March, we are producing a series on how to produce a data map, which will be covered in the upcoming session.
If you are the one who got lumbered with the task of GDPR compliance, then maybe you are wondering what you have got yourself into. The boss just heard it must get done and here is the deadline of the 25th of May. So where to start?
Most guides will prompt you to begin by producing a data map, which is a schematic of the information flow throughout the whole organisation. If you are feeling a bit lost with the enormity of the task, then a data map will help you visualise what is involved. This should look very similar to the workflow that already exists in your organisation. If you shuffle through your old induction manuals or annual reports, you just may find a diagram of how everything is supposed to operate. Sales > accounts > delivery > logistics: these should all be common departments within most business structures. It is tracing the interdependencies between each section that makes each operation unique.
Data Map Ignore IT
For the moment, I would ignore what IT systems you have. It is easy to get lost in the technical details and miss the big picture. Software should be the tool that assists in getting things done, rather than an end in itself. If you understand the type of data you hold and how it is used, that helps define its function. The intricacies of how it all works can wait till later.
A good place to begin is sales. That is where most personal information will be collected and placed into existing groups. Leads may come from business cards, bought-in lists, website enquiries or email marketing; all will be funnelled into some contact database. This is where prospects are categorised by sector and likelihood of a sale (warm, cold), and a timeline is applied. The fact that this goes into a CRM system (Salesforce, Excel, NetSuite, Mamut) is irrelevant at this stage. It’s more important to look at how that information is used. If a prospect places an order, which becomes an invoice, then as far as GDPR is concerned, job done. You have proof of engagement and the details are kept for accounting purposes, which legally you should retain for 7 years, so there is no need for consent. But what happens with lost leads? Is there a policy for what should happen with that information? Is it destroyed, held on to “just in case”, or kept for a period to upsell later? If they don’t wish to be contacted, is there a list for future sales reps to check prior to calling? This is a process of asking people the question, “Why do we do the things we do?”
When you have got something together, go on to the next logical step (e.g. quotations) and do the same analysis. Now you have two departments documented with their own distinctive characteristics and you can then track the flow of information between the two. It may be the same information, but it is processed in a different way depending on the context. Look for dependencies and interrelationships. Once complete, go on to the next department and so on till you have the overall picture. Once you have all the sections included, you can get a full appreciation of the significance of the information path and its importance to the organisation.
Next in the series “It’s going to be awfully big map”.