GDPR Data map. Now the software bit.
Once you have completed the flow-of-information map, you can assign the different databases, paper records and spreadsheets to their respective function. You can then specify where the data resides and how the information changes as it moves along its life cycle. This should mirror the workflow you completed previously, but now include the place and purpose of processing. Go to the download section to view the “HR data map with software”. The locations may vary from data on a server, data in the cloud (someone else’s server), local drives or mobile devices. It is at this stage that you will find problematic situations. Contacts on mobiles, or that spreadsheet of personal information kept on someone’s PC: all of this highlights areas of concern.
A data map will highlight issues with software.
You will also find areas of double handling, where the same details are entered into different systems. One aspect of GDPR is the accuracy of information across the organisation, and that task becomes more difficult when there are more opportunities for human error when entering data.
You may also find that some legacy systems are not up to speed on privacy issues. They may also have passed their use-by date: no longer fit for purpose and no longer relevant to the organisation. This is why I separate the information flow from the software elements. It becomes easier to spot an incongruity between the tools deployed and the purpose they are supposed to fulfil. One of the reasons Carphone Warehouse got done over for a data breach compromising 3 million customers’ credit cards was that no-one bothered updating the WordPress site for over 7 years.
You may also see that different software was bought at different times for different purposes and the systems are simply not compatible. This makes complying with the “Right to be forgotten” quite difficult, as each “Subject Access Request” requires each database to be investigated. This was all covered in a previous article, but it bears repeating. This may be the time to upgrade these separate systems to enterprise level, so that there is one set of data available to all the different modules. It is much easier to access, amend, freeze or delete information when it is all in one place.
Once the data map has all its software links in place, you can go on to conduct a privacy impact assessment, which puts all of the above to the test.
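As an added example that is not part of the original post, here is a small HR data map expressed as records, with three checks that surface the issues described above: double handling, copies on local drives or mobile devices, and the list of systems every subject access or erasure request has to cover. All data items, functions, system names and rows are constructed sample values, not the download from this site.

```python
# Added example (not from the original post): a minimal HR data map held as
# records, with the three checks the post says a map should surface.
# All field, system and function names below are constructed sample values.
from collections import defaultdict

# Each row: (data item, business function, system holding it, location type)
HR_DATA_MAP = [
    ("employee name",   "Recruitment",     "Applicant tracking (cloud)", "cloud"),
    ("employee name",   "Payroll",         "Payroll DB",                 "server"),
    ("employee name",   "HR admin",        "HR spreadsheet",             "local drive"),
    ("home address",    "Payroll",         "Payroll DB",                 "server"),
    ("home address",    "HR admin",        "HR spreadsheet",             "local drive"),
    ("bank details",    "Payroll",         "Payroll DB",                 "server"),
    ("mobile number",   "Line management", "Manager's phone contacts",   "mobile device"),
    ("sickness record", "HR admin",        "HR spreadsheet",             "local drive"),
]

# Locations the post singles out as problematic: data outside managed systems.
UNMANAGED_LOCATIONS = {"local drive", "mobile device"}


def double_handling(data_map):
    """Data items entered into more than one system (accuracy risk)."""
    systems = defaultdict(set)
    for item, _function, system, _location in data_map:
        systems[item].add(system)
    return {item: sorted(s) for item, s in systems.items() if len(s) > 1}


def unmanaged_copies(data_map):
    """Rows held on local drives or mobile devices, where control is weakest."""
    return [(item, system) for item, _f, system, loc in data_map
            if loc in UNMANAGED_LOCATIONS]


def systems_for_request(data_map):
    """Every system a subject access or erasure request must be run against."""
    return sorted({system for _i, _f, system, _l in data_map})


def report(data_map):
    """Combine the three checks; this is the starting point for the PIA."""
    return {
        "double_handling": double_handling(data_map),
        "unmanaged_copies": unmanaged_copies(data_map),
        "systems_for_request": systems_for_request(data_map),
    }


if __name__ == "__main__":
    for key, value in report(HR_DATA_MAP).items():
        print(key, value)
```

Swap in your own rows and the same three checks give you the list of systems to visit for each request and the spreadsheets and phones that need bringing under control.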
For those organisations that do not have compliant software, please contact us to discover alternatives and methods for upgrades. See our Services page.