It’s easy to pull together a superficial or even cosmetic Personal Data Inventory, but harder to produce one that is thorough enough to truly support GDPR compliance and add value. For many, there is a tendency to see data solely as a digital asset and to miss unstructured, non-centralised and physical data that may exist outside of the obvious systems. Our 4-step guide is here to help.
The problem with the GDPR’s Article 30 requirement to maintain a documented record of all your organisation’s processing activities is where to start, and how to make sure the record is a true reflection of your organisation’s landscape. Whether you call it a PDI, a Data Audit or any one of a dozen other terms, any organisation subject to the GDPR must record: the categories of personal data it is processing and the purposes of that processing; the categories of data subjects the data relates to; the recipients of the data; details of any transfers to third countries; retention schedules; and the technical and organisational security measures in place to safeguard the data. Organisations will likely want to capture more than this to support compliance with other requirements of the GDPR.
An organisation will typically have significant personal data stored and processed in both structured and unstructured, and both digital and physical forms. Add into the mix the prolific use of personal devices, freelancers (paid or voluntary), the availability of online free software and storage, and it gets difficult to understand what data you have, where, why and how it is being managed. Furthermore, Data Protection Officers (DPOs) often emerge from a legal or technical security background, which is helpful in many respects, but may mean they don’t have the most appropriate skillset to be able to support discovery and make sense of your complete data landscape. In today’s digital world, there is a propensity to focus on structured data in core systems managed by a central IT function, which can result in four key areas being neglected:
The risk of an incomplete PDI is that it leads to personal data being mismanaged, which could result in a breach, an inability to respond to a Subject Access Request (SAR) and / or a hefty fine. A PDI done well will support GDPR compliance and may add supplementary value by allowing you to spot opportunities for process / technology improvement.
1. Establish your PDI Strategy
2. Align your people with your goals
3. Take a process led approach to discovery
While a PDI can feel like a huge burden, if done well, it can provide a strong foundation for GDPR compliance by helping you to: Identify, assess and mitigate data protection risks; form appropriate data privacy/protection policies and procedures; respond to SARs and understand the impact of a breach. A good PDI will also add value to life outside of GDPR – it may help you to spot opportunities for process / technology improvement or even missed opportunities to enhance your user and customer journey by streamlining your data usage.