GDPR Compliance Journey - 03 Data Mapping
Summary
TLDR: In this video, Mike Sowell discusses the importance of data mapping for GDPR compliance. He outlines the steps to create a basic data map, emphasizing the need to identify personal information, its storage, purpose, source, and legal basis for use. The script covers various types of information, including employee, customer, supplier, and lead data, and highlights the challenges of obtaining and verifying consent, especially for marketing purposes. Detailed data maps are also explored, using the example of a free trials process, to demonstrate the flow and storage of personal data across systems.
Takeaways
- 📝 Data Mapping is a crucial step in GDPR compliance, helping to identify and understand the flow of personal information within an organization.
- 🔍 A basic data map should answer key questions about the type of personal information held, where it's stored, why it's needed, its origin, and the legal basis for its use.
- 🏢 The script discusses various types of personal information such as employee details, customer interactions, and supplier contacts, all of which require careful data management.
- 📧 Email and phone systems are highlighted as common yet often overlooked places where personal information is stored, requiring attention in data mapping.
- 📑 Documents and spreadsheets are also mentioned as areas where personal data can proliferate, indicating the need for thorough data mapping to identify all data stores.
- 🤝 Contracts with employees, customers, and suppliers are the basis for permissions to use personal information, emphasizing the importance of clear terms and conditions.
- 📈 The script emphasizes the importance of understanding the purpose of data collection, such as for employment, service delivery, and marketing to prospects.
- 📲 The use of CRM systems for leads and prospects is highlighted, noting the complexity of obtaining and maintaining proper permissions for data usage, especially under GDPR.
- 🔑 Detailed data maps delve deeper into specific processes, such as free trials, to outline data flow, ownership, access, storage, and transfer locations.
- 🌐 Data transfer locations, such as data centers in Amsterdam and Dublin, are important to document for compliance, showing where data is geographically stored and accessed.
- 📋 The script concludes with a reminder of the importance of record-keeping for processing activities as part of the ongoing journey towards GDPR compliance.
Q & A
What is the main topic of the video script?
-The main topic of the video script is data mapping in the context of GDPR compliance.
Who is the speaker in the video script?
-The speaker in the video script is Mike Sowell.
What is the purpose of creating a basic data map?
-The purpose of creating a basic data map is to provide a simple picture of where the company stands with their information, including what personal information they have, where it is stored, why it is needed, where it came from, and why they believe they have permission to use it.
What are the key pieces of information a basic data map should include?
-A basic data map should include information about the type of personal data, where it is stored, the purpose of its use, its origin, and the legal basis for its use.
What types of personal information about employees does the company store?
-The company stores personal information such as names, emails, phone numbers, dates of birth, and bank details of employees.
How does the company store personal information of its employees?
-The company stores personal information of its employees in HR systems, finance and payroll systems, emails, and on phones, both personal and business.
What is the importance of knowing the source of personal information?
-Knowing the source of personal information is important to understand the legal basis for its use and to ensure compliance with GDPR, especially regarding data transfers and permissions.
What are the challenges in managing personal information about leads and prospects?
-The challenges include ensuring that the company has the right permissions to use the information, often relying on consent and legitimate interests, and managing the information from various sources such as online forms, events, referrals, and mailing lists.
What is the focus of the company's more detailed data maps?
-The focus of the company's more detailed data maps is primarily on leads and prospects, detailing how the information is used, where it comes from, and the reasons for its use.
What is the significance of mapping the flow of data in the company's processes?
-Mapping the flow of data helps the company identify all recipients of personal data, understand data transfers, and ensure compliance with GDPR requirements.
What is the next step in the company's journey towards GDPR compliance after data mapping?
-The next step is to talk about the record of processing activities and what needs to be done in that area.
Outlines
📊 Data Mapping for GDPR Compliance
In this segment, Mike Sowell introduces the third part of the GDPR compliance series, focusing on data mapping. He explains the importance of creating a simple data map to understand the flow of personal information within an organization. The basic data map aims to answer key questions regarding the storage, usage, necessity, origin, and legal basis for using personal data. The types of information discussed include employee details, customer interactions, and supplier relationships, all of which are stored across various systems. The emphasis is on identifying all the places where personal information is stored, including HR systems, finance, payroll, emails, and phones, to ensure GDPR compliance.
🔍 Detailed Data Mapping for Free Trials Process
This paragraph delves into a more detailed data mapping example, specifically for the free trials process of the guideline software. It outlines the steps taken to map the data flow, from individuals signing up for a free trial to the data being transferred to the CRM system and the guideline software. The focus is on the personal data collected, such as name, email, company, and job role, and the storage locations, which include the CRM system and the guideline software database. The security measures in place and the specific internal systems that handle the data are also discussed, highlighting the importance of understanding data transfer and storage for GDPR compliance.
🚀 Moving Towards GDPR Compliance with Data Mapping
In the final paragraph, Mike Sowell wraps up the discussion on data mapping by emphasizing its role in identifying recipients of personal data, which is a crucial step towards GDPR compliance. He mentions that the guideline software has helped identify necessary actions for compliance, and data mapping is one of them. The next topic to be covered will be the record of processing activities, indicating a continuous journey towards ensuring data protection and privacy standards are met.
Keywords
💡Data Mapping
💡GDPR
💡Personal Information
💡Legal Basis
💡Data Centers
💡Consent
💡Legitimate Interests
💡CRM System
💡Data Flow
💡Record of Processing Activities
Highlights
Introduction to the third part of the series on achieving compliance with the General Data Protection Regulation (GDPR).
Discussion on the importance of data mapping for GDPR compliance.
Explanation of creating a simple data map for GDPR.
Key questions to answer in a basic data map: What personal information is held, where it's stored, its purpose, origin, and legal basis for usage.
Types of personal information discussed: employee details, customer interactions, supplier relationships, and leads/prospects.
The necessity of identifying all locations where personal information is stored, including HR, finance, payroll, emails, and phones.
The use of personal information for employment, service delivery, and marketing purposes.
How personal information is obtained: from employees during recruitment, from customers directly, and from various sources for leads and prospects.
The reliance on contracts and terms and conditions as the legal basis for using personal information.
The complexity of permission and consent in the context of GDPR, especially for leads and prospects.
The process of creating a more detailed data map for specific processes, such as free trials.
Description of the data flow for free trials, from web form to CRM and then to the guideline software.
Identification of data owners, access rights, and security measures for the data mapping process.
Explanation of data storage locations and the importance of specifying these for data protection and transfer.
The significance of understanding data transfer methods between internal systems for GDPR compliance.
Highlighting the locations of data storage, such as data centers in Amsterdam and Dublin, and their accessibility.
The next steps in the GDPR journey, focusing on the record of processing activities.
Conclusion and a reminder of the importance of data mapping for achieving GDPR compliance.
Transcripts
Hi, I'm Mike Sowell, and welcome back again to the Guideline GDPR journey. This is the third in our series about how we're getting ourselves compliant, and this time we're talking about data mapping. So we've completed our data mapping, and I'm going to take you through a couple of steps that we've been through: firstly about creating a simple data map, and then we'll look at it in some more detail. So let's take a look at our basic data map. When we talk about basic data mapping, we're looking for a few key pieces of information.

Now, the basic data map I'm going to show you is one that we use with all our customers, and it gives them a really simple picture of where they are with the information that they have and they use. We're looking to answer a few key questions. Firstly, what personal information do you have? Secondly, where are you storing it, where are you putting that information when you've got it? Thirdly, why do you need it, what is it that you're using it for? Number four is where from: where did you get it from? And then lastly, why do you think you have permission to use it? This answers a number of things in the GDPR around what is your legal basis, who are the recipients, who are you transferring it to, and a number of other things, so it's a good starting place on your GDPR journey.

So if we look at the types of information that Guideline are using, firstly we have personal information about our employees: things like name, email, phone, date of birth, bank details, things like that. And that information we store in a number of places, and this needs some quite careful thinking about. Yes, we've got an HR system where we store information about people; we've got their information on our finance system and payroll system which we use to pay them, and the payroll system is run and accessed by our accountancy firm, and that might not be too unusual. But as well as those obvious systems there are things like email: there are employee details on email and phones, and we've got a mixture of personal and business phones, and so phone numbers, names, email addresses are stored on those phones. So you have to be very careful about identifying all the places where this information is. What we typically see is that information is also on documents and spreadsheets and various others. We're quite good in that space in that we don't proliferate data in that manner, but lots of companies do. So why do we need that information? Well, we want to give them a job, and we want to pay them the money they want, and we want to be able to contact them. Where did we get the information? Well, we got it from the employee as part of the recruitment process. And why do we think we have permission to use that information? Well, we've got contracts with these people, and there'll be terms and conditions within those contracts that mean we can use that information to employ them.

We also have personal information about our customers: name, address, email, phone number, but some other information like the history of what they've done with us, the interaction with us, some social profiles. And that's important information to capture, because we might need to give that information back to them at some stage. And again, where are we storing it? Well, it's on our customer relationship management system, it's in email, it's in our filing system and it's in our phones. And why do we have it? Well, we need to deliver services to them, we need to fulfil our contracts, we need to keep them updated, and we also need to tell them about related products and services. Where did we get the information? Well, it was direct from the customer, and we have a contract with them and some terms and conditions, which is why we think we have the permission to use that information.

We have a relationship with suppliers, and we use that to receive services from them, to keep them updated, and they gave us that information, and again we have a contract in place with those suppliers.

The interesting space really is the last space, which is around leads and prospects. Like most other businesses we are trying to grow and to develop our business, and we need to record personal information about those leads and prospects, and we do that in our CRM system, but it's also in email and phones. What are we using it for? Well, we're using it for marketing to them, promoting our business to them. And we get this information from a number of sources: we get it from online forms, from events that we've been to in the past, we've used bought-in mailing lists, we work on referral, we get information from free trials, from face-to-face meetings, from a number of different spaces. And this is where the permission gets slightly tricky, because really a lot of the effort in the GDPR is to make sure you do have the right permission to use this information, and we're relying on consent and legitimate interests. And we know that we need to tighten up, to do some work to make sure that we're doing everything we need to do in those spaces, but by dint of defining the information and where we've got it from, it enables us to then focus in on those areas.

So in terms of our more detailed data maps, which we'll come onto in a second: we're doing one for the employees; we're doing one for our payroll system, because that goes externally and there's a different set of considerations; we're doing them for our customers, it goes into the CRM and we'll see how that works through; we're doing one for our suppliers; but principally our data maps are going to be focused around our leads and prospects, how we use that information, where we get it from, and the reasons we have to use it. So that's our basic setup and the information that we use, not too dissimilar to many of our customers. We're going to take a look at the detailed mapping for one of those areas in a second. We have a system that we use, but it's very similar to the data mapping template that we make available for free on guideline.com, so there's a link on the screen; please use that and go and get the template for yourself. But now let's take a look at our system and one of our more detailed data maps.

So this is our more detailed mapping view, and I've chosen our free trials process to do a map of the data that we receive and we use there. So, some basic bits of supporting data in terms of the date that it was done and who did it, and a name for this data flow; I've called it "free trials personal data". And then I've just given a description of the personal data, and really it just says that people can sign up for a free trial of Guideline and they enter some information, it gets passed to our CRM system and we generate an account in our software. Then who owns the process: we describe who owns the process. We then describe who has access to the personal data; in this case it's employees of Guideline only, and a small bit of detail about the security we've got on there. Details about where the personal data comes from, and then which information we collect; so in this case it's a very small amount of data: name, email, company and job role. Next we give more detail about where we're storing the data. So in this case we're storing it within our CRM system, it goes into an outgoing email, and within the Guideline internal software database. So we need to be quite specific about where it is, because that can affect the recipients and the transfers of data. I've given a very brief description of the flow of data, and it talks about some of the systems that data passes through: so it goes from the web form on the website to our customer system, it then goes via email, and then finally arrives in the Guideline software. And then, because we are moving data between the systems, how are we transferring it? And really the key piece, where it comes from external to us, is it comes direct from the individual into an online form; from then on it stays within our own internal systems. And those internal systems are in various locations, and that's the final question of the data map, which is which locations it's in. So our CRM is in data centers in Amsterdam and Dublin, and our software is in data centers in Dublin, and these are accessible via web browsers.

So that's the detailed view of one of the areas, and obviously we've completed that data map across all the areas of personal information that we're processing. If we remember, the reason why we're doing this is because the Guideline software is identifying a number of actions that we need to complete, and so for data mapping a key one is having identified all the recipients of personal data, and that's something we can now cross off our list. So a small step that we're moving towards a compliant status. So that's data mapping. Next time we're going to talk about our record of processing activities and what we need to do in that space. So until then, we hope you find compliance simple.