GDPR Compliance Journey - 03 Data Mapping

Gydeline

19 Mar 201810:38

Summary

TLDRIn this video, Mike Sowell discusses the importance of data mapping for GDPR compliance. He outlines the steps to create a basic data map, emphasizing the need to identify personal information, its storage, purpose, source, and legal basis for use. The script covers various types of information, including employee, customer, supplier, and lead data, and highlights the challenges of obtaining and verifying consent, especially for marketing purposes. Detailed data maps are also explored, using the example of a free trials process, to demonstrate the flow and storage of personal data across systems.

Takeaways

📝 Data Mapping is a crucial step in GDPR compliance, helping to identify and understand the flow of personal information within an organization.
🔍 A basic data map should answer key questions about the type of personal information held, where it's stored, why it's needed, its origin, and the legal basis for its use.
🏢 The script discusses various types of personal information such as employee details, customer interactions, and supplier contacts, all of which require careful data management.
📧 Email and phone systems are highlighted as common yet often overlooked places where personal information is stored, requiring attention in data mapping.
📑 Documents and spreadsheets are also mentioned as areas where personal data can proliferate, indicating the need for thorough data mapping to identify all data stores.
🤝 Contracts with employees, customers, and suppliers are the basis for permissions to use personal information, emphasizing the importance of clear terms and conditions.
📈 The script emphasizes the importance of understanding the purpose of data collection, such as for employment, service delivery, and marketing to prospects.
📲 The use of CRM systems for leads and prospects is highlighted, noting the complexity of obtaining and maintaining proper permissions for data usage, especially under GDPR.
🔑 Detailed data maps delve deeper into specific processes, such as free trials, to outline data flow, ownership, access, storage, and transfer locations.
🌐 Data transfer locations, such as data centers in Amsterdam and Dublin, are important to document for compliance, showing where data is geographically stored and accessed.
📋 The script concludes with a reminder of the importance of record-keeping for processing activities as part of the ongoing journey towards GDPR compliance.

Q & A

What is the main topic of the video script?
-The main topic of the video script is data mapping in the context of GDPR compliance.
Who is the speaker in the video script?
-The speaker in the video script is Mike Sowell.
What is the purpose of creating a basic data map?
-The purpose of creating a basic data map is to provide a simple picture of where the company stands with their information, including what personal information they have, where it is stored, why it is needed, where it came from, and why they believe they have permission to use it.
What are the key pieces of information a basic data map should include?
-A basic data map should include information about the type of personal data, where it is stored, the purpose of its use, its origin, and the legal basis for its use.
What types of personal information about employees does the company store?
-The company stores personal information such as names, emails, phone numbers, dates of birth, and bank details of employees.
How does the company store personal information of its employees?
-The company stores personal information of its employees in HR systems, finance and payroll systems, emails, and on phones, both personal and business.
What is the importance of knowing the source of personal information?
-Knowing the source of personal information is important to understand the legal basis for its use and to ensure compliance with GDPR, especially regarding data transfers and permissions.
What are the challenges in managing personal information about leads and prospects?
-The challenges include ensuring that the company has the right permissions to use the information, often relying on consent and legitimate interests, and managing the information from various sources such as online forms, events, referrals, and mailing lists.
What is the focus of the company's more detailed data maps?
-The focus of the company's more detailed data maps is primarily on leads and prospects, detailing how the information is used, where it comes from, and the reasons for its use.
What is the significance of mapping the flow of data in the company's processes?
-Mapping the flow of data helps the company identify all recipients of personal data, understand data transfers, and ensure compliance with GDPR requirements.
What is the next step in the company's journey towards GDPR compliance after data mapping?
-The next step is to talk about the record of processing activities and what needs to be done in that area.