Your Personal Data Inventory Top Tips & Brexit Impact 161220
Summary
TL;DR: In this engaging Privacy Kitchen session, experts Tash Whitaker and David Clarke join host Robert Bohr to dissect the complexities of data mapping for privacy governance. They explore the nuances of GDPR compliance, the impact of Brexit on data protection strategies, and share practical advice and war stories from the field. The conversation delves into the importance of understanding data maps, the challenges of maintaining accurate records of processing activities, and the implications of Brexit for cross-border data transfers and marketing practices.
Takeaways
- The importance of a data map as a cornerstone of privacy governance was highlighted, emphasizing its role in understanding data flows and impacts on privacy.
- Introductions of the panelists, Robert Bohr, Tash Whitaker, and David Clarke, who are experts in privacy management, consultancy, and cyber and data protection, set the stage for a deep-dive discussion.
- The distinction between a data map and an asset register was explored, with the former being a broader concept that includes the latter, which is more about the security and inventory of data assets.
- The GDPR's record of processing activities was discussed as a subset of a data map, which is crucial for understanding data processing activities and responding to data subject requests.
- The challenges of questionnaires for data mapping were noted, with panelists preferring interviews to get accurate insights into data processing activities.
- The role of the Data Protection Officer (DPO) in maintaining the record of processing activities was emphasized, as they need a comprehensive understanding of the business to fulfill their role effectively.
- The impact of Brexit on data maps was anticipated, with the potential need to revisit and adjust data transfer agreements and the possible requirement for UK companies to appoint EU representatives.
- The potential increase in data subject rights requests due to the removal of PECR (ePrivacy Directive) was flagged, necessitating a detailed data map to manage these effectively.
- The low adoption rate of ISO 27001 was mentioned, with GDPR and other privacy regulations driving a need for more comprehensive data governance practices.
- The dynamic nature of data mapping was underscored, as it needs to evolve with the business and be part of ongoing risk management and compliance activities.
- The complexity of managing large-scale data maps was discussed, with the need for robust systems and processes to maintain and update the data map in line with business operations.
Q & A
What is the main focus of the 'Privacy Kitchen Session on Data Maps'?
-The session focuses on understanding data maps as the foundation of privacy governance, discussing what constitutes a data map, the impacts of Brexit on data privacy, and sharing practical advice and war stories related to data privacy management.
Who are the hosts and guests of the Privacy Kitchen Session?
-The session is hosted by Robert Bohr, the founder and CEO of Keepable, and the guests are Tash Whitaker from Whitaker Solutions Limited and David Clarke, who has a background in cyber and data protection.
What is the importance of a data map in the context of GDPR?
-A data map is crucial for GDPR compliance as it helps in creating a personal data inventory, understanding data flows, and ensuring that organizations can fulfill data subject rights and manage data breaches effectively.
What is the difference between a data map and an asset register according to Tash Whitaker?
-Tash Whitaker explains that an asset register is like a map of the street with details of buildings, security, and contents, whereas a data map encompasses everything, including the asset register, record of processing, security measures, and business usage of data.
Why might a company start with an asset register for their data mapping?
-Companies might start with an asset register if they have previously pursued ISO 27001, as it helps them understand what assets they have, including databases and filing cabinets, which is a foundational step in data mapping.
What are some common pitfalls in creating a data map according to David Clarke?
-David Clarke mentions that a common pitfall is confusing a data process map with a business process map, and another is not specifying where the data lives, which is crucial for understanding data flows and security.
How does Brexit impact data maps and the need for a UK GDPR?
-Brexit necessitates the creation of a UK GDPR to replace the EU GDPR for data processing within the UK, and it may require companies to revisit their data maps to account for new data transfer rules and the potential need for EU representatives.
What is the significance of the number of entries in a record of processing activities (ROPA)?
-The number of entries in a ROPA should be substantial enough to provide a clear understanding of data processing activities, but not so overwhelming that it becomes unmanageable. The right balance helps in responding to data subject requests and managing data breaches.
What is the impact of Brexit on marketing practices and how should companies prepare?
-Brexit may require companies to adhere to local data protection laws in EU countries rather than relying on UK regulations. Companies should review their marketing databases to understand the geographic distribution of their data subjects and ensure compliance with local laws.
What are some top tips for managing a data map effectively?
-Some top tips include starting with a basic understanding of data processing activities, verifying information through interviews rather than relying solely on questionnaires, and ensuring that the data map is part of ongoing business as usual rather than a one-time exercise.
Outlines
Introduction to Privacy Kitchen Session
The session begins with a warm welcome to a privacy-themed discussion led by Robert Bohr, the founder and CEO of Keepable, a privacy management platform. He introduces the guests, Tash Whitaker from Whitaker Solutions Limited, who specializes in data-related consultancy, and David Clarke, with a background in cyber and data protection. The session aims to explore data maps, a fundamental aspect of privacy governance, and to address the impacts of Brexit on data protection. Practical advice and war stories are promised to enrich the conversation.
Understanding Data Maps and GDPR Compliance
David Clarke initiates a discussion on the concept of data mapping, emphasizing its importance in privacy governance and GDPR compliance. He explains that a comprehensive data map could involve various parallel journeys, including technical, privacy, data, business, and security aspects. The conversation highlights the complexity of creating a data map and the necessity of understanding the context and purpose of the mapping. Tash Whitaker adds that an asset register is like a street map, while a record of processing is akin to the activities happening within the buildings on that map.
Delving into Data Mapping Strategies and GDPR Record Keeping
The conversation continues with insights into the practicalities of data mapping. Tash Whitaker discusses the importance of starting with an ISO gap analysis or a basic GDPR record of processing activities. The speakers agree that questionnaires may not be the most effective method for data mapping, with face-to-face interviews being a more reliable approach to understand the actual data processing activities. They also touch upon the challenges of managing large volumes of data and the importance of keeping the data map updated and relevant.
Navigating the Complexity of Data Mapping in Enterprises
The speakers discuss the challenges faced by large enterprises in creating and maintaining data maps. Tash Whitaker expresses skepticism about the feasibility of mapping for large companies, while David Clarke shares his experiences with big companies where even after significant efforts, the data mapping was far from complete. They agree that the task is daunting and requires a significant investment of time and resources.
Crafting Effective Data Maps and Avoiding Common Pitfalls
The discussion shifts to tips for creating effective data maps and common errors to avoid. Tash Whitaker emphasizes the importance of granularity in data mapping to identify risks accurately. David Clarke points out that a data map should enable an organization to respond to data breaches and subject rights requests effectively. They both stress the need for a balanced approach that avoids excessive detail that could render the map unmanageable.
The Impact of Brexit on Data Protection and Mapping
With Brexit on the horizon, the conversation turns to its implications for data protection. The UK GDPR is set to replace the EU GDPR, and the speakers discuss the potential need to revisit data maps to account for new geographic considerations in data transfers and the potential requirement for EU representatives. They anticipate increased complexity and the possibility of stricter enforcement by national regulators within the EU.
The Overlooked Aspects of Brexit in Data Protection
The final part of the conversation highlights the overlooked aspects of Brexit, particularly in relation to marketing and the ePrivacy Directive. The speakers predict that UK companies marketing to the EU will need to adhere to local laws, which may vary significantly from the UK's approach. They anticipate potential challenges in identifying the geographic locations of data subjects in marketing databases and the need to ensure compliance with diverse regulatory requirements post-Brexit.
Keywords
Data Map
Privacy Governance
GDPR
Brexit
Data Protection Officer (DPO)
ISO 27001
Record of Processing Activities (ROPA)
Data Subject Rights
Data Controller
Data Processor
PECR
Highlights
Introduction to the privacy kitchen session on data maps, emphasizing the importance of data maps in privacy governance.
Robert Bohr introduces himself as the founder and CEO of Keepable, a privacy management SaaS.
Tash Whitaker describes her role in providing consultancy on data-related matters, including data protection officer services.
David Clarke shares his background in cyber and data protection, highlighting the evolution of GDPR's impact on businesses.
Discussion on the different perspectives and components of a data map, including technical, privacy, data, business, and security journeys.
Clarification on the difference between a data map and an asset register, with an analogy to a map of streets and buildings.
Importance of starting with a basic GDPR record of processing to understand what data is being processed and why.
The challenge of managing large-scale data maps in big companies, with the suggestion that smaller companies may find it more manageable.
Tash Whitaker's approach to data mapping, emphasizing granularity to identify risks and the iterative process of verification.
David Clarke's insights on the complexity of data mapping in large organizations and the practical difficulties in keeping such maps updated.
The role of the Data Protection Officer (DPO) in maintaining records of processing activities, as clarified in recent guidance.
Discussion on the practicality of questionnaires for data mapping, with a preference for interviews and verification.
The impact of Brexit on data maps, with considerations for data transfers and the potential need for EU representatives.
The importance of data maps in responding to data subject requests and managing data breaches effectively.
Tash's method of linking data mapping to the creation of privacy notices, ensuring accuracy and compliance.
David's perspective on the balance between the level of detail in data maps and the practicality of managing them over time.
Final thoughts on the challenges of data mapping in the context of Brexit, with a focus on the upcoming changes and preparations needed.
Transcripts
hello everyone
and welcome to this fantastic privacy
kitchen session i'm i'm
really delighted to be joined by tash
whitaker and david clarke
and we'll do introductions just one
second so um this is a
privacy kitchen session on data maps
which is really the cornerstone the
foundation of your privacy governance so
it's a really key thing
we're looking at what is and what isn't
your data map we look at the impacts of
brexit the gift that keeps giving
and we've got some great war stories
we've got some great practical advice
so um straight into some introductions
got a lot to talk about so
i'm robert bohr i'm the founder and ceo
of keepable we're privacy management sas
at a policy pack giving you a framework
for gdpr and pekka
um well that's enough about me so so uh
tash do you want to introduce yourself
and
and your business sure i'm tash whitaker
i run whitaker solutions limited
we do consultancy to businesses on
anything data related to be honest
whether that be
iso gap analysis data management data
quality tqm
but most of the work that we do is
related to data protection and we offer
data
data protection officer as a service to
a number of clients as well
fantastic fantastic and david would you
do the same this
great yeah david clarke um yeah i've got
a background in cyber and data
protection
all sizes of companies i kind of figured
um
gdpr was going to kick off in 2014 i
think it was kind of two years too early
um but it's definitely come of age now
and yeah i i kind of work with companies
on cyber and data protection
and it's fantastic having both thank you
very much being guest chefs and i do
apologize for not having sent you your
privacy kitchen mug in advance but uh
i know david you got your gdpr on there
so um straight into the questions then
we've got
fantastic geographic we can get into
that one as well that's a fantastic
segue for later on as well so uh just
diving straight into the first questions
then so
um david can i ask you to enter in to
introduce
what a data map is and we can talk about
what the title of it is be it i mean
we've just been talking about that
before this call it'd be great as well
yeah
um i think that's kind of a good
question and and i think to some extent
it depends on who you're talking to
because quite often to kind of have a
full data map
you may need a number of journeys that
will run in parallel you may need the
technical journey the privacy journey
the data journey where it physically
goes
the business journey kind of what we're
using it for the security journey you
know
number of companies when you start
mapping out the security journey
you'll find you know easily 10 12
different security domains
which kind of means what do you do if
there's a bridge what do you do if
there's a problem
actually you don't really know who to
call what to do um
often that will need an overlay of kind
of visual descriptive so
it's sort of understandable and actually
kind of what your outcome is
so it it kind of really does depend on
the context
and who you're doing it for um
all around the gdpr sort of e-privacy
because it's not just gdpr is it it's
on a privacy data map so when i use sort
of data map in this sense i'm thinking
about the privacy governance
uh personal data inventory uh and so we
were talking about this so so
uh tax i was gonna ask how is that
different to say an asset register and
common parlance or
a security asset register so asset
register i
tend to think of the asset register
being a little bit like a map of the
street
it is the types of buildings that you
have
um how they are secured what they
contain or what they should contain what
their address is
that sort of thing the record of
processing
is what's actually happening inside so
if you think of it as a party invite the
party invite is your asset register
that's all the facts
and the regular processing is what goes
on facebook is what actually happened
in the real world now your data map to
me is
way bigger than all of that data map can
be a very overwhelming term
because it can be absolutely everything
it's your
asset register it's your record of
processing for article 30
it's your security it's everything and
it is very very overwhelming so i prefer
to think of it first as
you know start off with one and then
build it up and over time you will have
a holistic view of your data
and that's what you can call a data map
but it's not
a quick job to do and it's not the
first way of doing it i don't feel
that's interesting what do you think the
first way of doing it is
just start with one or the other a lot
of companies will have started with
their asset register
because they did iso 27001 before they
started thinking about privacy
um so for some that's their first step
for at least
knowing what assets they have what
databases they have what filing cabinets
they have
whose drawers they've got and so on you
know others will have started with just
the basic
um gdpr record processing um
you know the ico have done a nice
template that you can follow for these
particular data elements they go
slightly beyond what's in
the regulations um but if you start with
what's in the regulations of the things
that you need to track
about the data that you're processing so
what are you processing
why what's your lawful basis where's it
stored which then links into your asset
register if you've got one
you know who you're transferring it to
it's the it's the business side of what
are you doing with your data
you don't need to be technical to be
able to answer those questions
so for some yes register for others we
start with
the the basic you know process mapping
and i think so so before founding people
was uh general counsel of startups and
building sort of doing the the sort of
the role of cut
our respective customers now and then i
was a consultant when i was doing them
hypothesizing around keepable and one of
the bits on the data mapping exercise
and i think it's really interesting this
conversation
you know what does that actually mean as
a term so i went to one client and they
said well
we've done our data map and it was there
as you say the twenty seven thousand one
the security one
uh i'm not sure if they were 27 but
they've done a security asset register
and they said we know where
all our data is and then that's like
like you say i love the analogy of the
the street block and the buildings and
everything i said great so what's
actually
how do you process it what do you
process it for what about recruiting
they were like oh
uh no we know there's a server and we've
secured it i said yes but
what's that data used for and and so i
think the
the way i look at it is um i totally
agree a data map can be a very broad
term
and it can be a huge a huge area i like
the way that you sub
you've both talked about the subsets of
it i think the security map tends to
need to be
driven by the the requirement to find
your security assets your information
assets secure them
secure the more if it's sensitive data
and the risks to the enterprise
and then for gdpr you've got the
um what goes on facebook says what
happens with all that data
um the risks the individual gdpr doesn't
care about your enterprise it cares
about that individual so
often we start incapable with the
activities so
um you know hr recruiting finance
payroll and that might hit different
assets or different locations and what
have you and as you said david you walk
it through
i think that's a really that's a really
key thing could you actually on so david
on that bit were you talking about
building that map and having all those
different strands
when you have those conversations you're
walking it through from from a pricey
privacy point of view what are the some
of the sort of top tips on
and the typical errors on that part of
it of saying of focusing in
you might say go to marketing say i know
you do this or do you just send
marketing a questionnaire
um i've got to say i've never found
questionnaires really work that well
um they sound really good idea but
people kind of tend to reply
with what they think you want to hear or
help
i've never really found that work so
generally
it it kind of works better by at least
starting point is by interview
and then you need to verify what's going
on after face-to-face because otherwise
all you're doing is having a discussion
there's no real evidence there
and quite often most businesses are way
more complex than you know
a kind of normal record of processing
can manage in a data map you know if
you've kind of got the
the ofcom advertising awareness for you
know age-appropriate
design and so on so suddenly your your
data might be okay your security might
be alright but your messaging
might be wrong as well so you suddenly
got to build that layer into it as well
because now you're dealing with under
18s under 16s etc etc
and putting all that together and then
making it make sense and then getting
the client to understand it
uh i saw some of the kind of challenges
really that you know there's
an awful lot involved that you know i
guess no one really worried about to
you know till recently that's a
fantastic point i was talking to um
a consultant yesterday and it was around
you know when you go into a business
there's not necessarily the business
doesn't necessarily have a view of that
complexity
um you know they've been dealing with it
sometimes to a
more or less superficial level um but
often the gdpr when you guys go in and
you're talking to your customers is
often the first time they've really
brought it together it's one of those
aspects
a benefit of doing a gdpr uh i would say
gdpr is the privacy
program do you see that as a big benefit
when you talk to the clients and what
other sort of benefits do you see there
i see definitely so when i go in i
always start by just
having conversations i show them the
excel sheet that i'm
potentially filling in and after about
five minutes i just throw it away
it's like that you know roughly what i'm
going to be asking you know but let's
just
talk and i'd warn them i'm going to ask
you some really irritating questions
you're not going to like them because
i'm going to be
why what exactly are you doing so
you're not using it the way you just
said you where are you you're actually
doing this with it aren't you
i said it can be really annoying because
i've got to get down to exactly what
you're doing because only then
can i work out how this fits into record
processing
my next step after that is to write it
up in a word document i don't go near
the spreadsheet yet
i say this is what you told me about
what you do
written in plain english is this right
and from that
i will then retrofit it into irregular
processing and that's where i notice
i've got gaps
and then i go back to them with almost a
completed one and say i've got a gap
here what do you do
can you check this and fill it in and
that way i avoid questionnaires because
i'll never get the answer i want from a
questionnaire
but also they're sort of bought into it
because they've read it as a story it's
like yeah that is what we do or no
you've missed this
actually we do that you know so it's a
a multiple step process and i'm quite
glad as well there's been clarity around
the fact that the dpo
is really supposed to do the record of
processing
because that wasn't defined originally
um but in all the guidance since they've
suggested that that is a role that the
dpo should do because that's the only
way you fully understand the business
you know when someone starts telling us
like i'm using this to do that you're
like well well that's not in your record
of processing
back we go yeah yeah yeah
and whether there's an assessment needed
and all these sort of gaps as well so
it's and one of the things i think with
the you've both said about the
the the questionnaires and the surveys
sending them out i had there was a great
one uh someone said if you ask somebody
and you send a pro you send a question
there to say someone in marketing say do
you process personal data
no so like you know they won't go any
further but also we were talking just
earlier about
even you know and this is no there's no
judgement here at all it's like you know
i don't know
that much about about sort of the
technical aspects of of a system i'm
sort of on the
sort of legal and compliance side but so
i'm not expecting people to know that
much about my area either so
some you know very skilled security
people i.t people marketing people hr
people
you know they're very skilled in their
areas there's no reason they're going to
know
what a processor is or a controller is
under gdpr which is
you know you can't sort of reduce these
questions down
to plain english too much you've still
got to use some jargon do you find that
as one of the aspects and it also
depends on the context because they can
be both in certain circumstances
so depending on what angle you're
looking at they could be the processor
and the controller
or kind of change role for another part
of the journey
and that's you know to some extent some
of those concepts do kind of fall apart
especially on big companies you know
where they've got
huge amount of entities they own and
control and one company owns all the
employees the other company
kind of owns all the it assets and you
know which ones control which one's
processor
depends on the time of day and what's
going on
absolutely and that's an interesting
it's like scontage
so you do find yourself asking the
questions you know are you doing this
for yourself
or are you doing it because they told
you to you know that's the sort of
the leading question to try and get to
are you actually the processor in this
or are you the controller do you get any
benefit from doing this
other than you know you get paid to do
it
you know it's quite an interesting one
you start really delving in
and um and then discovering that yeah
the processor but they're also doing
stuff with the data they shouldn't be
doing and then you're like oh god
yeah we start off doing it for someone
else and then we go no stop stop
absolutely
and so what's in what's also come out
here is that we said we've talked about
for example 27
0001 and and we did some research at
keeper which is not capable
it's on our website that um the actual
adoption rate of 27
0001 is tiny it's amazingly tiny so i
was actually i've got a non-alcoholic
beer during lockdown and i was looking
at one that said
0.5 percent alcohol and it was like
non-alcoholic i thought okay
and he left so i got another one it said
point zero five percent alcohol and
point zero five percent
is actually um the adoption rate of
twenty seven thousand and one in the ea
30 and the uk combined wow
we're going up in the uk because the
i do a lot of work with health tech
startups and the data protection toolkit
has now got something in it that says
that suppliers should have
iso 27001 or equivalent or something to
that wording
which means suddenly a lot of these
startups which are really still very
very small
in order to get their tool kit are
having to do 27001 as well
so i'm seeing more demand for that
amongst smaller businesses than i was
before
yeah certainly in those i went in the
startups i was in as we were growing and
we were going
for larger and larger customers i got
the budget to do 27001 when sales got
fed up filling in a massive rfp
um another one was going into the nhs
and that was a real driver as well
but it's still the actual although it's
gone from 2400 certificates in the uk to
2800 last year
you know there's 2.78 million
active enterprises 5 million if you
include all the sort of smaller
businesses
in there so it's still at the uk we're
still at the point one percent
um one of only three european countries
with
reaching point one germany's at 0.5
percent too so
but it does it does sort of flow through
in in best practices for sure
um in term just before we move on to the
next bit so
this is a really interesting bit about
the size of companies so how do you see
the differences with a large company and
a small company with that process we
were talking about
so i tend to stick with the smaller
companies for exactly that reason
i can't even begin to imagine trying to
do
a full data map on a large organization
i mean i'm talking largely like a plc or
something like that
even when i look at some of the
solutions that are out there for large
companies i'm not going to name any
i'm currently undergoing a process to
set someone up on one of these
systems privacy systems they are a very
small company less than 250 employees
and i have the expert qualification in
doing this
so as my project manager between us
we're up to about 30 hours of work
just to get their data map into the
system
you know and it how on earth is a large
plc doing this
i i just can't imagine it i really can't
i'd like to think maybe they already had
a lot of it because
as everyone says it's a evolution not a
revolution
personally i haven't discovered that
really but you know i'd like
that some of these big companies were
already halfway there and maybe it's not
so bad but
i i just don't envy them at all
yeah david what's your thoughts on that
yeah i agree with tash
it's really really difficult um you know
i've done stuff for some really really
big companies
don't think you know after nine months
we even kind of scratched the surface in
reality of kind of what was going on
you know you can ask the questions how
many servers have you got
well we think we've got three and a half
thousand servers great
um they all get patched and everything
all the usual security questions
um well at least 750 are patched okay
which 750 are patched we don't know but
we know we've done 750.
so yeah that's kind of where you get
stuck
because the volume of stuff and what
goes on
is just too complicated and of course
the next problem you have is even when
you have done
i think we got to um well over a million
data points
to to kind of put the maps together how
do you manage that how do you keep it
going yeah you know you need an army of
people to actually keep you updated keep
the changes going
etc etc is a phenomenal
task very very difficult i think this is
also
really a subject for another privacy
kitchen but it's
about the the actual compliance of
people because when what you're saying
i totally agree when i'm looking to do
sort of sales into large large
enterprises
very few have have their data map done
their article 30s or the rope or
whatever
whatever we call it they're like you
know and these are the guys who will
have 5 000 rows because
all they've done is they've got each
company to do something and then put it
all into one big sheet
how do you manage a 5 000 row sheet um
uh and we won't go into the nhs debacle
of the the
track and trace excel spreadsheet but so
it's um
yeah it's a tough one but let's um on
while we're sort of we've touched on the
next bit which i think is really
people are really interested in which is
the processing what is a processing
activity how do you define what a row is
um so so tash could you sort of you know
in
in whatever we call it this this list of
the
um the inventory the personal data
processing
um what how do you determine what a row
is what a processing activity is
I tend to split it down by: it's a processing activity for a unique group of data subjects, for a unique purpose, with one lawful basis. That tends to be my guiding thing. So if they start talking about direct marketing, I'm like, okay, well potentially there's direct marketing B2B, there's also direct marketing B2C; I would split those out, for example. So I do go, I mean I'm constantly criticized on Slack and LinkedIn because I do go very, very granular, because I think it's the only way that you can really identify the risks. There are some solutions out there which will actually then bucket stuff up, which can be useful depending on how you're then trying to display it, but I think you do have to go to that degree to know the business inside out. Which, like we said, is not scalable and it's not sustainable, but it works for the size of the companies that I work with.
Absolutely. David, what do you think?
I think one of the things is, what actually is the purpose of the ROPA? Part of it has got to be: can you deliver the data subject rights, and can you manage a data breach, with that kind of information? If there's too much in one line, it might be very, very difficult to come to any real conclusion. If you've got multiple legal bases, which is quite possible on one journey, how do you separate it, how do you make sure you can deliver data subject rights, let alone any breach issues? So breaking it down does help you. But then, I've come across small companies and they've done amazingly well, they've had thousands and thousands of records in their ROPAs, and actually it's unmanageable; you're never going to find the right area. Yes, you've done it, you've done a good job, but actually you can't do anything with it.
It's a very good point: it's got to be something that's usable, and I think that's where a lot of people are. They've done something in the past and they're coming back to renew it. GDPR is about two and a half years old now, and people are coming back and renewing their Article 30s or their ROPAs or what have you, and they're going, actually, there's got to be a better way. I totally agree on that. There's a Belgian example (it's quite hard to find anything specific on this), but there's a Belgian example of an Article 30 record, and it separates out: if you have a different purpose or a different legal basis, that's their trigger. So I totally agree with that: marketing B2B, marketing B2C, and whether that's emails or whether it's phone calls, because it also comes back to helping you (and we'll talk later about PECR and ePrivacy) with complying with it. So I think that's a really good one, and I do think that you can still be strategic at that. So when you have marketing B2C, well, let's put it this way, trade shows is the example I always give: if you always treat trade shows in the same way and it's B2B, you can go "marketing B2B, trade shows, handling leads", and as long as you deal with them in the same way and store it all in the same place, you can have one line. And I know some people have put every single trade show in as a new line in their ROPA, and that can just...
I think what David said is key. I'm seeing people starting to finally depend on the ROPAs, because before it did feel like a bit of a tick-box exercise, because no one ever referred back to the ROPA. But I'm seeing, and I don't know whether you're getting this as well, we are getting a ridiculous number of SARs coming in from a company called Privacy Bee, which are basically fishing exercises. But at least when it comes in we can say, okay, so this would have been this type of data subject, therefore if we look at the ROPA, this is where we've had the data, these are the rights that apply, this is what we can do with them, and it's a lot quicker. So as much as I hate these fishing exercises (I'll get the words out), much as I hate them, I am seeing that it's finally showing its worth in the ROPA, because they know where to go and look.
So I think that's the benefit of the approach of going to that sort of different, and it's the right way, the different legal basis, different purpose, and the data subjects et cetera. It enables you, like you both said, to react to a breach, to react to a data subject request, but it also leads to different benefits, of reducing the amount of data, deduplication: those 3,000 servers, maybe they only needed 750 servers, so it flushes out a lot of that too. So just before we move on to the next bit, this is a really great part, what do you think then? I'll just throw it over to both of you. We've talked about some numbers: what do you think is too low, where someone's not had a proper go; a decent number of entries; an average number; a totally ridiculous high number; and how that reflects in different sizes of companies?
Well, I think something is better than nothing for sure, so I'm not sure there's a minimum, but I think there should be at least a high-level ROPA, because you can always put that together reasonably quickly. It may not be that useful, but you've got something, you've got an idea of what's going on; otherwise you have absolutely no idea. I mean, as Tash said, I've been into companies and you go and talk to their accounts department and ask the usual question, do you have any personal data, and they go no, no, no, we just deal with figures and whatever. And then: do you do payroll? Yeah, yeah, we do payroll. Then do you do reconciliation with each other? Yeah, we do that. Don't you do the tests? Yeah, yeah. So after you've been through all that, actually you do deal with a lot of personal data. It's really dragging that out, and that can just take time, because we've not had to do that. And I think the other downside is IT systems have not been designed for data protection. We're still using IT systems that, although they're very slick and smooth, are still designed on concepts from the 1970s, and really they haven't jumped ahead to what we need to do to manage data going forward in the 21st century. It's way too difficult.
Very true. So, Tash, what do you think? I'll throw out some numbers that I've come across in different places and see what you think. I think if someone's got, say, five rows in their inventory, they've not done enough to really think about the activities. If they've got, say, 50, they're in the right ballpark. If they've got, say, 200, that's potentially getting a bit hard, depending on the size of business and how they're treating it, but it's perfectly doable; as you say, manageability is a different thing. I've come across people with 2,000, 5,000 rows, which to me is just ridiculous, it's just too many, and they've all gone, actually this is because we've amalgamated all this and it's duplication. So what do you think of those sort of numbers?
So mine tend to be between, I'd say, 50 and 250 lines. My take on it is you have to have enough in there to be able to write an accurate privacy notice, because you can't write a privacy notice unless you know what you do for each type of data subject. Because all my privacy notices are written as the data subject: if this is your relationship with us, this is what we hold, this is why we hold it. And I can't do that unless it's in the ROPA already. So there has to be enough in there to be able to write the privacy notice, and that's always a good sanity check for me, because if I'm halfway through writing it and realize I don't know the answer, it's because it's not in my ROPA and I need to go back. So as long as those two tally up, it's generally going to be okay.
It's good, I like that, it's a good rule of thumb as well. Fantastic. Those numbers all seem absolutely spot-on with what I'm hearing as well. So just on the timing, if we just move forward onto top tips and typical errors, we've covered a fair few, but other things, in sort of war stories, maybe a couple of war stories would be good fun, about some errors on the data map when someone thinks they've got it right and they haven't, or a top tip to head off those sort of errors, before we move on to the wonderful topic of Brexit.
My biggest error I see on them, when I first come in and look at what they've got, is where it says "data controller" and it's got the name of the department lead in there. No, that's not what data controller means at all. So that's the biggest error that I see. And the other one is, I tend to think of it as being a little bit evolutionary: I've got one client where I've been working for a year and we still haven't finished their record of processing, but we're working through it and we're getting there. So I think we have to understand that this does have to run alongside business as usual. You haven't all got loads and loads of money to throw at this; it's got to just be done alongside the business and within your own risk criteria as well. So they're my two.
Yeah. David?

Yeah, I think the one that I come across is: a data process map is not a business process map. Quite often they get mixed up and people go, oh, when we've done it we'll have a whole map of all our business processes. No, you won't. They don't really align; they might be similar, there might be overlap, but it's certainly not the same thing. And the other favorite that I see is the record of processing that doesn't actually put where the data lives. So actually you don't know where your data lives, you don't know whether it's cloud-based, you don't know whether it's in a system. You've done a record of processing, but to some extent that's of not very much use other than as the starting point for a lot more work. But the other side of the coin is the level of detail: where do you draw the line? Because it can take weeks and weeks, if not months and months, to get this right, and by the time you've done it it's probably changed anyway. How do you get that balance right?
There's a question about putting in the processing activities. Article 30 doesn't mention processing activities, it says... so if I just go to Article 39, I think one of the bits... let's always have it on the screen. So it's: "each controller and, where applicable, their representative, shall maintain a record of processing activities". So it's in Article 31 and Article 32, so the record of processing activities under its control. But I think one of the bits that's really interesting for me in what you said there, and it goes back to the earlier conversation, is this is all part of business as usual. It's also part of all those other risk management programmes. Even though the risk for GDPR is about the individual's risk, there's a risk for the entity in terms of fines, there's a risk of lost business and PR, this sort of thing. So it has to sit alongside; obviously security is a big one next to it, but you've mentioned other things like the FCA or the NHS. They've got a whole range of things to think about: how do we do this, what can be separate, what needs to be joined up, and how do we join it up? It is a big ask on businesses.
Let's just go in...

Sorry, so in the ICO accountability framework that's just come out, there's a section in there under the record of processing where it actually says they expect the record of processing activities document to have links to the breach log, links to the legitimate interest assessment, all these different things they expect, but none of it is in here. I mean, they're all separate, but it doesn't say that has to be part of your record of processing. So I think there are so many mixed messages about how things should be set out. I just don't envy anyone trying to do it as part of business as usual; it's like, what do I do? Which is why I was saying at the beginning, always just start with the basics, and then we can fill it up.
I totally agree, go to the source. One of my things on it is regulators have been massively overstepping the mark. I mean, the regulators have had their moments in the sun, and some of them have got a little bit of sunstroke in certain areas. So for example, the EDPB, when they put out the territorial guidelines, said the Article 27 rep, the EU rep, was as liable as the processor or controller. Well, it's ridiculous; that was in the early days, it was taken out. It's not in the law; there's a sentence in the recitals, which is not law, it's interpretive, but you can only fine a controller or a processor for certain things, and it was removed after the consultation period, thankfully, after the outcry. But I think there's a lot of regulators going, "I want it to be like this." But actually, as you know from my GC bit, I would always say with regulators: you get the minimum of what it is that I have to give you that you're asking for, and then anything on top of that I'm going to determine from our own purpose: is that a justifiable request, are you entitled to that? And so I can see why the ICO would like it all linked, but there's enough already for people to do. It's like, let's focus on what absolutely matters to the data subject, let's focus on that first, because ultimately the data subject is at the heart of this, not an Excel sheet, not a solution. Can we do the rights of the data subject? And that's what the record of processing is all about: it's knowing where stuff is and knowing which rights apply for each process.
Yeah, absolutely. Which, talking of data subject rights, they're about to double, and we were talking about this a bit earlier in our pre-session. With Brexit, now we can open up Brexit. From the date, the first of January 2021, the UK GDPR will come in and the transition period will finish, unless we get an extension of the transition period, but on the first of Jan 2021 the UK GDPR comes in. The EU GDPR is obviously for the EEA 30, not for the UK apart from legacy European data, and you can just unwrap it as far as you want to go. But in terms of this data map, records of processing, this inventory, what are your thoughts on Brexit's impact? In terms of how far do you have to go back and redo everything, is it a massive impact, is it a small impact, where do you see the key impact?
I think it shows the difference between having taken the time to do extra detail in the ROPA or not, because obviously when Schrems came in, it was really easy to say, okay, so where are all our processors outside the EEA, which ones do we need to worry about? Now we're starting to get, okay, where are our processors who are based in the EU who we're going to have to get data back from? And you know what, that's not in my ROPA, or something like that, because we didn't need to put it in the ROPA, because I've got it on some... I've done my process of due diligence, I can get it from somewhere, but not necessarily in the ROPA. So I think that forward planning of the ones where we did put it in, because we knew this was going to come, is going to save so much time next year now that we have to go back and start looking at re-papering. So that for me is the big one in the ROPA.
Yeah. David?

I think if your companies are effectively selling outside the UK, there's a whole tranche of legislation, distance selling, how is that going to affect potential issues? If you're selling in Europe, do you need to be registered in 28 different countries? Representatives might need to kick in. I don't know, each case has to be looked at in its own area really. To me, for example, to pick on Estonia again, and I'm being a little bit loose with the figures here, I think they have a criterion that you need a DPO if you have over 10,000 records or 15,000 records. It's quite a low amount; in the UK, it's if you're as big as a social media company you definitely need a DPO. So you could be in the UK selling to Estonia and actually find you need a DPO, whereas you didn't before, to comply with local regulation. So I think, I don't know, we don't know what's going to happen yet, but it could be quite complex, and I don't think I want to have to do that. Was it 27 European countries, and what would the other six be... Norway, Liechtenstein...
The Privacy Kitchen yesterday was on the EU representative; that video is coming out. Just in terms of date, this is the 16th of December, so if anyone's watching the recording later, this is why we're talking about Brexit in this manner at this point. So it's the 16th of December 2020, and the transition period finishes at the end of December. The EU representative: UK companies didn't care about the EU representative because we were in the EU and we were doing all of this, so it wouldn't have been considered. And the 25 million active enterprises in Europe won't have thought about a UK one either, so that's something extra on to the transfers bit. I think transfers to the...
Sorry, sorry, the ROPA comes in again, because you only need the EU rep if you don't already have a location or establishment and, I'm going to get this right, you're not doing occasional transfers. So it's only really... I mean yes, someone in their gut knows roughly how much they're doing, but it's through the ROPA you look at it: okay, so where do we have non-UK data subjects, what is the processing we're doing, is that occasional, is that high risk? Therefore we do know. So if you've documented it properly, it should be an easy decision to make; if you haven't documented it yet, then it's going to have to be, right, get back to the business, let's try and work this out. And again, it's a little bit more work now, things we hadn't considered before. Representatives, and people trying to tell everybody in the world they need one, which is totally untrue, and it's scaring companies to think that they have to have them when they don't.
Yeah, well, I think GDPR has always been a bit of Project Fear in some ways, in some people's marketing, and people like your good selves have always not done Project Fear, which is fantastic, but there's been a lot of people on Project Fear and selling; it's been a Wild West on GDPR. And it's very hard to get people who really get it, and you can even see, I mean it's difficult even for privacy professionals: on LinkedIn we have all these discussions about whether someone's a controller or a processor or not; it's one of the most fundamental things to the whole lot, so how are people meant to do it? So I do have a bit of sympathy, a lot of sympathy, for businesses on this. That's a really interesting comment from you, Tash, about the data subjects as well, and the rep, because on transfers it's also sort of thinking more around the transfers, but do we know where those are now? Transfers is outside the UK, and if you're covered by the EU GDPR it's transfers from that, so you've got two different geographic locations for transfers. You've then also got where the data subjects are themselves, so, separate to transfers, that geographical footprint, which may well not have been captured in that initial data mapping. So that's a fantastic comment. So we're into the Q&A part here, and I'll just check on the questions in here. That's why you're looking to try and just mention marketing and PECR and Brexit, because I think it's been very overlooked, unless that's been asked as well. So let's do that.
Were you going to lead us off?

Yeah, sure, because it's something we were talking about right before this, because it is definitely something that's been overlooked. So right now, if we are marketing to people in Europe, we have been able to pretty much, slightly dodgily, rely on the rules of PECR in the UK to say that we can use soft opt-in here, we can market B2B, and countries like Germany and Austria, I think it is, who are particularly strict, where they like double opt-in consent, we've been able to say, you know what, we're part of the EU, we've implemented PECR, therefore we're okay. Well, when we Brexit, we're not going to be able to do that anymore; we're going to have to go with the local laws. And I am starting to think, how on earth do I know who is in my marketing database? Because that's not part of my ROPA. I just know that I do marketing for newsletters, I do marketing for this, I've done B2B marketing, but does that cross borders? Where are those data subjects based? I probably don't even know right now. If they've got a business domain that's .com, they could be anywhere. So this is something we're all going to have to look at, and I don't know that it's ever been part of anyone's ROPA to go down to that level of detail, but as we've added all this new complexity to our lives through Brexit, we're going to have to start adding complexity to make sure that we can adhere to the local rules. Because my gut feel is that those various countries are going to come down hard on us in the UK, because it serves us right, so why wouldn't they? And I think we could potentially be in for a bit of a pasting there.

Maybe. I think you're right. David, what do you think on that?
Yeah, I think that sounds about right really. I mean, I was amazed that we got away with it so far, even pre-Brexit. And of course the cookie battles are warming up; it was only October, wasn't it, where the CNIL and Ireland said the grace period's over, we're going to start enforcing good cookie behaviour. We see a lot of it in Europe, very little in the UK. So does that mean that companies trading abroad may get hit a lot more on the cookies component? I think, yeah.
Over 200 cases in the pipeline. When it was PECR and the old Directive, we could sort of get away with the PECR jurisdiction aspect, but now that the Directive has been replaced by GDPR, that's got a bit washed out, and now that we're going to be out of Europe at the end of the transition period, national regulators are going to want to protect their own citizens. I mean, France, on the 7th of December, came out with two big enforcements on Google and Amazon. I think definitely, I agree with you that national regulators are going to take this on, and we've made our own bed on that side, so that will be a very interesting bit. And in terms of the ePrivacy Directive thinking on that, there's a nice one about how your data map... a lot of people, we all talk about GDPR, and I always give the example of an elephant: GDPR is most of the elephant of data protection law, and like one big back leg is the ePrivacy Directive and the trunk is the national law. But a lot of people just focus on the GDPR, and these data maps do need to be broader, even within the privacy area. So that's a really good point.

So we're coming up to 12 to 12:15, so I'd just like to say thank you very much indeed, both Tash and David. This has been a really fun, rapid run through data protection; we covered so much ground. This will be up on the Privacy Kitchen channel; everybody please share it, and they can come back and look at it later on as well. We'll see what happens after the 31st of December; we'll find out soon. Thank you very much, guys.

Thanks, guys, bye.

Cheers.