Data Inventories and Data Maps: The Cornerstone to GDPR Compliance

Spirion
28 Aug 2017 · 56:37

Summary

TL;DR: This webinar transcript focuses on the General Data Protection Regulation (GDPR), emphasizing the importance of data mapping and a data inventory for compliance. It contrasts the registration burden under the earlier Data Protection Directive with the GDPR's replacement of that burden by record-keeping obligations. The script highlights the necessity of maintaining detailed records of processing activities, and shows how those records support data subject rights, third-party vendor management, and information security. It also underscores the importance of appointing Data Protection Officers (DPOs) and of leveraging the data inventory for breach notifications and data subject access requests.

Takeaways

  • 📊 Data mapping and classification are crucial for meeting GDPR requirements; automated discovery and classification replace slow, error-prone manual surveys of where personal data lives.
  • 🔄 Under the Data Protection Directive, controllers had to register with each member state, a process that was tedious, time-consuming, and costly.
  • 🆕 GDPR has streamlined the process by eliminating the need for controllers to register with individual member states, centralizing the requirements.
  • 📋 Controllers and processors are now required to maintain records of processing activities, as outlined in Article 30 of the GDPR.
  • 🔍 Data inventory involves identifying specific data fields, data subjects, recipients, data transfers outside the EU, and the mechanisms for data transfer.
  • 🏢 The data inventory should include the application owner, technical and business aspects, and relevant security measures to ensure data protection.
  • 🤔 Challenges in building a data inventory include defining the scope of personal data, which can be broader than initially thought, including online identifiers.
  • 🔑 Special categories of personal data, such as health information or religious beliefs, require extra attention and protection under GDPR.
  • 🛡 Data discovery and classification tools can assist in identifying and managing personal data across an organization, supporting compliance with GDPR.
  • 📝 Data inventory serves as a foundation for responding to data subject access requests (DSARs), managing third-party vendors, ensuring information security, and facilitating breach notifications.
  • ⏱ GDPR (Article 33) requires breach notification to the supervisory authority within 72 hours of becoming aware of the breach, where feasible, unless the breach is unlikely to result in a risk to individuals; an up-to-date, accessible data inventory is what makes scoping a breach inside that window realistic.

Q & A

  • What is the main focus of the webinar presented by Scott Giordano?

    -The webinar focuses on the General Data Protection Regulation (GDPR) requirements around data mapping and how data discovery and classification can help organizations meet these requirements more efficiently than manual processes.

  • What was the previous process for data controllers under the Data Protection Directive?

    -Under the Data Protection Directive, data controllers were required to register with every member state's Data Protection Authority (DPA), which involved answering numerous questions about data processing, and this process was described as tedious, time-consuming, and expensive.

  • How does GDPR change the registration requirements for data controllers?

    -GDPR eliminates the need for data controllers to register with individual DPAs. Instead, it requires controllers and processors to maintain records of processing activities, as outlined in Article 30 of the regulation.

  • What are some examples of applications that might be included in a data inventory?

    -Examples of applications that might be included in a data inventory are HR systems like 'Employee Central', CRM systems like 'Sell Me Stuff', and expense report systems like 'Reimburse Me'.

  • What are the challenges in building a data inventory for GDPR compliance?

    -Challenges in building a data inventory include identifying what data is in scope, understanding the wide definition of personal data under GDPR, including online identifiers, and finding all the data fields that are being captured by various applications and processes.

  • What is considered as 'personal data' under GDPR?

    -Under GDPR, 'personal data' is broadly defined and includes any information relating to an identified or identifiable natural person. This can range from obvious data like names and addresses to more nebulous identifiers like IP addresses, cookies, and other online identifiers.

  • What is the importance of maintaining a data inventory for GDPR compliance?

    -Maintaining a data inventory is crucial for GDPR compliance as it helps organizations understand what personal data they hold, where it comes from, who has access to it, how it is protected, and how it is shared or transferred, which is essential for responding to data subject requests and potential data breaches.

  • What are the implications of GDPR for third-party vendors or processors of data?

    -GDPR places direct obligations on third-party vendors acting as processors (Article 28), rather than leaving them bound only by the controller's contract. They must maintain their own records of processing activities, delete or return all personal data at the end of processing, and provide the information necessary to demonstrate compliance with their GDPR obligations.

  • What is the 'Right to be Forgotten' under GDPR?

    -The 'Right to be Forgotten' (right to erasure, Article 17) allows data subjects to request the erasure of their personal data, for example when it is no longer necessary for the purpose for which it was collected or processed. Organizations must comply, subject to the exceptions in Article 17(3), such as retention required by a legal obligation or for legal claims; the data inventory is what tells them where the data to erase actually lives.

  • How does GDPR affect data breach notification requirements?

    -GDPR (Article 33) requires organizations to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to individuals; where the risk is high, affected data subjects must be informed as well (Article 34). This is a significant change from the Directive, which had no general breach notification duty, and it highlights the importance of a robust data inventory for quickly identifying the affected systems, data fields and data subjects.

  • What role does a Data Protection Officer (DPO) play in an organization's GDPR compliance?

    -A Data Protection Officer (DPO) plays a critical role in an organization's GDPR compliance by overseeing and informing the organization's data protection strategy and measures, interacting with supervisory authorities, and ensuring that the organization's data privacy program is effectively managed.


Related Tags: GDPR Compliance, Data Protection, Webinar Insights, Data Mapping, Privacy Regulations, Data Management, Security Measures, Record-Keeping, Data Controllers, EU Law