This informal CPD article on process analysis was provided by Vox Securitas, experts in Cyber Security who enable businesses to be Cyber Essentials and IASME Governance Self Certified.
The GDPR has been law in the UK and EU for over a year now, and one of the key elements of maintaining compliance with it has been missed by many organisations. This is possibly down to a lack of understanding or training on some of the lesser known requirements of the law and what they practically require organisations to do. One of the key requirements that is not being followed is keeping a good record of the personal data being processed. A recent example of this is that the ICO audited the Legal Ombudsman and found they were not keeping accurate records of the information they were responsible for.
Conducting a data mapping exercise, and then using it to document your organisation's flows of data in a Process Analysis Register, is a useful practice in data management: it generates a record of the personal data that is processed and where it goes. It is not just another admin task to ‘fluff out’ the GDPR compliance process but an essential project to identify where there could be privacy risks and data leaks. There is now a clear responsibility on businesses to proactively protect the data they hold, and this includes being aware of any potential risks.
What does the GDPR say about this?
Article 30 of the GDPR states that organisations must maintain a record of processing activities. The record must contain the following information: the purposes of the processing; a description of the categories of data subject and categories of personal data; the categories of any recipients of that data; whether it is transferred to other countries and, if so, which ones; the length of time the data will be retained for; and, where possible, a general description of how the data is kept secure (the technical and organisational security measures). Note that the obligation applies to processors as well as controllers, and that the exemption for organisations with fewer than 250 employees does not apply where the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data or criminal conviction data, so most organisations will still need to keep the record.
This should all be recorded in an organisation's Information Asset Register and Process Register, and the detail for both can be gathered by doing a data mapping exercise.
Where do you start?
You can’t protect personal data if you don’t know what it is, where it is and how it is managed. Furthermore, if you don’t know where to look for weaknesses in your data infrastructure, how will you find and deal with them?
A good place to start with your data mapping exercise is to gather key stakeholders and heads of department to identify what data they hold and how they process it. This could include:
- Data Protection Officer (if applicable)
- Members of the senior management team
- Information Security Officer
- HR Manager
- Operations Manager
- Finance Manager
It is recommended that the exercise is ultimately handled by a person or team appointed to handle GDPR related projects, whether that is an internal appointment or external consultants. After conducting the exercise, they will need to use their specific knowledge and expertise to analyse the information collected against the regulation and make recommendations to improve compliance, which is the end goal.
We hope this article was helpful. For more information from Vox Securitas, please visit their CPD Member Directory page. Alternatively please visit the CPD Industry Hubs for more CPD articles, courses and events relevant to your Continuing Professional Development requirements.