Countdown to GDPR: How Will the GDPR Affect Information Management?


The European Union (EU) General Data Protection Regulation (GDPR) is far reaching – and fast approaching, with the regulation becoming enforceable on May 25, 2018.  Some businesses have been preparing for many months, while others are trying to catch up.

In BDO Global’s whitepaper, “The Intrinsic Value of Ensuring Data Privacy,” there are several key points to help businesses determine the impact of the GDPR on their organizations.  A key point of discussion is Article 32 (security of processing), which requires technical and organizational measures appropriate to the risk of the processing, together with Article 30, which requires controllers and processors to maintain a record of their processing activities involving EU personal data.  An organization cannot judge whether its security measures are appropriate to the risk until it knows what personal data it holds, where, and why; to meet these requirements, businesses are creating or updating data maps, application inventories, and process flow diagrams to better understand their data landscape, and are building the Article 30 record of processing activities (the data register) on top of that documentation.

A data map documents the attributes of the data and information an organization owns: what is held, where it resides, who owns it, who can access it, and how it flows between systems.  Data maps can have varying levels of technical detail, depending on how they are used.  In addition to being valuable in preparation for the GDPR, data maps also help with overall information governance by better preparing the organization for litigation, e-discovery, and cybersecurity incidents.  While several tools are available to accelerate data mapping, businesses often start by gathering knowledgeable professionals in a conference room and documenting systems and their relationships on a whiteboard.  This information typically ends up in a Microsoft Visio diagram, with details captured in a Microsoft Excel spreadsheet or Microsoft Access database if a commercial solution is not in scope.

Application inventories are also helpful for determining where sensitive data is stored within the organization.  Software Asset Management (SAM) solutions, help desk ticketing systems, contract management systems, and other applications can be used to accelerate the identification of applications in use.  The whitepaper also highlights the mandatory data-breach notification requirements: under Article 33, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and under Article 34 affected individuals must be notified when the breach is likely to result in a high risk to them.  Those deadlines leave little time for discovery work.  Having current and accurate data maps and application inventories lets a business quickly identify which systems and data subjects a breach touched and frame the resulting notification obligations.
 
The right to be forgotten (the right to erasure under Article 17), which allows individuals to request that their personal data be erased, can be challenging for businesses to implement effectively: a request can only be honored if the organization knows every system, backup, and third party holding the data, and which of them is in scope for erasure.  Process flow diagrams are therefore a key piece of GDPR documentation.  Not only does up-to-date documentation help operationalize the right to be forgotten, it also supports the right of access (Article 15) and the right to rectification (Article 16), both of which depend on locating every copy of an individual’s data.
 
If your business does not have current documentation, that is a good place to start your GDPR compliance journey: it supports the security measures required by Article 32 and provides the input for the record of processing activities required by Article 30.  By understanding where data resides, who has access to it, and what data is eligible for defensible deletion, businesses can begin to use information governance as a competitive advantage.  Forward-thinking organizations are breaking down internal barriers by sharing information, partnering rather than competing, and identifying synergies across stakeholders in legal, risk and compliance, IT, and line-of-business leadership to address the GDPR requirements effectively.  Businesses are using the GDPR as an opportunity to build or, in some cases, re-establish information governance programs.  The GDPR deadline is driving much of this activity, with the expectation that this is not a one-time, “check the box” project but a paradigm shift in how organizations view and manage their data.
