Knowing your data is widely recognised as one of the keystones of data protection.
I’m sure most of us recognise that knowing what personal data your organisation is holding, and what it’s being used for, is crucial. This was reinforced by GDPR with the requirement to create and maintain accurate records of processing activities.
However, in the real world where organisations process many types of data from various sources and for a wide range of different purposes, the practice of documenting your data flows can be far more tricky than grasping the principle.
Understanding where your data is located, across all your in-house systems and external solution providers, can prove quite a challenge, especially when you consider that your data landscape evolves continuously as you start new activities or take on new solution providers.
But if you don’t keep effective records showing where all your personal data is held, you may be hindered in your ability to:
- prevent or react effectively to a data breach, or
- respond compliantly to individual rights requests
Without accurate & up-to-date records, you could leave your organisation exposed.
Record of Processing Activities
Many organisations have already created their required RoPAs, with varying degrees of success. But many recognise there will be gaps in their ability to keep them up-to-date. It’s often a priority for organisations to ‘up their game’ in this area.
Data Discovery & Mapping
There are a number of approaches to data discovery and mapping for you to choose from. Some use data discovery technology solutions, others prefer face-to-face workshops / interviews with key stakeholders, or a combination of both. Which approach is best for your organisation?
We teamed up with Exterro for a webinar on 19th March 2020 – ‘Where is my data? – 5 Ways to improve your data discovery, mapping & compliance.’
DPN Deputy Chair & Senior Associate, Opt-4
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.