The Information Flow Modelling requirement for meeting GDPR, Article 30 – Records of Processing Activities, is an opportunity to fully understand how the data and information your business captures, stores, processes and uses, impacts your ability to deliver your business outcomes. If you get this right, you will be well on the way to generating your Data Impact Assessment, facilitating your DPO and having the content needed for the supervisory authority when they ask. Definitions of terms associated with GDPR can be found here.
What GDPR requires
Article 30 – Record of processing activities requires the Data Controller to maintain a record of processing activities under its responsibility. That record needs to contain the following information:
– The purpose for which the data is being processed
– A description of the categories of data subjects and of the categories of personal data
– A list of recipients to whom the personal data have been disclosed
– A list of transfers of personal data to 3rd parties, including countries and international organisations
– Time limits for erasure of the data
– A general description of the security measures associated with the data referred to in Article 32(1)
– The same content from the perspective of the Data Processor, or Processor’s representative
– The record must be in writing, in an electronic form and must be made available to the supervisory authority on request.
There are many ways that you can approach this exercise and there are lots of examples of tools on the web. Search for “GDPR Information Mapping tools” to see for yourself. I am sure that any of these approaches could work for you, but will they drive the best possible value from the effort that you will put in to gather the information you need to create this record?
An Opportunity to Add Value
Consider the opportunity that exists inside an organisation if the data mapping exercise could be done in such a way to ensure that future consideration of the regulation against on-going change in your business, was simple to do. Let’s be clear – Article 30 is not a one-time thing – you have to be ready from the 25th May 2018 to provide this information when asked by the supervisory authority. That means your record of processing activities has to be aligned to the current state of your business. Being able to update and communicate your record as your business evolves should be a significant part of your decision making process for any tool you are going to procure in response to GDPR. Whether you plan to outsource your Data Protection Officer to a consultancy, or hire one yourself, your choice of tool will significantly impact your ability for that role to perform efficiently and keep you safe.
The financial impact of failing GDPR could be a big deal. UK-based telecom company, TalkTalk was fined a record £400,000 by the UK Information Commissioner’s Office (ICO) in 2016 for security failings that allowed cyber attackers to access customer data. Under GDPR, those fines could have shot up to more than £50 million. In total, UK company fines would have been £69m rather than £880,500. [Ref: https://www.theregister.co.uk/2017/04/28/ico_fines_post_gdpr_analysis/]
The Five Ws
The 5 W’s are a great way to understand how ready you are.
If you can’t answer those questions, or don’t know where to go to collate the information you need to be able to answer them, view GDPR Article 30 as an opportunity. If you consider other conversations that are going on at the moment, such as Infonomics, or the need for digital reinvention to prevent corporate collapse, GDPR represents the opportunity to do drive fundamental change within the business, for the very nature of answering the 5 W’s and documenting your data and information processing is the content you need to drive that change.
The requirement to meet Article 30 could be seen as the driver to start your GDPR compliance work. If understanding the data that you have so you can adequately understand where your Personal and Special Information resides in the business to ensure that you have the processes in place to manage it correctly, then answering the 5 W’s is a good start point. View this as simple approach to your Data Impact Assessment, from which the rest of your GDPR work will become evident.
The Value of LINQ
LINQ is an Information Flow Modelling tool first and foremost. It has been designed for this specific purpose and it does it well. It also allows you to value your data assets which in turn, values the areas of your business where activity takes place that drives your business outcomes. In other words, it allows you to document and value your data processes.
LINQ capture can be done at any level of detail. It can get you started quickly as you generalise data storage or the data you capture to make your business work. It is equally good at getting into the detail, allowing you to model the flow of specific data entities, or even records within data that hold personal or special information.
LINQ is visual, so you can see what you have. LINQ contextualises everything, so you see where it fits in the business. Most importantly, LINQ is easy to use so the task of staying up to date as your business evolves is painless.
We’ve put together a sketch here, using the LINQ Viewer to help visualise the journey towards gathering the content needed to answer the 5 W’s and how this enables Article 30 to be delivered for your business.
The LINQ language connects the Information in your business required to enable Actions to happen. People and Systems enable the flow of data and information through the business as business outcomes are delivered.
As we add GDPR specific context into our sketch, for example Consent (an Action performed by a Person), identifying Legitimate Use (an internal Action taken by the Marketing team perhaps), where Personal Information or Special Information is captured (Information captured, stored in a System and used in the business), Purpose, etc. we can pivot around any of this content to answer the questions required through Article 30. As the business changes as a result of any influence, the new operating model can be captured and assessed against the requirements of the regulation.
Our experience is offering proof that the LINQ visulaisation adds significant value over other methods of capturing this data such as Excel, using Visio sketches, digital or paper post-it notes. On our LINQ in Action page, you will find a sketch which shows how the LINQ language can be applied to the outcome required from Article 30. The natural extension of the language combined with the visualisation, dashboards and insights can provide you with a foot-up to GDPR and offer value in terms of Article 30 at the same time.
If you’re keen to understand more, you can book a demo of LINQ here and the team will be pleased to take you through the platform.