Storing and processing personal data and the GDPR
Every company is responsible for keeping track of the personal data they store and process.
So says Article 30 of the General Data Protection Regulation (GDPR).
Article 30
Records of processing activities:
1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
That means, as a DPO or compliance manager, you must know exactly what personal data your business stores about clients, leads, employees, past employees, etc.
And in this case, personal data is everything from social security numbers, health records, phone numbers, or even if an old employee appears in a photo from the company Christmas party.
That’s a lot of data.
Let’s look at what the GDPR says about storing personal data.
What are you required to document according to article 30 of the GDPR?
Whenever your business collects, stores, and processes personal data, you are responsible for this process being compliant with the GDPR.
If we focus specifically on article 30 of the GDPR, we find that data controllers (like you) must keep record of what personal data they process and why.
It’s important that you can document the following:
- Your business’ name and contact information.
- Why you process personal data (purpose)
- What type of personal data you process (categories).
- Who you share the data with (third parties).
- Where you transfer the data to (third countries).
Therefore, it is important that you know where your business stores personal data so it can easily be found, categorized, and accessed.
Name and contact details are easy enough.
But how do you find all the personal data you store across many different systems and platforms?
And what constitutes personal data?
What is personal data under the GDPR?
Personal data can be any information that can lead to the identification of a person.
Or any piece of information that can lead to the identification of a person when linked with another piece of information.
From the obvious:
- Name
- Phone number
- Address
- Social security number
- Images
To more sensitive personal information:
- Health records
- Religious views
- Sexual orientation
- Political viewpoints
To the more abstract:
- IP address
- Device ID
- Cookie ID
- Geolocation
- Profiling data
That’s a lot of different data and data categories that you can potentially hold about someone.
And when a person has been in contact with your business – as a customer, a lead, a partner, or perhaps an employee, it leaves behind a trail of personal data.
But how do you ever find all that information? Where do you even start looking?
Introducing Data Discovery.
What is data discovery?
Data discovery is a process that aims to find and categorize personal information across different systems and platforms.
It enables your business to build and manage records of personal data, so you always know exactly what data you store, where you store it, and why.
Data Discovery is also an important step forward in your compliance process and is fundamental to comply with article 30 of the GDPR.
Why is data discovery important?
Your business may have grown over the years. More and more data has been collected and stored on various systems.
It may be scattered across your mail programs, HR platforms, payroll systems, website, and other places.
You may use this data or not. You may have forgotten all about it. Or you may have placed it where no one ever looks.
By finding and classifying personal data, Data Discovery helps you and your business understand what kind of data you hold and process.
Especially when required by the GDPR (article 30).
But also, if you get a Data Subject Request or must perform a DPIA.
If you don’t know where your data is, it can be virtually impossible to respond to a Data Subject Request.
So where do you start with Data Discovery?
How to approach Data Discovery in your company
1. Discover personal data
First you must identify personal data across your systems. This data may be scattered across several platforms and programs.
Outlook, HubSpot, Teams, Gmail or any other documents where personal data is stored.
Identifying all this data can be a real hassle requiring many working hours and countless co-workers to chip in.
2. Categorize Personal Data
Now, when you have found personal data in your systems, it’s time to categorize it.
It’s important that you know:
- What type of data it is (category).
- What format it comes in.
- Where it is stored.
- The sensitivity of data (e.g., health records)
- Where it comes from (source).
It is much easier to work with personal data when it is properly categorized.
And of course, by finding this data, you are also much better equipped to carry out a Data Subject Request.
3. Manage Personal Data
When all personal data is labeled by category, format, source, and sensitivity, you can now manage possible violations of your GDPR compliance.
And it is necessary to keep track of all the data about customers, leads, employees, etc. that can be classified as personal data.
Not only because of article 30 of the GDPR (record of personal data).
But also because of article 5.1(c) (data minimization) which states that the processing of data must be relevant and limited to what is necessary to fulfill the purpose of the processing.
But how do you ever find all that information? Where do you even start looking?
Are you prepared to manually go through thousands of files and folders?
Automated data discovery
There are 2 ways in which you can discover personal data across your systems:
- Manually
Search through tons of spreadsheets and documents, lists and emails to find any information that can be categorized as personal information. Meticulously label every single piece of information by what it is and who it is connected to. All collected in a spreadsheet or document.
- Automated
Automation takes the workload off your hands. AI data mapping ensures that your personal data is found, categorized, and labeled. All data is then displayed in one central platform, and relevant employees are automatically notified if they can solve violations concerning them or the data, they are responsible for.
Cookie Information’s Automated Data Discovery
Cookie Information’s Data Discovery automatically locates and classifies files with personal data in your systems.
It connects your systems and platforms with one click and instantly discovers non-compliant data.
All found personal data is classified within its respective category using AI data mapping.
Yes! We use machine learning and AI to find and categorize personal data.
And that’s how you simplify your compliance workflows. Fast, cost-efficiently and securely.
Here’s what you get:
A solution that carries out the hard work by mapping and classifying personal data (so you don’t have to).
A compliance process that is comprehensive enough to meet your business compliance goals.
Never look manually through old emails, forgotten files and folders again. Let the machine do the hard work.
Let’s discover your personal data, so you can stay compliant with the GDPR!
Get Data Discovery
And never look for a single file manually again. Your company’s personal data will be found, categorized and displayed in one single platform so you can act on risks and violations.
