Episode 2: What information do you hold?
In our previous article on the GDPR we discussed the need to ensure that decision makers and key people within a company were informed about the GDPR and the impact that it will have upon the company. In this next article, we move on to talk about the second step you should take on your road to becoming GDPR compliant.
The new General Data Protection Regulations have been written such that they are both mandatory and demonstrable. You must comply with the legislation and ensure that you can demonstrate compliance.
The controller shall be responsible for, and be able to demonstrate compliance […] GDPR Article 5 paragraph
Both the European Union and the UK Information Commissioner's Office have stated that it will not be acceptable for companies to feign compliance and wait for the Information Commissioner to audit them and point out areas of non-compliance.
This means that you should maintain detailed documentation of each step you undertake as you progress along the road to GDPR compliance. These documents will form the evidence of your compliance, so the documentation that you produce needs to be:
- Comprehensive and complete
- In line with the GDPR and answering the various points within it
- Applicable to your organisation rather than a generic template
- Standardised, version controlled and including a version history
- Moved through a lifecycle (draft, approved, superseded)
- Structured and managed so as to avoid duplication and facilitate easier updating
The initial ‘foundation’ document you will need to produce is your information audit. The GDPR states that you should be aware of all the personal data that you hold, how it was gathered and for what purpose, where it is stored, and what it is used for. In order to gather that information there are some key questions you may want to ask:
- What personal data do you collect and how is it collected?
- Who is accountable for it after it is collected?
- Where are the storage / filing systems that hold the data located?
- Who has access to the personal data?
- Is the personal data disclosed or shared with anyone and by what means?
- Does the system interface or transfer data to another system?
Companies that use SAP can use SAP Information Steward to produce this data audit. SAP Information Steward profiles and analyses data, identifying data types and data quality issues. It also provides an end-to-end view of the flow of data across the whole system landscape, within both SAP and non-SAP systems.
An alternative for those companies that do not possess Information Steward is to create and populate a spreadsheet.
Regardless of the method you use for your audit you should also:
- Review any existing documentation / forms / IT architecture plans
- Facilitate data discovery workshops with departments
- Use brainstorming, whiteboards, post-it notes etc.
- Utilise questionnaires
In an SAP system, we should pay particular attention to our ECC, HCM, CRM, SRM and BI systems. We should also remember to analyse any custom Z tables as well as any standard SAP tables that have been enhanced.
The GDPR applies equally to all personal data regardless of the means of storage, processing or transmission. It is for this reason that your data audit needs to be rigorous, documented and evolving. As you progress on the road to compliance the foundation documentation you have produced will evolve and be updated.
The next episode (3) in our series will focus on how we communicate privacy information and the information we need to communicate.
PODCAST – Moving Towards GDPR Compliance with SAP Tools
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.