GDPR PRIVACY PROGRAM. WHERE TO START?


First step 

Starting a GDPR compliance project from scratch is a daunting task. As a project champion, you must do a lot of things, keep them all in mind, organise them, and do everything simultaneously. And the pace of change is exceedingly high: one day you map the processes, and the next day your marketing team decides to launch a new event and creates new data processing activities to advertise and manage it!

However, with a little bit of help and readiness to work quickly, it can be done. But the main question remains: where to start? 

We’d suggest having an internal audit. Start with a simple customer journey. Then look at each data processing point and ask yourself: will this department share data with anyone? Which data and what for? Who else, in turn, may receive the data from them? 

Use our blueprint to start.

Model blueprint 

Typically, your “-tech” business model will include the following data processing points: 

  1. Website: cookies, registration (log-in) forms, newsletter forms, chat widgets, etc.;
  2. Application: SDKs, databases storing the information from the website and the application, APIs, etc.; 
  3. Physical points of contact: CCTV, face control, paper forms, telephone conversations, wearable badges, etc.; 
  4. Employment: offer, social security, insurance, disciplinary investigations, access control; 
  5. Information security: access to clients’ profiles, use of clients’ personal data in out-of-office environments (e.g. pet projects), etc.; 
  6. Marketing: social media, mailing lists, cookies and analytics used, physical marketing (sending gifts, vouchers and coupons), testimonials to be placed on the websites, etc.; 
  7. Sales: cold and hot calls, bought contact databases, data of potential and current clients, etc.; 
  8. Software development: database settings (soft delete or hard delete), data request handling settings, privacy by design and by default settings, PETs embedded, etc.; 
  9. Legal and Finance: KYC procedures, AML procedures, handling of contracts and invoices, use of data for lawsuits and administrative proceedings, etc.; 
  10. Workplace: tools used to produce goods and provide services, cloud storage, messaging apps, tech support cards, AI tools, service providers and so on. 

Most companies will have these points of contact with personal data. Try documenting all the information discovered: you never know where the data ends up being stored. You’ll be surprised how many places of storage you’ll find! 

Stakeholders and responsible persons 

Raise the question with top management to receive authorisation, then go straight to the line managers and work from the bottom up and from the inside out. 

Imagine that your business is an analysis lab. Usually, it is the staff in the most junior positions who know the most about how data is actually collected. 

  1. We start with the booking of the visit. Who receives the information from the GP? How do they work with it and process it? 
  2. Then the patient comes to the lab. Who is responsible for receiving the registration form from the patient? What do they do next with the form? Is the form stored or is it destroyed? When and how? What system is used to store the information from the form? Who has access to the system? 
  3. The lab specialist works with the patient. Where does the lab employee type in the personal data? Do they know the name and other personal data? Do they use pseudonymisation of any kind? Can they take the printed patient profile home with them? Can they send a copy of the profile to their personal email? Is access to the profile logged in any way? 
  4. The patient receives the result of the analysis. Where is the result stored? How can the patient securely access it? What is the identification procedure, and which personal data is it relying on? 

This is only a handful of the steps and questions to be asked. Once you see this “external” part of the processing (from the client’s point of view), you should go deeper: how are your colleagues processing the data? Do they use personal messaging apps for work? Do they delete the emails with client data often enough? 

Engage the managers (and the managers of managers) to build up the picture level by level and learn of each stop on the data’s path through your company. Be as curious as you can, and you will find the rarest and most exotic data handling procedures, which may badly need intervention and a compliance review. It is better to spot the risk and mitigate it well before it can be considered a data breach. 

Monitoring and review

Once you document all the processes and get rid of excessive data collection, you’ll need to work out a review schedule and assign responsibilities. Ensure that you monitor the data protection laws being adopted, changed and repealed, and any new official guidelines being issued. 

Once the certification schemes are available, think of obtaining one. If your review system is operating smoothly, you’ll be able to get certified sooner and with fewer expenses. 

You may think of designating a data protection officer. If so, choose one with the necessary skills and experience to help keep track of the privacy program, the documents and notices published on the website and handed to clients, new approaches and best practices, and the requests of data subjects. 

And do not forget about the risk assessments: data protection impact assessment, privacy impact assessment, transfer impact assessment and legitimate interest assessment, to name only a few. When all your risks are documented and mitigation strategies are in place, you’ll be able to work on polishing the processes in detail, but beware: your company is changing every day, and you must be able to recognise a possible data protection risk and work proactively to address it. 