GDPR is the new data protection legislation which comes into effect across the EU on 25 May 2018. Most of the recent discussion around this event centres on the potential downsides for organisations, including the much-touted maximum fines of 4% of global annual turnover or 20m Euros for non-compliance.
This series of blog posts takes a different view and looks at the benefits to be gained by businesses which approach GDPR as an opportunity to review their business processes and enhance their relationships with their most important customers.
In this post we will look at the first stage of your GDPR journey: the data audit.
The data audit is the first step recommended by the ICO in the UK (after raising awareness within your organisation). From the data protection perspective, the objective is to understand what personal data you hold, where it came from and who you share it with. But there are so many opportunities to get more value for your business from the audit.
The audit will need to look at data held in all forms (including paper records) across all departments in your organisation. You might well find that some data is duplicated in multiple places, leading to the possibility of inconsistency and contradiction. This gives you an opportunity to improve the quality of the data used across the organisation by:
- Merging data from multiple sources into a single location
- Resolving inconsistencies
- Making the merged data available to all relevant users.
You don’t need to limit the audit to only personal data (data which identifies an individual). It is often natural and beneficial to include related data about organisations such as media (websites, social media), contractual, technical, and legal information.
As you review and consolidate data, you can give each item of data a business value score to guide later decisions on how to deal with it. Factors which might feed into the score include:
- When did you last hear from this customer?
- How many purchases did they make?
- What was the total value of purchases?
- Over what time period?
Dependent Business Processes
As you review how personal data is used in your business processes, you can question whether the personal data is truly essential to the process. There may be opportunities to amend processes to remove the need for some personal data. Ultimately, you may be able to remove the need for some data completely, thereby reducing the data protection compliance cost.
In our next blog post, we will look at the various legal bases for processing personal data and how those can affect the cost of retaining that data.