Data and Process Mapping
As part of our service model, when we assist clients in their GDPR compliance journey we focus on process mapping first, in order to flush out where the data exists in their businesses.
There’s a very good reason we do this: often we find that, by focusing on data, and usually digital data, there are a multitude of business processes that happen almost automatically that are completely overlooked.
It’s like when you drive a car – muscle memory and ingrained habit means that we operate a complex piece of machinery at speed on a road without consciously thinking about the majority of sequential actions we perform in order to do this; it’s simply an automatic process that we take for granted.
The same happens in businesses of every shape and size.
By focusing on all the different processes that happen on a daily basis in various parts and functions of a client’s company, we help ensure no process is left unaccounted for.
This means that it is less likely that personal data flows in the business fall between the cracks, only to surface further down the track and cause problems.
So, what does the mapping process look like?
Well, depending on our clients we can use a variety of methods, from using spreadsheets, project software, diagrams or post it notes and pens on a big blank wall.
Whatever works – ultimately, we aim to produce something that uses process flow diagrams, like this:
We then apply this all the different processes within the business, to produce maps for how the personal data flows through it, like this:
It’s fair to say that this is the first step to take for any business that wants to achieve compliance for the GDPR.
It is also the most painstaking and difficult part for many businesses, although once it’s underway there are many hidden benefits to mapping your business processes this way:
- Part and parcel of the whole ‘automatic’ way in which we operate everyday and mundane tasks is the fact that side processes and bypasses spring up;
- Discovering workarounds and non-compliant side processes helps weed out poor practices within the business;
- This also highlights areas for further training and awareness for our staff;
- Duplicate processes tend to show up, which can lead to immediate streamlining and increased productivity within the business;
- This has the added benefit of saving money – something every business likes to do!
- Conversely, it can also identify areas and tasks where new ways of working are needed to bring the business up to best practice levels.
All of these steps fall in line with the concept of best practice in how we collect and process people’s personal data under the new data protection laws.
No Time Like the Present
The deadline of 25th May 2018 is closer than you think! There aren’t many working days (not counting weekends and Bank Holidays) until the GDPR replaces the Data Protection Act 1998, and becomes enforceable.
If you are serious about ensuring your business is compliant with the new legislation – and you should be! – then we recommend you make a start on mapping your business processes today.