GDPR Food for Thought: Data Mapping

Miles & Stockbridge P.C.

The EU General Data Protection Regulation (GDPR) took effect on May 25, 2018. The maximum fine for the most serious violations is the greater of 4 percent of an organization's total worldwide annual turnover (revenue, not profit) for the preceding financial year or €20 million (roughly $23 million). Despite the risks of failing to meet GDPR standards, many companies are still working towards compliance.

If you are among this group, it is critical to not give up but, rather, to focus on actively continuing efforts to achieve (and maintain) compliance.

In our next entry in a series of GDPR compliance action items, we look at data mapping.

Rights of Data Subjects to their Personal Data: GDPR expands the rights of data subjects to obtain information on whether, and how, their personal data is collected and processed. Data subjects also have the right to obtain a copy of their data (the right of access) and the right to erasure (the “right to be forgotten”), under which the organization holding the data must delete it, subject to the exceptions the GDPR specifies. None of these rights can be honored by an organization that does not know where the data resides.

GDPR Impact: Under GDPR, you are responsible for knowing what personal data you collect or receive, the purposes for which the data is used, and where it resides (both within your organization and with third parties to whom you have transferred it). Remember that GDPR applies to personal data however it is collected: through websites, through other channels such as mobile applications, and through offline or paper channels. Data mapping is a critical step in meeting these obligations.

What is Data Mapping?: Data mapping is the process of developing an inventory detailing all personal data collected and/or received by your organization, where this data comes from, where it goes (internally and externally), who has access to it, how it is used, and where it is stored. Remember that data often flows in multiple directions and without conscious intent or realization. For example, a single email order from a customer might contain a host of personal information: name, phone number, home address, payment card details, and so on. This email might be touched by the sales representative processing the order, a billing representative processing the credit card information, a support team member registering the account, and a data analyst processing survey data or website information that includes the customer’s account information. Each of these touch points involves a different storage location, including paper. Some of these touch points likely also involve a transfer of data to a third-party processor, such as the shipper delivering the goods to the customer.

Potential Actions:

  • Review existing business operations and data collection needs and practices for GDPR applicability.
  • Initiate a data collection inventory, including an internal survey of processes in all organization departments.  (You might also consider using an automated classification tool to facilitate this process.)
  • Once complete, analyze your data collection practices to determine whether your inventory includes any collection or retention that lacks a lawful basis or otherwise exceeds what GDPR permits.
  • Consider whether your organization actually needs to collect and retain all of the data currently captured. GDPR’s data minimization principle requires that personal data be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
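The inventory described above has to answer concrete questions: where does a given data element reside (for an access or erasure request), which external processors receive what, and which stores hold data with no documented purpose or retention rule. The following Python sketch is an added example, not code from the original post or from the firm; it models a small data map as a set of stores linked by flows and answers those questions. The email-order scenario above is reproduced as constructed sample data, and every system and processor name in it (for example "Shipping Co. (hypothetical)") is invented for illustration.

```python
"""Toy personal-data inventory (a 'data map') and the questions it must answer.
Added illustration; all store names, teams and processors below are hypothetical."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Store:
    """One place personal data lands: a system, mailbox, spreadsheet or paper file."""
    name: str
    holder: str                      # internal team or external processor controlling it
    elements: FrozenSet[str]         # personal-data elements held there
    purpose: str                     # documented purpose of processing ("" = none recorded)
    third_party: bool = False        # True if the holder is an external processor
    retention_days: Optional[int] = None  # None = no retention rule recorded


class DataMap:
    def __init__(self) -> None:
        self.stores: Dict[str, Store] = {}
        self.flows: Dict[str, Set[str]] = {}  # store name -> downstream store names

    def add_store(self, store: Store) -> None:
        self.stores[store.name] = store
        self.flows.setdefault(store.name, set())

    def add_flow(self, src: str, dst: str) -> None:
        # A flow to or from an unmapped store is a gap in the inventory; refuse it
        # rather than silently inventing a store.
        if src not in self.stores or dst not in self.stores:
            raise KeyError(f"flow {src} -> {dst} references an unmapped store")
        self.flows[src].add(dst)

    def downstream(self, start: str) -> Set[str]:
        """Every store that data entering `start` can reach (breadth-first over flows)."""
        seen: Set[str] = set()
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in self.flows.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def locations_of(self, element: str) -> Set[str]:
        """Access/erasure support: every store holding this data element, paper included."""
        return {s.name for s in self.stores.values() if element in s.elements}

    def third_party_transfers(self) -> Dict[str, FrozenSet[str]]:
        """Which external processors receive which elements."""
        return {s.holder: s.elements for s in self.stores.values() if s.third_party}

    def minimisation_findings(self) -> List[str]:
        """Stores holding data with no recorded purpose or no retention period."""
        findings: List[str] = []
        for s in self.stores.values():
            if not s.purpose:
                findings.append(f"{s.name}: no documented purpose for {sorted(s.elements)}")
            if s.retention_days is None:
                findings.append(f"{s.name}: no retention period recorded")
        return findings


def build_sample_map() -> DataMap:
    """Constructed sample: the single email order from the text and its touch points."""
    m = DataMap()
    ident = {"name", "phone", "address", "email", "card_number"}
    m.add_store(Store("email_inbox", "sales", frozenset(ident), "order intake", retention_days=365))
    m.add_store(Store("billing_system", "billing", frozenset({"name", "card_number"}),
                      "payment processing", retention_days=2555))
    m.add_store(Store("support_crm", "support", frozenset({"name", "email", "phone", "address"}),
                      "account registration", retention_days=730))
    # Analyst copy with no documented purpose and no retention rule: two findings.
    m.add_store(Store("analytics_warehouse", "data analytics", frozenset({"name", "email"}), ""))
    # Printed order form kept in a cabinet: paper is still a store.
    m.add_store(Store("paper_order_file", "sales", frozenset({"name", "address", "card_number"}),
                      "order fulfilment"))
    m.add_store(Store("shipper_portal", "Shipping Co. (hypothetical)",
                      frozenset({"name", "address", "phone"}), "delivery",
                      third_party=True, retention_days=90))
    for dst in ("billing_system", "support_crm", "paper_order_file"):
        m.add_flow("email_inbox", dst)
    m.add_flow("support_crm", "analytics_warehouse")
    m.add_flow("billing_system", "shipper_portal")
    return m


if __name__ == "__main__":
    m = build_sample_map()
    print("reachable from email_inbox:", sorted(m.downstream("email_inbox")))
    print("card_number resides in:", sorted(m.locations_of("card_number")))
    print("third-party transfers:", m.third_party_transfers())
    for f in m.minimisation_findings():
        print("finding:", f)
```

Two points the output makes that the prose only asserts: the card number turns up in the paper file as well as the two systems, so an erasure request cannot be satisfied by touching databases alone, and the analytics copy is flagged twice because nobody recorded why it exists or how long it is kept.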

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising
