Since developing my WordPress plugin, All-in-One GDPR, it has become increasingly clear to me that many clients do not know what data they currently hold or whether that data was collected legally under GDPR. At present, businesses have no structured method to work out which data falls under GDPR and how to handle it appropriately. To address this, I have created the GDPR Data Map, a self-assessment template that gives you a clear understanding of exactly what data your organisation holds and how that data moves through your organisation.

DOWNLOAD HERE

Since GDPR does not come into full effect until May 25th, your organisation’s GDPR transformation can be iterative. This template has been specifically designed so that you can use it multiple times as you make incremental changes to your business (see the version field); this minimises disruption and allows you to test different processes. For example, you may want to A/B test different designs of permission request pages if your clients’ personal data is mission critical. I also highly recommend that you take photos of or scan this document each time you use the template. This constitutes documented decision making, as advised by the GDPR.

Read more: ico.org.uk

See Article 30

Source

In the first column, titled ‘Source’, write down each source of personal data entering your organisation. This could be a contact form on your website or an email marketing list from an external third party. Remember that if the source is not directly the data subject (for example, an email marketing list), you must ensure that the list was collected legally. When in doubt, always refer to the third party’s T&Cs and privacy policy.

Personal Data

The personal data column is for describing exactly what types of personal data you are collecting. It’s important to go into as much detail as possible. PII could be any of the following: physical address, phone number, email address, IP address, health information, criminal records, place of work, etc.

Read more: ico.org.uk

See Article 4

Reason

In the reason column, justify your reasons for collecting this data. Explain exactly how and why collecting this data is necessary for the organisation. For the avoidance of doubt, every entry in this column should start with “We need this data because…”.

Handling

In the handling column, explain where the data will be stored. Data storage can be physical (printed documents), local (a computer owned by the organisation) or remote (in the cloud: Google Drive, AWS S3, a CRM). Explain who this data will be exposed to, both inside and outside your organisation. If you are a data processor, detail how and what processing you will be doing. Also list all the security measures you have in place to protect the data.

Disposal

The Disposal column is for explaining how and when your organisation will dispose of the PII. All personal data should be deleted after a specified period of time, but special situations and events, such as a user deleting their account, may also require that user’s data to be disposed of.