IAPP CIPM – Step by Step Customer Personal Data Analysis
Customer Scenario Description
Hi guys. In this lesson, I will describe one of my real customer scenarios, and during several lessons, I will present the way I have approached the first part of a GDPR project. You can find all the templates we will use in lesson number three as a downloadable resource in the introductory section. So, let me briefly describe the company and their goals. Sure, sure. Due to the confidentiality of the information, there is no real name involved here.
The company operates in the telecommunications industry and has headquarters in one European country as well as three subsidiaries in other European countries. I will analyse the example of the French subsidiary because it is the most interesting one. Why interesting? Because a lot of tools and processes are managed by the headquarters, so the data flows between these two countries. The subsidiary mostly has salespeople, engineers, and top management—in total, around 20 people—that try to replicate the business done at the headquarters at a lower scale using the company’s tools and intellectual property. Salespeople have regular meetings with clients and exchange business cards, but in terms of IT tools, they are quite ridiculous. The HR process is handled at headquarters. They do the first interviews online with an HR representative that works from the headquarters, and then finally, interviews are done on premises at the subsidiaries. They also collaborate with a number of third-party providers, including a company that generates pay stubs, which people can also visit at the subsidiary.
And there is a contract with a physical security company that includes video surveillance in the reception area. Interesting, right? If you remember, video surveillance is extremely sensitive in terms of GDPR. They lack specific IT security processes, do not use a datacenter, and have a very basic server room. Also, they have heard about GDPR, and they were wondering what they needed to do to be in compliance and also to better understand what data they processed, how, and why. So, what are your thoughts on GDPR gap assessments? I think there is no such thing now because the company is not doing anything in this direction. They are definitely not compliant. So what I first did was conduct interviews with all top managers and lines of business in order to understand their day-to-day work and then sketch their personal data analysis and processing forms with Excel sheets, Visio diagrams, and reports.
One of the most important things to do before starting work on any project is to set the correct expectations for what you will deliver. It’s not about GDPR, legal, or anything else. It’s about putting in writing and validating through both parties’ signatures what you will be paid for. People usually forget what they discussed months or weeks ago. As a result, you should always create documents with a solid foundation for what you will offer. So, returning to our scenario, the discussion was held with top management, and all simple details about location, network, and infrastructure are included in the project scope document. We will analyse what organisational units, processes, and services there are. In the beginning, you can see that from a legal standpoint, the scope covers not only GDPR but also country-specific legislation. In this example, that means France and the specifications delivered by the supervisory authority, the CNIL in this case, as well as labour regulations. Let’s see how we need to continue in the next lesson. That’s all for now.
Hi guys. In this lesson, I will explain how I filled out the Personal Data Analysis Form. I have started the project by interviewing top management and operational executives, trying to understand how they do their jobs and how they may interact with personal data. I am not using a specific questionnaire; I am building the questions based on their answers. You have to listen a lot in this part of the project. Do not provide any information; just try to listen. Nothing they do is good or bad in this moment before you do the proper analysis. As a result, make no recommendations at this time. Coming back to the document, it is important to decide which business processes can process personal data. Also, if the same business process handles multiple personal data items and there is any change in the columns related to the purpose, sensitivity, or consent, then each item should be treated separately. It’s not only those three columns; it can be any column. So, if you have a change, treat it separately in a new row. If the content you will fill in is the same for multiple personal data items (it can be one, two, or three), then bundle them in a single row.
You may see in rows number ten and eleven that the HR contracts signed between the company and the existing employees include name and salary as personal data. I have treated them separately because the name is actually obtained from the data subject itself through the personal ID. There is no consent needed for HR contracts, but processing clauses should be added to the contract. The first business process related to the sales or partnership relationship means that business cards exchanged and gathered from customers or prospective customers include personal data that will be kept and also used for different purposes by the sales team, including marketing or different announcements. This is not considered business data because if there is a contract between the two parties, the contract includes the CEO’s data, probably, or any person with signature power. Each and every employee’s data is considered personal data, even in the business environment. So care should be taken here, like where do you keep it? Is there any CRM in place? Is the CRM managed internationally? Where is the database, et cetera?
Going further, an interesting thing to mention related to the recruiting activities was the fact that the HR representative working at the headquarters receives resumes from an external agency and schedules interviews with candidates. Those CVs will always stay on an email server that is hosted at the headquarters, in a different country than the one people are applying in, which in this case is France. As a general rule, I am always trying to point out where legitimate interest could be taken into account, and I leave that responsibility to the customer because I tend to refuse to recommend something like that due to different laws, mismatches, or particularities in different countries. If you do not have a legal guide who is familiar with country-specific legislation, keep it as a point to be considered. Be aware of the video surveillance cameras and review the contract with the physical security company. This is considered sensitive information by GDPR, and you need to be aware of the storage and retention period. That’s all for this file. Examine all of the fields in here and here. If there is any question, do not hesitate to write in the Q&A area. See you in the following lesson.
Hi guys. In this lesson, I will explain how I filled out the Personal Data Flow Mapping template. The business reason for this file is to immediately identify which flows are internal and which external in order to analyse the respective controls applied or that need to be applied. As you can see, I have treated the same personal data items identified in the last lesson, grouping them in eight different categories. There are two columns, C and E, that may look similar, but their meaning is different. Column C, related to inflow and outflow, tries to understand if the data is going somewhere else, coming into the business area, or both. Column E decides whether the destination is within the organisation or is represented by an external third party.
Going further into the source and destination area, we are looking for the exact location and system that is going to process the data, and care should be taken if, as in our case, the database that powers the tool is hosted in a different country. As for the controls, the assessment notes what the company is already doing and makes various improvement recommendations. These are minimal requirements for GDPR compliance, but usually a standard like ISO 27001 will look for more than that. The file looks simple enough, but it is one of the key components of a GDPR assessment that a DPO will use to improve company posture related to GDPR and cybersecurity in general. For larger companies, the file will be much more complex, treating all kinds of personal data involved in each and every business process available. Check out the two data flow and data mapping Visio diagrams as well. That’s all for now; see you in the next lesson.
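As an added illustration (not part of the course templates), the flow map described above can be screened programmatically for rows that need attention. The field names, the `HQ-country` placeholder and the sample rows are constructed for this example and only loosely follow the scenario.

```python
from dataclasses import dataclass

# Field names are assumptions for this example, not the template's real headers.
@dataclass
class Flow:
    data_item: str
    direction: str        # column C in the text: "in", "out" or "both"
    destination: str      # column E in the text: "internal" or "external"
    source_country: str
    dest_country: str
    controls: tuple = ()  # controls already recorded for the flow

# Constructed sample rows; "HQ-country" is a placeholder, the page names no country.
FLOWS = [
    Flow("candidate CVs", "in", "internal", "FR", "HQ-country",
         ("mailbox access control",)),
    Flow("timesheet Excel for payroll", "out", "external", "FR", "FR"),
    Flow("payslips", "in", "external", "FR", "FR", ("encrypted email",)),
    Flow("business card contacts", "both", "internal", "FR", "FR"),
    Flow("reception video footage", "out", "external", "FR", "FR", ("contract",)),
]

def review(flow):
    """Return the review points raised by one flow-map row."""
    points = []
    if flow.destination == "external":
        points.append("third party: check contract for data privacy clauses")
    if flow.source_country != flow.dest_country:
        points.append("cross-border: data leaves the country of origin")
    if flow.direction in ("out", "both") and not flow.controls:
        points.append("no control recorded on an outgoing flow")
    return points

def review_all(flows):
    """Map each data item to its review points, skipping rows with none."""
    return {f.data_item: pts for f in flows if (pts := review(f))}

if __name__ == "__main__":
    for item, pts in review_all(FLOWS).items():
        print(item)
        for p in pts:
            print("  -", p)
```

The unencrypted payroll spreadsheet is the only row that raises two points at once: it goes to a third party and has no control recorded.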
Hi guys. In this lesson, I will explain how I filled out the third-party processing provider form. This document is important because it sets out all the contracts, agreements, and legal requirements. You will then know what contracts need to include data privacy clauses because those companies will have subprocessor status. Every company that you at least send the name of your employee to will become a subprocessor automatically and needs to have proper control mechanisms in place to secure this data. You need to analyse how you actually send data, how you receive it, and what is happening in the meantime—where it is stored, why, and for how long. For all of these processes to occur in accordance with GDPR, working contracts should typically require user consent when employment is made. To give you an example, for this subsidiary, the operations manager had a simple Excel sheet with all people and the timeline of their work, vacation days, consultancy work, et cetera. Their business involved different payment methods based on the hours billed to their customers monthly.
The Excel sheet was prepared and sent to the pay slip company, which is a third party, by email. They never thought of sending this email encrypted in the first place, but they have requested that the pay slip company send the pay slips to employees in an encrypted form, still by email. Funny, right? Why not protect the initial communication involving the Excel sheet, which was practically the real basis of calculation for the pay slips? They were also allowing a “bring your own device” policy, leaving employees to actually use their phones for corporate data. That’s totally fine, but there was no procedure specifying how to protect that data and no investment in a simple MDM solution (mobile device management) that could provide a separation between corporate and personal data. What will happen when an employee leaves? They will leave with all customer details. That, by the way, is considered personal data that should have been protected by the company, right? These are all interesting scenarios that they have never thought about, and such a file identifying all the third parties will probably give you some ideas about how to better secure your personal data processing.
Hi guys. In this lesson, I will explain how I have created the project implementation plan that will point out to the company what will be done in the next step in order to continue with the GDPR adoption. As some of you may notice, the policies and procedures proposed will be aligned with ISO/IEC 27001, one of the most important standards in relation to an information security management system. The document also includes a short presentation of what has already been done, what documents were created and delivered, what laws were taken into consideration, including local laws in France, and what we expect as results from this project.
In order to solve the nonconformities identified during the assessment against the GDPR requirements and ensure efficient project planning and implementation, the company will use the corrective actions recommended in the assessment report document. As a result, the necessary technical and organisational measures will be implemented to eliminate the identified nonconformities in the areas of employment, recruiting, new personnel, third-party compliance, regulatory and contractual obligations toward clients, relationship with the mother company, incident management and breach notification, personal data security, and accountability. Now you can see why all the technical aspects presented in more detail through all my courses really make sense and will help you understand how a company can perform better and what recommendations to include in the reports. It is critical to set deadlines for team members, decide who will lead the project, and determine what the impact will be in terms of data subject rights, relationship with the parent company, data security, incident management, and accountability. I will let you take a closer look at the document and how this can be applied to your existing projects. See you in the following lesson.