GDPR Ghostbusters Need Containment Tools

Aug 25, 2017 3:56:39 AM

It has been a while since I announced here that we will document our internal GDPR journey in this blog, which is why you might have forgotten about the Ghostbusters reference (quick refresher here). As a consolation for the long wait, we are offering a tangible freebie to everyone interested that will assist in your own GDPR journey (see below). 

The time that has passed – and this goes to all regulators out there who might read this – is not to be interpreted to mean that we have neglected our data compliance work. On the contrary. We were busy...really busy. First, we read GDPR, re-read GDPR and then read everything about GDPR. At least it started to feel like everything. We participated in webinars, went through whitepapers and took a deep dive and a long swim in the pool of more or less useful noise about GDPR on the Internet. 

The best article I found was in the Association of Corporate Counsel’s magazine “Docket”. It is an article by Axel Viaene, Group GC of GrandVision.[1]  One of his messages is that data protection is not a project to keep legal or IT busy but rather something that concerns everyone in the whole company. This is a point I couldn’t support more and which I am strongly advocating myself at Yerra and whenever I discuss GDPR with other legal professionals. I can draft the best policies and support procurement to select the most secure vendors, but if our own employees do not understand the delicacy and implications of their workflows in terms of data protection, I will soon be addressed in my function as Data Protection Officer (DPO) by management, data subjects or – maybe the worst – supervisory authorities.

However, we are not at that stage yet. Before our Ghostbusters can train the different business units within Yerra, we need to understand what it is they are actually doing with regard to data: Know your house -> Clean your house -> Invite the Queen. So, we stopped swimming, made some tea, unsubscribed from some newsletters and started acting. 

As we entered the assessment phase of our journey, we were looking for information from our internal process owners as well as our external service providers. We drafted and sent out questionnaires asking them to tell us:

  • what data they are processing;
  • how the data gets to them;
  • what they are doing with it;
  • why they are doing it;
  • where they keep it;
  • who has access; 
  • etc.


These questionnaires are ready and we are happy to share them with those of you who are interested. For your own assessments, they should give you a complete framework for what to ask internally and externally. As you become GDPR Ghostbusters, these are your Containment Units for identifying and containing your organization's data. Please feel free to download these documents here. As always, if you have any questions or comments, I am happy to discuss them, so please reach out! 

At Yerra, we sent them internally to Marketing, Recruitment, IT, Sales, Accounting, Human Resources and other business units, who all provided us with a lot of useful information. Externally, all our vendors' account managers also received a questionnaire. This leaves us with two immediate challenges that I can already foresee at this point in time: 

  1. How do we organize this information in-flow from internal and external sources to make sense out of it and identify the gaps that we might have regarding GDPR?
  2. What will our vendors come back with? Will it be useful and what if they refuse to provide us answers to the questions we have posed? 

Certainly, we lawyers cannot answer these questions in isolation. Doing this efficiently will require input from people with more technical understanding and imagination than I have. Technical input will not only increase efficiency but also ensure completeness of the assessment. If I don't know what is technically possible, I am likely to miss an important follow-up question and with that potentially overlook a risk. Also, I might try to solve an identified risk in a very inefficient way if I haven't talked to the geeks from IT, who might tell me that there is a simple shortcut to where I want to get.

In the meantime, I hope you find the Containment Unit useful, and I look forward to sharing our conclusions from the next steps in my next blog post. 

[1] See Axel Viaene, "How General Counsel Can Help the Company to be Successful in its Data Journey", ACC Docket, June 2017, pp. 55-62.