How to motivate your company to conduct a GDPR data mapping exercise

Over the past few years, most European companies have taken steps and made critical investments in response to the increased data protection compliance requirements, as part of which data inventory and GDPR data mapping are key milestones.

The requirements of GDPR data mapping

According to the requirements of GDPR Article 30, in order to create a data inventory, each controller, processor and, where applicable, and the representatives acting on their behalf, shall maintain records of the processing activities under their responsibility.

These records shall contain a description of the categories of the people whose data is being processed, the categories of personal data, the purposes of the processing, categories of recipients, recipients in third countries, data retention periods and a general overview of technical and organisational security measures that are in place to protect the personal data. In view of this requirement, what justifications can a data protection officer or a privacy project manager provide to encourage various stakeholders across different departments to participate actively and support this complex but important journey?

Encouraging stakeholders to carry out GDPR data mapping exercises

Data protection and information security professionals should always have a solid business case to support their ongoing activities when they recruit internal support. Here is a list of business justifications to privacy compliance, which you should communicate to internal stakeholders to encourage support of the internal GDPR data mapping exercise:

• Supports compliance with relevant laws and regulations, and reduces the risks of prosecution and fines. While regulatory compliance risk should be treated as any other risk on company’s risk register, in terms of analysis and evaluation, it’s hard to imagine that any reasonable management will be tolerant to the risk of up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the company, fines under the GDPR’s article 83.
• Protects the company’s reputation and promotes a competitive advantage. As numerous service providers compete over few business opportunities, the company’s reputation and goodwill serves as an important factor and many customers and partners are required to vet suppliers’ compliance as part of their own compliance exercises. Therefore, your compliance with data protection regulatory requirements, including a comprehensive GDPR data mapping register, may attract prospective customers, and business opportunities, and assist with gaining preferred supplier status, thereby gaining an advantage in tenders. This is achieved by showing appropriate business conduct, which in turn drives trust and credibility.

There are different trust demonstration strategies between large and small companies; larger players demonstrate credibility through a long legacy of business conduct and well established position in the market. Smaller organisations can generate trust by demonstrating compliance with data protection best practices and due care for customers’ natural rights and freedoms, as indicators of company’s business values and of a credible and fair business etiquette.

• Saves company’s valuable time and effort in handling customers’ requests. The GDPR sets forth a baseline for a data protection service level, including specific KPIs for organisations to follow, while addressing their customers’ requests for information. Considering the fact that clients’ awareness regarding their natural rights and freedoms, driven from the new laws and regulations, is on a rise, B2C organisations in particular should be prepared for rainy days, in which they may be flooded with numerous data subjects’ requests for information simultaneously. Therefore, it is recommended for companies to introduce a process in which customers’ data will be mapped and whenever customers will address the company with any request for information about data processing, these requests will be processed according to an easy to follow internal procedure.
• Saves costs through reduction of data assets and data loss incidents impacts. A GDPR data mapping exercise can save a great deal of cost, by gaining oversight and control over one of the company’s key assets – its data. Many companies have discovered unnecessary information assets redundancies, obsolete IT contractual agreements, poor data governance and more through the comprehensive data journey. These companies were then able to cut costs significantly. In addition, data inventory and mapping decreases potential risks of data loss in the event of a security breach, as they allow an easy detection of risks and immediate protection of the most valuable locations.