The GDPR requires controllers to keep a record of their processing activities (handling personal data).  Before the GDPR we were already aware of this concept in which a register had to be submitted to the CPP (Commission for the Protection of Privacy). However, let’s say it was a principle that was not always followed by many companies, or maybe at one point these processing activities were published but not kept up-to-date.  With the GDPR, you are no longer required to publish this register.

For those of you who are already cheering because you think you have found a way out… wait for it…

Because as of now you’re accountable. This is one of the most important words of the GDPR. Accountability means that while you no longer need to submit your register, you do need to have your own register, keep it up-to-date yourself – and it also needs to be available at any time. So don’t throw any previous versions into the recycling bin yet…

However, instead of seeing this is an administrative burden or a checkbox for your DPO to tick, let me try to explain why this is actually a good starting point for your data-driven strategy.

I will not go into full detail about all the elements that you need to record in your register of processing activities, so let’s start with the basics.  At the very least you need to be able to document which personal data is processed in your company, where it is stored, how it is secured or, where applicable, to whom the data is being transferred.  In short, you need to be able to answer the WHO, WHERE, WHAT, WHEN, WHY for all the personal data you store.

So, to all of you out there who have been dreaming of having a 360° view of your data, or those of you who keep saying that you don’t know what data is available where, or who say that they can’t see the wood for the trees… have you already made the link? The GDPR requires you to have this information at your fingertips! So why not have a talk with your DPO and ask him or her about how your company is dealing with this issue. And if your DPO has no answer, maybe this is the time to join forces and to view this request as a real business opportunity.

Some companies might already be more mature in this matter than others; but for anyone who runs away screaming when you ask them what data they own and where it is stored, don’t think this question is never going to be answered.

Start at the beginning: map your processes!  Once you have done that, for each step in the process, create a map to see whether you collect personal data and then track the data lifecycle throughout your processes.

Going one step further, if you take this map to your IT department you will be surprised to find them happy and willing to help you to fill the last gaps.  They will also be able to help you to identify where data is stored for each of your processes and how these data flows run through your back-end operations.

And in the end, you have the mapping that you need. OK, I will be honest: for large companies where data is embedded in the day-to-day business, this is not an exercise that is easily done.  But think about what you can also do with this documentation.

Within the GDPR roadmap it may provide the base for checking which processes are compliant and which need expanding further.  In addition, it will show you which data is transferred outside Europe and might require some additional attention. It also allows you to check for the rights of the data subjects if you do not have an automated solution, and it maps your processors in full.

But even beyond GDPR, have you thought about how this mapping could help your second line of defence in detecting all of the other kinds of issues that need to be mapped? Or, on the more business-driven side of things, what about using it as a platform for your data-driven strategy, or your MDM solution?

So, as you can see, there are plenty of reasons why this could be a beneficial step for many of your internal projects. And, honestly, don’t be afraid to start the exercise, it looks more complicated than it is in reality.