(EN) DataMapper - Process Plan (template)


Process plan (template) – for “COMPANY NAME” GDPR 

DATAMAPPER 

Content

1)      Use of DPO office resources efficiently

2)     Qualitative GDPR reviews rather than “testing for everything”

3)     Actionable outcomes of the reviews

Use of DPO office resources efficiently

Preparation

1)      Identify BU and team – for instance:

a)     “Company Name” Healthcare

b)     Marketing and sales teams

c)     3 users from each team

2)     Identify risks to focus on (see below)

3)     Prepare the teams that are being reviewed:

a)     What’s the plan?

b)     What are they going to do?

c)     Technical questionnaire

4)     Perform interviews with users

5)     Send a questionnaire/quiz for the users to fill in

6)     Install DataMapper on user’s computer - DPO office are admins

a)     Choose locations (emails and files)

b)     Scan

7)     DPO office to review the results matched with the key risk areas

If, for instance, the team is marketing, and customer data has been highlighted as something to focus on, you would look at this.

a)     Compare the users’ responses in the questionnaire/quiz – are there red flags? 

b)     Compare interview notes

c)     Review the DataMapper results and test with a couple of customer names to see where data resides

8)     Make an action plan based on the result – again with a focus on the key risks

a)     The action plan should be a template document used every time. We would suggest a scoring system with points – then you can compare teams and follow-up reviews.

Follow-up

a)     After 1 month – do a follow-up check where you run DataMapper to check the customer data

Qualitative GDPR reviews rather than “testing for everything”

These are just our immediate thoughts on key risks within certain teams – there are plenty more.

HR

a)     Applicants (CVs and applications) – F/HR/CV .//onedrive/folder/CV

b)     Former employees

c)     Employment agreements

Sales

a)     Customer data

b)     Former customers

c)     Contracts

d)     Data that are not “necessary”

Managers

a)     Applicants from HR

b)     Former employees

c)     Employee evaluations

Call centres

a)     Data that are not “necessary”

b)     Use of systems

Project teams

a)     Closed projects (M&A, procurement, business dev., legal etc.)

b)     Focus on e-mails 

c)     Use of data processors for projects

Actionable outcomes of the reviews

Day 0

a)     Preparation phase should be done 2 weeks prior to the review itself to prepare the teams properly. 

Day 14

a)     The review should be done within 1-2 days, and the results should be evaluated within 1 week from the review. The action plan should be ready here.

Day 45

a)     Follow-up review is made in 2 days.
