Are you managing your privacy compliance with MS Office?
We, too, have been managing privacy compliance with traditional office tools: Excel spreadsheets, PowerPoints and Word documents. Unless you have tons of different templates and you are a guru at writing Excel macros, it is not going to work.
Back in 2015 there were not that many tools for privacy management, so we kind of needed to use Excel for PIA questionnaires, PowerPoint to draw data-flow charts and Word documents to create reports. However, these traditional tools (which are not built for privacy management, by the way) are the reason we decided to build a tool for our own work: for managing privacy programs and helping our staff participate in creating documentation.
The vast majority are managing it with Excel, shouldn’t we?
We hear this question quite often, and we know organisations have been married to Excel spreadsheets for a good twenty years to support business and run different operations. But believe me, Excel is made for spreadsheets. Yes, it has functions, but no, it does not contain functions to manage the different tasks of a privacy program.
Let me give you an example:
If you know what you are doing, Excel might be good for tracking the status of different privacy projects or even privacy requirements. But if you think managing privacy means downloading “a 100 dollar checklist to get you compliant” and marking everything as “OK”, I am sorry mate, but you have been misled.
If you ask any privacy consultant with a reasonable level of understanding, they will tell you that without fully understanding your personal data, you cannot manage privacy. This means that you have to understand (among many other things):
#1 What personal data you are collecting
#2 From which sources and from which persons you are getting it
#3 Why exactly you are collecting that information
#4 Where (in which systems, databases, USB sticks, drawers etc.) you store this information
#5 Who can access it and from which locations
#6 To whom it is disclosed and for what reason
Now to the real example
Let’s take a simple website as an example of data mapping. Like most websites, this one uses FB services to do remarketing, Google Analytics to analyse website traffic and some sort of CRM system to store the contact details of people ordering a newsletter.
I’ve seen a lot of website privacy notices telling that “all of the information will be stored in the EU and there will be no transfers to ‘third countries’”. But then, when I look at the data flows of that website, I (quite often) notice that the website contains trackers that send my information to servers located in the US, India or even Russia.
In this article I am not saying there is something bad with sending information to these countries (believe me, there are some issues, which I will be more than happy to share with you in the future). But seeing the above-mentioned scenario makes me wonder: 1) when did the USA, India or Russia join the EU, or 2) could it be that these guys just ‘don’t know their personal data’?
Anyways, data-flows of a simple website could look something like this:
First, you identify the data subjects (the persons whose personal data you are collecting). In this example we have a website visitor and a registered user (we usually use multiple categories, as it makes facilitating data subject requests a lot easier afterwards). Then you add IT systems, data storages, 3rd-party service providers and so on.
So having a nice picture will cover it?
No, I am not saying that, but a nice picture is a good starting point to assess the real compliance status of your website. We made our software visual because, when you show it to your staff, it is easier for them to see if something is missing, too much or something in between. Imagine mapping that website example to an Excel spreadsheet and showing that to your staff. Which one would they prefer?
From that image, you can already see 1) data subjects, 2) IT systems, databases and other storages and 3) 3rd parties. For example, Article 30 of the GDPR requires you to maintain so-called records of processing activities. One mandatory thing to be included in such records is the “purposes of processing”, which should answer the question “Why exactly are you collecting this information?”.
After you know that personal data is flowing to different places, you can start asking your staff why exactly you are doing so. Ask your online marketing manager why on earth data is going to Google or Facebook. And voilà, you have a good start for a list of ‘purposes of processing’.
The second thing you must include in the records of processing activities is the ‘transfers of personal data to third countries’. For example, this means all the situations where you 1) either store personal data on a server located outside the European Union or European Economic Area or 2) give someone access to your personal data from a location that is outside the EU or EEA.
Again, based on the image, you know that there are IT systems, databases and third-party organisations where personal data is flowing. Now you just need to ask your IT managers, database administrators or even your 3rd-party business partners “where on earth are these services located” and “who can access these services, and from where”. And again, now you have a list of ‘transfers to third countries’.
There are several other things you should be documenting, so always make sure your Excel files, or whatever method you are using, cover all the parts you need to create the mandatory records and have robust documentation behind them.
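The two derivations above (purposes of processing from the “why” answers, third-country transfers from hosting and access locations) can be expressed as checks over a small data map. The following is an added example, not code from the original post or from the author’s software; the flows for the website visitor and registered user are constructed sample data, and the EU/EEA country set is an assumption for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# EU/EEA member states as ISO 3166-1 alpha-2 codes (assumed list for this example).
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

@dataclass(frozen=True)
class Flow:
    """One edge of the data map: data subject -> IT system / storage / 3rd party."""
    data_subject: str                 # e.g. "website visitor"
    system: str                       # where the data ends up
    purpose: Optional[str]            # None = nobody has answered 'why' yet
    hosting_country: Optional[str]    # where the service stores the data
    access_countries: FrozenSet[str]  # from where staff or partners can access it

def purposes_of_processing(flows):
    """Article 30 'purposes of processing', grouped per data subject."""
    out = {}
    for f in flows:
        if f.purpose:
            out.setdefault(f.data_subject, set()).add(f.purpose)
    return out

def third_country_transfers(flows):
    """Flows stored outside the EU/EEA, or accessible from outside it (rule 1 and 2 above)."""
    transfers = []
    for f in flows:
        countries = {f.hosting_country} | set(f.access_countries)
        outside = sorted(c for c in countries if c and c not in EU_EEA)
        if outside:
            transfers.append((f.data_subject, f.system, outside))
    return transfers

def unanswered(flows):
    """Systems where the 'why' or 'where' question is still open: you don't know your data yet."""
    return [f.system for f in flows if f.purpose is None or f.hosting_country is None]

# Constructed data map for the simple website described in the text.
WEBSITE_FLOWS = [
    Flow("website visitor", "Facebook Pixel", "remarketing", "US", frozenset()),
    Flow("website visitor", "Google Analytics", "website traffic analysis", "US", frozenset()),
    Flow("registered user", "CRM", "newsletter delivery", "FI", frozenset({"FI", "IN"})),
    Flow("registered user", "Backup NAS", None, None, frozenset({"FI"})),  # nobody asked yet
]
```

Running the three functions over WEBSITE_FLOWS shows the CRM hosted in Finland still counting as a transfer because support staff access it from India, and the backup storage flagged as undocumented.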
Now imagine what other stuff you should be mapping
In real life, websites are not that simple. Usually they utilise tens or hundreds of third-party services. You can even have multiple websites: a few for marketing campaigns, a few for showcasing your products, etc. And in addition to websites, you have tons of business processes, CRM and HRM systems, email, employee messaging tools, just to name a few. In all of these examples you are processing personal data, thus you must know your data.
Imagine you are a large company documenting everything in Excel spreadsheets. We have seen organisations that have thousands of files just to hold the backup information needed to create the Article 30 records of processing activities.
BUT the question we ask these companies is: how do you keep everything up to date as your business is likely to launch new business initiatives? Unless they have made cool Excel macros that make those thousands of files communicate with each other, they will have some serious issues trying to keep everything up to date.
Just remember: data mapping is no rocket science, but without a proper tool it can be a nightmare to manage!