We all know that the GDPR deadline is just around the corner. Marketing teams should be well on their way to getting compliant by reconfirming opt-ins and updating conversion funnels and privacy policies. One area of the GDPR that is somewhat overlooked is the need to document data processes. Here, a Data Processing Inventory can help.
What is a Data Processing Inventory?
Put simply, it’s an overview of your organisation’s data processes under the headings of the GDPR.
A data process is anything your organisation does with data. For marketing and sales, some examples are:
- Lead data entering the business via an online form
- Upsell campaigns to existing customers via email
- Business development utilising LinkedIn
- Network building at events (receiving business cards)
Other processes in the business include:
- Handling of employee data for payroll
- Procurement processes and handling of supplier data
- New hire interview / CV processes
A data process inventory allows you to list each process individually in order to examine it for GDPR compliance.
Why do I need a Data Processing Inventory?
Article 30 of the GDPR speaks about the requirement for data controllers (that’s you controlling your lead, customer, employee, etc. data) to keep a record of all processing activity. Article 30 states that organisations with fewer than 250 employees might be exempt from this requirement unless processing might result in risks to their data subjects or when the processing is not occasional. There are no strict guidelines for what constitutes occasional, so it’s worth reviewing your processing in any case. In my opinion, there are very few businesses today that only process personal data occasionally. This means you likely need a format to list each data process which you can share with the Data Protection Authority in case of an audit or data breach.
A Data Processing Inventory should list each activity and outline for each:
- The name and contact details of the controller, representatives and the DPO if applicable
- The name and contact details of any processors or joint controllers
- The purpose of processing
- The legitimate basis for processing
- The category and type of data you are processing
- The members of your organisation who will have access to the data and their location
- Any data transfers to third countries
- The time limit that you will hold the data
- The security measures put in place to safeguard the data
You can read the full Article 30 here.
Why should sales & marketing do this?
Many still feel that managing and listing data processes should be handled by legal or IT. There are two reasons why sales & marketing teams need to document their activities themselves:
1. No other department understands your processes as well as you do
This actually is true for any department in your organisation. Just as sales & marketing might not be 100% clear on server locations or how CVs are stored, neither legal nor IT will fully understand your marketing funnels including lead generation, email nurture, customer marketing activity, business development actions, what tools you use for execution or monitoring, etc.
Organisations have to be clear on every single data process in order to be compliant. Vague statements or incomplete processes are not an option.
2. New marketing ideas
We’ve run a number of data processing inventory projects with clients. A nice side-effect for any marketer is getting a clear overview of dataflows and connections. This sparks new ideas for campaigns, content and nurture flows.
Why should a Data Processing Inventory be top of my to-do list?
Working on a data processing inventory should be top of your to-do list. By tackling this task today, you will get a “state of now” view. This allows you to fully understand how data enters, flows through and leaves your organisation.
The “state of now” will also show up any of the GDPR requirements that you might not be able to answer at this point or areas that you need to take action on before May 25th. At BusinessBrew, we use the data processing inventory to complete a full Gap and Risk Analysis on data processes to ensure our clients are fully compliant. You should be doing the same for your business.
In addition to the “state of now”, it is more than likely that you are required to document your processing activities. The format is up to you; however, you should adhere to Article 30 of the GDPR to be compliant.