Congrats! You’ve gone through Step 1 in managing your GDPR project and have a good understanding about what you are doing.

You are going to be managing your GDPR project for all the right reasons, you have a budget and you have involved the right people.

Well done!

Now, you need to start the data mapping. You need to understand how and why you are processing personal data.

What do you need to figure out?

Here are examples of questions that you’ll need to answer:

• Who are you processing personal data about?
• What kind of data are you processing?
• Where does the data come from?
• Why are you processing the data?
• What gives you the right to process the data?
• Where do you process the data (any third country transfers)?
• For how long do you retain the data?
• How do you communicate with the data subjects?
• Who do you share the data with?
• Who have you outsourced data processing to, and do you have agreements in place?
• How do you safeguard the data?

The list goes on.

GDPR (article 30) explicitly requires that most businesses keep a record of processing activities. And regardless of Article 30, all companies that want to ensure compliance need to understand where they currently are.

Without understanding your current processes, you cannot identify breaches and challenges.

To find this information, your project group needs to talk to the right people.

This is where you involve the stakeholders identified in Step 1.

Guide them in the right direction by walking them through the basics of GDPR and the definitions of personal data processing.

Let them describe what personal data their department comes into contact with, how it is processed and what they do with it.

You should strive to reduce the number of risks and breaches you are not even aware of. These are your biggest problems in pursuit of compliance.

Unknown risks will also be your worst enemy in case of supervision.

In case of a breach, you do not want to have to answer “we had no idea we even did that”. You will stand much better prepared if you have identified any potential risks yourself. Even better, if there is a plan for how to remediate.

Read more about this in step 3.