FULL EPISODE TRANSCRIPT
Hey there, and welcome. I am Rocio Baeza, the founder of GDPR Stand Up. Today we are going to be doing something I think is pretty fun. We're going to be doing an implementation case study. I'm basically going to allow you to look behind … look over my shoulder as I am helping an organization become GDPR compliant.
So let's start with just providing you with more information on the organization that this case study is for. This is for my own organization. It's called GDPRstandup.com. So just basically what it is … Think of it as an online virtual community with a subscription model: if you're someone that needs help with GDPR compliance and you're looking for practical information, you can become a member. You can join the community. The idea is that we provide you with a step-by-step road map that you need to follow so that you can become GDPR compliant quicker.
So, I think that the standard path here is: hey, find someone in your organization that is already doing data security or data privacy work. Assign this initiative to them. Basically this person is handed something new, something that they probably don't have a background in. Again, GDPR just went to [inaudible 00:01:47] May of this year. I think that as professionals we're also trying to get a better grasp of what this actually means and where do I start? What's my first step? What is my second step, and so on?
So for the case study that we're going to be doing now, I'm going to help you … I'm going to let you listen in on my thinking process as I'm looking to make my own organization GDPR compliant. So, I gave you a brief overview of what GDPR Stand Up is all about. Now let's walk through … Alright. I want to know what my GDPR obligations are. What step … That first step. So, if you listened to a previous … In a previous episode, we went through just a quick "What is GDPR?" In that session I was talking about the three questions that I put together that would help any organization just to quickly determine if GDPR is likely to impact your organization or not.
So, if you missed that episode, just go through the history and search for it. But just for now … These are the three questions that we're referring to. Let me just bring them up here. Alright. So the three questions are: Is your organization located in the EU? By EU I'm referring to the European Union. Question number two: Do you service the EU market? Question number three: Do you hold information about a living person that is from or living in the EU? So, those are the three questions; if you answered yes to any of them, it makes sense for you to proceed to do due diligence, because it's very likely that GDPR applies to your organization.
So going back to my GDPR Stand Up virtual community, I answered yes to the second and the third questions. So yes, my virtual community is looking to service the EU market. I'm based here in the U.S. I'm located in Chicago. But I'm not closing the door to anyone, regardless of what corner of the world you are in. If you need help with GDPR compliance, my virtual community is available to you. I also said yes to the second question. Again, the second question is: does your organization hold information about a living person that is from or living in the EU? So, again the … When I ask this question about my community, the answer is yes. In order to provide my audience … my members with the resources, I do need basic pieces of information about people, so the answer is yes, I am holding information, or I could potentially hold information, about a living person that is either from the EU or that is living in the EU.
Alright. So I did my quick due diligence there. Now I'm ready to move on to step number one. Step number one of any GDPR compliance program is to put together a GDPR data inventory. So I think that many organizations … It's been my observation that many organizations are skipping through this very important step. They just want to get quickly in on doing all the things that they think they need to be doing based on what they heard on a blog post or on a webinar. I think that … I would caution against just running in all directions, because something that is not obvious is that … So yes, GDPR has a number of requirements. The text of the regulation is fairly long. It's very specific. But you should know that not all requirements apply to all organizations. Some organizations will have to comply with all of the requirements. But there are other organizations that just have to worry about specific things.
The main way that you can determine what specific things apply to your organization is by doing that first step and putting together a data inventory. So let me walk you through how you would do that for my GDPR Stand Up community. The first step is to download the template. I have a free course available. You can find this on GDPRstandup.com. So step one is I would just download the template. Then I would ask a series of questions. So the first question is … Alright. Just thinking of the different people that my organization serves, start to identify: alright, what types of people can potentially be EU citizens or residents that I should be paying special attention to? Again, GDPR focuses on personal data about people that are living in the EU or that are citizens of the EU. So you don't have to include all the data points that your organization holds at this time. It's specifically any data that relates to a person that is from or may be living in the EU.
So, I'm going to start with my audience. I'm going to target my customers. That's basically anyone that is interested in becoming a member of my virtual community. So, yes, it's likely that EU residents or EU citizens will want to be part of my community. So I want to start there. As I'm putting together the data inventory for my organization, I am going to start with the members that I am looking to serve. So, there are three questions. There are three types of information that the data inventory needs to capture. The first one is I need to make a list of all the data points that I hold about my customers. There's no way for you to see my screen at the moment. But just so that you know, what is the information that my membership community is holding about people?
So, just off the top of my head, we are collecting email addresses. I believe that is it. When someone opts in and signs up for our free course, we do ask you to provide us with your email so we can provide you with a link to the free course. So, that is [inaudible 00:10:02]. Now for those members of the audience that move forward and decide to become members of the community, we will collect additional information about you. We will collect information such as your full name. We are looking for billing information. We are looking for credit card information. So basically if you raise your hand and you want to sign up for our community, because we would need to process a payment (again, this is a subscription model), we are collecting information about the credit card that you're looking to use to pay for this subscription.
But also billing information, because that is part of the card processing step. So that right there is the list of the data points that my organization holds about the people that I serve: email, full name, billing address and card information. Those are the data points that would be added to my GDPR data inventory. So that's step one. Step two is, for anything on my list, I want to add some detail. We want to document where that data is coming from. In this case, all the data that my organization holds about my members or my audience is coming directly from the individuals themselves. I'm not receiving this data from a third party. I'm not receiving this data from a lead provider. If you're looking to sign up for that free course, if you're looking to sign on for the membership, you are providing me … you are providing my organization with that information. So in the data inventory I would document that the source of the data is the individuals themselves.
Alright. Then the third step is I would need to classify each data point that is in my data inventory. There are two classifications that we're looking for. For each of the data points that I just listed, I want to classify if they would be considered personal data. I would also want to document if that data point would be considered to be special categories of personal data. So, for the first one, I would say that the majority of the data fields that my organization holds about members would be classified as personal information. Email would be classified as personal information. Yes. Full name would be classified as personal information. Yes. Address would also be classified as personal information. Why? Because with an address and with a name and with an email I can pretty much pinpoint this information to a specific person. The way that GDPR is structured, any data point that can be tied to a person should be classified as personal data.
So we talked about email. We talked about full name. We talked about billing address. As part of the membership, members would also be required to provide their card information. Things like the full card number, expiration date, and the security code. Now my organization is working with Stripe, which is a credit card payment processor. They process the payment on the platform and I'm only provided with a subset of that information. My organization is not able to view the full credit card number. My organization is not able to view your security code. Through Stripe I am able to see information about the card. Things like the cardholder name, the billing address, if the security code matched the card processor's records. So given the card information that my organization has through Stripe, I would say that billing address would definitely be classified as personal data. But anything beyond that would probably not.
So. Okay. So that was basically it. Those are the pieces of information that would be important as you're putting together the data inventory. Just through these last few minutes, I basically went through the thinking process of … Alright. What is the process I would follow as I'm fleshing out the data inventory for my organization? Hopefully, this seems like a pretty straightforward exercise. This is not rocket science. I would say that the regulators and those that were involved in putting together GDPR, I think they did a pretty good job of making resources available. Now this is very straightforward for me because I have been in the data security and the data privacy space for about seven to eight years now. I've done this for organizations that I've been involved with in the past. I've done this for consulting clients that I have. Hopefully by just walking you through my thinking process you can start to see that … Hey, this is actually not too hard. You can actually do it yourself as well.
So, we spent time walking you through … Alright. What are the pieces of information that a GDPR data inventory would hold, given that my organization holds personal information from customers? I think it is also important to point out that you want to repeat this process for employees and contractors. In my case, right now I do not have employees. I have not employed individuals to help me with the community. So I would not repeat the exercise to record what kind of personal data I hold about employees that may be living in or are from the EU. I'm going to skip that step. The third step, or the third category, would be contractors. At this point I have contracted out very small jobs on freelance websites to help me with building out GDPRstandup.com. But I would say that for what I have contracted out, I have not been collecting personal data about these contractors. But as I'm talking through this, it's just a good mental note that if and as I am contracting out for additional help in the future, I need to add that to my data inventory.
If it's possible for me to contract an EU citizen or an EU resident, I would need to document that in my GDPR data inventory. Okay. So, that basically sums it up for today's session. I think the key points that I would like for you to take away are, one: the data inventory is the first step your organization needs to take when getting started with GDPR compliance efforts. It's pretty straightforward for anyone to really do it. You don't have to be a data security professional. You don't have to be a data security consultant. You can just download a template for a data inventory … I'm sorry, for a GDPR data inventory. We have a couple available. If you sign up for our free GDPR data inventory course, you can have access to that resource.
By just walking through the simple steps of documenting the information that my organization holds about people that may be living in or are from the EU, the three steps are basically: making a list of the data points that your organization holds. Step number two is documenting, alright, where does that information come from? Step number three is determining if you could classify that data point as either personal information or a special category of personal information. So if that [inaudible 00:20:06] for your organization, congratulations. If that's not something that you've completed yet, but you are in the middle of a GDPR compliance implementation initiative, I would highly, highly, highly recommend that you go back, that you put the brakes on what you're doing right now and put together that data inventory, because it's possible that some of the things that you think you need to implement at your organization may not be required. The only way that you can determine that is by looking at your GDPR data inventory.
Just want to say thank you very much for checking out the session. I'll see you on a future one. Goodbye.
HELPFUL LINKS AND RESOURCES:
- GDPR Stand Up Website: gdprstandup.com
- The 10 GDPR Components
- The GDPR Implementation Blueprint
- Join the GDPR Stand Up Virtual Community
- Free GDPR Data Inventory Course: http://gdprstandup.com/free-course/