In our previous post on GDPR we touched upon the impact it has on your quality management system, and we gave some examples of important topics you should take into consideration. Last week we had a great consulting session with our trusted partner on GDPR, covering which areas are best to focus on. In this post we share some of the useful tips and tricks that came out of that meeting.
The process approach is a good way to find out when and where your company handles personal data. This can easily be done by walking through the processes that are followed within the company. For example, start with sales and go all the way through to the point where the invoice is sent to the customer. Once the primary processes have been checked, the secondary processes such as HR and IT can be checked in the same way. This exercise will show you exactly where personal data is touched. Also make a list of all the points where this data is handled by your suppliers.
Once you know which data is in the company, think about who handles it and the different ways in which it can be handled. You can classify the data as described in our previous post. Make sure you clearly describe who is the processor of the data. When the data is classified, you have described why you need it, and you have put an expiration date on it, you are good to go.
An important point to think about is sub-processors. Sometimes you are not the one who has the power to change the data; instead you give that right to someone else, your sub-processor. A good example where you see this often is salary slips. Much of the time it is accounting firms that manage the salary slips. However, the majority of these firms don't do this themselves either, but outsource it to a dedicated supplier. When this is the case, make sure you have an agreement in place between you and your accounting firm, because they have the ability to alter the data. In this setup the accounting firm in turn needs to have a data processing agreement with the company that actually processes the data. And remember, don't forget to ask your supplier for a data processing agreement.