Assign topic to the user
Answer:
Based on the background provided it seems the information asset inventory is limited to IT assets only and performed from the perspective of an IT security manager. This approach most likely won't provide a full picture of the processing activities performed in your organization.
Using a data discovery tool, although useful in some instances, will only provide some information about where the personal data is being stored and how it transits through different systems. The information gathered this way would not be sufficient to build a record of processing activities as required by art. 30 of the EU GDPR.
Our advice would be to start the data mapping process by first identifying the data proce ssing activities based on the processes that are ongoing within your company, for example in an university this could be gathering information about students onboarding, students lifecycle, HR management, security (IT Security and Physical security), suppliers management etc.
After identifying the relevant processes and processing activities the record of processing activities can be filled in with the information required by art. 30 of the EU GDPR. The EU GDPR implementation Toolkit provides guidance on how to perform a the data mapping as well as a template containing all the fields needed to ensure compliance with the EU GDPR art. 30 requirements - see the details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Comment as guest or Sign in
Nov 21, 2017