Step 1 – Write A List
Although we’ve cheekily suggested in the past that “the GDPR is too important to be left to the lawyers”, there are some things that really are best left in their hands, like contracts.
The GDPR and the ICO’s related guidance make it clear that whether you’re a Data Controller or Processor you will need contracts in place and that they will need to cover some specific, defined areas. We will come onto this in more detail in future weeks.
This week you just need to think about your personal data infrastructure; who supplies data to you, who do you supply data to and who processes, profiles, handles and enhances that data.
Get a sheet of flipchart paper and start writing a list. Pin it up and ask your colleagues to have a go, too. Keep returning to the list and see how many organisations you manage to list (ideally with a brief description of their role). Then in a couple of weeks’ time we’ll have a look at what to do with the list.