GDPR – Identifying your Risks

As the GDPR enforcement date is upon us, many companies are shifting into panic mode trying to really understand not only what the GDPR means to their company operationally, but also where their true risk lies.  How do they evaluate that risk?  How do they understand the impact of those risk factors? And finally, where do they even start on the journey to compliance?

With the amount of ambiguity the GDPR presents, there are no easy answers to these questions, but there certainly is a clear-cut place to start – understanding where your EU data subject PII lives.

Whether you’re a data processor or data controller, most organizations realize they have EU data subject PII within their organization, but not necessarily where it resides. Most assume it’s an IT department issue, but few realize it’s an overall organizational issue.  How does your marketing department handle outbound communication? Do they capture consent?  How do your sales teams manage their customers within their CRM platform?  How does HR manage employee data for entities that operate in the EU?

As we move ever closer to the May 25^th enforcement date, the question needs to change from where does your EU data live to how does it flow throughout your organization.  Understanding the data flows will pinpoint what departments will need to get involved and help put you on the path to  GDPR compliance.