Business Analyst | GDPR Compliance

SITUATION 1 – The client was a construction company that builds 1000+ new homes annually for private sale and social housing projects and manages 37,000 tenanted properties, carrying potential GDPR compliance risks. They had produced an information asset register with c. 320k cells and needed it verified to feed into the production of various mandatory GDPR-related documents.

SOLUTION 1 – During verification work we analysed data, systems and processes across 100+ business systems holding personal data. These included the MS Dynamics CRM database and email marketing tools (Click Dimensions). We worked with management across the business gathering process intelligence to support preparation of the mandatory GDPR Record of Processing Document, and identified compliance gaps and risks.

OUTCOME 1 – We defined the Data Processors and Joint Controllers, the Data Subject categories (x18), Personal Data categories (x8) and Recipient categories (x18), the Purposes of Processing and the Lawful Basis for processing across all systems and business activities, and collated all Technical and Organisational Measures deployed to secure personal data both in-house and by third-party processors, as required in the GDPR Controller Document.

More detail…

We also produced a set of new process documents, including those supporting Data Subject Rights requests, and mapped GDPR-related requirements to a comprehensive set of functional requirements (Epics and User Stories) for various proposed new systems.

SITUATION 2 – The client was a leading theatre group with 40 UK sites and 18 million customer records on their MS Dynamics CRM. They had around 40 ticket offices across the UK plus one national call centre. There were no management policies in place, no understanding of how sensitive client data was handled in the satellite offices, and no specific procedures in place to secure their child client records. This was a major issue, with around 55,000 children and learning-disabled young adults attending life-skills training events in their theatres.

SOLUTION 2 – During verification work we analysed processes and personal data usage across the various booking offices and national call centre. We gathered process intelligence to support preparation of the mandatory GDPR Record of Processing Document, and suggested solutions to identified compliance gaps and risks including the child data issues.

OUTCOME 2 – The GDPR compliance budget was reduced after some push-back from the theatrical creatives running this business. Internal politics also led to the departure of the GDPR Project Manager, and my process analysis and information asset register oriented approach (which worked very well later on with Clifford Chance London law firm’s assignment) was abandoned.