SITUATION – The client was a magic circle global law firm with London HQ. Their GDPR readiness state was not fully understood with the May deadline fast approaching. The business had begun an enterprise-wide process mapping initiative to better understand all its functions but the approach was very detailed and time consuming.

SOLUTION – We suggested a high speed visual modelling method which we had developed to meet the needs of the GDPR. Its focus was on the business objects being transformed during day to day activities which might contain personal data, the media used, the people and systems that had access to or held the personal data, and any relevant business rules at each step. We trained one additional FTE in the method to support the effort.

We ran process discovery workshops with stakeholders across all business functions within the London HQ. These included Partners Tax and Finance, Staff Payroll, HR, Clearance re Know Your Client (KYC), all Internal Operations (inc Security & Resilience, Transport & Travel Management, Document Production & Record Management, Sales & Marketing, Bookings & Event Management, Health and Safety) and Facilities Management (inc health club and restaurant facilities).

Each information asset type used (form/ document/ report/ system) posed different risks which needed to be understood. These were then analysed in detail within c.50 Information Asset Registers with the GDPR risks highlighted, based on personal information processed, volume of records held and information sharing practices. We also confirmed the requirements and a data model for a GDPR compliance risk management tool before the vendor piloting phase.

OUTCOME – The team of two covered the entire enterprise within the allocated time. We were retained for an additional 6 weeks to support any detail investigations. The Compliance Team were very pleased with the detail of our deliverables consequently we only had one trivial query to answer before departing.