The Customer
Laude is a distributor from southern France with 6 branches and 111 employees, which generates a revenue of over €40m in products for roofs and façades. VM Building Solutions, distributor of VMZINC, is the leading manufacturer and supplier of zinc applications for the construction industry in Europe, North America, Australia and a number of Asian countries. It is present in 22 countries, has 7 production sites and employs 950 people. MCP Defrancq is a network of 12 branches in France, specialized in roofs and façades. The group produces a revenue of €40m and employs 148 employees.
Fedrus International realizes a total revenue of about €650m and provides employment to over 1550 employees. Fedrus International is fully committed to further growth and international expansion and has ambitious growth plans in Western Europe to this end.
The Challenges
Fedrus International has grown very fast through mergers and acquisitions. As a result, data is spread over different applications, systems and processes. In practice these challenges translate into multiple interviews with business owners, a mix of old and new systems and a changing IT landscape. People are very busy and are spread over multiple locations (Puurs, Deinze and Kampenhout).
- Plan meetings / interviews with all these Subject Matter Experts (SMEs):
- CRM, ERP, Sales, Logistics, Finance
- Marketing
- HR, Health and Security
- IT, DWH and BI
- …
- Explain General Data Protection Regulation (GDPR), our way of working and show the deliverables.
Solution
As transparency about "data" is a key driver of the regulation, an important step will be to understand how your business is "processing" personal data and what personal data you record, store and process in the first place. This requires a deep dive into all your "processes" and "systems" to get a better understanding of all data flows, with special focus and attention on the "personal" data flows.
A phased approach towards GDPR compliance requires a proper methodology and a skilled team (consisting of lawyer, data architect, process owners, application owners, IT architect, …).
Typical steps in this phased approach are:
- Knowledge & Awareness
- GDPR Readiness Scan
- GDPR Assessment (this phase will focus on data mapping and data flows within your organization and application landscape)
- Roadmap to Compliance
We have developed a methodology that facilitates the creation of key deliverables to enable your organization to prepare for the "Roadmap to Compliance".
These deliverables consist of:
- Data mapping document (5Ws)
- Data flow diagram
element61 responsibilities
element61 was asked to perform the GDPR Assessment part with a focus on the Data Mapping and the Data Flows.
Data mapping document – 5Ws
Data mapping allows you to identify the information that your organization keeps and how it moves from one location to another, such as from suppliers and sub-suppliers through to customers. By mapping the flow of data, you’ll be able to review the most effective way of processing data and identify any unforeseen or unintended uses.
The 5Ws document will help you to cover the details of personal data by working around 5 ‘W’ questions:
Why … is personal data processed?
Whose … personal data is processed?
What … personal data is processed?
When … is personal data processed?
Where … is personal data processed?
Data flow diagram
The data flow diagrams, which are a high-level graphical representation of the flow, are typically created per process. They help to understand the information lifecycle and represent all in-application and cross-application flows.
Conclusion
This exercise is typically executed by a data architect together with both functional and technical application and process owners within your organization, and is facilitated by interviews and workshops.
With these deliverables the Fedrus International Data Protection Officer (DPO) and legal advisor can facilitate the next steps, which typically consist of the creation of the “Register of Processing Activities” (RoPA) and the “Technical and Organisational Measures” (TOMs).