GDPR data mapping for Roof Construction Distributor

The Customer
 
Fedrus International is an independent Belgian group, active in the distribution of roof and façade materials for the European market. The group consists of five operational business units: APOK, I.R.S-Btech, Laude, VM Building Solutions and, new to the group, MCP Defrancq.
 
I.R.S-Btech promotes and distributes EPDM and other roof materials to the construction and roof materials dealer in West Europe. Additionally, APOK distributes roof and façade materials to the professional roofer and contractor. Both business units together realize a revenue of around € 200m and provide employment to over 350 employees in Belgium.

Laude is a distributor from southern France with 6 branches, 111 employees, which generates a revenue of over € 40m in products for roofs and façades. VM Building Solutions, distributor of VMZINC, is the leading manufacturer and supplier of zinc applications for the construction industry in Europe, North America, Australia and in a number of Asian countries and is present in 22 countries, possesses 7 production sites and employs 950 people. MCP Defrancq is a network of 12 branches in France, specialized in roofs and façades. The group produces a revenue of €40m and employes 148 employees.

Fedrus International realizes a total revenue of about € 650m and provides employment to over 1550 employees. Fedrus International fully commits to further growth and international expansion and has ambitious growth plans in West Europe to this end.

The Challenges

Fedrus International has grown very fast through mergers and acquisitions. This implies that data is spread over different applications, systems and processes.  These challenges translate in multiple interviews with business owners, old and new systems and changing IT landscape. People are very busy and also located in multiple locations (Puurs, Deinze and Kampenhout).

  • Plan meetings / interviews with all these Subject Matter Expert’s (SME);
    • CRM, ERP, Sales, Logistics, Finance
    • Marketing
    • HR, Health and Security
    • IT, DWH and BI
  • Explain General Data Protection Regulation (GDPR), our way of working and show the deliverables.

Solution

As transparency about "data" is a key driver of the regulation, an important step will be to understand how your business is "processing" personal data and what personal data you record, store and process in the first place. This requires a deep dive in all your "processes" and "systems" to get a better understanding of all data flows with special focus and attention on the "personal" data flows.

A phased approach towards GDPR compliance requires a proper methodology and a skilled team (consisting of lawyer, data architect, process owners, application owners, IT architect, …).

Typical steps in this phased approach are:

  • Knowledge & Awareness
  • GDPR Readiness Scan
  • GDPR Assessment (this phase will focus on data mapping and data flows within your organization and application landscape)
  • Roadmap to Compliance

We have developed a methodology that will facilitate the creation of key deliverables to enable your organization to prepare for "Roadmap to Compliance". 

These deliverables consist of:

  • Data mapping document (5Ws)
  • Data flow diagram

element61 responsibilities

element61 was asked to perform the GDPR Assessment part with a focus on the Data Mapping and the Data Flows.

Data mapping document – 5Ws

Data mapping allows you to identify the information that your organization keeps and how it moves from one location to another, such as from suppliers and sub-suppliers through to customers. By mapping the flow of data, you’ll be able to review the most effective way of processing data and identify any unforeseen or unintended uses.

The 5Ws document will help you to cover the details of personal data by working around 5 ‘W’ questions:

GDPR data mapping for Roof Construction Distributor

Why … is personal data processed?

      Whose … personal data is processed?

What … personal data is processed?

       When … is personal data processed?

             Where … is personal data processed?

Data flow diagram

The data flow diagrams, which are a high-level graphical representation of the flow, are typically created by process.  They will help to understand the information lifecycle and represent all in- and cross application flows.

Conclusion

This exercise is typically executed by a data architect together with both functional and technical application and process owners within your organization and facilitated by interviews and workshops.

With these deliverables the Fedrus International Data Protection Officer (DPO) and legal advisor can facilitate the next steps which typically consist of the creation of “Register of Processing Activities” (RoPA) and “Technical and Organisational Measures” (TOMs).

 

 

Related Technologies