The client was a leading theatre group with 40 UK sites and 18 million customer records on their MS Dynamics CRM. They had around 40 ticket offices across the UK plus one national call centre. There were no management policies in place, no understanding of how sensitive client data was handled in the satellite offices, and no specific procedures to secure their child client records. This was a major issue, with around 55,000 children and learning-disabled young adults attending life-skills training events in their theatres.
SOLUTION – During verification work, we analysed processes and personal data usage across the various booking offices and the national call centre. We gathered process intelligence to support preparation of the mandatory GDPR Record of Processing Document, and suggested solutions to the identified compliance gaps and risks, including the child data issues.
OUTCOME – The GDPR compliance budget was reduced after some push-backs from the theatrical creatives running this business. Internal politics also led to my process analysis and information asset register oriented approach (which worked very well later on with Clifford Chance London law firm’s assignment) being abandoned.