The client was a construction company that builds annually 1000+ new homes for private sale and social housing projects and manages 37,000 tenanted properties, carrying potential GDPR compliance risks. They had produced an information asset register with c. 320k cells and needed it verified to feed in to the production of various mandatory GDPR related documents.
SOLUTION – During verification work we analysed data, systems & processes across 100+ business systems holding personal data. These included MS Dynamics CRM database & email marketing tools (Click Dimensions). We worked with management across the business gathering process intelligence to support preparation of the mandatory GDPR Record of Processing Document, and identifying compliance gaps and risks.
OUTCOME – We defined the Data Processors and Joint Controllers, the Data Subject categories (x18), Personal Data categories (x8) and Recipient categories (x18), the Purposes of Processing, the Lawful Basis for processing across all systems & business activities and collation of all Technical and Organisational measures deployed to secure personal data both in-house and by third-party processors, as required in the GDPR Controller Document.
More detail…..
We also produced a set of new process documents, inc those supporting Data Subject Rights related requests, and mapped GDPR related requirements to a comprehensive set of functional requirements (EPICS & User Stories) for various proposed new systems.
