Getting Started with GDPR Documentation
It can be intimidating to start a GDPR documentation and compliance project. Large organizations are composed of a huge number of interconnected systems and processes, and it’s rare for one person or department to understand them all.
Start with what you know
Our advice for where to start is simple: start with what you know. If you’re on the business side of the organization, start documenting your core processes. If you’re in legal, start with policies and principles.
Where you start documenting depends on your role and what information you have access to. When in doubt, start where you see the highest risk to the organization.
Collaborate to fill in the blanks
The GDPR templates are split up into domain-specific categories, and in general we recommend breaking your documentation up into topic or domain-specific workspaces. This modular approach makes it easier to focus on one thing at a time, and you can always open more workspaces to show a higher-level context and see references between different domains.
Another benefit of splitting up documentation is that it allows domain experts to manage workspaces that pertain to their expertise, and invite others to contribute when they need to.
5 questions to ask
As you start to document, you’ll need to answer these 5 questions:
1. What data do you have?
Identifying what personal data flows through your business is the core of GDPR documentation.
2. Where are you using/storing/duplicating personal data?
Understanding the amount of personal data and where it’s duplicated is key to compliance. Ardoq can help you identify opportunities for data minimization.
3. How is your data moving through the organization?
How many applications process a single piece of data? What security guidelines are in place for transferring data between them?
4. Who has access to the data?
Limiting access to personal data, and keeping an overview of who has it, is crucial for security and core to the regulation.
5. Why are you collecting this data?
What is the legal justification for collecting and storing this data? To legally justify the personal data you hold, you must understand the business purpose for collecting and using it.
The justification for collecting data may differ from how it’s actually used—for example, if you requested a user’s email address for invoicing purposes and then used it for marketing that the user didn’t consent to. If your use of personal data isn’t legally justified as defined by the GDPR, you are not compliant.
Getting your data into Ardoq
While we can’t automate every aspect of documentation, we have several tools that make it easier to automate or streamline data collection:
- Excel importer – import a new workspace with components and references from an Excel file.
- Our API – set up a custom integration with your build server, CMDB tool, or other tools using our REST API. You can do a one-time import, or set up a process to trigger an Ardoq update whenever new data is available.
- Zapier integration (beta) – powered by our API, the Zapier integration lets you create triggered actions based on hundreds of other web apps in the Zapier platform.
We’ve also done our best to make sure it’s fast and easy to add components and references using the Ardoq interface. For creating and modifying components, the grid editor lets you quickly input data in a spreadsheet-like format.
We partner with a number of legal and consulting firms that can help you get started. Learn more about them on our partners page.