Background
This matters because it affects fines, insurance, client contracts, and reputation. UK GDPR Article 30 requires most businesses to keep a Record of Processing Activities (ROPA) — a list of what personal data you process, why, and for how long. If you take card payments, PCI DSS applies on top of GDPR.
Questions to ask yourself
- Do we know what personal data we hold and where it lives?
- Are suppliers handling our data safely?
- Could we actually respond to a data breach if we had to?
- Could we answer a customer security questionnaire today?
- Would our insurance pay out if we hadn't followed basic controls?
What you can do today
Sketch your data map
Three things.
- 01Draw four boxes on paper: Customer, Employee, Financial, Supplier. For each: where it lives, who reads, who deletes.
- 02Look at three random staff laptops. Customer lists on a laptop are data leaving the building each evening.
- 03Look at your office Wi-Fi router. List every connected device.