On Thursday May 16th 2019, TechGDPR hosted its first open GDPR Canvas workshop, ‘Starting GDPR compliance with the GDPR Canvas’, for members of Factory Berlin. The GDPR Canvas Workshop is normally delivered within a single team or organisation, but for this session we wanted to gain experience with an open format, with participants from different projects and companies.
This open workshop, based on the GDPR Canvas, was run by Silvan Jongerius and Alex Carroll of TechGDPR. It provided a starting point for understanding data flows, which is a required first step towards understanding your GDPR compliance and defining the purposes, means and other key properties that you will need to make known to your data subjects.
The GDPR and the GDPR Canvas
The GDPR came into force almost a year ago and has enhanced awareness about the data of others that we process and the measures needed to protect that data. This was clear from the questions participants raised during the session. Protecting our own data is, for most of us, a difficult task. But what about protecting data that does not belong to us?
The GDPR Canvas is a methodology developed by TechGDPR and made available for free under a Creative Commons license. It helps with the discovery of one’s processing activities. Participants can visualise what key pieces of information are needed to identify problems, assess the data processing risks and start writing their privacy policy.
The GDPR Canvas Workshop
After an introduction to the key elements of the GDPR, participants were guided through exploring their own data processing activities using the GDPR Canvas.
Going through this structured approach encouraged participants to develop a high-level overview of how data are treated within their own company or organisation and to establish a solid starting point for the compliance of their startup, department, product or even future product.
Participants were asked to define the main data flow, data subjects, data processing activities and data processor, and purposes of data collection. They also had to think about the Technical and Organisational Measures (TOMs) in place to mitigate the risk of a data breach. Those who took part in the workshop showed a solid interest in gaining insight into how they might avoid pitfalls and start or improve their GDPR compliance. Attendees' sentiment revealed that this workshop was really valuable, as we had an enthusiastic and interesting team with participants coming from very different backgrounds: private and public sectors, freelancers as well as employees of larger companies.
After sharing their observations and taking part in the discussion of other cases, one participant mentioned, “It was also good to hear other people’s experience” and “the interactive format allows attendees to think through their specific issues but also to hear about issues others were facing and they possibly may need to address”.
As the last part of the GDPR Canvas workshop, Alex of TechGDPR guided the participants through the risk-based approach to data protection and information security, giving some first pointers on how to treat risk by identifying, evaluating, and prioritising their efforts on data security. After assessing their own company risks, participants were also given some food for thought about practical solutions to secure their data, and some ideas on how to continue the work on GDPR compliance after the GDPR Canvas workshop.