In the Watergate investigation, Howard H. Baker Jr famously asked "What did the President know and when did he know it?"
We all know what the answers to that question led to: they ultimately sealed the fate of Richard Nixon.
Companies under a GDPR compliance audit, especially when the Data Protection Authority is involved, can be sure that "What" and "When" will be asked in relation to personal data, and rest assured that the questions will not stop there.
Organizations shall follow the six data protection principles of the GDPR and answer the 5W+2H questions, two of which are the Watergate ones. In essence, GDPR compliance comes down to two main mantras for the compliant company: honor the six principles, and answer the 5W+2H questions accordingly.
The six principles:
1. Lawfulness, fairness, and transparency
2. Purpose limitations
3. Data minimization
4. Accuracy
5. Storage limitations
6. Integrity and confidentiality
Being able at all times to document your answers to "What", "When", "Why", "Where", "Who", "How", and "How much" time, in the context of the six GDPR principles, can well be your strategic pillar for always knowing where you're going and how far you have gone.