For privacy law compliance, it’s vital to have a clear view of the personal data under your control. This involves understanding what data you hold, what it’s for, where it’s located, where it goes, how long you keep it for and what you do with it once you no longer need it. Done in the right way, data mapping gives you precisely the information you need to create such an understanding.
Data mapping has always been good practice for data compliance. However, as we’ll see, the arrival of the General Data Protection Regulation (GDPR) makes it even more of a priority to take data mapping seriously.
For a start, the new law requires that you identify those areas where “the rights and freedoms of data subjects” could be at risk – and to take appropriate measures to manage those risks. Likewise, to reduce the likelihood of a breach, GDPR carries a range of data governance obligations; especially on impact assessments and record keeping. Once your data estate is thoroughly and accurately mapped, it becomes so much easier to stay on top of these obligations.
Here, we’ll outline the essential elements of data mapping, how it fits in with the GDPR – and how to get it right.
What is data mapping?
Data mapping tracks the flow of data to, through and from your organisation. More specifically, a data map (also known as a data flow) should give you the following information regarding the personal data under your control:
- Where it comes from (e.g. customers, staff and third parties)
- Its purpose (e.g. order fulfilment or payroll)
- The entry point, i.e. how it enters your company (e.g. a telephone call, email or online form)
- Its format, such as an Excel spreadsheet, a simple Word doc or a CRM customer account page
- Where it’s stored, such as a filing cabinet, an in-house server or a cloud database
- The country it’s stored in
- Where it’s accessible from and who has access to it
From sales calls through to order dispatch and beyond, data tends to shift format, location and visibility. This type of data flow is all part and parcel of doing business. To be fit for purpose, your data map should be able to describe your organisation’s “data story” accurately. It may also be that your data map is actually a number of data maps, or data flows.
What should I include in my data map?
The data map for a multinational consultancy will obviously look different to that of a small online retailer. But while there’s no universal blueprint, all good data maps tend to share the following characteristics.
It covers all data processing activities
A map is only truly reliable if it covers your entire “data world”. This involves looking at all areas of the business, identifying each and every instance where data is being processed, the purposes of processing and the individual activities that are involved in that processing.
It’s highly visual
If it’s only your IT manager who can make sense of it all, the data map isn’t doing its job properly. Everyone, from the tech-sceptic CEO through to on-the-ground account managers, should be able to refer to that map and see what happens with the personal data your company controls and handles. Diagrams, charts and infographics are all useful visual tools.
How does a data map help me with GDPR?
Here are some of the key ways in which data mapping helps you get GDPR compliance right.
Your record of processing activities
Under GDPR, apart from a limited exception for small and medium-sized organisations, businesses are under a duty to keep an up-to-date record of all data processing activities. Data mapping enables you to cover this in a thorough, systematic way. It means that you can identify and visualise the complete flow of data through your business – so it’s much less likely that any processing activities are overlooked.
Protecting data subjects’ rights and transparency
The GDPR introduces new rights for individuals and enhances existing rights (all of which you can read about here). Allied to this is the principle of transparency – the duty on businesses to be upfront and explain in the clearest possible way to individuals what is happening with their personal information. Having an accurate and clear map at your fingertips can make it easier to convey the required information to data subjects in the most appropriate way.
New data processing activities and privacy impact assessments (PIAs)
A PIA is a process of identifying, assessing and reducing privacy risks. Once the GDPR is in force, you’ll need to carry out a PIA for all new processing activities where there’s a high risk to the rights and freedoms of individuals affected. This could include the introduction of new products, or changes to your data management systems.
As part of your PIA, and using your existing data map, you can track how the proposed new activity alters the flow of data in, out and through your organisation, identifying any data protection issues along the way.
What should I do first?
Here are some tips to help you get started with data mapping.
Talk about your data flows
This is not a job for IT; it’s a job for all of your functions. Get representatives from all departments in a room, ideally people who have been at the business for some time so they understand where everything is kept (and perhaps where it used to be kept), and from across all offices and locations. Ask each person to talk about how they use personal data in their function, why they use that data, how much of it they have, what media they keep that personal data on and how they move it around. Talk too about who is responsible for that data and who else outside of the organisation touches it.
Then you have to go deeper. Ask each representative to list every category of personal data (e.g. name, email address, IP address, etc.), where they get it from (e.g. web forms), how they use it (e.g. for a marketing list), what applications they use it with (e.g. Mailchimp) and where it is stored (e.g. Google Drive). Write it up on a whiteboard so everyone can see it.
Make it collaborative
Now ask questions and give feedback. Is there anything you don’t understand or you think has been missed? Once everyone has had their turn, agree a list of different data flows (e.g. online advertising data flow, customer sign up data flow, invoicing data flow, recruitment data flow, product data flow, etc.) and agree a responsible person for each one. That person will draw the data flow in anticipation of the next meeting, where you’ll talk about those data flows some more.
On a detailed level, this process is enabling you to map your data flows. It enables you to do other things in your data protection compliance programme such as create your Article 30 Record, create your Record of Vendors and Partners, or draft your privacy notices. On a higher level it is getting the people in your organisation to understand personal information. It is persuading them to care. And it is getting them all involved in doing a compliance programme properly.
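An added example, not the Hub’s templates or any code from this article: a small Python model of the data map entries and meeting outputs described above. Field names, the home-country list and the sample flows are assumptions chosen here; it checks each flow for the seven items listed under “What is data mapping?”, flags storage outside your home country and flows with no responsible person, and rolls the flows up by purpose into a skeleton record of processing activities for the Article 30 Record.

```python
from dataclasses import dataclass

# The seven things the article says a data map entry must record (field names are assumptions).
REQUIRED = ("source", "purpose", "entry_point", "fmt", "storage", "country", "access")

@dataclass
class DataFlow:
    flow: str               # agreed flow name, e.g. "customer sign up data flow"
    categories: tuple       # categories of personal data, e.g. ("name", "email")
    source: str = ""        # where it comes from (customers, staff, third parties)
    purpose: str = ""       # what it is for
    entry_point: str = ""   # how it enters (phone call, email, web form)
    fmt: str = ""           # spreadsheet, Word doc, CRM record ...
    storage: str = ""       # filing cabinet, in-house server, cloud database
    country: str = ""       # country it is stored in
    access: tuple = ()      # who can reach it
    owner: str = ""         # responsible person agreed in the mapping meeting
    processors: tuple = ()  # outside organisations that touch the data

def review(flows, home=("UK",)):
    """Findings to raise at the next mapping meeting: gaps, storage abroad, no owner."""
    out = []
    for f in flows:
        gaps = [k for k in REQUIRED if not getattr(f, k)]
        if gaps:
            out.append((f.flow, "incomplete", ", ".join(gaps)))
        if f.country and f.country not in home:
            out.append((f.flow, "stored outside home country", f.country))
        if not f.owner:
            out.append((f.flow, "no responsible person", ""))
    return out

def article30_register(flows):
    """Skeleton record of processing: per purpose, data categories, storage and recipients."""
    reg = {}
    for f in flows:
        e = reg.setdefault(f.purpose or "(purpose not recorded)",
                           {"categories": set(), "storage": set(), "recipients": set()})
        e["categories"].update(f.categories)
        e["storage"].update({f.storage} - {""})  # blanks are already reported by review()
        e["recipients"].update(f.processors)
    return {p: {k: sorted(v) for k, v in e.items()} for p, e in reg.items()}

# Constructed sample flows (invented, not real data) mirroring the article's examples.
SAMPLE = [
    DataFlow("marketing list", ("email",), "customers", "marketing", "web form",
             "Mailchimp list", "Mailchimp", "US", ("marketing",), "", ("Mailchimp",)),
    DataFlow("payroll", ("name", "bank details"), "staff", "payroll", "HR form",
             "Excel spreadsheet", "Google Drive", "", ("finance",), "J. Smith"),
]
```

Running `review(SAMPLE)` gives the list of items to chase before the next meeting, and `article30_register(SAMPLE)` the per-purpose summary to paste into the record.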
Look for GDPR-focused mapping tools
The principle of accountability is one of the cornerstones of the GDPR. As well as being compliant, firms need to have the processes in place to actually show the regulator that they are getting things right.
Making data flows pretty can be done in Google Slides, Photoshop or using other more specialist infographic packages. But it’s a good idea for all of the data flows to adopt the same format. Keep those data flows somewhere safe and revisit them regularly to keep them up to date. As you develop new products and processes, and take on different suppliers, your data flows will change. You need a process in place to capture these changes and record them, amending your notices as necessary.
When it comes to tools to help you with data mapping, it’s worth homing in on those that are built specifically with GDPR compliance in mind. In other words, look for ones which not only help you map your estate, but also refer directly to your specific GDPR obligations and reporting requirements.
The Privacy Compliance Hub has clear templates for data mapping, record keeping and privacy impact assessments that leave nothing out and ensure that everyone in an organisation understands their responsibilities effectively. To discover more, check out our demo.