GDPR compliance step 1: data mapping
The GDPR is deliberately vague. This perceived complexity is there by design because the drafters understood it was impossible to draft a regulation that could be implemented uniformly across all entities. Each entity processes personal data differently and it’s difficult for most organisations to know where to start.
To understand how the regulation applies to your organisation you need to understand which data you’re processing. You can’t protect personal data if you don’t know what it is, where it is and how it’s currently managed. This means you need to create a data map. It’s an absolute must!
A data map will help you understand which data you’re processing, why it’s processed, when it’s collected, where it’s stored, who it’s shared with and how it’s protected. Given the number of departments that may be collecting and processing different data sets for different purposes it can be a bit tricky.
Cloud-based collaborative services can simplify this process by involving relevant individuals from different departments and giving oversight to the data protection officer (DPO) or data protection representative responsible for GDPR compliance.
To create a record of all the personal data held by your organisation you need to understand how personal data is defined under the GDPR.
Personal data is ‘any information relating to an identified or identifiable natural person (data subject)’. An identifiable person is a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an ID number, location data, an online identifier or to factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. So it’s extremely broad.
Processing is any operation (or set of operations) performed upon personal data (or sets of personal data) whether by automated means or not, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying. So this is even broader.
Now that you understand what personal data is and that a data subject is any identifiable natural person you hold personal data on, it should become clear what a data subject inventory is.
The first step in creating a map is to make a list of the different types of data subjects for which your organisation processes personal data. Broadly, some general data subject types would be clients, prospective clients, employees, prospective employees, consultants, contractors and suppliers.
Each organisation’s data subject definitions will be unique to them and should be defined by the organisation. It can be as detailed as you like, for example clients could be defined by product or service category.
For each data subject you’ll need to define the processing purpose, i.e. why and how you’re processing their personal data. Under the GDPR, processing of personal data must be done lawfully, so for each processing purpose you’re required to provide a legal basis or justification. The legal bases are defined in Article 6 and Article 9 of the GDPR. One of the key principles of the GDPR is data retention so, as part of the data mapping process, when you consider the purpose for which you hold the information you should also decide whether and for how long to retain it.
The data mapping process needs to include an inventory of the types of personal data and sensitive personal data that you hold on each data subject type. It should contain an inventory of the processing locations and data transfers, as well as an inventory of where the personal data is collected. Good data mapping tools collect this information in a structured fashion and allow you to see a visualisation of the links.
The GDPR has specific clauses related to the security of processing (Articles 30 and 32) and data transfers (Articles 30 and 49). A thorough data mapping exercise will begin the process of complying with the requirements in these articles by identifying external processors and data transfers.
Your data map needs to detail any instances where there is a transfer of personal data to a country outside of the EU or to an international organisation. This includes transfer of personal data to a processing location in a third country. When there is such a transfer of personal data there needs to be an adequate legal basis for the transfer of the data to the third country and appropriate safeguards must be applied.
If your organisation has 250 or more employees then, under Article 30 of the GDPR, it’s required to keep a record of processing activities. However, the requirement also applies to smaller organisations if the processing is likely to result in a risk to the rights of employees, if the processing is not occasional or if the processing includes special categories (sensitive) of personal data (which are defined in Article 9) or data relating to criminal convictions and offences (Article 10).
One of the benefits of the data mapping process is that it will provide your organisation with that record of processing activities.
The primary benefit of data mapping is that by completing the process you’re also creating a complete GDPR implementation plan. Data mapping will inform your GDPR compliance by making clear which articles are relevant to your organisation. It’ll help you draft your privacy notices. It’ll help you identify any gaps in your data security. It’ll help in responding to data subject access requests. And it’ll aid in data breach responses. These are all areas that need to be considered for your GDPR compliance.
Article 25 of the GDPR states that you’ll need to ‘implement appropriate technical and organisational measures’ to ensure compliance, but you can only achieve this if you know where the personal data is. Having the data map will help you identify all your risk areas, thereby assisting in the assessment and mitigation of these risks.
Your data map can benefit your organisation beyond the legal and regulatory requirements. It can:
For example, by understanding the data flows - which categories of data are held, who ‘owns’ the data, who has access to it and to which recipients it is disclosed - you can potentially reduce costs through consolidation or data minimisation. Once you've classified what you store and process, you might be able to identify and delete any non-essential personal data, thereby reducing your costs and your risks.
Data mapping is crucial to assessing whether and to what extent GDPR obligations will apply to your organisation. But it’s just the first step.
GDPR365 enables you to easily get your compliance documentation in place, train your employees and manage your direct marketing, HR and IT services. GDPR365 manages and stores all contract documents with your processors, as well as data sharing agreements. GDPR365 provides full workflows to manage data subject access requests and breaches in the security of your personal data.