Depending on who consults you, you may be advised to start your GDPR compliance in any number of areas. Data mapping is a fairly common (and good) recommendation, because it helps an organisation understand exactly what personal data comes into the business, where (and how) it moves internally, where it is sent and when it leaves. In this guide, we discuss data mapping and its role in GDPR compliance.
It might surprise you to learn that very few organisations know exactly what personal data they collect and store as part of their core business activities. Usually through ignorance, some organisations operate for years collecting personal information they have absolutely no purpose for. Under the General Data Protection Regulation (GDPR), this is illegal, and so knowing what data you’re collecting is very important.
Although data mapping is not mandatory under the GDPR, it is an excellent way of gaining a true understanding of what personal data the organisation handles.
What is data mapping?
This is the process of discovering and classifying data. In doing this, an organisation can protect and manage data in a systematic way. Within the same process, you are also able to identify the legal basis of processing and apply retention periods to specific sets of data.
How does that relate to GDPR?
The GDPR requires your organisation to be able to demonstrate compliance in the management of personal data. To do this, your organisation must apply a taxonomy to identify what data is personal and what data is sensitive. Data mapping identifies what data is collected, and so will help you apply such a taxonomy.
In what other ways is data mapping helpful?
Many organisations process the same data in the same way repeatedly, which creates duplication in the business. By learning what processes you have and where, your business can improve the efficiency of its processing operations.
Data mapping offers clarity by revealing exactly what data gets collected, used and stored, allowing it to be categorised and managed. This process, sometimes called “data discovery”, is essential to comply with the GDPR because organisations are obligated to have a handle on the data they collect and process.
Why should I use data mapping in my GDPR strategy?
Article 30 of the GDPR (Records of processing activities) states that organisations must “maintain a record of processing activities under [their] responsibility” and that “[the] record shall contain all of the following information:
a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
b) the purposes of the processing;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
f) where possible, the envisaged time limits for erasure of the different categories of data;
g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”
Article 30 does not prescribe a mandatory mechanism for meeting these requirements; however, the fact that organisations need to map their data and information flows in order to keep accurate records makes data mapping a sound method.
Under the GDPR, there are minimum requirements for recording data. These are:
· The name and details of the controller
· The purposes for processing the data
· The description of the categories of individuals and personal data
· The categories of recipients of personal data
· The details of transfers to third countries (if appropriate)
· The retention schedules
· The description of security measures in place to protect data
Getting started with data mapping
There are software tools that simplify the data mapping process. No one creates this software in-house unless they have unlimited IT budgets, so the solution is nearly always from a vendor, and there are plenty of good options out there.
Our preferred data mapping solution is DP Organiser, as the tool is comprehensive and easy to use. While there are other vendors on the market, we will always recommend this.
If your organisation’s core activities require the regular and systematic monitoring of individuals on a large scale, or your organisation's core activities involve processing on a large scale 'special categories' of personal data, you will need to appoint a DPO under the GDPR. If you already have one, they can help you roll out data mapping to comply with the GDPR, but only if they have experience with it. Since data mapping is not mandatory under the GDPR, you may have to look for a specialist to help.
What data mapping should be and do
Data mapping should be the primary method you use to record processing activities and stay informed about what data you collect and store.
A data map should identify data items, data formats, data transfer methods, the locations of the data (and server), the legal basis of processing and the designated retention period. The data map should categorise data accordingly, so that it is clearly described and can be found. For example, data such as medical records need to be categorised as sensitive and “high risk”. A subject’s name would be categorised as “low risk”.
Perhaps the most important thing to bear in mind with data mapping is that it will be helpful to your organisation, no matter the scale of data you work with. Under the GDPR, Data Privacy Impact Assessments (DPIAs) form a key part of the accountability principle, and data mapping can help simplify the creation of these by making data findable and by simplifying the process of allocating risk to specific data sets.
Remember - under the GDPR your obligations are ongoing, and so your data mapping activities should be too. It isn’t enough to ‘find’ your data and leave it. Depending on the type and scope of data you collect, you may need to carry out data mapping on an automated basis. This is also why we recommend using software, as a manual spreadsheet will not automatically alert you to processing that may be deemed high risk.