If your organisation collects EU residents’ personal data, the EU General Data Protection Regulation (GDPR) applies to you. The GDPR takes effect in just a few months, so if you’re not already nearing compliance, you need to work quickly. A significant part of the process will involve managing your databases, as this is probably where you keep most of your personal data.
Database auditors need a strong knowledge of the GDPR. Our previous blogs have covered much of what you need to know, including the lawful grounds for processing data (including consent), data subject access requests and conducting data protection impact assessments. In this blog, we will focus on a requirement that should form the foundation of database auditors’ compliance projects: the privacy-by-design approach to data security.
Privacy by design means it’s not enough to simply bolt on features to your databases to meet regulatory requirements. Instead, you need to build from the ground up, designing your systems with privacy as your primary concern. So, how is this done?
Locate your data
You probably store data in a number of places, be it multiple databases or stashed away in various other locations. You might have data stored on legacy systems, or backups that you’re not even aware of. This all needs to be accounted for, so the first thing you need to do is map your data with a data flow audit.
Data mapping allows you to identify the information that your organisation keeps and how it moves from one location to another, such as from suppliers and sub-suppliers to customers.
By mapping the flow of data, you’ll be able to review the most effective way of processing data and identify any unforeseen or unintended uses.
A data map should identify the following key elements:
- Data items (e.g. names, email addresses, records)
- Formats (e.g. hard copy forms, online data entry, database)
- Transfer methods (e.g. post, telephone, internal/external)
- Locations (e.g. offices, Cloud, third parties)
It should also show who has access to the data at any given time and who is accountable for it.
Data mapping might sound complicated, but it doesn’t have to be. With the right tools and a little bit of preparation, the process can be relatively simple.
Limit who has access to your data
To mitigate the risk of data breaches (which include not just theft, but also the accidental or unauthorised destruction, loss, alteration, disclosure of, or access to, personal data), you should set up access controls to make sure personal information can only be viewed by relevant employees.
Limiting personal data access to as few people as possible lowers the chances of something bad happening to it. Access controls allow you to manage who has access to what data, making sure no one can view, modify or delete data that isn’t relevant to their job role.
You should also protect your personal data by pseudonymising and/or encrypting it.
Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to data protection – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits. This is why the GDPR also recommends encryption.
Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
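As an added illustration of the two points above (keeping identifying data away from most users, and pseudonymising what remains), the following Python example, which is not part of the original post, replaces e-mail addresses with keyed HMAC tokens before records reach an analytics database, and keeps the token-to-identity mapping in a separate store that only the re-identification function touches. The customer records, the key and the table layout are constructed for the example. It also shows the limit the post mentions: a pseudonym is stable, so records about one person can still be linked, and anyone who holds the mapping (or the key) can re-identify them, which is why encryption is recommended in addition.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample records (name, email, order reference); not real data.
CUSTOMERS = [
    ("Alice Example", "alice@example.com", "Order 1001"),
    ("Bob Example", "bob@example.org", "Order 1002"),
    ("Alice Example", "alice@example.com", "Order 1003"),  # repeat customer
]


def pseudonym(secret_key: bytes, identifier: str) -> str:
    """Keyed HMAC-SHA256 token for an identifier.

    The same identifier always yields the same token (so analysts can still
    count or join records), but nobody can recover the identifier from the
    token without the key or the mapping table held in the vault.
    """
    digest = hmac.new(secret_key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def build_stores(secret_key: bytes, records):
    """Split raw records into an analytics DB (tokens only) and a vault DB (identities)."""
    analytics = sqlite3.connect(":memory:")  # what most staff would be granted access to
    vault = sqlite3.connect(":memory:")      # tightly restricted re-identification store
    analytics.execute("CREATE TABLE orders (subject_token TEXT, order_ref TEXT)")
    vault.execute(
        "CREATE TABLE subjects (subject_token TEXT PRIMARY KEY, name TEXT, email TEXT)"
    )
    for name, email, order_ref in records:
        token = pseudonym(secret_key, email)
        analytics.execute("INSERT INTO orders VALUES (?, ?)", (token, order_ref))
        vault.execute("INSERT OR IGNORE INTO subjects VALUES (?, ?, ?)", (token, name, email))
    analytics.commit()
    vault.commit()
    return analytics, vault


def orders_per_subject(analytics) -> dict:
    """Analysis that works on pseudonymised data alone: orders per (unnamed) person."""
    rows = analytics.execute(
        "SELECT subject_token, COUNT(*) FROM orders GROUP BY subject_token"
    )
    return dict(rows)


def reidentify(vault, token: str):
    """Only code with access to the vault can turn a token back into a person."""
    return vault.execute(
        "SELECT name, email FROM subjects WHERE subject_token = ?", (token,)
    ).fetchone()


def analytics_contains_identifiers(analytics, records) -> bool:
    """Audit check: does the analytics DB leak any raw name or e-mail address?"""
    dump = "\n".join(analytics.iterdump())
    return any(name in dump or email in dump for name, email, _ in records)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production this would live in a key store, not in code
    analytics_db, vault_db = build_stores(key, CUSTOMERS)
    print("orders per subject:", orders_per_subject(analytics_db))
    print("identifiers leaked into analytics DB:", analytics_contains_identifiers(analytics_db, CUSTOMERS))
    alice_token = pseudonym(key, "alice@example.com")
    print("vault re-identification of", alice_token, "->", reidentify(vault_db, alice_token))
```

The separation into two connections stands in for whatever your database actually offers (separate schemas, roles and grants, or separate instances); the auditable property is that the analytics side can be queried without ever seeing a name or e-mail address, while re-identification requires access to the vault.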
Data flow mapping under the EU GDPR
Download our free guide, Conducting a Data Flow Mapping Exercise Under the GDPR, and discover:
- Why data flow mapping is important for the new GDPR;
- The key elements of a data flow map;
- Data flow mapping techniques;
- The challenges of data flow mapping; and
- The steps in a data flow audit.