Identifying what data your organisation stores, where it comes from and what you do with it is a crucial part of EU GDPR (General Data Protection Regulation) compliance.
This is more complex than it appears because information can be left on hard drives, appropriated by other departments or reproduced in different formats.
All personal data needs to be accounted for to comply with the GDPR, so organisations must audit and map their data flows.
To effectively map your data, you need to understand the information flow, describe it and identify its key elements. The data map will show how data moves from one location to another, such as from suppliers and sub-suppliers through to customers. It also covers the type of data being held, where the data resides, who ‘owns’ the data and who the data is shared with.
Key elements of a data map
- Data items (e.g. names, email addresses, records).
- Formats (e.g. hard copy, digital, database, mobile phones).
- Transfer methods (e.g. post, telephone, social media, internal/external).
- Locations (e.g. offices, the Cloud, third parties).
- Accountability (who is responsible for this personal data?).
- Access (who has access?).
Three key challenges of data mapping
- Identifying personal data. Personal data is often stored in multiple locations in a variety of different formats. You must decide what information you need to record and in what format.
- Identifying appropriate technical and organisational safeguards. Identify the appropriate technology to use, implement policies and procedures and decide who controls user access to the data.
- Understanding legal and regulatory obligations. Determine what your other legal obligations are in addition to the GDPR, e.g. the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001.
Need help creating data flow maps?
The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred. The data flow maps can be reviewed, revised and updated when needed.
As well as helping you identify those parts of your processes that may need additional measures to protect personal data, the tool will help you identify and eliminate any process inefficiencies.
Also available is our Data Flow Mapping Tool and Compliance Manager bundle, which allows you to map individual processes to specific legal, contractual and regulatory requirements, and the controls used to meet those requirements.