Data flow mapping under the EU GDPR
As part of a GDPR (General Data Protection Regulation) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a DPIA (data protection impact assessment), which is mandatory for certain types of processing.
For more information on data flow mapping under the GDPR, download our free green paper >>
The key elements of data mapping
To effectively map your data, you need to understand the information flow, describe it and identify its key elements.
A data flow is a data transfer from one location to another, for example:
- From inside to outside the European Economic Area; or
- From suppliers and sub-suppliers to customers.
- Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise the data that is collected.
- Make sure the people who will be using the information are consulted on the practical implications.
- Consider the potential future uses of the information collected, even if it is not immediately necessary.
- Data items
What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?
In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?
- Transfer method
How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?
What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?
Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.
Who has access to the data in question?
The key challenges of data mapping
Personal data can reside in a number of locations and be stored in a variety of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format. You should also avoid duplicated information where possible.
The second challenge is likely to be identifying and implementing appropriate measures – covering technology, policies and procedures, and staff training – to protect information while also determining who controls access to it.
Your final challenge is determining your organisation’s legal and contractual obligations. Besides the GDPR, this can include, for example, the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001.
Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your customers and other key stakeholders.
Data flow mapping
The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you full visibility over the flow of personal data through your organisation.
Read more about what the Data Flow Mapping Tool has to offer.
How IT Governance can help you
We have a selection of tools and software that can support your organisation’s GDPR compliance, no matter how far along your project is. Browse our range of GDPR products and services below to find out more, or get in touch with our GDPR team for advice and guidance about the support options.
Shop our data flow mapping products and services
Speak to an expert
Please contact our team for advice and guidance on our products and services.