Data flow mapping under the EU GDPR
To comply with the EU GDPR (General Data Protection Regulation), organisations need to map their data flows to assess privacy risks.
Data flow maps form part of your Article 30 documentation. They are also an essential first step in completing a DPIA (data protection impact assessment).
The key elements of data mapping
To effectively map your data, you need to understand the information flow, describe it and identify its key elements.
Understand the information flow
An information flow is a transfer of information from one location to another, for example:
- From inside to outside the European Economic Area; or
- From suppliers and sub-suppliers to customers.
Describe the information flow
- Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise the data that is collected.
- Identify the lawful basis and purpose for collecting data.
- Make sure the people who will be using the information are consulted on the practical implications.
- Consider the potential future uses of the information collected, even if it is not immediately necessary.
Identify its key elements
What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?
In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?
How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?
What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?
Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.
Who has access to the data in question?
Map your data and become GDPR compliant with IT Governance
We have a selection of tools and software that can support your organisations GDPR compliance, no matter how far along you are in your project.
To gain full visibility over the flow of personal data through your organisation and meet the requirement to maintain a record of processing activities under Article 30 of the GDPR, we recommend the Data Flow Mapping Tool.
This tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred. The Data Flow Mapping Tool is a Cloud-based application, licensed for up to five users and can be accessed via any compatible browser.