3 April 2018
GDPR Data Mapping: a practical step to process data safely at every stage
Are you GDPR ready? Most businesses by now have a plan in place for processing data when the GDPR is enacted, but the essential step of data mapping might be getting missed by your business.
Let’s focus on how you can use a data map to ensure that a data subject’s rights are upheld, as the GDPR requires organisations to comply with the GDPR Principles, and this is an ideal way to ensure that happens.
Compliance with Data Protection and the GDPR is not only essential; it makes business sense too. It can however be difficult to achieve compliance if you don’t actually know what data you have, what you need to keep; or what you need to dispose of.
Depending on the size of your organisation and the sensitivity of the personal data you process, the GDPR now requires that ‘Controllers’ and ‘Processors’ have a personal data ‘Information Asset Register’ (as per Article 30 of the GDPR).
There is a requirement to determine who the data controller is, as well as determining the types of data, sources, transfers and disclosures, retention periods, international transfers and security controls.
A good general practice, which also aids with overall compliance, is an information audit. The benefit of this is that it will result in detailed data flow maps, as well as outlining the personal data processed by each department. From here, you can identify compliance and any other risks that need to be considered. This can feed into an overall gap analysis, which in turn will lead to the creation of actions for a risk log or project plan.
Too sum this up, a plan needs to be created (the data flow map), which can then be assessed using a process called gap analysis; which will be covered in more detail later.
Data Flow Maps
A data flow map is a method for categorising data and understanding how personal data is processed within a particular system, and how it is transferred from one system to another; which can either be internal transfers within your business, or between other organisations you partner with. Data flow maps can vary in their design, but a typical example of how one might look, would be the following tri-sectional system of categorisation, which contains different data sources under each section:
- Sources, including Data Collection / Creation – This would include several different sources, such as the data subject themselves, people like customer service or sales staff who process the data when the subject provides it, and also any equivalent handler like a data / cloud storage company. The data at this stage can come from the subject in several formats, like telephone or email.
- Processing – At this next stage, the subject’s data will appear on your organisation’s own servers. Additional departments or even other companies may be given access to the data, which depends on the purposes for which it is going to be processed. Some obvious examples of these would be a larger cloud-storage provider, an email marketing company or an analytics company.
- Data Use / Transfer – Beyond the storage of data on the various servers, further processing is likely to occur in order to make use of the data. Analytics companies might send the data to their account managers or other workers within their organisation for various reasons, such as auditing. Marketing companies are likely to share the data with their other departments, or even third-party marketing companies that they work in collaboration with, or are owned by.
With all these data processors involved, it is likely that a data subject’s personal information will move around between many employees or departments, and there may be a need (or assumed need) to print data out – all these steps should be included in any good GDPR data map and this is not the gold-standard, it is the bare-minimum.
While this grouping shows the ‘what’ of the data map, how the data is categorised, checked and which questions you should ask, all need serious examination too. There are a number of ways to go about this. Once again, it is worth remembering to check ‘Article 30’ and its associated recitals. This will help you work out exactly how you are going to get down to the business of carrying out the mapping.
Once you have established your data flows and are starting to put the maps together, it is (in some cases) worth observing your employees while they process data, using questionnaires to check their opinions and how in-depth their current knowledge is, as well as arranging meetings to discuss the data mapping process with departmental representatives, as a wider group.
Facilitation workshops may be useful for doing this – creating freeform diagrams on the whiteboard or mind maps and other methods, to get the relevant information down so you can come up with some useful ideas as a group. This will allow you to identify and analyse your gaps, identify any risks and in turn allow you to focus on the most crucial areas where you need to improve.
Which Questions to Ask
As part of the mapping process you should be able to draw up a list of questions to ascertain how personal data will be processed at each step of the specific process, which (as well as the specific Article 30 requirements) could include:
- How the data is collected for processing?
- Who is accountable for personal data?
- Where is the data being contained, and by whom?
- Who has authorisation to process the data? (including internal and external staff members)
- Is the information shared with anyone outside of your organisation or not, and how should they be using this?
- Do any of your systems transfer information to other systems automatically?
What You Need to Consider
It is really important to start by identifying the type of personal data being processed (including the format), and how it is being transferred. Once transferred, the location and who has access to it are the most important things to work out, as those individuals need to keep it secure and be accountable for any mistakes.
Initially, you will have to invest quite a lot of your time into asking the right questions and creating a data map based on the answers. But as long as these points are covered in the correct way (and to your company guidelines), the requirements of the GDPR will benefit your organisation, which is a great reason to make data mapping part of your compliance procedures post GDPR. There’s a lot of interest in the GDPR at the moment which is likely to decrease after the legislation comes in, but this is not a one-time exercise; everything produced at this stage needs to be maintained in future, and should stand up to scrutiny.
Who Benefits?
Everybody benefits from data mapping. The data subject can rest assured that their data is being kept safe, your business will benefit from a reduced likelihood of data breaches and non-compliance, and legislators have an easier job as they can view what they need quickly for audits or complaints; this in turn makes it easier to prove you are compliant.
Essentially, staying compliant is this simple: Have a plan, support your Data Protection Officer and make sure the rest of your staff know where they fit in.
Gap Analysis
The process you go through during data mapping (and feeding that into the information asset register) allows you to look for and identify risks, which should be an obvious benefit.
Some of these ‘risks’ will be mitigated by new policies and processes, whereas some will need to be removed altogether. This process, which is generally known as a ‘gap analysis’, will allow you to assess your level of GDPR compliance. You might need to get this carried out by a specialist company, or it can be done in-house if you have the right staff and level of knowledge.
As a final note, it is worth bearing in mind that many organisations have been found to be non-compliant with the current Data Protection Act already, so it is likely that most organisations will need to improve on their current data handling strategies in readiness for the GDPR. With the gap analysis complete, you can improve these strategies by creating a suitable risk register and action plan. By doing this, you can raise compliance levels to where they need to be and develop systems for the future, making sure that you check adherence at every single stage of processing.
Remember too, that gaps in compliance can occur between you and third parties, or within various areas of your own organisation, and so these should be immediately located and filled. This can be through approvals and sign-offs at various stages of data processing, and by working out which good practices you already have in order to work out which areas are not as good as you can make them. By having a map with all the locations and movements clearly marked, you cannot get lost in the complex world of data processing.
We offer a GDPR self-assessment questionnaire, covering the key areas that you need to consider to ensure you will be compliant by 25 May 2018. If you answer ‘no’ to any of the questions, you will be provided with information to guide you through necessary steps.