Data mapping and the GDPR

(A version of this blog was originally published on June 8.)

Knowing the who, what, where, why, and when of data collection and processing is essential in complying with the EU General Data Protection Regulation (GDPR). Who is accountable for personal data, what data is collected, where is it stored, why is it being stored, and when must it be removed? To answer those questions, it’s important for organizations to review their data flows and produce data maps.

Data flows and data mapping

A data flow is the transfer of information from one location to another. Reviewing this flow means auditing the type of data being held, where the data resides, who ‘owns’ the data, who has access to the data, and who the data is shared with.

However, organizations often aren’t fully aware of the extent of their data flows, simply because they don’t understand what data is being collected and processed or why this is happening.

That’s where data mapping comes in. This is the process of identifying, understanding, and mapping data flows. A good data map will provide a comprehensive view of the data flows within, to, and from an organization.

The key elements of any data map are:

  • The information itself (names, card data, biometrics, etc.)
  • The formats in which information is stored (hard copy, digital, etc.)
  • Transfer methods (the way it’s communicated, such as by email or telephone, and whether it’s transferred internally or externally)
  • Locations (offices, the Cloud, third parties, etc.)

Data mapping is an essential part of most robust data protection programs. In terms of the GDPR, it will help controllers achieve compliance with a number of the Regulation’s requirements, including:

  • Article 6: Lawfulness of processing, which requires controllers to be able to demonstrate that their processing activities are performed in compliance with the Regulation
  • Article 25: Data protection by design, which requires the controller to ensure that, by default, the only personal data that’s processed is that which is necessary for each specific purpose of processing
  • Article 30: Records of processing activities, which requires organizations to maintain detailed records of their data processing activities and to make those records available to their supervisory authority on request

Get help with data flow mapping

The Data Flow Mapping Tool simplifies the process of data mapping, helping you understand the flow of personal data through your organization.

With this tool, you can create consistent visual representations of the flow of personal data through all your business processes without having to resort to more time-consuming drawing methods, such as pen and paper or vector graphics. You can also generate a version-controlled data flow report that compiles information from your data flow map in an easy-to-read format to share with stakeholders.

It’s ideal for all organizations that need to bring their practices in line with the GDPR.

Find out more about the Data Flow Mapping Tool >>