Why is Data Flow Mapping Important for GDPR Compliance?

Data mapping is considered an important component of GDPR compliance by many privacy professionals. It is also usually one of the first steps that is taken. However, there can be a lot of confusion about what privacy professionals mean by a data map and why it is important. We are going to tackle the latter question here.

Why is a data flow map important for organizations under the General Data Protection Regulation (GDPR)?

There are a number of reasons that organizations should create a data map as part of their GDPR journey.

1. Article 30

Having a written record of data processing activities is a requirement for many organizations under GDPR Article 30 and a best practice for even those that are not required to do it. A data map is one avenue by which organizations create the required written documentation. Additionally, the supervisory authorities may request records of the processing activities within an organization, and the production of a data map is one piece of information that would help fulfill their request.

2. Article 6

Data maps can be an important part of Article 6 as well. Every instance of processing personal data needs to have a lawful basis under GDPR. If organizations do not have a list, or “map”, of all of their processing, then they may not have identified which basis for processing applies, disclosed it to consumers as part of their privacy policy or other disclosures, and ensured that appropriate documentation is generated. Once a list of processing has been compiled, it is easier for organizations to justify their processing or determine that it needs to be changed.

3. Article 25

Data mapping can also be evidence that an organization takes the privacy by design and default principles from GDPR Article 25 seriously. An organization that constructs a data flow map of a new technology or process is better prepared both to inject privacy protections into it at an early stage in the project as well as to demonstrate to the data protection authorities that the organization was thinking about the implications of it on data privacy. As an organization comes to understand what data is being collected, it can also use that information in order to figure out what personal data it truly needs to collect and where it should work through the process of data minimization.

4. Article 35

Data maps are also an important part of Data Protection Impact Assessments under Article 35. If an organization is going to assess the risk of a particular process, then it needs to understand where the data is collected, where it is stored, who gets the information and how long it is retained. These are critical ingredients that are often compiled as part of a data map.

5. Article 28

Data flow maps are also an important area for the identification of third party access to data falling within Article 28. Organizations that have a list of third-parties that are processing personal data on their behalf can conduct vendor assessments, review or enter into data processing agreements required by GDPR Article 28, and engage in pro-active risk management. If organizations have not mapped their data sharing with third-parties, they may not have all of the agreements that they need in place.

6. Other Required Information

Controllers are required to have records of the purposes of processing, the categories of personal data, the categories of recipients of the data, any transfers of personal data to a third country or international organization, the time period for retention of the different categories of data and, if possible, a general description of the technical and organizational security measures at work. Processors need to have records of the contact information for each controller, the categories of processing carried out for the processor, any transfers to a third country or international organization including documentation of the suitable safeguards in place, and a general description of the technical and organizational security measures used.

7. Transparent Disclosures and Process Improvements

Having a data map can also facilitate transparent disclosures to consumers, one of the core principles of GDPR. If an organization is not aware of all of its data collection, processing and sharing, then it is difficult to accurately disclose that to consumers and other data subjects through its privacy policy and other notices.

Data maps can also be used for a variety of other purposes, including to improve business processes, improve IT systems and IT controls, identify areas for risk mitigation, provide ideas for annual budget planning as well as training opportunities for staff.

Data mapping is also going to be an important component of the California Consumer Privacy Act of 2018 (CaCPA). Businesses will need to disclose the categories of information that they are collecting as well as the categories of information sold to third-parties. The creation of a data map will be an important means to identify the information collected and shared.

If you are looking for GDPR data mapping software to do automated data mapping, please call Clarip at 1-888-252-5653

Related Content

GDPR Data Mapping Requirement & Software Solutions
Data Mapping Software Tools
GDPR Article 30 ROPA Software
Data Inventory Software Tools
Tips for Organizations Undertaking Data Mapping for GDPR
GDPR Data Mapping Software Tool for Privacy Risk Assessments