Contact us Today!

Tips for Organizations Undertaking Data Mapping for GDPR

Here are nine tips for organizations that are planning to undertake the process of creating a data map for GDPR in the European Union or the California Consumer Privacy Act.

1. Plan ahead.

Before starting out on data mapping, organizations should set forth the goals of the project and the staff / resources available to conduct it. Upfront planning can help ensure that your organization gets the value that it needs out of its data maps. Among the things to consider are how the information will be used, including whether it is needed to draft a privacy notice, provide the basis for finding personal data that is subject to a subject access request, to being creating a GDPR compliance program, or to serve as the basis for auditing current privacy efforts. If your organization is operating in Europe, having a firm grip on the GDPR data mapping requirement is also important.

2. Gain Buy-In From Key Employees

Gaining buy-in from relevant stakeholders is an important part of ensuring that the data mapping process goes well. Even if an automated data map is constructed, the key stakeholders should review the information within their purview to ensure that it is accurate. Because data maps often cross organizational lines, the assistance of multiple parties is needed as part of the process.

3. Set the Right Approach for Data Mapping

There are many possible approaches to data mapping, and it can be conducted in one or more stages. Organizations may decide to conduct a high level overview of their key processing activities before engaging in an analysis of the key areas identified. Or they may attempt to complete a comprehensive, global record of all processing activities. The viability of the latter approach may depend on the cost and resources available to the project, and the capabilities of the software selected for the project. If your organization has the resources, consider using GDPR data mapping software.


4. Remember Other Types of Personal Data!

It is important to remember that customer / user information is not the only personal data collected by an organization. Corporations may also collect information about their employees that fall within the scope of GDPR and other privacy laws.

5. Don’t Forget Data Sharing!

Most organizations share information with a variety of first and third-parties including group companies, suppliers, service providers, regulators and public officials. Data maps need to identify all of these organizations so that they can be disclosed to the public in the privacy policy or other notices.

6. Customize Your Map to Your Own Needs and Requirements.

Although the documentation of data flows is often referred to as a “map”, the look and feel can vary greatly between organizations. Some small businesses may rely on the answers to a single questionairre in order to store information about their data flows. Medium sized businesses and departments within large organizations may choose to go with a multi-sheet spreadsheet to store their data maps. Larger organizations may choose to develop a custom data visualization to provide the collected information to management and staff. Organizations may decide not to build their own data map and rely instead on third-party software like that developed by Clarip.

7. If Data Practices Change Frequently, Consider Automating Data Mapping.

One danger of a comprehensive approach is that data practices within an organization change frequently. If a map takes months for your company to complete and is thus out of data by the time that it is finished, then your organization needs to consider whether automation through data mapping software is needed.

8. Controllers Need to Understand Their Processing Too!

Both controllers and processors need to maintain records of their data processing. If controllers want specific documentation kept by their processors, they should specify that information as part of written instructions to the processor or in the Article 28 data processing agreement.

9. Plan for Updating your Data Map.

Data mapping efforts need to be revisited and updated on a regular basis. It is important to plan for keeping the data map accurate and up to date. Otherwise, your organization will not get the value out of it that it needs.

Need Help? Call Clarip at 1-888-252-5653

If you want additional information, read our article on how to create a GDPR data map.

Related Content

GDPR Data Mapping Requirement & Software Solutions
Data Mapping Software Tools
GDPR Article 30 ROPA Software
Data Inventory Software Tools
Why is Data Flow Mapping Important for GDPR Compliance?
GDPR Data Mapping Software Tool for Privacy Risk Assessments