How to Conduct GDPR Data Mapping for Privacy Compliance
GDPR compliance can be a time-consuming journey for large organizations and a scary process for small organizations that don’t have the resources to spend on software and consultants. Here is a quick guide on where to start to ease some of the burden for companies making the effort to improve their data privacy practices. Any business that is starting their GDPR journey can benefit from improving data mapping.
What is Data Mapping for Privacy?
Data maps ensure that the organization understands how data moves, or flows, through the organization. Because an organization needs to understand what data it collects, how it uses it, and who it shares it with in order to improve its data privacy protections, disclosures and regulatory compliance, data mapping is an important early step in the journey as well as an important audit function.
There is often a visual component to the data map. Data visualization can help other employees quickly and easily follow the personal data flows around the organization. However, the quality of data maps varies greatly. Some organizations use sophisticated programs to build the maps; others use simple Excel spreadsheets to organize the data.
Data mapping can be an important part of GDPR compliance with Articles 30 and 36. Article 30 requires certain organizations to document their processing activities. Article 36 requires organizations to conduct Data Protection Impact Assessments before engaging in certain processing. Neither article expressly requires a data map, yet data maps are considered a best practice for meeting both.
Manual vs. Automated Data Mapping
There are two options for an organization to improve its understanding of personal data through data flow mapping. The first option is to conduct a manual information search. This is typically done through questionnaires and informational interviews, with the answers gathered via in-person or paper surveys and then collated and analyzed.
The other option is to engage in a technology assisted search to gather the necessary information about how data flows through the organization. This can either be gathered through electronic questionnaires that are filled in online or via scanners that detect data collection and its movement around the electronic systems of the organization.
If both are done correctly, the manual and automated processes will achieve the same result. However, each process has its own benefits and drawbacks, so two independent efforts may produce different results in practice.
What is contained in a Data Map?
A comprehensive data flow map for privacy compliance shows all of the data coming into the organization and its path around and out of the organization. However, maps do not need to be comprehensive. They also can be segmented to follow the data of a single customer segment or type of data in particularly complex situations.
1. Where is Data Collected?
Organizations need to identify where the personal data coming into their organization originates. Typically it comes straight from the individual (consumer) through an online form. However, many businesses also use external data sources in order to compile additional information about their users. Businesses need to understand what information they are getting from which sources, and what their obligations with respect to that data collection are under the GDPR.
2. What Data is Collected?
It is important for organizations to have a complete grasp of all the personal data (personally identifiable information) that they possess about individuals. This PII can range from data about their customers, to their website visitors, to their employees. GDPR considers personal data to be any information relating to an identified or identifiable natural person. Examples given in Article 4 include a name, identification number, location data, online identifier, or one or more physical, physiological, genetic, mental, economic, cultural or social identity factors specific to a natural person.
3. Where is the data stored? What is the format of the data?
If an organization is going to have an appropriate understanding of its data privacy practices, it needs to know where that data is located and what format it is held in. Most organizations store information electronically, but many may still have older paper records, or employees may print off files containing PII for their own use. Even electronic records need in-depth examination, since they may be stored in the cloud, on local servers, on local computers or even on the equipment of third-party vendors.
4. Where does the data go?
Organizations need to know where their data is going, both internally within the organization and externally to third-party vendors. It is also important to pay attention to whether data is crossing borders when it is received by the organization, when it is transferred to or from a processor, or even when it is moved for internal purposes, because personal data transferred across the boundaries of the European Union to other countries carries special obligations.
5. What is the data used for?
Organizations need to know about their processing activities both to be able to provide accurate disclosures to consumers as well as to be able to fulfill Article 30 documentation requirements. Organizations also need to be able to demonstrate privacy by design and data minimization. Data maps can help organizations gather this information.
6. How long is the data retained?
Data retention is another important area of privacy by design and data minimization. Although most data flow mapping is focused on its collection and sharing, a comprehensive look may include when data is being deleted by an organization as well.
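The six questions above describe the fields a data map record needs. The following is an added example (not Clarip's tool or any code from the original article) of a minimal data-flow inventory in Python: each record answers one of the six questions, a check flags the gaps a reviewer would want closed before filling in an Article 30 record (missing purpose, undefined retention, storage or recipients outside the EEA), and a summary collapses the inventory into Article 30-style headings. The `DataFlow` structure, the check rules and the three sample flows are all constructed for illustration; the EEA country list is the one assumption taken from outside the article.

```python
"""Toy data-flow inventory for GDPR data mapping (added example, not Clarip's tool).

Each DataFlow answers the six questions from the article: where collected,
what data, where and how stored, where it goes, what it is used for, and
how long it is retained. check_flows() flags the gaps a reviewer looks for
before writing an Article 30 record. All sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# EU member states plus Iceland, Liechtenstein and Norway (the EEA).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class DataFlow:
    name: str
    source: str                     # 1. where the data is collected
    categories: tuple               # 2. what personal data (Article 4 examples)
    storage: str                    # 3. where it is stored and in what format
    storage_country: str            #    ISO country code of the storage location
    recipients: tuple               # 4. (recipient, country) pairs it is shared with
    purpose: str                    # 5. what the data is used for
    retention_days: Optional[int]   # 6. how long it is retained; None = undefined


def check_flow(flow: DataFlow) -> list:
    """Return human-readable gaps for one flow (empty list means nothing flagged)."""
    gaps = []
    if not flow.categories:
        gaps.append("no data categories listed")
    if not flow.purpose.strip():
        gaps.append("no processing purpose recorded")
    if flow.retention_days is None:
        gaps.append("no retention period defined")
    if flow.storage_country not in EEA:
        gaps.append(f"stored outside the EEA ({flow.storage_country})")
    for recipient, country in flow.recipients:
        if country not in EEA:
            gaps.append(f"transfer outside the EEA to {recipient} ({country})")
    return [f"{flow.name}: {gap}" for gap in gaps]


def check_flows(flows) -> list:
    """Run check_flow over the whole inventory and concatenate the findings."""
    issues = []
    for flow in flows:
        issues.extend(check_flow(flow))
    return issues


def article30_summary(flows) -> dict:
    """Collapse the inventory into the headings an Article 30 record uses."""
    outside = {c for f in flows for _, c in f.recipients if c not in EEA}
    outside |= {f.storage_country for f in flows if f.storage_country not in EEA}
    return {
        "purposes": sorted({f.purpose for f in flows if f.purpose.strip()}),
        "categories": sorted({c for f in flows for c in f.categories}),
        "recipients": sorted({r for f in flows for r, _ in f.recipients}),
        "third_country_transfers": sorted(outside),
        "flows_without_retention": sorted(
            f.name for f in flows if f.retention_days is None
        ),
    }


# Constructed sample inventory for a small web shop (not real data).
SAMPLE_FLOWS = (
    DataFlow("signup form", "web form (direct from user)",
             ("name", "email"), "PostgreSQL, Frankfurt", "DE",
             (("email provider", "IE"),), "account creation", 730),
    DataFlow("enrichment feed", "external data broker",
             ("location data", "online identifier"), "S3 bucket, us-east-1", "US",
             (("ad network", "US"),), "marketing profiling", None),
    DataFlow("HR files", "employee onboarding paperwork",
             ("name", "identification number"), "paper cabinet, HQ", "FR",
             (), "payroll", 3650),
)

if __name__ == "__main__":
    for line in check_flows(SAMPLE_FLOWS):
        print(line)
    print(article30_summary(SAMPLE_FLOWS))
```

Run as a script, it lists three findings, all against the constructed "enrichment feed" flow (no retention period, storage in the US, a US recipient), which is exactly the kind of externally sourced, cross-border flow the sections above single out. The inventory is a starting point for the Article 30 record, not a substitute for the Data Protection Impact Assessment that high-risk processing still requires.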
Need Help? Call Clarip at 1-888-252-5653
The Clarip GDPR data mapping tool can assist your organization in the creation of a data map as well as the corresponding records and documentation. Or learn more about the GDPR data mapping requirement.
Is the California Consumer Privacy Act of 2018 your next challenge? Ask Clarip how data mapping can help you meet the law’s disclosure and DSAR requirements.