Why is Data Flow Mapping Important for GDPR Compliance?
Data mapping is considered an important component of GDPR compliance by many privacy professionals, and it is usually one of the first steps taken. However, there is often confusion about what privacy professionals mean by a data map and why it matters. We tackle the latter question here.
Why is a data flow map important for organizations under the General Data Protection Regulation (GDPR)?
There are a number of reasons that organizations should create a data map as part of their GDPR journey.
1. Article 30
Keeping a written record of processing activities is a requirement for many organizations under GDPR Article 30 (the exemption in Article 30(5) for enterprises with fewer than 250 employees does not apply where the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data), and it is a best practice even for those that are not required to keep one. A data map is one avenue by which organizations produce the required written documentation. Additionally, a supervisory authority may request an organization's records of processing activities, and a data map is one artifact that helps fulfill such a request.
2. Article 6
3. Article 25
Data mapping can also be evidence that an organization takes the privacy by design and by default principles of GDPR Article 25 seriously. An organization that constructs a data flow map of a new technology or process is better prepared both to build privacy protections into it at an early stage of the project and to demonstrate to the data protection authorities that it considered the implications for data privacy. As an organization comes to understand what data is being collected, it can also use that information to determine what personal data it truly needs to collect, and to identify where data minimization should be applied.
4. Article 35
Data maps are also an important part of Data Protection Impact Assessments under Article 35. If an organization is going to assess the risk of a particular process, then it needs to understand where the data is collected, where it is stored, who gets the information and how long it is retained. These are critical ingredients that are often compiled as part of a data map.
5. Article 28
Data flow maps are also an important means of identifying third-party access to personal data, which falls under Article 28. Organizations that have a list of the third parties processing personal data on their behalf can conduct vendor assessments, review or enter into the data processing agreements required by Article 28, and engage in proactive risk management. If an organization has not mapped its data sharing with third parties, it may not have all of the agreements it needs in place.
6. Other Required Information
Controllers are required to keep records of the purposes of processing, the categories of personal data, the categories of recipients of the data, any transfers of personal data to a third country or international organization (with documentation of the suitable safeguards where applicable), the envisaged retention periods for the different categories of data and, where possible, a general description of the technical and organizational security measures in place. Processors need to keep records of the contact details of each controller on whose behalf they act, the categories of processing carried out on behalf of each controller, any transfers to a third country or international organization including documentation of the suitable safeguards in place, and a general description of the technical and organizational security measures used.
7. Transparent Disclosures and Process Improvements
Data maps can also be used for a variety of other purposes, including improving business processes, improving IT systems and IT controls, identifying areas for risk mitigation, informing annual budget planning, and identifying training opportunities for staff.
Data mapping is also going to be an important component of compliance with the California Consumer Privacy Act of 2018 (CaCPA). Businesses will need to disclose the categories of personal information they collect as well as the categories of information sold to third parties. Creating a data map is an important means of identifying the information collected and shared.