GDPR Data Mapping Requirement & Software Solutions
Data mapping is a critical component of GDPR compliance and an important tool for understanding how personal data moves within an organization. GDPR data mapping software can automate portions of the process, making it quicker and easier to establish where data is collected and whether it is being shared.
The term mapping is not explicitly used in the GDPR. However, it has become well recognized that a data inventory and map is an essential first step in building a GDPR compliance program. It would be difficult to meet Article 30’s record-keeping requirement and Article 35’s data protection impact assessment (DPIA) requirement without a complete picture of the data an organization collects, stores and uses.
Data mapping also remains useful once a GDPR program is in place. Repeating the exercise later can reveal areas that were missed initially or where a process has since changed. Organizations that do not refresh their inventory or map after setting their processes may find themselves working from out-of-date information.
What is Data Mapping?
A data map shows the points at which data is collected throughout the organization and where it is shared externally with third-party vendors and others. It is the starting point for a data protection impact assessment under Article 35, which examines the consequences of data collection and storage for the privacy rights of data subjects, and it forms the basis for the records of processing activities required under Article 30. Data maps are often rendered as diagrams or tables so that it is easy to see where data is collected, held or transferred.
What is a Data Inventory?
A data inventory is a record of all the personal data, and related information, that an organization collects. Under the 1995 Data Protection Directive that preceded the GDPR, organizations meeting the definition of a controller had to notify the data protection authorities of their processing activities before undertaking them. The GDPR replaced that notification with a documentation requirement, so data inventories have taken the place of such notifications.
The Purpose of a Data Inventory and Map
These tools serve a wide variety of purposes. They can be used as a compliance checklist, to close gaps in privacy notices, to respond to data subject access requests, or to meet the documentation requirement of Article 30.
Manual vs. Automated Data Maps?
There are two general approaches to data mapping: manual and automated. Each has its own benefits, and organizations concerned about completeness often do both so that no stone is left unturned. The GDPR does not specify which approach should be used.
The manual process relies on questionnaires and interviews with the relevant employees, contractors and third-party vendors, so that the organization understands what data is collected, why it is collected, how long it is retained and with whom it is shared. It usually involves a team spanning several business units; the team puts together a template for gathering the necessary information.
An automated data map uses software to scan the organization’s electronic systems, typically its website or its internal file servers and storage, to determine what data is being collected and where it is being transferred. The automated approach is faster and usually less expensive, but it cannot by itself establish why data is collected or how long it should be retained, which is why the two approaches complement each other.
External vs Internal Data Detection
Most organizations have both internal and external assets that collect, use or share data. Internal assets are hosted and protected behind the company’s firewall. External assets include a mobile app downloaded from the Google or Apple app stores, or a website accessible through a browser.
However, some assets do not fit neatly into either category. A vendor may host the organization’s data in the cloud rather than on the organization’s own servers behind its firewall. A website may offer a login, after which it behaves more like an internal asset (since a username and password are required) than an external one.
To have a complete picture of the data held by an organization, a company needs to look at each of these different systems.
Structured vs Unstructured Data
Data mapping can involve analyzing a large amount of data. Some of that data will be structured data with a high degree of organization. Spreadsheets and relational databases are two examples of structured data.
Unstructured data is everything else: text, images, video, audio and other content, generated by humans or by machines. It is typically harder for software to interpret. Healthcare is a common source of it; a scanned image of a patient chart is unstructured data even though the chart holds personal information.
Some data falls between the two categories, and email is a good example. A message carries metadata such as the time sent, the subject line and the sender, which fit the classic picture of structured data, while the free text in the subject line and body is not structured. Data of this kind is often called semi-structured.
If an organization wants a complete data map, it needs to look for personal data within both structured and unstructured data.
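As an added illustration of the automated scanning described above, covering both structured and unstructured sources, here is a small Python scanner. It is example code written for this page, not Clarip’s software or any vendor’s product. It labels CSV columns by value pattern and header name, counts hits in free text, and emits one inventory record per source. The detector patterns, validators, column-name hints, source names and sample records are all assumptions constructed for the example.

```python
"""
Minimal personal-data discovery scanner (added example, not a vendor's code).

Scans a structured source (CSV rows) by value pattern and column name, an
unstructured source (free text) by value pattern only, and emits one data
inventory record per source.
"""
import csv
import io
import re
from collections import Counter


def _looks_like_phone(s: str) -> bool:
    """Reject regex hits with too few or too many digits (dates, IDs)."""
    return 9 <= sum(c.isdigit() for c in s) <= 15


def _looks_like_ipv4(s: str) -> bool:
    return all(int(octet) <= 255 for octet in s.split("."))


# Illustrative detectors (assumed for this example): a regex plus a
# validator that prunes false positives. Real scanners use far richer rules.
DETECTORS = {
    "email": (re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
              lambda m: True),
    "phone": (re.compile(r"\+?\d[\d\s().-]{7,}\d"), _looks_like_phone),
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), _looks_like_ipv4),
}

# Column-name hints for categories that have no simple value pattern.
HEADER_HINTS = {
    "name": ("name", "surname"),
    "address": ("address", "street", "postcode", "zip"),
    "dob": ("dob", "birth"),
}


def find_matches(category: str, text: str) -> list:
    """All validated hits for one category in a piece of text."""
    rx, check = DETECTORS[category]
    return [m for m in rx.findall(text) if check(m)]


def scan_unstructured(text: str) -> dict:
    """Count validated personal-data hits per category in free text."""
    counts = {cat: len(find_matches(cat, text)) for cat in DETECTORS}
    return {cat: n for cat, n in counts.items() if n}


def scan_structured(rows: list) -> dict:
    """Label each column with a category; a column with no label is omitted.

    Value patterns win when a majority of non-empty cells match one category;
    otherwise the column header is checked against HEADER_HINTS.
    """
    labels = {}
    if not rows:
        return labels
    for col in rows[0]:
        cells = [r[col] for r in rows if r.get(col)]
        hits = Counter(cat for v in cells for cat in DETECTORS if find_matches(cat, v))
        if hits and hits.most_common(1)[0][1] * 2 > len(cells):
            labels[col] = hits.most_common(1)[0][0]
            continue
        for cat, hints in HEADER_HINTS.items():
            if any(h in col.lower() for h in hints):
                labels[col] = cat
                break
    return labels


def build_inventory(sources: dict) -> list:
    """One data-map record per source. Purpose, retention and recipients
    cannot be discovered by scanning; they stay None for the manual step."""
    records = []
    for name, (kind, payload) in sources.items():
        if kind == "csv":
            detail = scan_structured(list(csv.DictReader(io.StringIO(payload))))
            categories = sorted(set(detail.values()))
        else:
            detail = scan_unstructured(payload)
            categories = sorted(detail)
        records.append({
            "source": name, "kind": kind, "personal_data": categories,
            "detail": detail, "purpose": None, "retention": None, "recipients": None,
        })
    return records


# Constructed sample inputs (not real records).
SAMPLE_CSV = """customer_id,full_name,email_address,mobile,signup_date
1001,Alice Example,alice@example.com,+44 20 7946 0958,2023-05-01
1002,Bob Sample,bob@example.org,+1 212 555 0134,2023-06-12
"""
SAMPLE_TEXT = ("Ticket #4821: Bob Sample (bob@example.org) reports login failures "
               "from 10.0.0.7; callback number +1 212 555 0134 after 3pm.")
SOURCES = {
    "crm_export.csv": ("csv", SAMPLE_CSV),
    "helpdesk_ticket_4821.txt": ("text", SAMPLE_TEXT),
}

if __name__ == "__main__":
    for rec in build_inventory(SOURCES):
        print(rec["source"], rec["personal_data"], rec["detail"])
```

Two points worth noticing. The phone regex alone would tag the `signup_date` column as phone numbers; the digit-count validator is the kind of pruning a real scanner needs before its output is trusted. And the record deliberately leaves purpose, retention and recipients empty: scanning can show what personal data sits where, but those fields come from the questionnaires and interviews of the manual process.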
GDPR Data Mapping Software Tool
Clarip offers a scanning solution that provides data intelligence on GDPR compliance, data collection, risks, and third-party sharing of information. For a demo of Clarip’s GDPR software, call 1-888-252-5653 or contact us.