What is GDPR Data Mapping?
Data mapping is often referenced as one of the first steps in any GDPR compliance project. However, for those that are new to privacy law, the term can be a bit confusing. Even more experienced professionals may find themselves wondering about the precise contours when asked to prepare a data map. So we are going to dive into the question in more depth here.
The concept of a data map, or data flow map as it is sometimes called, can be tricky even for those who have some experience with data maps, because many organizations do not have appropriate visibility into what information they are collecting, where it is being stored, how it is being used, and who it is being shared with, either internally within the organization or externally with third parties. This is at the heart of the concept in privacy.
What is GDPR data mapping?
In general, data mapping is the process of identifying relationships between data elements. The term is not specific to the world of privacy and may refer to different specific concepts within the more general understanding just laid out above. However, the term is not particularly hard to grasp for most people when considered in the appropriate context. Here are a few of the different contexts where the term is sometimes used:
It can involve the process of connecting data elements between two locations, such as during the transfer or combination of data between two electronic databases. This is often the case in data management, where data elements are mapped between different data models.
It can refer to the process of plotting data points onto a graph or chart by visualization software in order to improve ease of manipulation and understanding. This is usually a more traditional map than the looser reference to the term above.
In the privacy context, data mapping involves development of an understanding of all of the information collected, how it is used within the organization, and where it is stored or shared.
In theory, a data map for data privacy is relatively simple in concept. However, it gets more confusing as the process begins. For example, organizations may send around questionnaires to various business divisions in order to get greater insight into their company’s collection, usage and sharing of personal information and other data. Some organizations gather the responses and consider that the data map. Others attempt to compile the information onto one document, spreadsheet or report.
Why do privacy teams engage in data mapping?
In other words, what is data mapping used for? GDPR went into effect on May 25, 2018. However, many organizations are still struggling to be able to convincingly report that their company is compliant with the terms of the world’s most comprehensive data privacy and security law. For organizations that have not yet developed appropriate visibility into their data collection, usage and sharing, the appropriate step is the creation of a data map.
A GDPR data map creates a record of all of the information that typically flows through the organization. It may be compiled onto a spreadsheet. It may be formatted into a report. Or it could be stored on a computer using powerful visualization software that makes it easy to draw connections between the data. All three are acceptable as a data map as long as it is useful to the organization that created it and provides sufficient insight into its data practices.
Privacy Impact Assessments
Data maps are also created as part of impact assessments to describe the data flows of sensitive information. These maps are more targeted at the data coming into a specific area or product rather than a more comprehensive look moving from data collection to data deletion.
Updates
Organizations that are planning a data map for GDPR should also include in their plan some indication of how the document will be updated once it is completed. The data flowing through an organization is not static; it changes over time. The map needs to be able to change as data usage, sharing and collection change within the organization. If it is not possible to update the map (whether it is once a month or once a quarter), then it will become out of date and the privacy team will stop using it to inform their decision making.