Data mapping and the GDPR

Knowing the who, what, where, why, and when of data collection and processing is essential in complying with the EU General Data Protection Regulation (GDPR), due to be enforced from May 25. Who is accountable for personal data, what data is collected, where is it stored, why is it being stored, and when must it be removed? To answer those questions, it’s important for organizations to review their data flows and produce data maps.

Data flows and data mapping

A data flow is the transfer of information from one location to another. Reviewing this flow means auditing the type of data being held, where the data resides, who ‘owns’ the data, who has access to the data, and who the data is shared with.

However, organizations often aren’t fully aware of the extent of their data flows, simply because they don’t have total visibility over what data is being collected and processed or why this is happening.

That’s where data mapping comes in. This is the process of identifying, understanding, and mapping out data flows. A good data map will provide a comprehensive view of the data flows within, to, and from an organization.

The key elements of any data map are:

  • The information itself (names, card data, biometrics, etc.)
  • The formats in which information is stored (hard copy, digital, etc.)
  • Transfer methods (the way it’s communicated, such as by email or telephone, and whether it’s transferred internally or externally)
  • Locations (offices, the Cloud, third parties, etc.)

Data mapping is an essential part of most robust data protection programs. In terms of the GDPR, it will help controllers achieve compliance with a number of the Regulation’s requirements, including:

  • Article 6: Lawfulness of processing, which requires controllers to be able to demonstrate that their processing activities are performed in compliance with the Regulation.
  • Article 25: Data protection by design, which requires the controller to ensure that, by default, the only personal data that’s processed is that which is necessary for each specific purpose of processing.
  • Article 30: Records of processing activities, which requires organizations to maintain detailed records of their data processing activities and to make those records available to their supervisory authority on request.

Next steps

You can find more information on the Regulation and the steps you can take to ensure your organization is compliant on our GDPR information page. It gives a brief outline of the GDPR and explains its effect on US organizations.

Our website also includes information on the products and services we offer to help you comply with the GDPR. From books, documentation toolkits, and penetration testing services to risk assessment software, training programs, and consultancy options, we have a wide selection of solutions to meet your needs.

Find out more about our GDPR products and services >>