An organization needs to be aware of what personal data it processes, and it needs to know that the data is being processed in accordance with the law. As one of the EU GDPR’s (General Data Protection Regulation) requirements, organizations need to map their data and information flows in order to assess their privacy risks.
Organizations often process much more data than they realize, and it can be left on hard drives and reproduced in different formats, which is why it is vital to conduct data mapping.
To effectively map your data, you need to understand the information flow, describe it, and identify its key elements.
What are the key elements of a data flow map?
- Understand the information flow
An information flow is a transfer of information from one location to another, e.g. from inside to outside the European Union, or from suppliers and sub-suppliers through to customers.
- Describe the information flow
Walk through the information lifecycle to identify unforeseen or unintended uses of the data. This also helps to minimize what data is collected. It is important to make sure the people who will be using the information are consulted on the practical implications. Consider the potential future uses of the information collected, even if it is not immediately necessary.
- Identify its key elements
- Data items (what kind of data is being processed, e.g. name, email address)
- Formats (how is the data being stored, e.g. hard copy, digital, database)
- Transfer method (how do you collect data, e.g. post, telephone, and how is it shared internally and externally)
- Location (where is the data stored, e.g. offices, the Cloud, third parties)
- Accountability (who is responsible for the data, which often changes as the data moves through the organization)
- Access (who has access to the data and for what purposes)
What are the key challenges?
There are three key challenges when mapping data:
- Identifying personal data
Personal data is often stored in multiple locations in a variety of different formats, such as paper, electronic, and audio. You must decide what information you need to record and in what format.
- Identifying appropriate technical and organizational safeguards
Identify the appropriate technology to use, implement policies and procedures, and decide who controls user access to the data.
- Understanding legal and regulatory obligations
Determine what your organization’s legal and regulatory obligations are in addition to the GDPR, including other compliance standards such as the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001.
Free data flow mapping resources
Our free Conducting a Data Flow Mapping Exercise Under the GDPR green paper will help you understand how to effectively map your data and the importance of keeping track of it.
Watch our Conducting a data flow mapping exercise under the GDPR webinar recording. Alan Calder, founder and executive chairman of IT Governance, takes you through the data flow mapping process. The webinar includes a demonstration of the Data Flow Mapping Tool.