A data flow map should be one of the first things your organization produces as you prepare for the EU GDPR (General Data Protection Regulation). It helps you identify whether you store EU residents’ personal data – and therefore whether the Regulation applies to you. It also helps track how information moves through your organization, such as from suppliers and sub-suppliers through to customers, which you can use to ensure GDPR compliance.
You might be surprised at how extensively information travels through your organization, and it all needs to be accounted for. If it isn’t, you are not only at risk of a data breach but are also non-compliant with Article 30 of the GDPR, which requires organizations to maintain detailed records of their data processing activities and make those records available to their supervisory authority upon request.
But data flow maps are about more than being organized and efficient. They also help organizations identify vulnerabilities in the way information is transferred and establish the necessary steps to become secure.
Where to begin?
You should begin your data mapping exercise by identifying the following key elements:
- Data items (e.g. names, email addresses, records)
- Formats (e.g. hard copy forms, online data entry, databases)
- Transfer methods (e.g. post, telephone, internal/external)
- Locations (e.g. offices, the Cloud, third parties)
Each of these come with their own risks, which you’ll need to take note of. For example, databases might be misconfigured and made publicly available, storage devices might be misplaced or used by malicious insiders to create copies of sensitive information, and the Cloud might be rendered temporarily unavailable, hindering the organization’s access to important documents.
Once you’ve listed every risk, you should look for ways to mitigate them. You’ll probably find that many risks can be eradicated by simply cutting back on the amount of data you collect and transfer. This will also help you meet another of the GDPR’s requirements: organizations should collect only as much personal data as necessary and store it for only as long as necessary.
Data flow mapping challenges
It’ll probably be much harder than you anticipate to identify all the data you store, even if you are focusing on the GDPR and personal data. Remember, the Regulation defines personal data as any information that identifies someone or could be used alongside other data to do so.
You might also struggle to identify technical and organizational safety measures. There are several procedures for protecting data, and you’ll need to determine whether the risk is significant enough to be addressed.
Finally, you might also have a hard time interpreting the GDPR’s requirements. Although they are similar in places to current data protection laws, they are much stricter and the penalties for non-compliance are more severe. A data protection officer will be able to provide expert advice, but not all organizations are required to appoint one. Either way, you should commit to GDPR training for anyone who handles personal data.
Want help producing a data map?
This blog has covered the basics of data flow mapping, but you can get more comprehensive advice in our green paper: Conducting a Data Flow Mapping Exercise Under the GDPR. This free guide also outlines data flow mapping techniques, which will help you put your knowledge into practice.
You might also be interested in Vigilant Software’s Data Flow Mapping Tool. It simplifies the mapping process and makes it easy for you to review, revise, and update maps when needed.
The Data Flow Mapping Tool helps you understand the flow of data through your organization.
With this tool, you can create consistent visual representations of the flow of data through all your business processes without having to resort to more time-consuming methods, such as pen and paper or vector graphics.
