Select regional store:

GDPR Data Flow Mapping

Data mapping under the EU GDPR

Under Article 30 of the EU GDPR (General Data Protection Regulation) organisations need to have documentation of their data processing activities. The best way to create this documentation, is to map your data flows. This is also an essential first step for completing a DPIA (data protection impact assessment), which is a mandatory risk assessment for certain types of processing.

It is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

The key elements of data mapping

To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

1. Understand the information flow

An information flow is a transfer of information from one location to another, for example:

  • From inside to outside the European Union; or
  • From suppliers and sub-suppliers through to customers.

2. Describe the information flow

  • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimize what data is collected.
  • Make sure the people who will be using the information are consulted on the practical implications.
  • Consider the potential future uses of the information collected, even if it is not immediately necessary.

3. Identify its key elements

  • Data items

    What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?
  • Formats

    In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?
  • Transfer method

    How do you collect data (post, telephone, social media) and how do you share it internally (within your organization) and externally (with third parties)?
  • Location

    What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?
  • Accountability

    Who is accountable for the personal data? Often this changes as the data moves throughout the organization.
  • Access

    Who has access to the data in question?
  • Lawful basis

    Identify the lawful basis used for processing the personal data.

The key challenges of data mapping

  • Identifying personal data:

    Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic, and audio. Your first challenge is deciding what information you need to record and in what format.
  • Identifying appropriate technical and organizational safeguards

    The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
  • Understanding legal and regulatory obligations

    Your final challenge is determining what your organization’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001. Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.

Free PDF download: Data Flow Mapping Under the GDPR

This free paper will help you understand how to effectively map your data and the importance of keeping track of it all.

Download now

Watch our webinar to find out more about conducting a data flow mapping under the GDPR.

To help organizations understand what a data flow mapping exercise involves, this webinar will discuss: 

  • The GDPR remedies, liabilities and penalties
  • Data flows and identifying the key elements;
  • The benefits of conducting a data mapping exercise;
  • The challenges of data mapping
  • Techniques and best practices for data flow mapping

Map your data and become GDPR compliant with IT Governance

To gain full visibility over the flow of personal data through your organization and meet the requirement to maintain a record of processing activities under Article 30 of the EU GDPR (General Data Protection Regulation), we recommend the Data Flow Mapping Tool.

This tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organization processes and why, where it is held, and how it is transferred. The Data Flow Mapping Tool is a subscription based Cloud-based application, licensed for up to five users and can be accessed via any compatible browser.

Find out more

This website uses cookies. View our cookie policy