A comprehensive data map can prove an invaluable tool in helping you manage your data privacy, but what exactly is a data map and why do you need one? Relentless Data Privacy.
With the GDPR having been in force for over a year now, most businesses have a fairly good grip on what the GDPR means for them.
They’re well aware of the need for a lawful basis to collect and process data. They understand the benefits of hiring a Data Protection Officer (DPO), and whether or not they’re legally obligated to appoint one. They’re also well aware of their responsibilities with regard to international data transfers and, for international organisations offering services to and monitoring EU data subjects, of the need to appoint an EU Representative.
Yet if there’s one aspect of data protection law that still leaves many of those same businesses scratching their heads, it’s data discovery and data mapping. If you’re one of them and still find yourself scrambling to figure out what they are, we’re here to help.
Though it sounds fairly complex, both data discovery and data mapping are pretty simple concepts.
They refer to the process of taking stock of all the data your business collects and processes, then mapping exactly what happens to it and where it goes on its journey through your company and further afield. Relentless GDPR 24/7 is now live and takes it one stage further by producing a visualisation of your data map. It’s a process that proves invaluable for businesses no matter how much, or how little, data they process, tracking the entire lifecycle of that data from the moment it’s collected to the point at which it’s finally deleted.
How to Create a Data Map
In most cases, responsibility for data mapping falls to your Data Protection Officer (DPO) or another designated person with data protection responsibilities. Depending on your circumstances, this person may be an in-house employee or an outsourced data privacy consultant. The extent of your data map will depend on the nature of your business and your data processing activities, but every data map should contain a number of things.
For complex businesses where multiple departments process personally identifiable data, you need to break the mapping down by department. Furthermore, multi-entity global organisations need separate data mapping for each entity within one encompassing portal.
What type of data you collect (email, bank details, address etc.)
Why you’re collecting that data
Whose data you collect
When you collect the data
What legal basis you have for processing the data
Where you store the data
What conditions are in place to protect the data
Which, if any, third-parties you share that data with
Where those third-parties are located
What protocols you follow to protect data during transfers to those third-parties
Why is Data Mapping so Important?
At the most basic level, having a solid data map in place can help to minimise the risk of data breaches and privacy threats by ensuring that no data enters or leaves your organisation without being fully accounted for. Yet there’s more to it than just that.
Article 30 of GDPR states that:
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller
The records…shall be in writing, including in electronic form
The controller or the processor…shall make the record available to the supervisory authority on request.”
In other words, GDPR itself makes it mandatory to map data and make those maps available to supervisory bodies in the 28 member states when requested to do so.
Other useful benefits of data mapping include:
Privacy by Design
While Article 30 may be the most compelling reason for businesses to carry out data mapping, it isn’t the only one. Remember that Article 5 of GDPR establishes the principle of Privacy by Design.
In other words, data protection and privacy should be integrated into the very foundation of your business, rather than bolted on to your activities as an afterthought.
Using data maps from the beginning ensures that you have the proof you need to show that you’ve adopted a culture of Privacy by Design within your business. This can be especially helpful when it comes to creating a Data Protection Impact Assessment (DPIA) for new projects.
A big part of the process of creating a DPIA involves identifying the flow of data through your organisation, as well as identifying the associated risks.
Having a comprehensive data map in place will make this process so much easier for your DPO or other appointed data protection specialist.
Using your data map, your DPO will also have a much easier time of responding to data subject access requests, as this will allow them to quickly and simply pinpoint all the relevant data requested by a subject.
The Relentless GDPR 24/7 portal brings together 11 modules covering all of the above and more, for one monthly price.
Still need more advice or hands-on support with creating a data map for your business? Talk to the data privacy specialists at Relentless. As well as serving as your designated Data Protection Officer, we can help with data discovery, data mapping, and ensuring that your business enjoys frictionless compliance with GDPR and all international data protection laws. Contact us online today to arrange your initial consultation or call now on +44 (0) 121 582 0192.
Art. 27 GDPR Representatives of controllers or processors not established in the Union
Your Questions Answered
Which companies need an EU representative under the GDPR?
Companies that do not have a presence or legal entity in the EU yet sell their products to or provide services to EU residents within the European Union must appoint a representative in the Union if they process personal data (GDPR Art. 27(1)).
The GDPR extends the “territorial” scope of its application to controllers and processors who have their headquarters outside of the European Union. The GDPR also applies to the processing of personal data of individuals residing in the EU, regardless of their nationality (GDPR Art. 3(2)). The focus is therefore not only on where the company is located or where the processing takes place, but on whether the data processed concerns individuals residing in the EU.
Non-EU-based companies that offer and deliver products or services to “data subjects” (i.e. identified or identifiable natural persons) in an EU country need to comply with the requirements stated in the GDPR. The GDPR also applies to services that are offered free of charge. The same applies to non-EU-based companies that monitor the behaviour of EU residents (e.g. the creation of a customer or member profile), provided that the behaviour takes place in the EU.
Whom can companies designate as representative?
Companies can appoint individuals or other companies. The representative can reside or be established anywhere in the EU where relevant data subjects reside; Art. 27(3) does not prescribe a particular member state. The same person or company could serve as representative under Art. 27 and as a data protection officer under Art. 37-39, but companies could also select different persons or entities, in the same or different EU member states.
How do the roles of a representative and data protection officer compare?
A representative under Art. 27 and a data protection officer under Art. 37 have quite different roles, tasks, functions and duties. A data protection officer functions as the long arm of a data protection authority within a company and is intended to foster a compliance culture. The designated representative acts more like a local mailbox. Companies without an establishment in the EU are required under Art. 27 to designate a representative in the EU so that data protection authorities can reach and sanction them more easily and with fewer jurisdictional complications. The representative keeps records of processing activities and is available to receive inquiries and complaints; it has no other active duties.
What are the duties of an EU representative?
The main responsibility of the representative is to operate as the intermediary between the data subjects and the member state supervisory authorities. Therefore, the representative acts on behalf of the controller/processor with regards to their obligations under the GDPR.
In addition, EU representatives must maintain the records of processing activities (GDPR Art. 30(1) and (2)) and, where necessary, make those records available to the supervisory authority (GDPR Art. 30(4)). It is also important to point out that the appointment of a representative in no way replaces or limits the responsibilities of the company located in a country outside of the European Union.
To what extent can the EU representative be held liable?
Appointing a representative in the EU is without prejudice to legal actions that could be initiated against the controller or processor. The representative is therefore responsible for meeting the regulatory obligations when processing personal data of EU residents.
Moreover, a representative may be subject to enforcement actions by data protection supervisory authorities in the event of non-compliance by the controller.
If Article 27 applies to your business and if you fail to appoint a Data Protection Representative you could be fined up to (the greater of) €10,000,000 or 2% of global turnover (Article 84(4)(a)).
How can Relentless Privacy and Compliance Services help?
Relentless Privacy and Compliance Services have four simple steps to be appointed as your EU Representative.
Step One:
To carry out our duties as EU Representative in maintaining records of processing activities for your organisation, we assess your documentation of your processing activities as stipulated in Article 30 of the GDPR and carry out any remedial actions as needed.
We create a copy of the record of processing activities, producing a mapping of your data flows within the Relentless GDPR Portal. We also create the Data Subject Access process in the portal to enable us to answer DSAR requests from your customers and to liaise where necessary with the local supervisory body should the need arise.
Assign a member of your staff as the direct contact point for the organisation for Relentless to communicate with.
Details of our EU Representative Services can be found here
DPO is an acronym for Data Protection Officer, which is a key appointment within your organisation. A DPO is a person who is given formal responsibility for data protection compliance within an organisation, reporting to the CEO. Under the EU’s General Data Protection Regulation (GDPR), some organisations that fall under the requirements will be required to appoint a DPO. Where one is appointed, the GDPR outlines a framework for the roles and responsibilities of the DPO. It is important to note that not all organisations will have to appoint a DPO, and that the DPO will not personally be responsible for an organisation’s non-compliance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or processor of the personal data.
What determines the need to appoint a DPO?
You must appoint a DPO if you are a public authority or body, if your core activities involve the regular and systematic monitoring of individuals on a large scale, or if your core activities involve the processing of sensitive personal data. You will not need a DPO if, for example, you:
Use personal data once or twice a year to promote your local clothes shop
You do need a DPO if, for example, you:
Process patient data on fertility and genetics for a hospital
Process personal data linked to people’s behaviour online for advertising purposes
DPO: The Role Explained
The DPO must be involved, from the outset, in all issues related to data protection compliance. DPOs must monitor the organisation’s compliance and advise the organisation on data protection issues. They need to carry out data protection impact assessments if the organisation is involved in high-risk processing activities. The DPO will also serve as the primary point of contact between the organisation and the supervisory authority responsible for implementing the GDPR. The DPO’s role is therefore extensive: overseeing data protection activities, devising policies and procedures that will enable an organisation to be compliant with the GDPR, monitoring the implementation of these policies and procedures, ensuring staff are trained in data protection and the GDPR, and handling subject access requests for personal data. If a data breach occurs, the DPO is to inform all affected parties and be the point of contact for supervisory authorities. The exact responsibilities of a DPO will vary from organisation to organisation, depending on the collection, storage and processing of personal data taking place. The DPO must have access to the most senior positions in an organisation. They must be autonomous and independent, and they cannot be dismissed for fulfilling their role as DPO.
to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
What are the legal requirements for the DPO role?
The GDPR requires that the DPO operates independently and without instruction from their employer over the way they carry out their DPO tasks. This includes instructions on what result should be achieved, how to investigate a complaint or whether to consult the ICO. Organisations also cannot tell their DPO how to interpret data protection law.
No conflicts of interest
Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations are obliged to ensure that these do not result in a “conflict of interests” with the DPO duties. Most senior positions within an organisation are likely to cause a conflict (e.g. CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).
What qualifications does a DPO need?
The GDPR does not specify the credentials a DPO should have.
Level of expertise – an understanding of how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
Professional qualities – DPOs do not need to be qualified lawyers, but they must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of what technical and organisational measures the organisation has in place, and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules and procedures.
Relentless Privacy and Compliance Services provides DPO Services across 6 global regions.
If being tasked with ensuring your organisation achieves compliance with the General Data Protection Regulation were not difficult enough, putting in place a strategy by which you can manage the GDPR compliance of the people you outsource the processing of your customers’ personal data to (data processors) can seem like the mountain stages of the Tour de France. The monumental shift of accountability and responsibility now placed upon data controllers has changed the landscape of vendor relations for the good of both parties, but more so for the controller.
Together with this shift in responsibility, companies will also need to establish more rigorous due diligence practices for managing their relationships with vendors who act as data processors.
As an example, a global tech company offering cloud SaaS services may act as a controller with regard to its own employees’ data and as a processor with regard to its customers’ data. Under the GDPR, the company would be accountable for the vendors used to manage its EU employee data (in that case, its processors) and the vendors used to manage its EU customer data (in that case, its sub-processors).
Don’t expect vendors to roll out the red carpet when it comes to due diligence; be prepared for push-back when it comes to raising the privacy bar and tightening what is expected and demanded of the vendor when they are entrusted with your customer data.
Make no mistake the task of vendor management is not an easy road and can be resource sapping.
But the organisation’s obligation for compliance with GDPR could not be clearer — the penalties are steep and the collateral public relations and organisational brand damage can have an exponential effect on a company’s performance and balance sheet.
So what is the best and smartest approach to vendor management under GDPR? I hear you say.
Here we outline some best practices for conquering this challenge.
1: What are the legal requirements?
Before sending your team into battle in an attempt to simplify a compliance process and make it more efficient and less resource sapping, you absolutely must have a clear understanding of what the GDPR specifies as obligations for managing the complexity of processor relationships.
Be sure to examine:
Article 28 (1)-(3): Processor Obligations
Article 24(1): Controllers
Article 29: Processing under the authority of the controller or processor, and
Article 46(1): Transfer subject to appropriate safeguards.
After reading through the above it will become glaringly obvious that your organisation cannot just sign on the dotted line and pass valuable assets (your customers’ personal data) over to an outsourced partner for processing without conducting in-depth due diligence. If, in the worst-case scenario, a data breach happens at your data processor’s organisation, the spotlight will always start to shine upon how the data was assigned to the processor and under what conditions. Three vital pillars for controller/processor arrangements are:
2: Controllers must monitor the services provided by the processor during the arrangement.
3: At the end of the arrangement how the controller manages the return and destruction of the personal data the data processor is holding.
If there is a violation or data breach caused by a vendor, your organization will be liable.
The best practices for applying such a wide and inspiring approach to vendor management include:
Identifying the right people, formulating a process for effective communication with vendors, leveraging technology to manage the process, and retaining solid metrics for internal and external compliance purposes.
A first step is to establish who within your organization should be engaged with vendor selection and management. Someone should be accountable within each business unit that utilizes vendors; this may be a senior manager or director of a particular operational business unit or product team. It helps to identify these privacy champions, who are responsible for following company policy on vendor management and for promoting a culture of mindful sharing of data with vendors. While it’s great if you have a formal Vendor Management Department, the best strategy is to form a data privacy centre of excellence team made up of department stakeholders and technical security professionals.
Vendor management cannot be seen purely as a rigorous selection process reviewed only at the contract renewal stage.
Any processing of personal data by a third-party vendor should be in scope for a GDPR-compliant vendor-management process, regardless of the cost of the service being offered, and should be reviewed throughout the lifecycle of the contract.
Vendor Inventory:
Not having a vendor inventory and contract record-keeping repository can be a recipe for disaster.
Many companies struggle with the design and maintenance of a complete inventory of vendors and vendor contracts. This is especially true where there are multi-entity divisional silos across organizations, with no central repository of vendor contracts, and local teams retain copies of vendor contracts locally, unsure whether they are up to date.
Ideally, you’ll want to have a centralized system which will not only track vendor contracts, but will also provide robust reporting to flag vendors who process personal data and could be underperforming.
With the right reporting platform in place, your organization will have superior visibility into your vendor management strategy and roadmap, and should have no problem tracking progress and measuring success or failure. This is key, because you will want to be able to create evidence which demonstrates compliance with GDPR.
Relentless Data Privacy and Compliance have a wide range of services covering all aspects of the GDPR journey.