A comprehensive data map can prove an inavaluable tool in helping you manage your data privacy, but what exactly is a data map and why do you need one? Relentless Data Privacy.
As we approach the one-year anniversary of its arrival, most businesses have a fairly good grip on what GDPR means for them.
They’re well aware of the need for a lawful basis to collect and process data. They understand all the benefits of hiring a Data Protection Officer (DPO), and whether or not they’re legally obligated to appoint one. They’re also well aware of their responsibilities with regards to international data transfers and for International organisations offering services and monitoring EU data subjects the need to appoint an EU Representative.
Yet if there’s one aspect of data protection law that still leaves many of those same businesses scratching their heads, its data discovery and data mapping. If you’re one of them and still find yourself still scrambling to figure out what they are, we’re here to help.
Today, Relentless Data Privacy & Compliance answers your key questions about data mapping and how it can help you achieve frictionless compliance with GDPR.
What Exactly is Data Mapping?
Though it sounds fairly complex, both data discovery and data mapping are pretty simple concepts.
They refer to the process of taking stock of all the data your business collects and processes, then mapping exactly what happens to it and where it goes on its journey through your company and further afield. Relentless GDPR 24/7 launching in late April 2019 takes it one stage forward as it produces a visualisation of your data map.It’s a process that proves invaluable for businesses no matter how much, or how little, data they process, tracking the entire lifecycle of that data from the moment it’s collected to the point at which it’s finally deleted.
How to Create a Data Map
In most cases, the responsibilities for data mapping typically falls to your Data Protection Officer (DPO) or other designated person with data protection responsibilities. Depending on your circumstances, this person may be an in-house employee or an outsourced data privacy consultant. The extensiveness of your data map will depend on the nature of your business and your data processing activities, but all data maps have a number of things that they should contain.
For complex businesses where multiple departments process personal identifiable data you need to break down the mapping by department. Furthermore for multi entity global organisations the need to have seperate data mapping for each entity within one encompassing portal.
- What type of data you collect (email, bank details, address etc.)
- Why you’re collecting that data
- Whose data you collect
- When you collect the data
- What legal basis you have for processing the data
- Where you store the data
- What conditions are in place to protect the data
- Which, if any, third-parties you share that data with
- Where those third-parties are located
- What protocols do you follow to protect data during data transfers to third-parties?
Why is Data Mapping so Important?
At the most basic level, having a solid data map in place can help to minimise the risk of data breaches and privacy threats by ensuring that no data enters or leaves your organisation without being fully accounted for. Yet there’s more to it than just that.
Article 30 of GDPR states that:
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller
The records…shall be in writing, including in electronic form
The controller or the processor…shall make the record available to the supervisory authority on request.”
In other words, GDPR itself makes it mandatory to map data and make those maps available to supervisory bodies in the 28 member states when requested to do so.
Other useful benefits of data mapping include:
Privacy by Design
In other words, data protection and privacy should be integrated into the very foundation of your business, rather than bolted on to your activities as an afterthought.
Using data maps from the beginning ensures that you have the proof you need to show that you’ve adopted a culture of Privacy by Design within your business. This can be especially helpful when it comes to creating a Data Protection Impact Assessment DPIA for new projects.
A big part of the process of creating a DPIA involves identifying the flow of data through your organisational, as well as identifying the associated risks.
Having a comprehensive data map in place will make this process so much easier for your DPO or other appointed data protection specialist.
Using your data map, your DPO will also have a much easier time of responding to data subject access requests, as this will allow them to quickly and simply pinpoint all the relevant data requested by a subject.
Launching in April 2019 Relentless GDPR 24/7 portal which brings together 10 modules covering all of the above and more.
Still need more advice or hands-on support with creating a data map for your business? Talk to the data privacy specialists at Relentless. As well as serving as your designated Data Protection Officer, we can help with data discovery, data mapping, and ensuring that your business enjoys frictionless compliance with GDPR and all international data protection laws. Contact us online today to arrange your initial consultation or call now on +44 (0) 121 582 0192.