A comprehensive data map can prove an invaluable tool in helping you manage your data privacy, but what exactly is a data map and why do you need one? Relentless Privacy & Compliance.
As we have passed the third anniversary of GDPR, most businesses have a fairly good grip on what GDPR means for them.
They’re well aware of the need for a lawful basis to collect and process data. They understand all the benefits of hiring a Data Protection Officer (DPO), and whether or not they’re legally obligated to appoint. They’re also well aware of their responsibilities with regard to international data transfers.
Yet if there’s one aspect of data protection law that still leaves many of those same businesses scratching their heads, it’s data discovery and data mapping.
If you’re one of them and still find yourself still scrambling to figure out what they are, we’re here to help.
What Exactly is Data Mapping?
Though it sounds complex, both data discovery and data mapping are pretty simple concepts.
They refer to the process of taking stock of all the data your business collects and processes, then mapping exactly what happens to it and where it goes on its journey through your company and further afield.
It’s a process that proves invaluable for businesses no matter how much, or how little, data they process, tracking the entire lifecycle of that data from the moment it’s collected to the point at which it’s finally deleted.
How to Create a Data Map
In most cases, the responsibilities for data mapping typically falls to your Data Protection Officer (DPO) or other designated person with data protection responsibilities.
Depending on your circumstances, this person may be an in-house employee or an outsourced data privacy consultant. Specialist data mapping software is available, though in most cases a simple spreadsheet should suffice.
The extensiveness of your data map will depend on the nature of your business and your data processing activities, but all data maps have a number of things that they should contain.
- What type of data do you collect (email, bank details, address etc.)?
- Why you are collecting that data
- Whose data do you collect
- When you collect the data
- What legal basis do you have for processing the data
- Where you store the data
- What conditions are in place to protect the data
- Which, if any, third parties you share that data with
- Where those third parties are located
- What protocols do you follow to protect data during data transfers to third parties?
Why is Data Mapping so Important?
At the most basic level, having a solid data map in place can help to minimise the risk of data breaches and privacy threats by ensuring that no data enters or leaves your organisation without being fully accounted for.
Yet there is more to it than just that.
Article 30 of GDPR states that:
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller
The records…shall be in writing or electronic format
The controller or the processor…shall make the record available to the supervisory authority on request.”
In other words, GDPR itself makes it mandatory to map data and make those maps available to supervisory bodies such as the ICO when requested to do so.
Other useful benefits of data mapping include:
Privacy by Design and by Default
While Article 30 may be the most compelling reason for businesses to carry out data mapping, it isn’t the only one.
Remember that Article 5 of GDPR establishes the principle of Privacy of Design.
In other words, data protection and privacy should be integrated into the very foundation of your business, rather than bolted on to your activities as an afterthought.
Using data maps from the beginning ensures that you have the proof you need to show that you’ve adopted a culture of Privacy by Design within your business. This can be especially helpful when it comes to creating a Data Protection Impact Assessment DPIA for new projects.
A big part of the process of creating a DPIA involves identifying the flow of data through your organisational, as well as identifying the associated risks.
Having a comprehensive data map in place will make this process so much easier for your DPO or other appointed data protection specialist.
Using your data map, your DPO will also have a much easier time responding to data subject access requests, as this will allow them to quickly and simply pinpoint all the relevant data requested by a subject.