How can you be sure that your organisation is compliant with the EU General Data Protection Regulation (GDPR) if you don’t know exactly what data you hold?
You might think it’s impossible to be unaware of data you store, but you’d be surprised. Information has a way of being left on hard drives, appropriated by other departments or reproduced in different formats. All personal data needs to be accounted for to comply with the GDPR, so organisations need to audit and map their data flows.
A data flow map helps organisations identify the information they keep and how it moves from one location to another, such as from suppliers and sub-suppliers through to customers. It covers the type of data being held, where the data resides, who ‘owns’ the data and who the data is shared with.
The key elements of a data map are:
- Data items (e.g. names, email addresses, records)
- Formats (e.g. hard copy forms, online data entry, database)
- Transfer methods (e.g. post, telephone, internal/external)
- Locations (e.g. offices, cloud, third parties)
Complying with the GDPR
Data maps help organisations comply with multiple GDPR requirements:
- Article 6: Lawfulness of processing, which requires controllers to be able to demonstrate that their processing activities comply with the Regulation.
- Article 25: Data protection by design and default, which requires the controller to make sure that personal data is only processed if it meets a specific purpose.
- Article 30: Records of processing activities, which requires organisations to maintain detailed records of their data processing activities and make those records available to their supervisory authority upon request.
Want help creating data flow maps?
Creating a data flow map might seem difficult, but with the right tools and a bit of preparation, the process can be relatively straightforward.
Our Data Flow Mapping Tool simplifies the process, gives you full visibility over the data your organisation holds, and enables you to review, revise and update your data map when needed.
You can find out more about data flow mapping by reading our green paper, Conducting a Data Flow Mapping Exercise Under the GDPR.