The EU General Data Protection Regulation (GDPR) toughens the requirements for organisations to protect the data they process, store and transmit. Data controllers and processors must make sure they collect as little data as necessary, keep it secure, and allow data subjects to access, rectify or erase it on short notice.
To help you do this, you should create a data flow map. Mapping your data flow lets you identify the information that your organisation keeps and how it moves from one location to another, such as from suppliers and sub-suppliers through to customers.
By mapping the flow of data, you’ll be able to review the most effective way of processing data and identify any unforeseen or unintended uses of it.
What’s in a data map?
A data map should identify the following key elements:
- Data items (e.g. names, email addresses, records).
- Formats (e.g. hard copy forms, online data entry, database).
- Transfer methods (e.g. post, telephone, internal/external).
- Locations (e.g. offices, Cloud, third parties).
A data map should also help you see who has access to the data at any given time and who is accountable for it.
Before you begin the process, there are a number of challenges you need to overcome:
- Identifying personal data. This includes any information that identifies or could be used to identify someone. Your first challenge will be reviewing each format in which you store information and locating the personal data in it.
- Identifying technical and organisational safety measures. There will be a number of technological and organisational procedures that protect personal data, and you’ll need to determine who has access to this information.
- Understanding legal and regulatory requirements. Many of the GDPR’s requirements are similar to current data protection laws, but the rules are more extensive in places.
According to our GDPR Report, 27.8% of respondents rely on data audits and data mapping, but as the Regulation approaches, that number should increase significantly.
Alan Calder, IT Governance’s founder and executive chairman, said: “Our research shows that organisations are still planning or have just started to work towards GDPR compliance.”
He added that one of the main challenges organisations face is a lack of appropriate skills and resources. “[R]esults show that professionals are struggling with conducting risk assessments, creating policies and procedures, and conducting a data protection impact assessment or a data audit.”
If you don’t know where to begin with data mapping, take a look at the new Data Flow Mapping Tool from Vigilant Software. It simplifies the process and makes it easy for you to create data flow maps that can be reviewed, revised and updated when needed.
It also helps you identify what personal data your organisation processes, why it’s processed, where it’s held and how it’s transferred.
You may also be interested in our upcoming webinar, Conducting a data flow mapping exercise under the GDPR.
This webinar goes into more detail on what data flow mapping is and what you need to do. It covers:
- The GDPR remedies, liabilities and penalties;
- Data flows and identifying the key elements;
- The benefits of conducting a data mapping exercise;
- The challenges of data mapping; and
- Techniques and best practices for data flow mapping.