With only a few months until the EU General Data Protection Regulation (GDPR) comes into effect, it is vital that your organisation is compliant. One requirement of the Regulation is that organisations map their data flows to assess their privacy risks.
Organisations need to be aware of what personal data they process and ensure this processing is in accordance with the law. As organisations often process much more data than they realise, it’s important to implement data flow maps.
A data flow map identifies in detail the gaps between actual practices and the GDPR’s requirements. It also gives data subjects trust and confidence in how their data is being managed.
To effectively map data, you need to be able to identify its key elements.
- Data items
Data items are the type of data being processed and the categories into which it falls. This includes a person’s name, email, address, health data, criminal records, biometrics and location data.
You must clarify how the data has been collected. Was it collected as a hard copy (paper records) or a digital copy (USB), or is it stored on a database?
- Transfer method
Your organisation will need to look at how the data is being collected and transferred. This could be by post, telephone, social media, within your organisation or with third parties.
It is important to know the locations involved in the data flow. This could be an office, the cloud or a third party.
Who is accountable for the personal data often changes as the data moves through the organisation, so it is important to keep track.
Your organisation will need to know who has access to the data in question.
Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.
The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.
It simplifies the process of creating data flow maps, allowing you to review, revise and update your maps when needed.