As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.
To effectively map your data, you need to understand the information flow, describe it and identify its key elements.
Below we have listed the key elements of data mapping under the GDPR:
- Understand the information flow

  An information flow is a transfer of information from one location to another, for example:
  - From inside to outside the European Union; or
  - From suppliers and sub-suppliers through to customers.

- Describe the information flow
  - Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
  - Make sure the people who will be using the information are consulted on the practical implications.
  - Consider the potential future uses of the information collected, even if it is not immediately necessary.

- Identify its key elements
  - What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?
  - In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?
  - How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?
  - What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?
  - Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.
  - Who has access to the data in question?
You can also find out more about conducting a data flow mapping exercise under the GDPR with our upcoming webinar in October.