A data flow map should be one of the first things your organisation produces as you prepare for the EU General Data Protection Regulation (GDPR). It helps you identify all the information you hold and how it transfers from one location to another, such as from suppliers and sub-suppliers through to customers.
You might be surprised at how often your information is copied or transferred, which is why the GDPR makes it such a top priority. If any personal data is unaccounted for, you are not only at risk of a data breach but are also non-compliant with Article 30 of the GDPR, which requires organisations to maintain detailed records of their data processing activities and make those records available to their supervisory authority upon request.
But data flow maps are about more than being organised and efficient. They also help organisations identify vulnerabilities in the way information is transferred and establish the necessary steps to become secure.
Where to begin?
You should begin your data mapping exercise by identifying the following key elements:
- Data items (e.g. names, email addresses, records)
- Formats (e.g. hard copy forms, online data entry, database)
- Transfer methods (e.g. post, telephone, internal/external)
- Locations (e.g. offices, Cloud, third parties)
Each of these comes with its own risks, which you’ll need to take note of. For example, databases can be misconfigured and made publicly available, storage devices can be misplaced or used by malicious insiders to create copies of sensitive information, and the Cloud could be rendered temporarily unavailable, hindering the organisation’s access to important documents.
Once you’ve listed every risk, you should look for ways to mitigate them. You’ll probably find that you can eradicate many risks by simply cutting back on the amount of data you collect and transfer. This will also help you meet another of the GDPR’s requirements: organisations should collect only as much data as necessary and store it for only as long as necessary.
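As an added example (not from the original post or from any vendor tool), the four elements above can be recorded as a small register and checked automatically: data that appears in a flow but not in your inventory (unaccounted for), inventory items with no recorded flow, items that end up at the Cloud or a third party, and transfers by post or telephone. The organisation, locations and register entries are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed, hypothetical register: (data items, format, transfer method, from, to).
REGISTER = [
    ({"name", "email"},          "online form", "internal",  "website",      "crm database"),
    ({"name", "email", "phone"}, "database",    "external",  "crm database", "cloud backup"),
    ({"name", "postal address"}, "hard copy",   "post",      "crm database", "fulfilment partner"),
    ({"phone"},                  "hard copy",   "telephone", "call centre",  "crm database"),
]
EXTERNAL = {"cloud backup", "fulfilment partner"}   # Cloud and third-party locations (assumed)
UNPROTECTED = {"post", "telephone"}                 # no technical control in transit (assumed)

def item_graph(register):
    """Map each data item to the directed flows (src, dst, method) that carry it."""
    edges = defaultdict(list)
    for items, _fmt, method, src, dst in register:
        for item in items:
            edges[item].append((src, dst, method))
    return edges

def reachable_locations(edges, item, start):
    """Every location `item` can reach from `start`, following only flows that carry it."""
    seen, queue = {start}, deque([start])
    while queue:
        loc = queue.popleft()
        for src, dst, _method in edges[item]:
            if src == loc and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def audit(register, inventory):
    """Compare the flow register with the items the organisation believes it holds."""
    edges = item_graph(register)
    report = {
        "unrecorded": set(edges) - set(inventory),   # carried by a flow, missing from inventory
        "unmapped": set(inventory) - set(edges),     # in inventory, but no flow recorded
        "external": {},                              # item -> external locations it reaches
        "unprotected": [(src, dst, method, sorted(items))
                        for items, _f, method, src, dst in register if method in UNPROTECTED],
    }
    for item, flows in edges.items():
        # Origins are locations that no flow for this item feeds into.
        origins = {s for s, _d, _m in flows} - {d for _s, d, _m in flows}
        reached = set().union(*(reachable_locations(edges, item, o) for o in origins))
        if reached & EXTERNAL:
            report["external"][item] = sorted(reached & EXTERNAL)
    return report
```

Anything in `unrecorded` is the Article 30 gap the post warns about; `external` and `unprotected` are the transfers to examine first when listing risks.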
Data flow mapping challenges
It’ll probably be much harder than you anticipate to identify all the data you store, even if you are focusing on the GDPR and personal data. Remember, the Regulation defines personal data as any information that identifies someone or could be used alongside other data to do so.
You might also struggle to identify the technical and organisational security measures that apply. There are several procedures for protecting data, and you’ll need to determine who has access to each item of information. Anyone with access poses a risk, and it’s up to the organisation to determine whether that risk is significant enough to be addressed.
Finally, you might also have a hard time interpreting the GDPR’s requirements. Although they are similar in places to current data protection laws, they are much stricter and the penalties for non-compliance are more severe. A data protection officer will be able to provide expert advice, but you should also commit to GDPR training for anyone involved in handling personal data.
Want help producing a data map?
This blog has covered the basics of data flow mapping, but you can get more comprehensive advice by reading Conducting a Data Flow Mapping Exercise Under the GDPR. This free green paper also outlines data flow mapping techniques, which will help you put your knowledge into practice.
You might also be interested in Vigilant Software’s Data Flow Mapping Tool. It simplifies the mapping process and makes it easy for you to review, revise and update maps when needed.
The Data Flow Mapping Tool helps you understand the flow of data through your organisation.
With this tool, you can create consistent visual representations of the flow of data through all your business processes without having to resort to more time-consuming methods, such as pen and paper or vector graphics.