Data Mapping and GDPR Compliance – What Your Business Needs to Know
A complete data map is a valuable tool for managing data privacy, but what exactly is a data map and why do you need one?
Now that we have passed the third anniversary of the GDPR, most businesses have a good understanding of what it means for them.
They are well aware of the need for a legal basis for collecting and processing data. They understand the benefits of appointing a Data Protection Officer (DPO), and whether or not they are legally obliged to appoint one. They are also well aware of their responsibilities when it comes to international data transfers.
Yet if there’s one aspect of data protection law that still leaves many of these same companies scratching their heads, it’s data discovery and mapping.
If you are one of them and are still unsure what they are, we’re here to help.
Today, Formiti answers your key questions about data mapping and how it can help you achieve frictionless compliance with GDPR.
What exactly is data mapping?
Although it sounds complex, data discovery and data mapping are fairly straightforward concepts.
They refer to the process of taking stock of all the data your business collects and processes, and then mapping out exactly what happens to it and where it goes, within your business and beyond.
This process is proving invaluable to businesses no matter how much or how little data they process, because it tracks the entire life cycle of that data, from the moment it is collected until it is finally deleted.
How to create a data map
In most cases, responsibility for data mapping rests with your Data Protection Officer (DPO) or another designated person with data protection responsibilities.
Depending on your situation, this person may be an internal employee or an external data privacy consultant. Specialized data mapping software is available, although in most cases a simple spreadsheet should suffice.
The extent of your data map will depend on the nature of your business and your data processing activities, but every data map should record at least the following:
- What types of data you collect (email addresses, bank details, postal addresses, etc.)
- Why you collect this data
- Who you collect the data from
- When you collect the data
- What legal basis you have for processing the data
- Where you store the data
- What safeguards are in place to protect the data
- Which third parties, if any, you share this data with
- Where those third parties are located
- What protocols you follow to protect the data when transferring it to those third parties
Why is data mapping so important?
At the most basic level, building a thorough data map helps minimize the risk of data breaches and privacy threats by ensuring that no data enters or leaves your organization without being fully accounted for.
Yet there is more to it.
Article 30 of the GDPR states that:
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller
The records… shall be in writing, including in electronic form
The controller or the processor […] shall make the record available to the supervisory authority on request.”
In other words, the GDPR itself makes it mandatory to map your data and to make those maps available to supervisory authorities such as the ICO when asked to do so.
Other useful benefits of data mapping include:
Privacy by design and by default
While Article 30 may be the most compelling reason for businesses to carry out data mapping, it is not the only one.
Remember that Article 25 of the GDPR establishes the principle of data protection by design and by default.
In other words, data protection and privacy should be built into the very foundations of your business, rather than bolted onto your operations after the fact.
Using data maps from the start gives you the evidence you need to show that you have embraced a culture of privacy by design within your business. This is particularly useful when it comes to producing a Data Protection Impact Assessment (DPIA) for a new project.
A big part of the process of creating a DPIA is identifying the flow of data through your organization, as well as identifying the associated risks.
Having a complete data map in place will make this process much easier for your DPO or other designated data protection specialist.
Your data map will also make it much easier for your DPO to respond to data subject access requests (DSARs), because it lets them quickly locate all the data relating to the person making the request.
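As an added worked example (our own illustration, not Formiti’s tooling or a template from any regulator), the following Python script shows how the fields listed under “How to create a data map” can be held as one record per processing activity, how the map can be checked for gaps such as a missing legal basis or a third-party transfer with no documented transfer protocol, and how the same map answers the question a data subject access request raises: where does data of a given type live? The sample records, the field names and the set of “home” locations that do not trigger a transfer check are constructed assumptions for the example.

```python
"""Data-map (record of processing activities) completeness checker.

Added example, not Formiti's tooling. One ProcessingRecord per processing
activity, holding the fields a data map should capture. check_record() flags
unanswered fields and third-party transfers that leave the organisation's
home territory without a documented transfer protocol; locate_data() lists
where data of a given type is held, which is the first step of a DSAR.
"""
from dataclasses import dataclass, field


# Locations treated as not needing an extra transfer safeguard. This set is an
# assumption for the example; confirm the position for your own jurisdiction.
HOME_LOCATIONS = {"UK", "EEA"}

# Fields every row of the map must answer (blank or empty means a gap).
REQUIRED_FIELDS = (
    "data_types", "purpose", "data_subjects", "collected_when",
    "legal_basis", "storage_location", "safeguards",
)


@dataclass
class ThirdParty:
    name: str
    location: str
    transfer_protocol: str = ""  # empty string = nothing documented


@dataclass
class ProcessingRecord:
    activity: str
    data_types: list[str] = field(default_factory=list)
    purpose: str = ""
    data_subjects: str = ""
    collected_when: str = ""
    legal_basis: str = ""
    storage_location: str = ""
    safeguards: list[str] = field(default_factory=list)
    third_parties: list[ThirdParty] = field(default_factory=list)


def check_record(rec: ProcessingRecord) -> list[str]:
    """Return readable gaps for one row; an empty list means the row is complete."""
    issues = []
    for name in REQUIRED_FIELDS:
        if not getattr(rec, name):
            issues.append(f"{rec.activity}: '{name}' is not documented")
    for tp in rec.third_parties:
        if not tp.location:
            issues.append(f"{rec.activity}: location of {tp.name} is unknown")
        elif tp.location not in HOME_LOCATIONS and not tp.transfer_protocol:
            issues.append(
                f"{rec.activity}: transfer to {tp.name} in {tp.location} "
                "has no documented transfer protocol"
            )
    return issues


def check_data_map(records: list[ProcessingRecord]) -> list[str]:
    """All gaps across the map, in row order."""
    return [issue for rec in records for issue in check_record(rec)]


def locate_data(records: list[ProcessingRecord], data_type: str) -> list[tuple[str, str]]:
    """(activity, storage_location) pairs that hold the given data type."""
    return [
        (rec.activity, rec.storage_location)
        for rec in records
        if data_type in rec.data_types
    ]


# Constructed sample map: one complete activity and one with two gaps.
SAMPLE_MAP = [
    ProcessingRecord(
        activity="newsletter",
        data_types=["email"],
        purpose="send marketing newsletter",
        data_subjects="subscribers",
        collected_when="sign-up form",
        legal_basis="consent",
        storage_location="CRM (EEA region)",
        safeguards=["encryption at rest", "role-based access"],
        third_parties=[ThirdParty("MailVendor", "EEA")],
    ),
    ProcessingRecord(
        activity="payroll",
        data_types=["bank details", "address", "email"],
        purpose="pay staff",
        data_subjects="employees",
        collected_when="onboarding",
        legal_basis="",  # gap: no legal basis recorded
        storage_location="HR system (UK)",
        safeguards=["encryption at rest"],
        third_parties=[ThirdParty("PayrollCo", "US")],  # gap: no transfer protocol
    ),
]


if __name__ == "__main__":
    for issue in check_data_map(SAMPLE_MAP):
        print("GAP:", issue)
    print("email is held in:", locate_data(SAMPLE_MAP, "email"))
```

Run as-is the script reports the two gaps in the constructed payroll row and lists both activities as holding email addresses. A real map would load rows from the spreadsheet or tool your DPO maintains rather than from the inline sample, and the check would run whenever a new processing activity or vendor is added.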