What is Data Mapping for GDPR?
Data mapping also referred to as a data inventory is the way in which Company’s can map out the flow of data within their company. A data map will contain the different categories of data that are used by different business sections in a company and how that data is processed and shared within the company and with external parties.
Why should my company create a data map for the GDPR?
A data map will not only allow you to comply with many of the GDPR requirement it can also be a valuable business asset. It can help company’s to improve business processes, IT systems and use data in a way that’s beneficial for the business.
If you don’t understand what data you hold, where it comes from and where it flows to you will never be in a position to meet your GDPR requirements.
A well planned and structured data map will let a company meet with the following GDPR requirements
- The requirement to maintain detailed records of a company’s data processing activities and to
make these records available to supervisory authorities on request.
- The accountability requirement according to which controllers must ensure and be able to
demonstrate that their processing activities are performed in compliance with the GDPR
- The data protection by design and by default requirements.
- The Subject Access requirements
GDPR Data Map How To!
When planning for the GDPR your first steps should include data mapping. While there are many ways and many tools available to do this I suggest the following.
- Set up a Data Mapping Project and identify team members from each business section in your company.
- Break your business down into functions e.g. HR, IT, Sales, Suppliers, Customers.
- List all the systems that deal with Personal Data for each of the Business Functions you have identified.
- Create a Spread Sheet detailing Personal Data for each of the systems with GDPR specific data.
GDPR Specific Data Requirements.
You will need to take the following into account when you are detailing personal data, add a column to your spreadsheet for each of the following:
- Business Function
- Business System
- Process Purpose
- Personal Data Processed
- Personal Data Categories
- Processing special category data basis
- Individuals Categories
- Recipients Categories
- Data Retention period
- Legal Basis for Processing
- Legitimate interests for processing
- Rights available to Data Subjects
- Security Measures
- Joint Controller Details
- Data Shared with Third Parties
- Safeguards for Transfers to Third Parties
- Automated Decision Making or Profiling
- Source of Personal Data
- Record of consent
- DIPA Process