GDPR Data Mapping: The Definitive Guide
GDPR data mapping
Gartner predicts by 2023, 65% of the world's population will be under a modern privacy law.
It started with the passing of GDPR in 2016, followed by CCPA in California, LGPD in Brazil while China & India have their draft privacy bills out.
Privacy laws across the world put obligations on how businesses use or handle data and have penalties in case an individual’s privacy or security is breached. A starting point for compliance is to know what data you are processing. Data Mapping is the process of finding out answers to these questions:
- Why do I process data?
- What data do I process?
- Where do you process data?
With answers to these questions, you know the right risk exposure of your company to these laws, you also know what are the systems or applications where data including sensitive data is stored and link it to a legal basis in the privacy laws.
Although data mapping was done by businesses to comply with GDPR, it’s a starting point for compliance with any privacy law and a foundation for your privacy program. Data Mapping is also a major control in frameworks like NIST Privacy Framework, ISO 27701 and can help you get those certifications.
Table of Contents
- What is data mapping?
- Benefits of data mapping
- Precursor to a successful data mapping
- Best practices for data mapping
- Creating GDPR Article 30 Reports
- Tools for GDPR Data Mapping
- Steps to ensure data maps are updated
What is Data Mapping?
Data Mapping is the process of finding out how your organization uses data. It starts by answering these questions:
Getting answers to these questions should get you a complete picture of how data is flowing across your organization. You should be able to create a data flow mapping diagram like the following:
Benefits of data mapping
- Bird’s eye view of data processing: You can’t protect what you don’t know. By doing data mapping you will get a clear picture of your company's use of data, privacy risks and a list of processes, systems and third parties where you can prioritize security safeguards.
- Identify privacy risks: At the end of data mapping exercise, you should be able to search any processing activity where a special category of data is being used or if legal basis is legitimate interest and you haven't done legitimate interest analysis. These privacy risks and gaps can then be taken up by you.
- Identify cross-border transfers: Using location of systems & vendors which are linked to your processing activities, you can easily identify cross-border transfers and mitigate the same by applying appropriate safeguards like a standard contractual clause.
- Prioritize security safeguards: Once you finish data mapping, you will realize you have a lot of systems and vendors used for data processing. Protecting all of them at the same level is a time consuming and costly process, by using categories of data or individual type you can easily prioritize security safeguards for these systems & vendors. For example, a vendor which is processing payroll information needs more protection & a more thorough risk assessment than someone who just has email addresses.
- Manage DSARs and individual rights: Another benefit of data mapping is that you get a list of assets, vendors with their owners where data of a specific individual is stored. For data mapping example, if you get a deletion request from a customer, you can filter to get the list of assets & vendors which have data of a customer and ask owners to delete the same.
- Comply with data processing principles of GDPR: When you have a list of processing activities, you can easily audit them against the GDPR principles of lawfulness, fairness and transparency.
- Generate Article 30 Reports: Key outcome of data mapping is that you get a Record of Processing Activities or GDPR Article 30 report. This can be maintained and shared with the regulatory authorities on request. We have covered the requirements of Article 30 Report in the Report section.
Precursor to a successful data mapping
Data mapping done right has a lot of benefits but it’s important to realize that it is an exercise which requires resources from multiple people in an organization. We have detailed some key steps to make your data mapping exercise successful:
Best Practices for Data Mapping:
Creating Record of Processing Activity(ROPA) or GDPR Article 30 report
If you are an organization based in the EU and you complied with the 1995 directive, you should be already familiar with data mapping. The 1995 directive required registering processing activities with local DPAs. With the implementation of GDPR, an organization does not need to report its processing activities to the DPA. Instead, it must maintain an internal record and keep it available for review by a supervisory authority. This internal record is termed as “record of processing activities'' or Article 30 report. There are different requirements for data controllers and data processors, given in Article 30(1) and 30(2) respectively.
For controllers, Article 30 states that the controllers should maintain the following records as a minimum:
- Controller's name and contact details, along with joint controller if applicable
- Purpose(s) of processing
- Description of categories of data subjects and categories of personal data
- Categories of third parties with whom data has been or will be disclosed, including recipients in third countries or international organizations
- If a controller is transferring personal data to a third country or an international organization, such country/organizations should be identified, and safeguards should be documented.
- Expected time limits for erasure of the different categories of data
- Description of technical and organizational security measures (Article 32(1))
Requirements for processors, given in Article 30(2) cover the processor's information, categories of processing for each controller, along with fifth and seventh bullet points from the list mentioned above. These records can be maintained in electronic form, and a controller/processor's representative shall make them available to a supervisory authority as and when requested.
Tools for GDPR Data Mapping
You are most likely to use tools & templates such as gdpr data mapping template in spreadsheets and Microsoft Visio to start data mapping and for maintaining data records and visualizing data flow. Without a doubt, they are great tools in their rights, but you will soon find challenges to manage data & may come across challenges such as:
- Lack of compatibility between Excel and Visio: If you update your processing activities, you will also need to update your data flow mapping diagram(s).
- Lack of automation: Generating reports, finding gaps will take a lot of time
- Management Dashboard: Presenting benefits of data mapping to the management will require you to create a lot of visual reports manually
- Searching, sorting and Filtering: For prioritizing assets, processes or vendors where risks exist you will need to search or sort by data categories, individual type or legal basis. Doing this in excel will take a lot of time and manual efforts.
We have built Privado’s data mapping solution after struggling with spreadsheets and visio for data mapping which automates all your manual tasks and generates reports in one click. You can choose any of our assessments from our library of over 100 privacy & security questionnaires and assign it to any of our team members. Once you get the response, we automatically draw data flow diagrams, find compliance gaps and risks for you and make it very easy for you to prioritize by letting you search, sort and filter.
Steps to ensure data maps are updated
Companies are dynamic, each month your team will like to do more by adding some features to the product, extending the scope of the vendor you chose or changing data collection of an existing process. It is important for you to have a process to ensure your data maps are updated and are not in point in time. We recommend the following two things:
- Assessments for new changes: We recommend you to do a Privacy Threshold Assessment and based on responses either do a PIA or DPIA based on certain triggers. The responses to these assessments should update your data maps by creating a new process or updating an existing one.
- Reviews of existing process: You should also send a bi-annual or annual review assessments to the owners of processes and capture any changes made in your data maps.
You can use Privado’s data mapping tool for automating these assessment workflows and ensure your data maps are always updated. You can also schedule a call with an expert to discuss your data mapping strategy.