Data mapping creates a visual overview of all the data an organisation collects and stores, giving insight into the risks associated with each data type and storage location. As an integral part of the journey towards General Data Protection Regulation (GDPR) compliance, data mapping helps organisations understand what data is being collected, where it is stored and the conditions under which it is stored. Data mapping, also known as building a data inventory, can be a challenging exercise, particularly where there is no existing central map of personal data or where operations span multiple locations.
GDPR applies from 25 May 2018. The product of four years of work by the EU, it replaces the original EU Data Protection Directive of 1995 and reflects the dramatically different technological and social environment we now live in. GDPR aims to strengthen the fundamental rights and freedoms of individuals in the EU and holds organisations accountable for the protection of their personal data. Data mapping helps organisations meet aspects of GDPR compliance by identifying and addressing potential privacy issues and risks to the confidentiality, integrity and availability of the data held.
Data mapping should cover:
- What data is being collected? Does it fall under ‘special category’ data?
- How is data collected and from where? E.g. via a website, an event sign up or from a call centre
- What is the lawful basis for processing? If it is consent, has the data subject actually given it (explicit consent is required for ‘special category’ data)? Who has overall responsibility for the personal data?
- Where is data stored and who has access to the data?
- What security measures are in place to protect the data? Does it have appropriate technical and organisational safeguards?
- How is data shared? Is it encrypted in transit? Anonymised or pseudonymised? Is it transferred outside the UK or the EEA?
- Are any third-party organisations involved?
- How long is data kept? Does it follow data retention policies?
As an organisation-wide exercise, the key departmental managers who handle or process personal data, such as those in operations, finance, HR and marketing, should all be included. The support of the senior management team is also an important success factor, ensuring that data protection is placed firmly at the top of the agenda.
Record keeping has always been an important part of the Data Protection Act, but under GDPR (Article 30) there are enhanced requirements to fully document processing activities. Records must cover the purposes of processing, data sharing and retention policies, and can be requested at any time by the supervisory authority. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).
The increased control and visibility that the data mapping exercise provides will help facilitate GDPR compliance and enable organisations to meet other GDPR obligations, such as Data Protection Impact Assessments (DPIAs) and responding to Subject Access Requests.
Outside of GDPR compliance, data mapping can bring additional operational efficiencies to an organisation: removing excess and unnecessary processes and procedures helps to streamline operations. Finally, strategic data-led decision making should also become more accurate, because the data it relies on is accurate and accessible.