How Does Personal Data Flow Through Your Organization?
GDPR compliance is challenging for many organizations, not least because it often requires an expensive and disruptive restructuring of IT systems and work practices. It is also complex: the legal wording that describes it can seem impenetrable or vague. Where do you start?
At the very core of GDPR compliance is data mapping: the process of finding, consolidating, analyzing and recording personal data together with all the relevant details attached to it (where it came from, why it is held, who it goes to, how long it is kept). Only when this is done can the data flow be managed efficiently. Knowing where personal data actually lives is also the precondition for protecting it, so data flow mapping underpins breach prevention and feeds several other areas of GDPR compliance.
The idea of reining in vast amounts of wayward data seems daunting. Still, ready-made solutions are available for many businesses and organizations. Good GDPR compliance software should include data-mapping tools and is often well suited to small and mid-sized enterprises (SMEs).
Dissecting the Data Flow
It’s all very well talking about data flow mapping, but what data are we talking about here? GDPR Article 30 sets out what organizations must document in their records of processing activities. Requirements differ slightly between data controllers and processors (a processor records the categories of processing it carries out for each controller rather than the purposes), but the records should include the following:
- Name and contact details of your organization
- Name and contact details of the data protection officer (DPO) where applicable
- Name and contact details of controllers (if you are a processor) or joint controllers
- Name and contact details of your representative in the EU, if your organization is established outside the EU (Article 27)
- Purposes of data processing (if you are a controller)
- Categories of individuals (different types of people whose data you are processing)
- Categories of personal data you process (e.g. financial, health)
- Categories of recipients of personal data, including credit reference agencies or governmental departments
- Retention schedule for different data types; how long you will keep data for
- Transfers of personal data to third countries or international organizations, identifying the destination and, for exceptional transfers under Article 49(1), documenting the safeguards in place
- A general description of the technical and organizational security measures in place, such as encryption, multi-factor authentication or staff training
Data Mapping Feeds Other Areas of Compliance
By seeing how data flows through their business, companies can assess privacy risks and see opportunities for improvement in the way they work. Data mapping is an ongoing, perpetual process which feeds into various areas of GDPR compliance.
Data Duration and Deletion
Under GDPR, data subjects have the right to erasure (the “right to be forgotten”) in certain circumstances. In other words, they can ask that you erase their personal data. You cannot meet that obligation with any confidence if you don’t know everywhere the data is stored.
GDPR also limits how long you may keep personal data: no longer than is necessary for the stated purposes (the storage limitation principle). For that reason, companies should regularly sweep for data that has passed its retention period. Good data-mapping software lets you find such data quickly.
A personal data flow diagram shows the journey of each data set at a glance: the point of collection, how the data moves through the organization, and where it ends in deletion. Where data held in backups cannot practically be deleted on request, the organization must be able to document what it has done instead, for example putting the data beyond use until the backup is overwritten on its normal cycle, because the accountability principle requires being able to demonstrate compliance.
A key requirement of GDPR (data minimization) is that only the data necessary for the stated purpose should be collected and stored. Data mapping lets organizations assess whether this is the case. Consolidating data so that it doesn’t reside on many devices, PCs and servers helps to meet this aim. Good data management starts with data mapping.
Reporting a Breach
According to Article 33 of GDPR, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification must describe the nature of the breach, including the categories and approximate number of data subjects and records concerned, its likely consequences, and the measures taken or proposed to address it. All of this is much easier to supply if the journey of each data set is carefully charted.
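To make the preceding sections concrete, here is an added example in Python, written for this page; it is not code from the original article, and it is not the data format of PrivIQ or any other product. It encodes the Article 30 record fields listed earlier as keys of a small machine-readable data map, populates it with a constructed inventory for a fictional SME (every activity, system, recipient and date is made up), and runs three checks a practitioner would want: required record fields that are missing, third-country transfers with no documented safeguard, records held past their retention period (the sweep described under Data Duration and Deletion), and which activities a compromised system touches (the scoping detail an Article 33 notification needs). The "systems" field and the `RECORDS` list are assumptions added to link the legal record to where data actually sits.

```python
from datetime import date, timedelta

# Record-of-processing fields a controller must keep under Article 30(1),
# paraphrased as keys. Organisation-level items (controller, DPO and
# representative contact details) are held once, not per activity.
REQUIRED_FIELDS = {
    "activity", "purpose", "subjects", "categories", "recipients",
    "retention_days", "transfers", "security",
}

# Constructed sample inventory for a fictional SME acting as controller.
# "systems" is not an Article 30 item but is what makes the map queryable.
DATA_MAP = [
    {
        "activity": "payroll",
        "purpose": "paying staff and reporting tax",
        "subjects": ["employees"],
        "categories": ["contact", "financial"],
        "recipients": ["payroll bureau", "tax authority"],
        "systems": ["hr-db", "nightly-backup"],
        "retention_days": 6 * 365,
        "transfers": [],
        "security": ["encryption at rest", "MFA"],
    },
    {
        "activity": "newsletter",
        "purpose": "marketing emails to subscribers",
        "subjects": ["subscribers"],
        "categories": ["contact"],
        "recipients": ["email service provider"],
        "systems": ["crm", "nightly-backup"],
        "retention_days": 2 * 365,
        "transfers": [{"country": "US", "safeguard": None}],  # gap to flag
        "security": ["MFA"],
    },
    {
        "activity": "support tickets",
        "purpose": "resolving customer issues",
        "subjects": ["customers"],
        "categories": ["contact"],
        "systems": ["helpdesk"],
        # recipients, retention, transfers and security never documented
    },
]

# Constructed stored records; in practice these come from the systems
# themselves (row timestamps, object metadata, mailbox dates, ...).
RECORDS = [
    {"activity": "payroll", "ref": "emp-001", "collected": date(2015, 1, 10)},
    {"activity": "payroll", "ref": "emp-002", "collected": date(2021, 3, 4)},
    {"activity": "newsletter", "ref": "sub-9", "collected": date(2018, 6, 1)},
    {"activity": "newsletter", "ref": "sub-10", "collected": date(2021, 6, 1)},
]

# Reference date for the sweep (constructed, so results are reproducible).
AS_OF = date(2022, 1, 1)


def missing_fields(entry):
    """Required record-of-processing fields that an activity entry lacks."""
    return sorted(REQUIRED_FIELDS - set(entry))


def unsafeguarded_transfers(data_map):
    """(activity, country) pairs for transfers with no documented safeguard."""
    return [(e["activity"], t["country"])
            for e in data_map
            for t in e.get("transfers", [])
            if not t.get("safeguard")]


def retention_sweep(data_map, records, today):
    """(activity, ref) pairs held longer than the activity's retention period."""
    limits = {e["activity"]: e.get("retention_days") for e in data_map}
    overdue = []
    for r in records:
        limit = limits.get(r["activity"])
        if limit is None:
            continue  # no retention documented: missing_fields() reports that
        if today - r["collected"] > timedelta(days=limit):
            overdue.append((r["activity"], r["ref"]))
    return overdue


def breach_scope(data_map, system):
    """Activities that touch a compromised system, with the categories of
    data subjects, data and recipients that an Article 33 notification needs."""
    return {
        e["activity"]: {
            "subjects": e["subjects"],
            "categories": e["categories"],
            "recipients": e.get("recipients", []),
        }
        for e in data_map if system in e.get("systems", [])
    }


if __name__ == "__main__":
    for e in DATA_MAP:
        gaps = missing_fields(e)
        if gaps:
            print(f"{e['activity']}: record incomplete, missing {gaps}")
    print("transfers without safeguards:", unsafeguarded_transfers(DATA_MAP))
    print("overdue for deletion:", retention_sweep(DATA_MAP, RECORDS, AS_OF))
    print("scope if nightly-backup is lost:", breach_scope(DATA_MAP, "nightly-backup"))
```

The point of the structure is that one record serves all four questions: the same entry that satisfies Article 30 also tells you what to delete, what needs a transfer mechanism, and what to put in a breach notification when a named system is lost. The checks are only as good as the inventory feeding them, which is why the text stresses that mapping is an ongoing process rather than a one-off exercise.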
Responding to SARs
Data subjects have a right of access to their data under GDPR, which they exercise through a subject access request (SAR). A response must supply not only a copy of the data but also details such as the purposes of processing, the categories of data, the recipients, the retention period and the source of the data. Gathering all of this within the one-month time limit is made much easier by data mapping.
Generating Privacy Notices
Aside from helping companies control data and supply information to various parties, data-mapping software can in some cases generate privacy notices. These include much of the information listed above in this article, such as the data controller’s contact details, the types of data and the purposes of collection, who the data is shared with, retention periods and so on.
Generating Processor Contracts
One of the main changes GDPR made was to make everyone in the data-handling chain accountable. To that end, a contract (or other binding legal act) must always exist between a controller and its processors (often third-party companies), as required by Article 28. It sets out the obligations of both parties as well as the subject matter and duration of the processing, its nature and purpose, the types of personal data and the categories of data subjects. Data-mapping tools can sometimes generate such a contract.
Data Mapping Challenges
Data mapping provides a solid foundation for GDPR compliance, but it calls other areas of operation into question. Data controllers need an understanding of security and ways of safeguarding data through access control and encryption. Legal and regulatory obligations outside of GDPR can complicate the route to compliance, too.
Still, much can be learned by studying the life cycle of data and seeing the various ways it has been used, sometimes unexpectedly. Data mapping is educational.
Remember that much of the expertise you need for GDPR may be found in off-the-shelf solutions. Software such as PrivIQ offers formidable data-mapping capabilities and works well for smaller companies. If you haven’t done so already, get the data-mapping process underway and take a big step towards GDPR compliance!