The Data Mapping Monster
In the run-up to May 25, 2018, organizations should be trying to get their arms around the entirety of the personal data they hold and/or process. By no means is this an easy task, of course. But then again, it isn’t going to go away. Data mapping might seem Hydra-like to some; however, it is not as daunting as it may seem. So, let’s get down to it and de-mystify this data mapping monster a bit.
Why is Data Mapping Important?
First things first, data mapping per se is not a GDPR mandate. However, it helps you meet the other core mandates such as:
- Article 5 (Principles relating to the processing of personal data);
- Article 15 (Right of access by the data subject);
- Article 17 (Right to erasure);
- Article 32 (Security of processing);
- Article 25 (Data protection by design and by default);
- Article 30 (Records of processing activities);
- Article 35 (Data protection impact assessment);
- Article 33 (Notification of a personal data breach to the supervisory authority);
- Article 34 (Communication of a personal data breach to the data subject).
Further, knowledge of the personal data flow within your company will help you meet your requirements for additional controls on cross-border/international data transfers. Therefore, in order to be GDPR-compliant, you will have to know what data you hold and where it is.
The Five Questions you should Ask
Let us begin with wrapping our heads around the five
- Who owns the personal data?
- Where is this personal data stored?
- Why do we collect/have the personal data?
- What is this personal data used for?
- When should it be destroyed/purged?
Collating the Information
You will need to choose the most appropriate medium to collate your data mapping findings. This will require you to consider the size of your business and understand what services you provide. The simplest option is to use a central/local spreadsheet that can be edited by the persons responsible for functions and/or locations.
While you are trying to answer the 5 Ws above, try recording the following details:
- Name and details of your organization (it could also be a business function or team);
- The purposes that you are processing the personal data for;
- The categories of individuals (data subjects) (employees, job applicants, etc.) and categories of personal data;
- Method of collection of personal data;
- What format is the personal data in (Emails, forms, letters, spreadsheets, application data or database records?);
- Identity of the controller/processor;
- Categories of recipients of the personal data;
- Details of transfers to other countries/functions/third parties;
- Method of cross-border/international data transfers; or transfer to a third party for sub-processing;
- Location of data storage (Is it on a local device, in a database, in an application, hosted in the cloud, or with a partner?);
- Retention periods/schedules;
- A general description of the technical and organizational security measures that you have in place to protect the data;
- Deletion methods.
Getting Appropriate Buy-ins and Support within your Company
First of all, have a GDPR team to manage the completion of data mapping. Thereafter, you will need senior management and executive leadership within your company to support and endorse your data mapping initiative. You will have to spend a lot of time with heads and managers of business and business support functions across your businesses and locations in order to sift through the personal data that is held, processed, and stored.
Once your GDPR team has completed the exercise, they must share the results of the data mapping exercise with the different business and business support managers so that they can go through the findings. This is important as you have to ensure that the data is comprehensive and that nothing has been missed out. For all of the above, you will need to have, at least, the following people involved: your data protection officer (or a data protection SME, or an external privacy consultant); your executive leadership team members; the head of information security; key departments’ personnel like Finance, HR, Operations, etc.
Understanding GDPR and Identifying Risks and Controls
Your GDPR team should have a thorough knowledge of GDPR and related definitions so that they can answer questions from colleagues while undertaking the data mapping exercise. Knowing GDPR thoroughly will help them identify risks better and suggest better remediation measures. So, it is a must that they know the definitions of personal data (name, ID number, address, IP address, biometric data, etc.); sensitive personal data (race or ethnicity, sexuality, political opinion, religious or philosophical beliefs, genetic data, trade union membership, health/medical data, etc.); and the lawful reasons for processing (consent, contractual obligation, legal obligation, vital interest, public interest, legitimate interest).
As discussed above, it is extremely important that the data mapping document is vetted thoroughly by various stakeholders with a hawk’s eye so that nothing vital is missed. Existing processes and controls that require improvement or strengthening need to be identified correctly, and potential issues have to be correctly identified so that they can be rectified. Plus, managers’ involvement in the project ensures that their roles in keeping the company GDPR compliant become visible.
Benefits of Data Mapping
The clearest advantage of completing data mapping is being able to meet your GDPR requirements, as listed above. Additionally, as we get closer to the GDPR deadline of May 25, 2018, there will be frequent RFIs and queries from clients about how you protect their personal data, and the data mapping will assist you in responding to such queries in a prompt and succinct manner.
Also, consider the bonus benefits, like:
- Streamlining of data flows so that processes are easier to understand and manage;
- Asserting more control over the budget required to be GDPR compliant;
- Improving efficiency between business functions that rely on shared information;
- Reducing the risk of data breaches, etc.;
- Responding to data subject access requests faster and more efficiently;
- Remaining compliant even after the May 25 deadline.
Anghrija is a legal and statutory risk and compliance specialist, and in her current role, she also manages her employer’s alignment with the General Data Protection Regulation (GDPR), wherein she offers data protection advice, supports data protection impact assessments and audits, trains employees, responds to data protection related queries, and acts as an intermediary between data subjects, the company’s business units, senior management, and the data privacy office. She is a part-time blogger, small human, a Millennial, and a feminist. She earned a B.A. in English Literature, and uses that as an excuse to write about books while swearing a lot. She then switched gears to studying law, and now manages risk and compliance. At leisure, she reads books, writes, curses at popular fiction by Chetan Bhagat, and posts silly dog videos on Facebook. Her interests are books, dogs, music, podcasts, and Oxford commas.
Role: Anghrija is a guest blogger at Kinant. Opinions expressed are her own and not necessarily those of Kinant.