With a clear focus on the transparency of the ‘data journey’, GDPR requires businesses of all sizes to evaluate how they process and store personal data.
If you’re just beginning your GDPR preparations, one of your first steps should be to conduct a Data Mapping exercise.
Once your data mapping is complete you will not only have a catalogue of what data is held where, but you will also be able to use it to support several other GDPR obligations such as completing Data Privacy Impact Assessments (DPIA) and developing Subject Access Request procedures.
Here we explain how we completed this task (with the help of an external data protection expert), and offer tips and advice based on our own experience. We hope this proves useful to you as you begin planning your own data mapping exercise.
1. Creating Data Mapping documents
Our starting point was to consider the most appropriate medium (or tools) for collating our data mapping information. Our decision took into account the size of our business and the nature of the service we provide.
For instance, it’s possible that within a smaller business, handling only the personal data of its employees, a simple questionnaire format may be sufficient for collecting all the relevant data mapping information. In a larger company, a format that can be completed by various departments at the same time may be more appropriate.
We used a central spreadsheet, with worksheets for each business area which could be edited by each departmental manager.
Is your confidential case data secured?
Our Case Management Software provides a full audit trail and secure storage to help you meet your GDPR obligations.
2. Deciding what to include
The minimum requirements for recording data under GDPR are:
- Name and details of your organisation
- Purposes for processing the data
- Description of the categories of individuals and categories of personal data
- Categories of recipients of personal data
- Details of transfers to third countries
- Retention schedules
- Description of technical and organisational security measures
Due to the nature of our work, the sensitivity of the data we hold, and the fact that we are ISO9001 and ISO27001 certified, we chose to include further information. The aim was to create a more complete picture of our data and simplify our Data Privacy Impact Assessments (DPIA).
The information we added included:
- Document Type
- Data type (i.e. name, contact details etc)
- Data categories (Personal, Special, Financial, etc)
- Reason for data collection
- Lawful basis for processing (consent, legal, contractual etc.)
- Data Subjects
- Approximate volume of data subjects (per day)
- Asset registration (linked to internal risk register)
- Method of collection
- Data owner
- Location of data storage (Physical / Electronic)
- Method used to transfer data out of the business
- Transborder processing
- Retention period
- Deletion method (manual/automatic etc.)
3. Gaining support within the company
Whilst your GDPR Team or project leader will oversee the completion of the data mapping exercise, gaining support from all departments is essential.
To ensure we catalogued all data, our GDPR Team spent time with heads of department from across the business to go through the data they hold, process and store.
This step is essential for larger businesses to ensure that all data and processes are captured. At the very least, departmental managers (especially those likely to encounter personal data) should be given the option to review the data mapping exercise once complete, to ensure nothing has been missed.
Based on our own experience, we would recommend involving the following people (as a bare minimum) in any data mapping exercise:
- Data Protection Officer (if applicable)
- CEO/member of the senior management team
- Information Security Officer
- Key departmental managers, such as:
4. Establishing the key facts
All activity within the GDPR mapping process was overseen by members of our internal GDPR Team. They spent time interpreting and understanding the key facts and definitions surrounding GDPR, which meant they were better equipped to answer any questions arising from colleagues during the exercise.
During the process we tried to uncover every potential weakness within our existing arrangements. This gave us the opportunity to begin addressing known risks as quickly as possible – and prevent them being ‘swept under the carpet’.
If you plan to delegate completion of the data mapping without the oversight of a GDPR ‘expert’, we recommend you attempt to fully understand several key areas before you begin:
1. What is personal data? Under GDPR, personal data is any information relating to an identified or identifiable natural person. For example, name, ID number, location, IP address and even biometric data.
2. What are the data categories? There are two main data categories under GDPR. The first is ‘personal data’, which is any information relating to an identifiable person.
The second is ‘sensitive personal data’ which reveals racial or ethnic origin, sexuality, political opinion, religious of philosophical beliefs, genetic or biometric data, trade union membership, or health/ medical data.
3. What are the lawful reasons for processing? There are several conditions provided under GDPR which provide a lawful basis for processing data. They are:
- Contractual obligation
- Legal obligation
- Vital interest
- Public interest
- Legitimate interest
4. What is the volume of data processed? When determining the volume of data being processed, it is recommended that you first outline the thresholds (before other members of staff to take part in your data mapping exercise).
For example, you may set five categories (eg. minimal, low, medium, high, very high) and detail the range within each one (eg. ‘minimal’ = less than 5, etc.)
5. Review, review, review
As stated above, it is essential that your data mapping document is reviewed by various members of the business to ensure all data is covered.
By including departmental heads in our own process, we were able to identify procedures in need of review and were already in a position to begin rectifying potential issues.
Including the managers in the GDPR review process also increased the visibility of ‘compliance’ across the company and helped demonstrate their individual role in helping us become a GDPR-compliant organisation.
By sharing your exercise with a wide audience, you are more likely to uncover potential risks in your current processes. For example, if you are holding data indefinitely in certain cases, use this as a chance to put in place a procedure to combat this.
6. What’s next?
Along with the risk assessment aspect (which should hopefully result in a full review of current data processing and storage to help ensure compliance), the data mapping exercise can also be used to address other requirements of GDPR.
Requirements for Data Minimisation, Data Pseudonymisation and facilitating the subjects Right to Data Portability are all made easier by reviewing the content, purpose, and location of your information.
What’s more, identifying exactly where information is stored will help you develop an effective Subject Access Request procedure.
Data Privacy Impact Assessments (DPIAs) are also likely to benefit from a thorough Data Mapping review. Under GDPR, DPIAs are required where there is a “high risk” to the rights and freedoms of data subjects.
Even if your business does not have any processes that present a “high risk”, your service may be part of a Data Controllers “data journey”. Queries from your Clients about how you handle their data may become more frequent as we draw closer to GDPR, so clear data mapping will help you provide a prompt, succinct response.