GDPR Data Mapping The Definitive Guide

Modern-day enterprises thrive on utilizing data for making informed decisions. As the name itself suggests, GDPR data mapping refers to mapping the journey of data collected by an organization. A typical data mapping exercise will include the preparation of a data inventory and data flow diagrams. The data inventory will list the types of data an organization collects, while data flow diagrams will visualize how personal data flows from one system component to another. The result of a data mapping GDPR exercise helps an organization in fulfilling multiple GDPR requirements.

Article 30 is one such requirement which expects companies to maintain a record of their processing activities. Primarily, the idea of preserving a record may seem complicated and challenging. However, identifying your organizational data flow and storage practices will also help in fulfilling obligations under Articles 6, 7, 36, and many others. Without maintaining a record of data they process, organizations can’t comply with GDPR in letter and spirit.

Benefits of data mapping

Creating ROPA or GDPR Article 30 report:

To comply with GDPR requirements, an organization needs to understand the data they are collecting, how are they processing it, and whom they are sharing it with. This information is necessary to fulfil a variety of obligations under GDPR, not just Article 30. Data mapping can also help your organization in performing Data Protection Impact Assessment (DPIA) as required in Article 36.

If you are an organization based in EU and you complied with the 1995 directive, you should be already familiar with data mapping. The 1995 directive required registering processing activities with local DPAs. With the implementation of GPDR, an organization does not need to report its processing activities to the DPA. Instead, it must maintain an internal record and keep it available for review by a supervisory authority. This internal record is termed as “record of processing activities” or Article 30 report. There are different requirements for data controllers and data processors, given in Article 30(1) and 30(2) respectively.

For controllers, Article 30 states that the controllers should maintain the following records as a minimum:

1. Controller’s name and contact details, along with joint controller if applicable
2. Purpose(s) of processing
3. Description of categories of data subjects and categories of personal data
4. Categories of third parties with whom data has been or will be disclosed, including recipients in third countries or international organizations
5. If a controller is transferring personal data to a third country or an international organization, such country/organizations should be identified, and safeguards should be documented.
6. Expected time limits for erasure of the different categories of data
7. Description of technical and organizational security measures (Article 32(1))

Requirements for processors, given in Article 30(2) cover the processor’s information, categories of processing for each controller, along with fifth and seventh bullet points from the list mentioned above. These records can be maintained in electronic form, and a controller/processor’s representative shall make them available to a supervisory authority as and when requested.

For creating a data map, your team must follow the following steps:

1. Understand how the data is flowing from one place to another;
2. Describe the data flow and consider practical implications and future usage; and
3. Identify the key elements such as data items, formats, location, access, ownership, purpose, and accountability.

Identifying vendors affected by Schrems II Judgement

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Program in the Schrems II case. This program was aimed at US-based companies to demonstrate their GDPR compliance. In the same judgement, CJEU has upheld the validity of standard contractual clauses (SCCs), but with certain restrictions.

At this point, some companies may conclude that the exact requirements are not clear. They might wait for the European Data Protection Board (EDPB) and the local Data Protection Authority (DPA) to provide guidance. Irrespective of that, it becomes crucial than ever to map your cross-border data flows and existing transfer mechanisms carefully.

While interacting with our clients, we have often come across the assumption that they can transfer data anywhere if SCCs are in place. This is not entirely true, and an organization should cover cross-border data transfer in its GDPR data mapping through the following steps:

1. Identify the types of personal data that is being transferred to
2. Identify the types of persona data that is being accessed from
3. List down the countries and the extent of data transfer
4. Find out the export mechanism being relied on previously (Privacy Shield, SCCs, or binding corporate rules)
5. For each type of personal data, note its quantity and sensitivity

As a result, an organization will have detailed insights into its processing activities. We recommend using efficient GDPR data mapping software to streamline GDPR compliance for your organization.Software like Privado.ai automates the data mapping to a greater extent and allows an organization to answer questions related to the origin of data, data type, data subjects involved, SLAs, etc. Further, data mapping GDPR software can also assist your internal team in performing risk assessments by maintaining up-to-date data inventory.

Managing DSAR and other individual rights;

Modern privacy laws like GDPR, CCPA offer individuals right over their data wherein they can ask the company to access, port, delete their data. Finding locations of data is a challenge; data mapping done right will give you a list of assets, vendors with their owners where data of a specific individual is stored. For example, if you get a deletion request from a customer, you can filter to get the list of assets & vendors which have data of a customer and ask owners to delete the same.

How to do data mapping?

Data mapping done right has a lot of benefits, but it’s important to realize that it is an exercise that requires resources from multiple people in an organization. We have detailed some key steps to make your data mapping exercise successful:

Your buy-in presentation should cover:

• What is GDPR?
• Cost of non-compliance: Highlight that it can be up to 10 Million Euros, showing a trend of fines over the years is a plus and can really drive alignment. Enforcement Tracker has some great graphics that you can use.
• Give an example of a recent fine and how data mapping could have prevented it.
• Benefits: Refer to the benefits section to create a compelling slide
• Resource Planning & Timelines: It’s important to highlight if you will need project managers to help you, also highlight what help you need from other team members who will be responding to your questions. Finally, touch on how long the project will run.
• Budget for privacy consultants

1. Kick-Off Meetings: Congratulations on getting the management buy-in, we still need to ensure our respondents who are indifferent business functions understand the scope of the project. Kick-off meetings can be used to explain the role of each business function, answer their doubts, reinforce why this project is important to the organization.
2. Workshop: A great way to end these kick-off meetings are workshops. Here the idea is for you to simulate the questions and walkthrough with two-three members so that everyone gets expected answers, ask doubts. We have observed a lot of people who ask questions in these workshops, and it leads to a successful data mapping exercise.
3. Define Processing Activity: The biggest challenge in getting information for data mapping is an empty state, that leads to inertia for people to give answers. This is why we recommend breaking the questions in two phases, the first step should be to define key business processes:
4. Getting more information: Once you have basic information, you can send a detailed assessment for each of these processes where you can ask questions around Purpose, Legal Basis, Consent, Rights, amongst others.
5. Data Flow Mapping: The final step to complete is to map your internal assets, vendors, third parties to each process. IT, Engineering teams have this information, leverage the asset register that IT might already have and start from there. Ensure location, Technical & Organizational measures are associated with finishing the data map.
6. Finding Gaps: After the initial information collection, you will sit on a heap of data. It’s important to find the gaps that exist currently. Some of the common ones are:

• Lack of compatibility between Excel and Visio: If you update your processing activities, you will also need to update your data flow diagram(s).
• Lack of automation: Generating reports, finding gaps will take a lot of time
• Management Dashboard: Presenting the benefits of data mapping to the management will require you to create a lot of visual reports manually
• Purpose: They are general purpose applications, while Privado.ai is specifically built to partner with your organization in achieving hassle-free GDPR compliance.
• Transfers: Do we have an appropriate mechanism for cross-border transfers?
• Consent: Is our consent as per GDPR standard?
• Privacy Notice: Have we included all purposes and legal basis of processing in our privacy notice?
• Employee notice: Are we giving privacy notices to employees. This is generally overlooked and can be a major area of non-compliance
• Technical & Organizational Measures: You should prioritize security budget towards high-risk processes where sensitive data is being used, or processing itself has risks.
• DPIAs: Identify processes where a DPIA is needed
• ROPA or Article 30 report
• Asset Maps: Visualize how your assets are placed globally
• Cross-Border Transfers: Visualize data transfers between geographies
• Data Flow Diagram

You are most likely to use tools such as Microsoft Excel and Microsoft Visio to start data mapping and for maintaining data records and visualizing data flow. Without a doubt, they are great tools in their rights, but you will soon find challenges to manage data & may come across challenges such as:

Privado’s GDPR Data mapping tool allows you to collaborate with your team members, sync data with your database and identity access management applications, and save plenty of time by avoiding spreadsheets altogether. We automate assessments; data flow diagrams, mapping cross-border data flow, and Article 30 reports. You can also schedule a call with an expert to discuss your data mapping strategy.

Originally published at https://www.privado.ai on December 11, 2020.