GDPR Data Mapping
As part of your EU General Data Protection Regulation (GDPR) compliance project, your organisation will need to understand what personal data it processes.
Article 30 of the GDPR requires organisations to “maintain a record of processing activities under [their] responsibility”.
That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
"The controller or the processor […] shall make the record available to the supervisory authority on request."
Data mapping can be a useful method of meeting these requirements.
Key elements of data mapping
An effective data mapping process will establish:
- The data items obtained (name, email, address, etc.);
- The format of the data (hard copy, digital copy, etc.);
- Transfer methods (internally or externally, post, telephone, etc.); and
- Where the data is stored (offices, the cloud, third parties, etc.).
Challenges in the data mapping process
Your organisation’s data protection officer (DPO) should play a key role in mapping the flow of information for GDPR compliance. When doing so, you may encounter the following challenges:
- Identifying personal data and how it is stored (each process in your organisation can produce many data items, which can be stored in many formats, including paper, digital and audio).
- Identifying technical and organisational security measures (part of this challenge is determining who has access to this information).
- Understanding legal and regulatory requirements.
How Vigilant Software can help
Vigilant Software’s Data Flow Mapping Tool simplifies the data mapping process, making your maps easy to review, revise and update as your organisation evolves.
The tool establishes all the key elements needed for an effective data mapping process and reduces the challenges your organisation will face in the run-up to the GDPR compliance deadline.
The Data Flow Mapping Tool allows you to understand the flow of personal data through your organisation. It helps you identify those parts of your processes that may need extra measures to protect personal data, and identify and eliminate any process inefficiencies.