GDPR - Data Flow Mapping
The General Data Protection Regulation (GDPR) was published on 4 May 2016 and has taken effect on 25 May 2018. It replaces the Data Protection Directive, which had become dramatically outdated and was not suitable for the digital reality of today’s world. Every company that processes personal data of customers or staff shall have to take the new GDPR regulations into account.
Personal data is taken to be all information that can be directly linked to the personal as well as the public or professional life of an individual – their email address, bank account number, purchasing history, even their online actions on a website, ... Individuals will henceforth have more rights in respect of accessing and processing their data, which means that companies must adapt their internal processes.
As transparency about "data" is a key driver of the regulation, an important step will be to understand how your business is "processing" personal data and what personal data you record, store and process in the first place. This requires a deep dive in all your "processes" and "systems" to get a better understanding of all data flows with special focus and attention on the "personal" data flows. The definition of “data processing” is rather broad and covers any operation performed on the data such collection, use, management, disclosure, …
A phased approach towards GDPR compliance requires a proper methodology and a skilled team (consisting of lawyer, data architect, process owners, application owners, IT architect, …).
Typical steps in this phased approach are:
- Knowledge & Awareness
- GDPR Readiness Scan
- GDPR Assessment (this phase will focus on data mapping and data flows within your organisation and application landscape)
- Roadmap to Compliance
We have developed a methodology that will facilitate the creation of key deliverables to enable your organisation to prepare for "Roadmap to Compliance".
These deliverables consist of:
- Data mapping document (5Ws)
- Data flow diagram
Data mapping document – 5Ws
Data mapping allows you to identify the information that your organization keeps and how it moves from one location to another, such as from suppliers and sub-suppliers through to customers. By mapping the flow of data, you’ll be able to review the most effective way of processing data and identify any unforeseen or unintended uses.
A data map should identify the following key elements:
- Data items (e.g. names, email addresses, records)
- Formats (e.g. hard copy forms, online data entry, database)
- Transfer methods (e.g. post, telephone, internal/external)
- Locations (e.g. offices, cloud, third parties)
A data map should also help you see who has access to the data at any given time and who is accountable for it.
Using the 5Ws will allow you to be complete and cover:
- Why - Consider all areas of the business and list all the reasons that personal data is used
- Whose - For each of the reasons identified list all the different categories of persons about whom personal data is processed
- What - For each reason identified list all the different types of personal data recorded or used and identify the source and legal basis of the data
- When - For each reason identified establish when the personal data is obtained
- Where - For each of the reasons for processing identified establish where processing occurs
Data flow diagram
The data flow diagrams, which are a graphical representation of the flow, are typically created by process. They will help to understand the information lifecycle and represent all in- and cross application flows.
This exercise is typically executed by a data architect together with both functional and technical application and process owners within your organisation and facilitated by interviews and workshops.
With these deliverables your Data Protection Officer (DPO) and legal advisor can facilitate the next steps which typically consist of the creation of “Register of Processing Activities” (RoPA) and “Technical and Organisational Measures” (TOMs).