In all the talk surrounding the GDPR and what businesses need to do to comply, you’ve no doubt heard the words “data mapping” brought up time and time again.
But what exactly is data mapping? And why is it so critically linked to the GDPR?
We’ll walk you through the definition of data mapping and why it matters for GDPR compliance, along with some helpful examples and resources, so you can create a data map for your business.
1. What is Data Mapping?
Data mapping is a system of cataloguing what data you collect, how it’s used, where it’s stored, and how it travels throughout your organization and beyond. There are various ways to achieve this goal – whether through a simple spreadsheet or a dedicated data mapping program – and the extent or limit of your data mapping will depend on your business.
However, most data maps should include the following information:
- What data you collect
- Whether that data is sensitive personal
- The legal basis for processing that data (reference the six legal bases established by the GDPR)
- Why data is being collected
- Where data is stored
- For how long data is stored
- Under what conditions data is stored (what protective measures are in place within your organization?)
- Where data is transferred
- Where third-party recipients are located (make note of international data transfers)
- What protocols are in place to protect data during transfers (i.e. do you adhere to the EU-U.S. Privacy Shield Framework?)
Data mapping is a combination of your data inventory and your data flow. In the CloudNine example below, you can see that their data map comes in two parts – a spreadsheet detailing the data they collect, and a flow chart depicting the movement of that data through internal systems and external transfers.
Effective data maps require the input of nearly every department, especially IT, legal, marketing, and HR departments. Furthermore, documenting every bit of data should be closely supervised by either your data protection officer (DPO), or a senior member of your privacy team.
Lastly, data mapping is not a one-time activity. While it should be carried out as soon as possible – especially if you’re subject to comply with the GDPR – data mapping is an ongoing activity that should be implemented into your regular business practices.
2. Why Data Mapping Matters for GDPR Compliance
The GDPR is all about updating existing systems and implementing new ones to ensure the safekeeping and fair treatment of the user data you handle. But in order to properly assess data security, you must first be able to track a piece of data from the point of collection to its eventual deletion. Without a bird’s eye view of the entire lifecycle of your data, any security measures you implement will be piecemeal at best.
Not only is data mapping an essential foundation for carrying out the overall aims of the GDPR, but it’s also directly mandated by multiple articles of the regulation.
Here’s why data mapping will help your business comply with the GDPR:
Reason #1: Keep Records of Processing Activities (Article 30)
The article that most directly establishes the need for data mapping is GDPR Article 30, titled “records of processing activities.”
The regulation states that:
- Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility
- Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller
- The records…shall be in writing, including in electronic form
- The controller or the processor…shall make the record available to the supervisory authority on request
Essentially, this article of the regulation is mandating that businesses map their data, and make those records available to supervisory bodies upon request.
Reason #2: Perform DPIAs (Article 35)
Under Article 35 of the GDPR, if you process data using new technologies, or in a way that potentially puts consumer rights and data at risk, you’re required to perform a data protection impact assessment (DPIA).
A DPIA, as defined by the UK’s Information Commissioner’s Office, is:
…a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan.
According to IT Governance, carrying out a DPIA requires the following six steps:
- Identify the need for the DPIA
- Describe the information flow
- Identify privacy and related risks
- Identify and evaluate privacy solutions
- Sign off and record the DPIA outcomes
- Integrate the DPIA outcomes into the project plan
Steps #2 and #3 of this DPIA plan are directly related to data mapping. Step #2 is, itself, data mapping, while Step #3 – identify privacy and related risks – is an essential component of creating a useful data map.
In the event that you need to carry out a DPIA, having these critical steps already accomplished from your data mapping efforts will simplify and hasten the process for you or your DPO.
Reason #3: Demonstrate Privacy by Design (Article 5)
The fundamental goal of the GDPR is to protect user data by establishing stricter guidelines for the collection and handling of personal information. In Article 5 of the GDPR, the regulation establishes the key principles of data processing, as should be followed by businesses in order to meet this end goal.
Among these principles is the idea of Privacy by Design (PbD). This is the concept that data protection and privacy measures should be built into every element of your business – as an essential building block, rather than an afterthought.
According to the text of the GDPR itself, you need to ensure that personal data is:
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
Accounting for your data, and scouring your processes for weak points through data mapping, are key steps to implementing PbD and ensuring the safekeeping of user data.
Reason #4: Establish Lawful Basis of Processing (Article 6)
Under Article 6 of the GDPR, in order for the processing of data to be done lawfully, it must be performed on one or more of the following bases:
- With GDPR consent of the data subject
- For GDPR legitimate interests
- For the performance of a contract
- To comply with a legal obligation
- To protect the vital interests of the data subject
- For the public interest
When constructing your data map, you should note the purposes for which you collect or process data, along with the legal justification for those activities.
For example, if you collect email addresses from users who sign up to receive newsletters, you can log that category of data along with the note that it’s done on the basis of user consent.
Sifting through your data and determining which basis applies to each of your processing activities will ensure that you aren’t inadvertently collecting or handling data unlawfully. This can both protect you in the event of a privacy inquest, and help you achieve the next GDPR compliance task on our list.
Reason #5: Detail Data Practices (Article 12)
Article 12 of the GDPR establishes the requirement that businesses present their users with clear and comprehensive privacy policies (also referred to as privacy notices).
These policies should thoroughly detail your interactions with user data, including what you collect, why you collect it, how it’s stored, where it may be transferred, and other details concerning the collection and movement of users’ personal information.
In order to assemble this document – and make it GDPR compliant – you need to have a strong grasp on what data passes through your business. With a complete data map, becomes much easier for you to transcribe that information into a user-friendly privacy policy.
If you’d prefer to create your own, you can start with a privacy policy template to ensure you aren’t overlooking any necessary sections.
Reason #6: Manage Data Subject Access Requests (Articles 15-18, 20-21)
The GDPR makes a point to grant internet users new rights over their data. Some of the major new rights come from Articles 15-18, and 20-21 of the GDPR, which establish:
- Article 15 – The right of access
- Article 16 – The right to rectification
- Article 17 – The right to erasure (also known as the right to be forgotten)
- Article 18 – The right to restriction of data processing
- Article 20 – The right to data portability (to transfer)
- Article 21 – The right to object (to the processing of data)
These are all components of the GDPR’s mission to grant users more control over their data. In order for businesses to comply with this section of the regulation, they must allow users a way to exercise these rights.
The most common means of doing so is by offering users a Data Subject Access Request (DSAR) form. This is a popup or page that gives users the ability to request to access, edit, transfer, or delete their personal data.
Offering users a DSAR form where they can exercise their user rights is one thing – but your job isn’t done until the requests have been addressed. Organization is made all the more essential in the event of DSAR submissions as the GDPR stipulates a one month time limit in which businesses must respond to these requests.
Without an easily accessible, well-organized record of the data collected and processed for each user, along with the reasoning behind each processing activity, responding to each DSAR can be time consuming and costly. This is where a data map can help alleviate the burden of having to hunt for all the data collected from a user.
Taking the appropriate action in the event that a DSAR comes your way will be made quick and easy is you’ve already mapped your data and can easily access the required information and accompanying details.
3. Data Mapping Examples
There is no one-size-fits-all format or process for data mapping. In fact, they can come in all different forms, through different means of execution, and in a wide range of sizes and depth.
What your data map looks like will depend largely on your data processing activities, and your budget.
If your business collects, processes, or shares a lot of data, you may want to invest in a software program dedicated to data mapping. Through data mapping software, you’ll likely be working with a dashboard, through which you can navigate to your data inventory, flow chart, location details, and analytics.
Some programs are more technically-advanced, and should be overseen by the appropriate personnel. Take, for instance, the following examples:
On the other hand, there are more user-friendly data mapping software services that don’t require a wealth of technical know-how to operate, like this example:
If you’d prefer to create your own data map outside of a dedicated software service, you’ll most likely end up with a doc, spreadsheet, or map (or all three) detailing your data handling.
Here’s an example of a data mapping chart in its simplest form:
The above style of map can be accomplished in either a doc or a spreadsheet, and is ideal for companies that don’t collect, process, or transfer large amounts of data – as this solution requires all manual input and is not highly-detailed.
For more involved data activities, creating an interactive Excel map is a good option. This is a scalable solution that still requires manual input, but allows you more avenues for tracking and visualizing data processes.
Here’s an example of what an interactive Excel map might look like:
These are just a few of the many examples of what a data map can look like. Yours may be any one of these – or any combination of these. The important part of data mapping is that the end result contains all the necessary information about your data processing activities.
4. Data Mapping Resources
When it comes to data mapping, there are both free and paid resources available online.
If you’re undertaking your business’s data map in-house without a dedicated software package, here are some sources where you can find free docs and Excel sheets to kick off your efforts:
- Isle of Man Information Commissioner – Here you’ll find some helpful guides on data mapping, along with printable sheets that you can fill in with your business’s corresponding information.
- UK Information Commissioner’s Office – The ICO offers a detailed guide, including checklists and downloadable documentation templates for both data processors and data controllers.
- IAPP Data Mapping Tool – While this resource is technically free, you need to be an IAPP member to access it.
- IT Governance Data Mapping Green Paper – Here you can find a free green paper about data mapping, or access one of their paid data mapping tools.
- Astera Data Mapping eBook – In exchange for your contact details, you can download a free ebook about the ins and outs of data mapping from Astera.
- Pinterest – It may not be the first place you think to look, but Pinterest actually hosts a variety of free data flow templates, checklists, spreadsheets, and infographics.
If you’re willing to shell out some funds for your data mapping, here are some paid tools that can help:
- IT Governance Data Flow Audit
- Vigilant Software’s Data Flow Mapping Tool
- GDPR Data Mapper
- Astera Data Mapping
5. Conclusion
In the past year, the world has been feeling the effects of the GDPR and the changing privacy standards that have followed.
Complying with the massive regulation may seem like an unachievable goal, but addressing the GDPR piece-by-piece will help your business adjust to developing privacy standards and customer demands.
One of the biggest steps you can take to accomplish this is to map your data. Not only is it a critical step toward GDPR compliance, but it’s also a good business practice. Understanding the intersection of data mapping and GDPR compliance, and taking advantage of the tools and resources above will ultimately help protect your users’ data – and your business.
