A data mapping exercise is essential to gain an understanding of how your organisation will be able to comply with the GDPR requirements. It will help you to organise the personal information that you store and process and structure it in a standard, secure and easily accessible format.
Why Map Your Data?
The Information Commissioner's Office (ICO) recommends that organisations document the personal data they hold, where it came from and with whom they share it, to comply with the Article 30 requirements and to enable individuals to exercise their rights under the Regulation.
If you do not know what personal data you hold, how you obtained it or who it has been shared with, it is unlikely that you will be fully compliant with the GDPR and will also find it more difficult to uphold the rights and freedoms of the data subjects that you interact with.
Records of Processing Activities
Article 30 of the GDPR requires organisations to maintain a record of the processing activities that they control. Organisations with fewer than 250 employees only need to keep records of their processing activities where they are likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data. Keeping records of processing remains good practice regardless of organisational size.
Under Article 30, the records must contain:
(a) The name and contact details of the controller and, if applicable, the joint controller, the controller’s representative and the data protection officer
(b) The purposes of the processing
(c) A description of the categories of data subjects and categories of personal data
(d) The categories of recipients to whom the personal data has been (or will be) disclosed (including to third countries/international organisations)
(e) Where applicable, transfers of personal data to a third country or an international organisation, including their identity and documentation of suitable safeguards (if applicable)
(f) Where possible, the envisaged time limits for erasure of the different categories of data
(g) Where possible, a general description of the technical and organisational security measures
The items above must be documented by all controllers, with processors being required to record points (a), (e) and (g) along with the processor’s name, contact details and the categories of processing carried out on behalf of each controller.
Carrying out an information audit across your organisation is a good start in helping you to comply with the GDPR’s accountability principle. Documenting the “who, what, why and when” of your personal data will provide evidence that you take data protection seriously and that you know and understand what personal information you collect, maintain and share (data processing).
We supply a GDPR document toolkit as part of our GDPR Support Pack which contains customisable Word and Excel templates. This includes an Information Audit template, which guides you through the process. Whether you use existing templates or create your own record, you should aim to review all areas of your business and compile a central register that includes:
- The personal data that is processed
- Where it originates from
- The lawful basis for processing it
- With whom you share it
- The format(s) that it is in
- Who is responsible for it
Your information audit register enables you to map your personal data, so that if you need to respond to an individual exercising their rights, or to provide information to the ICO (the UK's Supervisory Authority), you can do so easily and in compliance with the GDPR.
Consider the use of a system to help with this particular task. Flowz is a SaaS (Software as a Service) solution for recording the information flowing around an organisation. The software provides a risk score against the data and the way that it flows within an organisation, and helps towards GDPR compliance (Articles 30, 32 & 39).