GDPR Data Mapping what it is and how to do it for your GDPR plan?

What is Data Mapping for GDPR

Data mapping also referred to as a data inventory is the way in which Company’s can map out the flow of data within their company. A data map will contain the different categories of data that are used by different business sections in a company and how that data is processed and shared within the company and with external parties.

Why should my company create a data map for the GDPR?

A data map will not only allow you to comply with many of the GDPR requirement it can also be a valuable business asset. It can help company’s to improve business processes, IT systems and use data in a way that’s beneficial for the business.

If you don’t understand what data you hold, where it comes from and where it flows to you will never be in a position to meet your GDPR requirements.

A well planned and structured data map will let a company meet with the following GDPR requirements

  • The requirement to maintain detailed records of a company’s data processing activities and to
    make these records available to supervisory authorities on request.
  • The accountability requirement according to which controllers must ensure and be able to
    demonstrate that their processing activities are performed in compliance with the GDPR
  • The data protection by design and by default requirements.
  • The Subject Access requirements


GDPR Data Map How To!

When planning for the GDPR your first steps should include data mapping. While there are many ways and many tools available to do this I suggest the following.

  1. Set up a Data Mapping Project and identify team members from each business section in your company.
  2. Break your business down into functions e.g. HR, IT, Sales, Suppliers, Customers.
  3. List all the systems that deal with Personal Data for each of the Business Functions you have identified.
  4. Create a Spread Sheet detailing Personal Data for each of the systems with GDPR specific data.

GDPR Specific Data Requirements.

You will need to take the following into account when you are detailing personal data, add a column to your spreadsheet for each of the following:

  • Business Function
  • Business System
  • Process Purpose
  • Personal Data Processed
  • Personal Data Categories
  • Processing special category data basis
  • Individuals Categories
  • Recipients Categories
  • Data Retention period
  • Legal Basis for Processing
  • Legitimate interests for processing
  • Rights available to Data Subjects
  • Security Measures
  • Joint Controller Details
  • Data Shared with Third Parties
  • Safeguards for Transfers to Third Parties
  • Automated Decision Making or Profiling
  • Source of Personal Data
  • Record of consent
  • DIPA Process


How do I determine if I am a Data Controller or a Data Processor?

Data Controller

You are a Data Controller if you collect, keep or process information about a living person

If your company decides what personal information is going to be kept and what use its put to then they are a Data Controller.

Data Controllers need to register with the Data Protection Commissioner


Data Processor

You are a Data Processor if you process data on behalf of a Data Controller – how ever you should remember that if you have employees you could be both a data controller and a data processor


What does my company have to do in order to be compliant with the GDPR?

Identify if you are a Controller or Processor

Document the Data you currently hold.

Document your Policies and Procedures for handling personal data.

Put in place Procedures for Subject Access Requests including how you will verify the identity of the requestor

Document your security procedures in relation to Personal Data

Document your Data Breach Notification Policy and Procedures

Revisit your Privacy Notices to make sure they are compliant

Identify your legal basis for processing personal data

Check your Consent mechanisms (current and historical)  and ensure they are in compliance with the GDPR

Check your Third party processing Obligations

Check your contractual agreements to ensure they are in line with the GDPR

Check if your Legitimate Interests for Processing overrides  the individuals rights under the GDPR

Carry out a Risk Assessment  on the personal data you hold

Prepare to run a Privacy impact Assessment on any future projects – referred to as DIPA (Data Impact Privacy Assessment)

Educate your Staff about the GDPR and how it will impact their roles.

If dealing with Children – check your obligations regarding age verification and parental consent




What is a Data Subject?

A data subject is classed as any natural living person.

What rights apply to data subjects?

Data subjects have the following rights.

  1. Information
  2. Access
  3. Rectification
  4. Erasure
  5. Restrictions on processing
  6. Data portability
  7. Objection
  8. Revision of automated decisions or profiling

What is a Subject Access Request?

This refers to a Data Subject exercising their rights under the GDPR. A Subject Access Request must be responded to within 30 Days. Companies need to have documented procedures in place detailing how they will respond to Subject Access Requests.

So what is the GDPR?

The General Data Protection Regulation (GDPR) is new legislation in the area of data protection. Its purpose is to strengthen individuals’ rights regarding the collection, use and storage of their personal data.

The General Data Protection Regulation replaces the Data Protection Act.

The law applies to businesses or organisations in the European Union. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply with the GDPR.


What is Personal Data exactly?

Any data that can be used to identify a living person directly or indirectly is classed as personal data

For example:

  • Name
  • Address
  • Email address
  • Social security number
  • Location data
  • IP address
  • CCTV footage

What is Sensitive Personal Data ?

Sensitive personal data is a special category of personal  data that has to be carefully handled. It includes factors such as:

  • Race
  • Health Details
  • Sexual orientation
  • Religious beliefs
  • Political beliefs
  • Membership of a trade union

Criminal records while not quite classed as special category data also needs to  be carefully handled.