What is Data Mapping for the GDPR?
Data mapping, also referred to as a data inventory, is the way in which a company maps out the flow of data through its organisation. A data map records the different categories of data used by each business section, how that data is processed, and how it is shared within the company and with external parties.
Why should my company create a data map for the GDPR?
A data map will not only allow you to comply with many of the GDPR requirements; it can also be a valuable business asset. It can help companies improve business processes and IT systems and use data in a way that benefits the business.
If you don’t understand what data you hold, where it comes from and where it flows to, you will never be in a position to meet your GDPR requirements.
A well planned and structured data map will let a company meet the following GDPR requirements:
- The requirement to maintain detailed records of a company’s data processing activities and to make these records available to supervisory authorities on request.
- The accountability requirement, according to which controllers must ensure and be able to demonstrate that their processing activities are performed in compliance with the GDPR.
- The data protection by design and by default requirements.
- The Subject Access requirements
GDPR Data Map How To!
When planning for the GDPR, your first steps should include data mapping. While there are many ways and many tools available to do this, I suggest the following.
- Set up a Data Mapping Project and identify team members from each business section in your company.
- Break your business down into functions e.g. HR, IT, Sales, Suppliers, Customers.
- List all the systems that deal with Personal Data for each of the Business Functions you have identified.
- Create a spreadsheet detailing the personal data held in each of these systems, with a column for each of the GDPR-specific items listed below.
GDPR Specific Data Requirements.
You will need to take the following into account when you are detailing personal data; add a column to your spreadsheet for each of the following:
- Business Function
- Business System
- Process Purpose
- Personal Data Processed
- Personal Data Categories
- Basis for processing special category data
- Categories of individuals
- Categories of recipients
- Data Retention period
- Legal Basis for Processing
- Legitimate interests for processing
- Rights available to Data Subjects
- Security Measures
- Joint Controller Details
- Data Shared with Third Parties
- Safeguards for Transfers to Third Parties
- Automated Decision Making or Profiling
- Source of Personal Data
- Record of consent
- DPIA (Data Protection Impact Assessment) process
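As an added illustration (not part of the original page), the following Python script reads a data-map spreadsheet of the kind described above, exported as CSV, and flags rows where a GDPR-specific column is empty or inconsistent with the rest of the row (special category data with no recorded basis, third-party sharing with no safeguards, a legitimate-interests basis that is not documented, automated decision making with no DPIA). The column headings are the ones listed above (the DPIA column is spelled "DPIA Process" here); the gap rules, the sample rows and the function names are assumptions of this example, not anything the page prescribes.

```python
"""Added example: a minimal consistency checker for a GDPR data-map
spreadsheet exported as CSV.  The gap rules below are assumptions about
what a complete processing record needs; adapt them to your own map."""
import csv
import io
from typing import Dict, List

# Special categories of personal data, as listed later on the page.
SPECIAL_CATEGORIES = {
    "health", "sexual orientation", "religious beliefs",
    "political beliefs", "trade union membership",
}

# Columns that must be filled for every processing activity (assumption).
REQUIRED = [
    "Business Function", "Business System", "Process Purpose",
    "Personal Data Processed", "Personal Data Categories",
    "Legal Basis for Processing", "Data Retention period",
    "Security Measures", "Source of Personal Data",
]

# Constructed sample export: one complete row (Payroll) and one with gaps (CRM).
SAMPLE_CSV = """\
Business Function,Business System,Process Purpose,Personal Data Processed,Personal Data Categories,Processing special category data basis,Legal Basis for Processing,Legitimate interests for processing,Data Retention period,Security Measures,Data Shared with Third Parties,Safeguards for Transfers to Third Parties,Automated Decision Making or Profiling,Source of Personal Data,Record of consent,DPIA Process
HR,Payroll,Pay staff,Name; bank details; sick leave,Contact; financial; health,Employment law obligation,Contract,,7 years after employment ends,Encrypted at rest; role-based access,Yes,Processor contract with EU payroll provider,No,Data subject (employee),,
Sales,CRM,Lead scoring,Email; purchase history,Contact; behavioural,,Legitimate interests,,,Password-protected database,Yes,,Yes,Web forms,,
"""


def _items(cell: str) -> set:
    """Split a semicolon-separated cell into normalised items."""
    return {v.strip().lower() for v in cell.split(";") if v.strip()}


def _yes(cell: str) -> bool:
    return cell.strip().lower() in {"yes", "y", "true"}


def check_record(row: Dict[str, str]) -> List[str]:
    """Return the list of gaps found in one spreadsheet row (empty = complete)."""
    gaps = []
    for col in REQUIRED:
        if not row.get(col, "").strip():
            gaps.append(f"missing {col}")

    # Special category data needs its own recorded processing basis.
    if _items(row.get("Personal Data Categories", "")) & SPECIAL_CATEGORIES \
            and not row.get("Processing special category data basis", "").strip():
        gaps.append("special category data without a recorded basis")

    basis = row.get("Legal Basis for Processing", "").strip().lower()
    if basis == "legitimate interests" \
            and not row.get("Legitimate interests for processing", "").strip():
        gaps.append("legitimate interests basis without the interests being documented")
    if basis == "consent" and not row.get("Record of consent", "").strip():
        gaps.append("consent basis without a record of consent")

    # Sharing outside the company needs documented transfer safeguards.
    if _yes(row.get("Data Shared with Third Parties", "")) \
            and not row.get("Safeguards for Transfers to Third Parties", "").strip():
        gaps.append("shared with third parties without transfer safeguards")

    # Automated decision making or profiling should be covered by a DPIA.
    if _yes(row.get("Automated Decision Making or Profiling", "")) \
            and not row.get("DPIA Process", "").strip():
        gaps.append("automated decision making/profiling without a DPIA")
    return gaps


def check_data_map(csv_text: str) -> Dict[str, List[str]]:
    """Check every row of the exported map; findings are keyed by Business System."""
    reader = csv.DictReader(io.StringIO(csv_text), restval="")
    return {row["Business System"]: check_record(row) for row in reader}


if __name__ == "__main__":
    for system, gaps in check_data_map(SAMPLE_CSV).items():
        print(system, "->", gaps or "complete")
```

Run the script against a real export by replacing `SAMPLE_CSV` with the file contents; each business system then gets a list of the columns that still need to be completed before the record can support the accountability and records-of-processing requirements.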
You are a Data Controller if you collect, keep or process information about a living person.
If your company decides what personal information is going to be kept and what use it is put to, then it is a Data Controller.
Data Controllers need to register with the Data Protection Commissioner.
You are a Data Processor if you process data on behalf of a Data Controller; however, you should remember that if you have employees you could be both a Data Controller and a Data Processor.
- Identify whether you are a Controller or a Processor.
- Document the data you currently hold.
- Document your policies and procedures for handling personal data.
- Put in place procedures for Subject Access Requests, including how you will verify the identity of the requestor.
- Document your security procedures in relation to personal data.
- Document your data breach notification policy and procedures.
- Revisit your privacy notices to make sure they are compliant.
- Identify your legal basis for processing personal data.
- Check your consent mechanisms (current and historical) and ensure they are in compliance with the GDPR.
- Check your third-party processing obligations.
- Check your contractual agreements to ensure they are in line with the GDPR.
- Check whether your legitimate interests for processing override the individual’s rights under the GDPR.
- Carry out a risk assessment on the personal data you hold.
- Prepare to run a Data Protection Impact Assessment (DPIA) on any future projects.
- Educate your staff about the GDPR and how it will impact their roles.
- If dealing with children, check your obligations regarding age verification and parental consent.
A data subject is classed as any natural living person.
What rights apply to data subjects?
Data subjects have the following rights.
- Restrictions on processing
- Data portability
- Revision of automated decisions or profiling
What is a Subject Access Request?
This refers to a Data Subject exercising their rights under the GDPR. A Subject Access Request must be responded to within 30 days. Companies need to have documented procedures in place detailing how they will respond to Subject Access Requests.
The General Data Protection Regulation (GDPR) is new legislation in the area of data protection. Its purpose is to strengthen individuals’ rights regarding the collection, use and storage of their personal data.
The General Data Protection Regulation replaces the Data Protection Act.
The law applies to businesses or organisations in the European Union. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behaviour, must also comply with the GDPR.
Any data that can be used to identify a living person, directly or indirectly, is classed as personal data. Examples include:
- Email address
- Social security number
- Location data
- IP address
- CCTV footage
What is Sensitive Personal Data?
Sensitive personal data is a special category of personal data that has to be carefully handled. It includes factors such as:
- Health Details
- Sexual orientation
- Religious beliefs
- Political beliefs
- Membership of a trade union
Criminal records, while not quite classed as special category data, also need to be carefully handled.