Published on May 26, 2021. Author: Privacy Research Team
In 2016, the European Commission replaced its long-existing Data Protection Directive with a modernized version, the General Data Protection Regulation (GDPR). The GDPR is based on the EU Charter of Fundamental Rights that considers the protection of personal data an individual’s fundamental human right.
The objective of the GDPR is to ensure the protection of personal information through a human rights centric approach and allow secure transfer of personal information within and across jurisdictions. At present, the GDPR is considered to be one of the best global practices in relation to data protection and privacy legal landscape.
For organizations to stay in compliance with this regulation and ensure that all personal data is safe, organizations need to have a solid grip on all their customers’ data and be able to map it back to the owners. Traditional methods may make this task virtually impossible and with data collection and processing growing and changing rapidly, organizations will need to incorporate a tool that will help them map their data assets. Doing so can help organizations map back their data to the customer and in turn improve processes.
Data mapping is an essential component of the GDPR. It is considered to be the foundational step for the fulfillment of all other legal requirements under the GDPR such as responding to data subjects’ requests, conducting data protection impact assessments, or maintaining records of data processing activities. A few examples of data mapping driven privacy compliance are as follows:
Article 30 of the GDPR requires controllers and processors to maintain a record of data processing activities (RoPAs). RoPAs include process activity information, such as the purpose of processing, legal basis, consent status, cross-border transfers, DPIA status and more. Data mapping helps organizations comply with GDPR by collecting and maintaining a list of data processing activities across the business.
Article 35 of the GDPR requires organizations to carry out data protection impact assessments (DPIAs) where processing is likely to result in a high risk to individuals. Such a DPIA must take into account the nature, scope, context, and purposes of the processing. To conduct efficient DPIAs, organizations must be able to document what types of data they are collecting, when and how that data is being collected and used, where the data is being stored, and how data flows through various systems and vendors. All of this is achieved via data mapping.
Article 33 of the GDPR requires organizations to notify personal data breaches that are likely to cause risk to the rights and freedoms of data subjects to the supervisory authority no later than 72 hours after having become aware of the breach. Where the risk to the rights and freedoms of data subjects is high, organizations must notify impacted data subjects of the personal data breach without undue delay. Data mapping helps organizations swiftly identify impacted data subjects and compromised data in any security incident. It also enables organizations to assess the risks to the rights and freedoms of data subjects arising from a security breach, thereby helping organizations report only those personal data breaches that meet the required risk threshold to the proper stakeholders. As a result, they are able to meet notification timelines under the GDPR.
When relying on the user’s consent as a lawful basis for data processing, Article 4 of the GDPR requires such consent to be a freely given, specific, informed and unambiguous indication of the data subject’s wishes. In addition, data subjects must be able to withdraw their consent at any time and without any detriment. Data mapping helps organizations identify which processing activities rely on consent as a legal basis, highlight where consent capture mechanisms may be needed and facilitate consent revocation.
GDPR grants several rights to data subjects with respect to their personal data including the rights to
Once these rights are exercised by the data subject, the data controller must respond to such requests within the stipulated time frames. Data mapping helps organizations identify where the data subject’s data resides and facilitates the data subject request. It enables organizations to respond to a data subject’s request within the stipulated deadline under the GDPR.
The following are the key elements of a data map:
There are multiple data collection and processing elements combined with in-house and cloud-based application and storage infrastructure, with highly fluid data sharing and processing agreements in place. With more than 80% of enterprise workloads now moving to the cloud, organizations are finding it hard to document and track the flow of information within their vendor’s cloud infrastructure.
In most organizations, data catalogs and maps are hidden away in outdated spreadsheets and PowerPoint or Visio diagrams, making it impossible to bring clarity to this gigantic mesh of interconnected interfaces, systems, and processes.
Also, without a collaborative documentation and knowledge sharing environment, it is typical for such business process knowledge to get locked up in the minds of subject matter experts, making it nearly impossible to build and maintain an accurate record of data.
Data mapping enabled by the PrivacyOps methodology helps resolve all these challenges. It provides organizations with a fully automated, single, and secure platform that helps them conduct efficient and holistic data mapping.
A good data mapping solution helps companies gain full visibility and control of personal data and facilitates collaboration - not just within the organization but also externally.
Therefore, the PrivacyOps framework requires a system-of-record, a system-of-knowledge, a system-of-engagement, and a system-of-automation to bring all your SMEs together in one platform to document and track the flow of information. Any data mapping solution under the PrivacyOps methodology provides the following features:
A system of record maintains:
A system of knowledge:
A system of engagement enables:
A system of automation enables:
Data mapping with manual methods is just not going to cut it given the added time, cost and resources - not to mention the risk of data sprawl and human error. In order to benefit from a truly robust data mapping structure, every business needs to adopt the PrivacyOps framework. Investing in such a framework will be immensely beneficial for any organization as it will be ready to comply with all data privacy regulations - not just the current ones but also those that are upcoming.