GDPR Data Mapping: What it is and How to Comply?

Data Mapping under the GDPR

Data mapping is an essential component of the GDPR. It is considered to be the foundational step for the fulfillment of all other legal requirements under the GDPR such as responding to data subjects’ requests, conducting data protection impact assessments, or maintaining records of data processing activities. A few examples of data mapping driven privacy compliance are as follows:

Records of Processing Activities

Article 30 of the GDPR requires controllers and processors to maintain a record of processing activities (RoPAs). RoPAs include process activity information, such as the purpose of processing, legal basis, consent status, cross-border transfers, DPIA status, and more. Data mapping helps organizations comply with GDPR by collecting and maintaining a list of data processing activities across the business.

Data Protection Impact Assessments

Article 35 of the GDPR requires organizations to carry out data protection impact assessments (DPIAs) where processing is likely to result in a high risk to individuals. Such a DPIA must take into account the nature, scope, context, and purposes of the processing. For conducting efficient DPIAs, organizations must be able to document what types of data they are collecting, when and how that data is being collected and used, where the data is being stored, how data flows through various systems and vendors, all of this is achieved via data mapping.

Breach Management

Article 33 of the GDPR requires organizations to notify personal data breaches that are likely to cause risk to the rights and freedoms of data subjects to the supervisory authority no later than 72 hours after having become aware of the breach. Where the risk to the rights and freedoms of data subjects is high, organizations must notify personal data breaches to impacted data subjects without undue delay. Data mapping helps organizations swiftly identify impacted data subjects and compromised data in any security incident. It also enables organizations to assess the risks to the rights and freedoms of data subjects arising from a security breach, thereby helping organizations report, only the personal data breaches that meet a required risk threshold, to the proper stakeholders. As a result, they are able to meet notification timelines under the GDPR.

Consent Management

While relying on the user’s consent as a lawful basis of data processing, Article 4 of the GDPR requires such consent to be freely given, specific, informed, and unambiguous indication of the data subject’s wishes. Besides, data subjects must also be able to withdraw their consent at any time and without any detriment. Data mapping helps organizations identify which processing activities rely on consent as a legal basis, highlight where consent capture mechanisms may be needed, and facilitate consent revocation.

Data Subjects’ Rights Fulfillment

GDPR grants several rights to data subjects with respect to their personal data including the right to

1. access a copy of personal data,
2. rectify or erase personal data,
3. restrict the processing of personal data, and
4. port personal data.

Once these rights are exercised by the data subject, the data controller and the data controller must respond to such requests within stipulated time frames. Data Mapping helps organizations identify where the data subject’s data resides and facilitate the data subject request. . It enables organizations to respond to a data subject’s request within the stipulated deadline under the GDPR.

Key Elements of Data Mapping

The following are the key elements of a data map:

• Allows businesses to organize, catalog, manage and structure data for operational needs
• Allows organizations to easily access and find relevant data whenever required
• Makes data management and protection more efficient - i.e riskier data has more robust security
• Enables data flow tracking
• Helps maintain adequate records of data processing activities

Key Challenges of Data Mapping

There are multiple data collection and processing elements combined with in-house and cloud-based application and storage infrastructure, with highly fluid data sharing and processing agreements in place. With more than 80% of enterprise workloads now moving to the cloud, organizations are finding it hard to document and track the flow of information within their vendor’s cloud infrastructure.

In most organizations, data catalogs and maps are hidden away in outdated spreadsheets and Powerpoint or Visio diagrams, making it impossible to bring clarity to this gigantic mesh of interconnected interfaces, systems, and processes.

Also, without a collaborative documentation and knowledge sharing environment, it is typical for such business process knowledge to get locked up in the minds of subject matter experts, making it nearly impossible to build and maintain an accurate record of data.

Data mapping enabled by PrivacyOps methodology helps resolve all these challenges. It provides a fully automated, single, and secure platform to organizations that help them conduct efficient and holistic data mapping.

Data Mapping & the PrivacyOps Framework

A good data mapping solution helps companies gain full visibility and control of personal data and facilitates collaboration - not just within the organization but also externally.

Therefore, the PrivacyOps framework requires a system-of-record, a system-of-knowledge, a system-of-engagement, and a system-of-automation to bring all your SMEs in one place to document and track the flow of information, in one platform. Any data mapping solution under the PrivacyOps methodology provides the following features:

A System of Record

A system of record maintains:

• Information flows—within the organization, between organizations (processors, contractors, suppliers) and outside the organization, and also data flow across countries.
• Extensive metadata for every element within a data map including—Data Type, Data Format, Location, Accountability, Access list, etc.
• A definition of all the PD attribute types handled by the data map element
• A record of the purpose of data collection, processing, or storage along with legal justification (e.g. consent) for those activities
• Easy-to-generate Article 30 (Record of Processing) reports that can be shared internally and made available to supervisory authorities & auditors instantly

A System of Knowledge

A system of knowledge:

• Provides an expandable, organization-centric icon library
• Allows users to define components once and use them within multiple data maps or business process flow diagrams
• Allows users to clone and enhance existing data maps making the process efficient and extensible
• Allows users to describe the information flow in a visual, easy to understand artboard
• Ensures that the right users and SMEs create, collaborate and provide feedback on information flows
• Provides intelligent connection options that track PD attributes along with the information flow
• Acts as the inventory of all business flow assets.
• Allows users to describe the information flow in a visual, easy-to-understand artboard.
• Acts as the interface to the system of record to glean insights into data flow by capturing all the characteristics of that flow including direction, properties, restrictions, and ownership.
• Reduces uncertainties in business flows where normally one or more subject matter experts would need to be consulted.
• Supports business and organizational decision-making capabilities through a combination of business flow records, component metadata, system ownership, and system-generated insights including data classification and privacy alerts.

A System of Engagement and Collaboration

A system of engagement enables:

• Mapping complex data flows and business process diagrams on a flexible and collaborative artboard
• Working with multiple subject matter experts and process/solution owners seamlessly within a single, collaborative data map
• Messaging capabilities to communicate with and to invite collaborators
• Working with teams on any device across multiple platforms and geographies
• A collaborative, easy to use environment that ensures that the data map is always up-to-date through automation, notifications, and policy alerts

A System of Automation and Insight

A system of automation enables:

• Automated data map creation through metadata ingestion
• Automatic scanning and classification of data in hundreds of locations to populate properties for map elements.
• The use of PD attributes discovered during live data scans as component metadata within data maps
• Periodic re-scans to ensure the data is always up-to-date
• Automatic monitoring of maps elements and process flows for compliance violations such as data collection without consent, improper access privileges, etc.
• Breach impact analysis as it applies to data flows and business processes
• Policy-based alerts to identify weak security processes and/ or non-compliance to legal or regulatory requirements
• Consent tracking at each stage of the data flow and highlight data that may be collected, stored, or processed without consent

Key Takeaway

Data mapping with manual methods is just not going to cut it given the added time, cost, and resources - not to mention the risk of data sprawl and human error. In order to benefit from a truly robust data mapping structure, every business needs to adopt the PrivacyOps framework. Investing in such a framework will be immensely beneficial for any organization as it will be ready to comply with all data privacy regulations - not just the current ones but also those that are upcoming.