With time ticking away rapidly on the GDPR countdown to 25 May 2018, organisations have about six months left to transform the way they collect and process data, to comply with this new EU-wide regulation.
GDPR aside, any business that relies on data to sell, target, service or market products or services needs a good handle on their data management processes to work effectively and meet their legal obligations.
From May 2018 organisations will be required to understand their data flows inside out, and be able to answer the five Ws: the Who, Where, Why, What and When of the personal data under their control.
- Who owns it?
- Where is it stored?
- Why do we have it?
- What is it used for?
- When should it be purged?
All of these need to be covered in detail to meet regulatory obligations. That’s where data mapping comes in.
What is data mapping?
The process of data mapping helps identify, understand and map the data flows of a business, giving you a bird’s eye view of all the information flowing in and out of an organisation.
Creating a meaningful data map is a big undertaking, but it will highlight everything you need to get GDPR-ready, including:
- The categories of data held and processed by different business units, and
- Where data is being transferred or disclosed to other business units and third parties, such as service providers.
Why is data mapping required from a compliance perspective?
It’s a question of privacy. Without understanding what data you’re collecting, processing, storing, sharing, using and even deleting, it’s impossible to ensure your data processing is compliant with all the applicable privacy laws and regulations.
For example, it would be impossible to ensure compliance with the rules around a cross-border data transfer, without knowing which types of data you’re sharing, with whom, and in which countries.
Similarly, how could you guarantee sensitive personal information is secure if you don’t know where it’s stored, or who has access to it?
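The five Ws above, together with the cross-border and storage questions in the last two paragraphs, can be kept as a simple record per data asset and checked mechanically. The following is an added example, not pebble.it's tooling or any prescribed GDPR template: the field names, the check rules (a record is incomplete if any W is unanswered, purge is due once the retention period has elapsed, any storage or recipient outside the home country counts as a cross-border transfer) and the sample assets are all assumptions constructed for illustration.

```python
"""Minimal data map: one record per data asset, with checks for the five Ws.

Added example. The schema, check rules and sample assets are constructed
assumptions, not a real organisation's records or any vendor's tooling.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# The five Ws from the text, mapped onto record fields.
FIVE_WS = {
    "who": "owner",
    "where": "storage_country",
    "why": "purpose",
    "what": "uses",
    "when": "retention_days",
}


@dataclass
class DataAsset:
    name: str
    collected_on: date                  # when the data was first gathered
    owner: str = ""                     # Who owns it?
    storage_country: str = ""           # Where is it stored? (ISO country code)
    purpose: str = ""                   # Why do we have it?
    uses: List[str] = field(default_factory=list)   # What is it used for?
    retention_days: int = 0             # When should it be purged? (0 = unknown)
    # Parties the data is transferred or disclosed to: (recipient, country)
    shared_with: List[Tuple[str, str]] = field(default_factory=list)


def missing_ws(asset: DataAsset) -> List[str]:
    """Return the Ws this record leaves unanswered ("" / [] / 0 count as blank)."""
    return [w for w, attr in FIVE_WS.items() if not getattr(asset, attr)]


def purge_due(asset: DataAsset, today: date) -> bool:
    """True once the retention period has elapsed; unknown retention is not 'due'."""
    if asset.retention_days <= 0:
        return False
    return today >= asset.collected_on + timedelta(days=asset.retention_days)


def cross_border_transfers(asset: DataAsset, home_country: str) -> List[Tuple[str, str]]:
    """Storage location and recipients outside the home country."""
    found = []
    if asset.storage_country and asset.storage_country != home_country:
        found.append(("storage", asset.storage_country))
    found.extend((r, c) for r, c in asset.shared_with if c != home_country)
    return found


def audit(assets: List[DataAsset], today: date, home_country: str) -> Dict[str, List[str]]:
    """Group asset names by finding so each can be followed up."""
    findings: Dict[str, List[str]] = {"incomplete": [], "purge_due": [], "cross_border": []}
    for a in assets:
        if missing_ws(a):
            findings["incomplete"].append(a.name)
        if purge_due(a, today):
            findings["purge_due"].append(a.name)
        if cross_border_transfers(a, home_country):
            findings["cross_border"].append(a.name)
    return findings


# Constructed sample inventory (hypothetical assets, owners and recipients).
SAMPLE_ASSETS = [
    DataAsset("crm_contacts", date(2016, 1, 10), owner="Sales", storage_country="GB",
              purpose="customer service", uses=["support", "renewals"],
              retention_days=730, shared_with=[("MailProviderCo", "US")]),
    DataAsset("recruitment_cvs", date(2017, 3, 1), owner="HR", storage_country="GB",
              purpose="hiring", uses=["candidate screening"], retention_days=180),
    # Deliberately incomplete: no owner, no stated uses, no retention period.
    DataAsset("web_analytics", date(2017, 11, 1), storage_country="IE",
              purpose="site analytics"),
]

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_ASSETS, date(2017, 11, 20), "GB").items():
        print(f"{finding}: {names}")
```

Run against the sample inventory with a home country of GB on 20 November 2017, the audit reports web_analytics as incomplete (no Who, What or When), recruitment_cvs as overdue for purge, and both crm_contacts (US recipient) and web_analytics (stored in IE) as involving cross-border transfers. The point is that each of the five Ws becomes a field someone must fill in and a check that can be re-run as the map is maintained, rather than a one-off spreadsheet.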
From a GDPR perspective, data mapping helps controllers (and in some cases data processors) cover the bases on privacy requirements, including:
- The requirement to maintain detailed records of an organisation's data processing activities and to make these records available to supervisory authorities on request
- The accountability requirement, according to which controllers must ensure and be able to demonstrate that their processing activities are performed in compliance with GDPR
- The data protection by design and by default requirements
Are there any other benefits of data mapping?
Absolutely. Legal compliance is a prerequisite, but the clarity, organisation and insight data mapping creates for the business has huge operational benefits, allowing it to:
- Streamline data flows, making processes and procedures easier to understand and manage
- Assert more control over the IT budget required to acquire and manage data
- Improve efficiencies between business units who rely on shared information
- Allow companies to more smartly use data for customer service, acquisition and retention
- Reduce the risk of data breaches and cyber attacks
- Respond to data requests faster and reduce related costs
- Keep on top of compliance regulations long after the GDPR deadline has passed
How can a certified GDPR consultant help?
Consider such a service as your data mapping task force.
Depending on the size and scale of your operation, carrying out a comprehensive IT audit and creating a data map that doesn’t simply tick the regulation box, but proves genuinely useful to the business, can be a full-time job.
If you’re going to spend time and money on it, you want 100% confidence it’s being approached with your business goals at the heart of the project.
A GDPR consultant should offer a structured, planned and practical approach, helping your business:
- Assign individual or team responsibilities for data mapping
It’s important that people from the business are involved in the project, particularly those responsible for day-to-day data processing, as they’ll bring a wealth of knowledge on existing processes and procedures, and allow you to map with much more insight.
- Create a project plan
This will include the project scope, budget, resource requirements, timelines and responsibilities, among other things. Working with the organisation’s Data Controller, the team will agree on all elements of the plan, reaching consensus on the level of detail the map will deliver and the key business outcomes.
- Collect information
They can look at current business structures and processes and make recommendations on the best way to get the information needed to map successfully.
This might include talking to employees with processing responsibilities, reviewing IT processes, consulting third-party partners and reviewing existing documentation. All of this will help build a picture of the current set-up and allow the consulting service to raise the bar and make improvements for future processing.
- Design the data map
Using all the information gathered and keeping the business’s goals front of mind, they can create a map that:
- Tabulates the end-to-end data flow
- Addresses any practical inefficiencies
- Bridges procedural gaps that cost time or money and
- Gives you your GDPR badge of approval
- Maintain and update
Data mapping isn’t a standalone piece. To have any business benefit and keep you compliant, it needs to be managed and updated regularly to remain accurate and useful.
pebble.it can help automate as much of the upkeep as possible, and create cost and time efficient processes where manual intervention is still required.
Discover the steps that will put you on the road towards GDPR compliance and how we can help get you there by downloading our GDPR-readiness checklist: