As part of your EU General Data Protection Regulation (GDPR) compliance project, your organisation must understand what personal data it processes. To do so, it’s necessary to create a data flow map.
The Information Commissioner’s Office (ICO) has a staged approach to an effective data protection impact assessment (DPIA)1, which is a legal requirement of the GDPR for certain types of processing. The second stage in this process states that organisations should “describe the information flows” throughout the company in order to properly assess the privacy risks.
What is a data flow map?
A data flow map shows the flow of your organisation’s data and information from one location to another, for example, from suppliers and sub-suppliers through to customers. When mapping data flows, the interaction points between all parties should be identified.
By mapping the flow of data, you identify any unforeseen or unintended uses of it. A data flow map also helps you to consider the parties who will be using the information and the potential future uses of any data processed.
Data flow maps should identify key information, including the types of data items processed, how they are collected or transferred (e.g. via a form, online data entry or a phone call) and who is accountable for the personal data.
Challenges in the data flow mapping process
Your organisation’s data protection officer (DPO) should play a key role in producing a DPIA and mapping the flow of information. Creating a data flow map can involve the following three challenges:
- Identifying your personal data
Personal data means any information that identifies or could be used to identify a natural person. This can include name, email address, identification number and location data. Personal data can be stored in a number of formats, including paper, digital or audio. Your first challenge is likely to be identifying what information is stored in which formats.
- Identifying technical and organisational safety measures
Your second challenge is identifying the types of technology and organisational procedures that protect personal data. Part of this challenge is determining who has access to this information.
- Understanding legal and regulatory requirements
Your final challenge is determining your organisation’s legal and regulatory obligations.
Once you have solved these challenges, you will be in a good position to move forward in your GDPR compliance project, building trust and confidence in your organisation.
New: Data Flow Mapping Tool
Our Data Flow Mapping Tool simplifies the process of creating data flow maps, making them easy to review, revise and update as your organisation evolves.
The tool will help accelerate your understanding of how personal data is collected and processed, and will also help you systematically identify all the stages in a personal data flow that have data protection implications. This will allow you to more quickly determine the appropriate administrative and technical controls necessary to comply with the GDPR.