As part of your EU General Data Protection Regulation (GDPR) compliance project, your organisation will need to understand what personal data it processes. You will likely choose data mapping as a way to meet these requirements.
Key elements of data mapping
A data flow map of a process should chart the entire journey of personal data as it is processed for the purposes specified. If the same data is processed for an additional set of purposes, this constitutes a different process and should be charted in a separate map.
An effective data mapping process will establish:
- The data items obtained (name, email, address, etc.);
- The format of the data (hard copy, digital copy, etc.);
- Transfer methods (internally or externally, post, telephone, etc.); and
- Where the data is stored (offices, the Cloud, third party, etc.).
Tackling complex processes when data mapping
One of the main challenges in the data mapping process is identifying personal data and how it is stored. Personal data includes name, email address and location.
For each process in your organisation, you can obtain numerous data items, which can be stored in many formats, for example paper or digital.
Complex processes can be even more difficult to deal with
It is important to ensure you get the scope of the process right. The scope should be dictated by the purpose of processing, which in turn is closely tied to the lawful basis of processing the data.
Most processes can be broken down into several smaller processes to make them more manageable.
For example:
- The sales process for most car dealers involves recording a potential customer’s contact details. The purpose for doing this may be to follow up after an initial interaction. The lawful basis is likely to be one of consent or pursuing legitimate interests.
- However, most car dealers also offer test drives as part of their sales process. In order to let a customer take a test drive, the dealership needs to take a copy of their driving licence. The purpose for doing this may be managing risk, complying with the law and/or complying with the demands of an insurer. In this case, the lawful basis may well be compliance with a legal obligation or contractual necessity.
In this example, you have two separate processes that are often treated as one, but are much easier to manage when you split them.
Tools to help simplify the data mapping process
Vigilant Software’s Data Flow Mapping Tool simplifies the data mapping process, making your maps easy to review, revise and update as your organisation evolves.
The new and improved tool has been geared for repeatability: users can now create copies of entire processes and their corresponding maps, label the input points on data, and add data subjects to maps to provide an overview of where data is passed on or returned to data subjects.
Chloe, this was a really useful article. What I have found in using the tool is that I initially came at it from a business process decomposition point of view; so I started with a process group being Sales Lifecycle for example. I have now realised that you need to think more about purposes than processes. So now my groups are Direct marketing to Prospects, for example. Then each process in this group can cover all the ways we do this.
One thing I do not understand is how you use the Data Subject “asset”. It cannot link into the Data Input, and it doesn’t look right to have it being an output of a Data Input. What is your advice?
Hi Paul, thank you for your comment. The data subject ‘asset’ is there so you can mark any point in a process where data gets sent onto, or returned to, the data subject. You might not have to use this in many maps, but there are some processes (particularly around hiring and recruitment) that can involve sending data back to the data subject. In such cases, you need to make sure that you’re using appropriate methods/controls to protect that data while it’s in transit, so it’s helpful to make sure that the transfer is explicitly marked on your map. I hope this helps! – Chloe
Thanks, now I understand.
Hello Chloe,
I tried the tool a few weeks ago, but I did not manage to use data elements that are used in a process, but that are entered in another process. I could only select data elements that come into a process via a data input. I could not select data elements that enter an asset in another process.
Hi, thanks for getting in touch. Unfortunately at the moment you have to manually create the data items anew in each process. You can, however, record which processes are linked together either by adding them to the same group of processes or by creating a relationship between them from within the main area of CyberComply. We’re working on the functionality to add data items that originate from another process – keep an eye on our blog for all of our new product updates. – Chloe
Hello Chloe,
Thank you for your reply. I’m looking forward to the product update implementing this functionality.
Kind regards, Wim.
Me too