GDPR data mapping tutorial: tips, tricks and techniques

A data flow map is a diagram that shows how sensitive information moves between one part of your organisation and another.

For example, you might collect user information through a survey, which is then funnelled into a database used by your marketing team. If the data subject becomes a customer, their information will be shared with the sales team and expanded upon.

In order to stay on top of this information – whether that’s to update it, dispose of it when it’s no longer necessary or give it adequate protection – you need a data flow map.

How data flow mapping works

To create an accurate data flow map, you need to know:

  • The various ways information moves through your organisation;
  • Who is responsible for each transfer; and
  • Which assets are used to transfer and store information.

This information might not be documented – or, if it is, there may be additional steps that aren’t written down – so we recommend looking at how the process works in practice and diagramming your findings.

With the right software, such as our Data Flow Mapping Tool, you can create a map quickly and easily.

In this blog, we explain a few of the ways the tool helps organisations track their personal data flows and meet data protection requirements such as those outlined in the GDPR (General Data Protection Regulation).

Asset management

The first step to creating a data flow map is to identify your assets – i.e. information you process and the locations that it flows through, such as databases, hard drives and filing cabinets.

You also need to know who is responsible for managing each asset through its lifecycle. The Data Flow Mapping Tool makes it easy to add these details, ensuring that your map is completed efficiently.

With our tool, you can appoint an asset owner and state whether they are a data controller or data processor – which, when it comes to personal data, will have important ramifications for GDPR compliance.

The tool also helps you determine your data transfer requirements by giving you the option of stating the country where data is stored and by specifying which countries have received an adequacy decision.

Information classification

A successful data flow map not only determines what information is being transferred but also the level of protection it should be given.

That’s where information classification fits in. It’s usually considered in terms of the level of confidentiality each piece of data has – i.e. who is granted permission to access it.

A typical system will have four levels of confidentiality:

  • Confidential (only senior management has access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public (everyone has access)

However, these aren’t the only labels you can use to classify information. For example, you might want to state “sensitive” if the information poses a severe risk if misused but access is required by many people in your organisation.

Whatever classification works for the needs of your organisation is acceptable, and the Data Flow Mapping Tool makes it easy to create classifications and label your documents accordingly.

You simply establish a classification system at the beginning of the project (although it can be amended later), and then select the appropriate label for each new asset from a drop-down menu.

Data retention periods

Any information you process will inevitably flow towards an exit point. That is, you will no longer have a business or lawful reason to hold on to it and must therefore dispose of it.

The time frame between processing information and disposing of it is known as the data retention period. When it comes to personal information, the GDPR states that you must have an idea of what this time frame will be and document it.

You will benefit from doing this with other types of sensitive information too. If you don’t, your systems and data flow maps will soon be stacked with irrelevant data, as you keep adding information but never removing it.

The Data Flow Mapping Tool helps prevent this problem by including a data retention period category for the information you process.

You can track data as it moves through your organisation to its final destination(s), and easily locate and remove it from your systems when the deadline arrives.

Data Flow Mapping Tool

The Data Flow Mapping Tool will give you full visibility of the flow of data through your organisation.

This easy-to-use software package simplifies the data mapping process and helps you comply with data protection requirements, including the GDPR.

Available as a single-user option or for up to five people, and on a monthly or annual subscription basis, it’s suitable for all organisations whether they’re looking for long- or short-term help.

Plan your route to GDPR compliance with our Data Flow Mapping Tool

No Responses

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.