Understanding what personal information is being collected and processed is a fundamental component of any EU General Data Protection Regulation (GDPR) compliance programme.
Without that understanding, it will be difficult for any organisation to ensure that its data processing activities are compliant with the new obligations set out in the GDPR.
What does Article 30 state?
Article 30 requires organisations to “maintain a record of processing activities under [their] responsibility.
“That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
“The controller or the processor […] shall make the record available to the supervisory authority on request.”
How data mapping helps meet the requirements in Article 30
Article 30 doesn’t state how you should meet its requirements, but data flow maps can be a useful method.
A data flow map shows the flow of your organisation’s data and information from one location to another, e.g. from suppliers and sub-suppliers through to customers. When mapping data flows, the interaction points between all parties should be identified.
Mapping the flow of data helps you identify any unforeseen or unintended uses. A data flow map is particularly useful for processes that involve a number of steps or parties, where you want to ensure that you’ve identified all the components in that process.
How Vigilant Software can help
Vigilant Software’s Data Flow Mapping Tool can help you meet the requirements in Article 30 of the GDPR.
The tool simplifies the process of creating data flow maps, making them easy to review, revise and update as your organisation evolves.
It will also fast-track your understanding of how personal data is collected and processed, as well as systematically identify all the stages in a personal data flow that have data protection implications.
This will allow you to more quickly determine the appropriate administrative and technical controls necessary to comply with the GDPR.