What is Data Mapping
Data mapping is a process of cataloguing what data you collect, how it is used, where it is stored, and how it travels throughout your organization and beyond.
There are various ways to conduct this data mapping exercise – whether through a simple spreadsheet or a dedicated data mapping program – and the extent or limit of your data mapping will depend on your business.
However, most data maps should include the following information:
* What data you collect
* Whether that data is sensitive personal
* The legal basis for processing that data (reference the six legal bases established by the GDPR)
* Why data is being collected
* Where data is stored
* For how long data is stored
* Under what conditions data is stored (what protective measures are in place within your organization?)
* Where data is transferred
* Where third-party recipients are located (make note of international data transfers)
* What protocols are in place to protect data during transfers and data "at rest"
Data mapping is a combination of your data inventory and your data flow. These artifacts can be delivered by a spreadsheet detailing the data they collect, and a flow chart (MS Visio or MS Powerpoint) depicting the movement of that data through internal systems and external transfers.
Why Data Mapping is important for GDPR Compliance?
Here’s why data mapping is important and will help your business comply with the GDPR:
The GDPR is all about updating existing systems and implementing new ones to ensure the safekeeping and fair treatment of the user data you handle. But in order to properly assess data security, you must first be able to track a piece of data from the point of collection to its eventual deletion. Without a bird’s eye view of the entire lifecycle of your data, any security measures you implement will be piecemeal at best.
Not only is data mapping an essential foundation for carrying out the overall aims of the GDPR, but it’s also directly mandated by multiple articles of the regulation.
* Article 5 - Perform Privacy by Design.
* Article 6 - Establish Legal Basis of Processing
* Article 12 - Detail Data Practices.
Articles relating to Managing Data Subject Access Requests.
* Article 15 – The right of access
* Article 16 – The right to rectification
* Article 17 – The right to erasure (also known as the right to be forgotten)
* Article 18 – The right to restriction of data processing
* Article 20 – The right to data portability (to transfer)
* Article 21 – The right to object (to the processing of data)
Remaining articles include:
* Article 30 - Keep records of Processing Activities.
* Article 35 - Perform Data Protection Impact Assessments (DPIA).