GDPR Data Mapping: What is it and how to comply
Data mapping is the backbone of GDPR compliance. By creating a data map, you’ll get a clear view of how your organization collects, uses, and shares personal data—helping you reduce risk, work better, and develop great products.
This article will explain what a data map is, why data mapping is important, and how to create a data map.
What Is Data Mapping?
Data mapping is a process that helps you understand how and why your organization uses personal data.
The data mapping process will help you better understand what personal data you collect, why you collect it, whether you need it, and how it flows out of your organization to third parties.
Data mapping can help you keep up-to-date records and create diagrams that help you stay in control of your data protection and privacy practices.
Benefits of Data Mapping
Using data mapping to identify what personal data you process is a crucial part of GDPR compliance—and brings many other benefits, too.
By the way: “Personal data” means any information relating to an identifiable individual—anything from names and emails to mobile IDs, location data, and IP addresses. “Processing” personal data means collecting it, storing it, sharing it, or otherwise using it.
Here’s a quick look at six benefits of data mapping.
1. Complying with the Data Protection Principles
The GDPR’s data protection principles apply whenever you process personal data. You can’t apply the principles unless you fully understand your data processing activities.
For example, the GDPR’s principle of “data minimization” requires that you don’t collect personal data unless you need it for a specified purpose. A data map allows you to uncover and deal with any personal data you’re unnecessarily collecting, storing, or sharing.
2. Identifying a Legal Basis
All processing of personal data under the GDPR requires a “legal basis”. The legal bases are listed at Article 6 of the GDPR, and at Article 9 for “special category” (sensitive) data. Failing to identify an appropriate legal basis is one of the most common GDPR violations.
Data mapping can help you identify all the personal data in your control, and decide whether you have a legal basis for processing it.
3. Managing Privacy and Security Risks
You can’t properly protect personal data without a clear understanding of how and why you’re processing it. Good data visibility means you can implement appropriate safeguards, and reduce the risk of data breaches.
A data map helps apply risk-based controls according to the sensitivity of the data you control, the context of the processing, and your company’s resources.
4. Facilitating Data Subject Rights
Under the GDPR, data subjects (people) can request that you erase, correct, or provide access to their personal data. You must respond within a maximum of one month. Poor handling of data subject rights requests is among the most common reasons for regulatory complaints.
Data mapping helps you organize and govern the personal data you control. This enables a timely and efficient response to data subject rights requests, keeping your customers happy and avoiding complaints to regulators.
5. Managing International Transfers
The GDPR’s strict rules on transferring personal data out of the EU have caused major compliance issues for many businesses.
A data map can illustrate how you share personal data with vendors and third parties, helping you identify where personal data is going and which international data transfer safeguards are required.
6. Creating an Article 30 ‘Record of Processing Activities’
Article 30 of the GDPR requires some businesses to create a record of processing activities (RoPA, sometimes called an “Article 30 report”). Nearly every business requires a RoPA under the GDPR.
Data maps are closely related to RoPAs. Automated data-mapping tools can even enable you to create an up-to-date RoPA with minimal day-to-day maintenance.
How to Create a Data Map
Now let’s explore how to create and maintain a data map. Every organization will approach data mapping differently, but there are some common concepts and principles.
A data mapping exercise should answer the five “W”s: Why, What, Where, When, Who, and Why:
- What personal data do we process?
- Why do we process personal data?
- Where do we obtain, store, and send personal data?
- When do we delete personal data?
- Who has access to the personal data we control?
In this guidance, we’ll break the data-mapping process down into three related concepts: data discovery, data inventory, and data flow mapping.
Data Discovery
Data discovery is the process of finding out what personal data your organization processes, and learning how and why your organization processes personal data.
The data discovery process informs your data inventory and data flow mapping. We’ll look at what types of information you need to “discover” below.
There are two main approaches to data discovery:
- Manual data discovery: Sending out questionnaires or interviewing staff to ask what personal data they collect, what they use it for, how they share it, etc.
- Automated data discovery: Using tools such as privacy code scanning to automatically discover how your organization processes personal data.
Automated data discovery is important, particularly if you’re developing software. Automated tools can scan your code to learn how your app collects, uses, and shares personal data. As your software changes, an automated tool can also automatically update your data inventory.
Data Inventory
A data inventory lists the types of personal data you process together with additional information about how and why you process it. Once you’ve started the data discovery process, you can start populating your data inventory.
Discovering what personal data you process can be time-consuming, depending on what your business does and what data-mapping tools you use.
Your data inventory can identify:
- The types of personal data you process.
- Whether you process any “special category” or “sensitive” data.
- Which third parties receive personal data from your organization.
- Which countries you transfer personal data to.
- Any APIs you’re using that might process personal data.
- Where you store personal data.
- How long you store personal data of different types.
- What security measures you have in place to protect personal data.
Automation can help with your data inventory, both by keeping your data inventory up-to-date, and by automatically exporting the relevant data to your RoPA.
Data Flow Mapping
Data flow mapping means establishing how personal data enters and exits your organization. This process will help you figure out which other controllers, processors, and third parties you’re sharing personal data with.
The GDPR requires controllers and processors to have contracts in place (“data processing agreements”) to govern how they process personal data. This means you must have agreements in place with companies like advertising, analytics, and security providers.
You also need to be transparent about the recipients of any of your users’ personal data—both in your privacy notice and if you receive a data subject access request (DSAR).
The GDPR also requires you to have safeguards in place when transferring personal data to “third countries” outside of the European Economic Area (EEA), including the US.
Having clear visibility of how data flows out of your organization is crucial.
Your data flow map should also stay up-to-date as you change the types of personal data you collect and the third parties you share it with. Automated tools can help with this by continuously scanning your code base and logging any GDPR-relevant changes.
Data Mapping: The Backbone of GDPR Compliance
GDPR compliance can be stressful: If you don’t understand how your company collects, uses, stores and shares personal data.
Creating a data map helps you stay on top of data protection and integrate privacy into the core of your operations.
The right tools make exercises such as data discovery, creating a data inventory, and data flow mapping hassle-free, helping you concentrate on growing your company.
Robert is a writer covering privacy, security, and AI. He is a respected voice on privacy and has covered and has been working in the field since 2017.