GDPR Data Mapping & Information Flow

Organising your personal data, reviewing the avenues for obtaining, using and storing the information and completing an information audit is an important part of the General Data Protection Regulation (GDPR) planning and implementing process. Starting with a data mapping exercise is pivotal to ensuring that you comply with the GDPR requirements and for structuring your personal information in a standardised and easily accessible format. This short article gives you an overview of why carrying out an information audit is important and what types of information you should be recording.

Records of Processing Activities

Article 30 of the GDPR requires organisations to maintain a record of the processing activities under their responsibility. The records must contain: – (a) The name and contact details of the controller and, if applicable, the joint controller, the controller’s representative and the data protection officer (b) The purposes of the processing (c) A description of the categories of data subjects and categories of personal data (d) The categories of recipients to whom the personal data has been (or will be) disclosed (including to third countries/international organisations) (e) Where applicable, transfers of personal data to a third country or an international organisation, including their identity and documentation of suitable safeguards (if applicable) (f) Where possible, the envisaged time limits for erasure of the different categories of data (g) Where possible, a general description of the technical and organisational security measures The above must be documented by all controllers, with processors being required to record points (a), (e) and (g) along with the processor’s name, contact details and the categories of processing carried out on behalf of each controller. Organisations with fewer than 250 employees only need to keep records of their processing activities where they are likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.

Why Map Your Data?

The Information Commissioners Office (ICO) recommends that organisations document what personal data they hold, where it came from and who they share it with in order to comply with the Article 30 requirements and to enable individuals to exercise their rights under the Regulation. If you do not know what personal data you hold, how you obtained it or who you have shared it with; it is unlikely that you will be fully compliant with the GDPR and will also find it more difficult to uphold the rights of data subjects.

Information Audits

List of RequirementsCarrying out an information audit across your organisation is essential for knowing the what, where and why of your personal data and helps you to comply with the GDPR’s accountability principle. You need to evidence that you take data protection seriously and that you know and understand what personal information you obtain, maintain and share. We have created Excel and Word versions of our Information Audit template, which are provided free of charge with orders from our GDPR range. Whether you use existing templates or create your own record, you should aim to review all areas of your business and compile a central register that includes: –

  • What personal data you hold
  • Where it came from
  • Who you share it with
  • The lawful basis for processing it
  • What format(s) it is in
  • Who is responsible for it?

You can also include information such as level of access and timeframe for accessing the data. Your information audit register enables you to map your personal data and ensure that if you need to comply with an indidivuals’ rights or provide information to the Supervisory Authority, you can do so easily and compliantly.