As you start your journey towards GDPR compliance (see GDPR Article 30), one of the first steps is to undertake a Data Protection Impact Assessment and, within this, to conduct a Data Mapping exercise. This article introduces the concept and how it may best be approached.
The ICO proposes that you must conduct what is referred to as a data mapping exercise by describing the information flows throughout the organisation in order to properly assess the risks to privacy.
A data inventory will be required before you can commence mapping the data. This will highlight the many types of personal data and will include examining staff data (HR, Payroll, Compensation and Benefits), employee monitoring data (routine forms signed by staff, for example), ID numbers, security passes, IT passwords and much more besides. Client data will include all of the obvious names, emails, addresses etc., but also the less obvious such as notes entered in a CRM system, order histories, payment details, loyalty card data, photographs and so forth. It never fails to surprise an organisation of any size when they realise just how much PII (Personally Identifiable Information) they hold. Once you’ve identified that you do hold such data, where does it go?
An HR Example
Taking Human Resources as an example, we might start by exploring the recruitment process: how do CVs arrive (paper, email, even WhatsApp), and are they emailed, printed, or processed into a screening application? If printed, how are they tracked to ensure deletion according to the retention policy? If emailed, to whom, and why? Are they encrypted? Is it possible that a department head might then retain a copy in his/her Exchange folders? Does that same person also receive the email via a mobile device, and is it a corporate device or do you have a BYOD (Bring Your Own Device) policy?
Linked data may include a bespoke Human Resources application such as PeopleSoft, or perhaps you just use a combination of MS-Excel and your CRM? If so, is the CV stored within these applications? Was the CV scanned, and does the scanning device have a hard disk (most office ‘multi-functional devices’, aka copiers, have a hard disk)? How secure is that hard disk, and could scanned data be re-printed by a different user?
Throughout the interview process, notes will be taken, and requests for references gathered. Was a consent form used, and where is all of this data stored, and how is it shared?
During the on-boarding process, information will be shared with third parties too. An employee might be registered with a pensions provider, a gym, vehicle insurance company, a training provider and many others too. It all must be tracked!
Compliance without Data Mapping? Impossible!
By mapping the flow of data, you identify any unforeseen or unintended uses, and you build a picture of risk. The data flow map will encourage you to consider the qualifications of the third party with whom you are sharing the data, and to prompt an assessment of their policies and procedures.
Ultimately, the objective is to help you comply with the eight Rights of Individuals, such as ensuring the data you hold is accurate and not excessive, and honouring their right to disclosure and their right to be forgotten. If you don’t know where all such PII might have been stored or shared, GDPR compliance is impossible.
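As an added illustration, not code from the article or from any vendor's tool, here is a small data-flow register in Python that follows the HR example above and turns it into the picture of risk described in this section, while also answering the "where has it gone?" question behind disclosure and erasure requests. The record layout, the check rules and the sample hops are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
@dataclass(frozen=True)
class DataFlow:            # one hop of a personal-data item between two places
    data: str              # category, e.g. "CV"
    source: str
    destination: str
    channel: str           # email, whatsapp, paper, scan, sync, api ...
    encrypted: bool        # protected in transit / at rest on this hop
    retention_days: Optional[int]   # None = no retention rule tracked
    third_party: bool = False       # destination is outside the organisation
    dpa_in_place: bool = False      # data processing agreement signed
    corporate_device: bool = True   # False = personal (BYOD) device

def assess_flow(flow: DataFlow) -> List[str]:
    # Data-protection findings raised by a single hop (assumed rule set)
    findings = []
    if flow.channel in ("email", "whatsapp", "api") and not flow.encrypted:
        findings.append("unencrypted transfer")
    if flow.retention_days is None:
        findings.append("no retention rule tracked")
    if flow.third_party and not flow.dpa_in_place:
        findings.append("third party without processing agreement")
    if not flow.corporate_device:
        findings.append("held on personal device")
    return findings

def risk_picture(register: List[DataFlow]) -> Dict[str, List[str]]:
    # Every hop that raises at least one finding, keyed by its path
    picture = {}
    for flow in register:
        findings = assess_flow(flow)
        if findings:
            picture[f"{flow.data}: {flow.source} -> {flow.destination}"] = findings
    return picture

def locations_of(register: List[DataFlow], data: str) -> Set[str]:
    # Every place a data category has reached: what you must know to answer
    # a disclosure request or a right-to-be-forgotten request
    return {f.destination for f in register if f.data == data}

# Constructed sample register following a CV through the recruitment process
HR_REGISTER = [
    DataFlow("CV", "candidate", "hr-mailbox", "email", False, 180),
    DataFlow("CV", "hr-mailbox", "dept-head-exchange", "email", True, None),
    DataFlow("CV", "dept-head-exchange", "dept-head-phone", "sync", True, None, corporate_device=False),
    DataFlow("CV", "hr-mailbox", "copier-hard-disk", "scan", False, None),
    DataFlow("employee-record", "hr-system", "pensions-provider", "api", True, 2555, third_party=True, dpa_in_place=True),
    DataFlow("employee-record", "hr-system", "gym", "email", False, None, third_party=True),
]
```

Running `risk_picture(HR_REGISTER)` flags five of the six hops; only the pensions-provider transfer, which is encrypted, has a retention rule and is covered by an agreement, raises nothing.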
How to Approach the Task?
There are many tools on the market, and while MS-Excel can be effective, the task is made easier through the use of software applications developed for the purpose. Vigilant Software’s Data Flow Mapping Tool can help you meet the requirements of Article 30 of the GDPR.
As Vigilant put it, ‘The tool simplifies the process of creating data flow maps, making them easy to review, revise and update as your organisation evolves. It will also fast-track your understanding of how personal data is collected and processed, as well as systematically identify all the stages in a personal data flow that have data protection implications’.
Such tools represent an affordable approach to compliance, and while no amount of software can make you compliant, if it can expedite and document your efforts then it can only be to your advantage.