Mapping the Flow of Personal Information for GDPR Compliance and Beyond
Data Mapping has become a hot topic in the context of complying with the coming European Union (EU) General Data Protection Regulation (GDPR), which will be implemented and enforceable in May of 2018. This is particularly relevant with respect to GDPR’s Article 30, which requires the creation and maintenance of “records of processing activities.” The precise meaning of “data mapping,” however, tends to vary widely depending on with whom you’re speaking. In the context of this post, data mapping comprises two components: (1) a visual depiction of the flow of personal information through its lifecycle, within an identified process, including flows between internal and external systems, parties and jurisdictions, and (2) an Article 30 register of processing activities.
Benefits Beyond GDPR
An effective data mapping exercise will not only help you meet your obligations under Article 30, but also delivers numerous ancillary benefits. Perhaps most significantly, data mapping facilitates a better understanding of how personal information is used across the enterprise, establishing a starting point for implementing controls to effectively manage that information in accordance with applicable legal and business requirements. By creating visual depictions of the data flows, individuals across different functional groups – including Privacy, Information Technology, Data Security and Information Governance – are provided a toolset to better understand the organization’s personal information lifecycle, risks and controls.
Understanding Non-Linear Data Flows
If you work in the privacy field, you likely know that personal information does not flow in a straight, linear manner through your organization. With increasingly complex data environments extending well beyond an entity’s own network, it is more critical than ever before to track the flow of personal information throughout a process, not simply through a single system.
Take, for example, employee recruiting and hiring. The flow of personal information begins outside of your organization with a resume being submitted by an applicant to a third-party recruiter. That may be received by your HR team, which then loads information about a successful candidate into a cloud-based, third-party HR management system (e.g., Workday or Peoplesoft). From there, the information likely flows out to additional third parties such as payroll and benefits providers, then back into the organization for further processing in the cloud-based HR management system and on an internal database, which may be backed up remotely. All of which illustrates that the manner in which personal information flows through a process is very different from how it may flow within a single system. It is those process-based data flows that should be understood to support not only the Article 30 GDPR requirement, but also to understand interdependencies with other personal information-based initiatives across an organization.
Mapping for Effective Data Management
As you prepare for GDPR compliance, consider the following benefits of conducting a data mapping exercise:
Regulatory Compliance – Data mapping outputs demonstrate to both EU and non-EU regulators that your organization understands how personal information is processed and managed. In fact, if a Data Protection Authority (DPA) ever has reason to question your data processing, it is nearly certain that one of the first items they will request is your register of data processing. Also, if you are considering using Binding Corporate Rules as an intracompany cross-border transfer mechanism in the future, the data maps and the corresponding registers will facilitate the review by your lead DPA.
Data Inventory – When conducted in a thorough and thoughtful manner, the data mapping process enables the creation of detailed personal information inventories. While it may not be feasible for most organizations to map every process, mapping those involving large volumes of personal information, or smaller volumes of high-risk personal information, provides representative samples and can be leveraged throughout the enterprise. Creating a data inventory, and understanding what personal information is being collected and processed, is a fundamental component of any privacy compliance program.
Third Party Risk Management – Data maps and the corresponding registers of processing provide records of both internal and third-party processing of personal information. This helps organizations effectively identify and manage risks associated with third-party sharing and international data transfers. It also enables organizations to ascertain the precise points in the data lifecycle where transfers occur, and where corresponding procedural controls (e.g., data minimization controls, data processing agreements, model contracts) and technical controls (e.g., encryption, pseudonymization) should be implemented.
Risk Identification – Data maps provide a structured approach for identifying the points within the data lifecycle where personal data may be at risk. The visual depiction of the flow of personal information through a process is an excellent tool for identifying where controls are required and where they may be missing. For example, a data map indicates collection points, as well as international transfers and the final disposition at the end of the data lifecycle, all of which require certain controls. Completed maps and corresponding registers of processing can be leveraged to identify existing gaps in requirements, enabling organizations to evaluate and mitigate those gaps and corresponding risks.
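The recruiting-and-hiring flow from the earlier section and the transfer points and control gaps described under Third Party Risk Management and Risk Identification can be captured in one machine-readable data map. The following is an added example written for this post, not code from the original article or from any product it mentions: every system, jurisdiction code, flow and policy field (such as `processing_agreement`, `transfer_mechanism` and `home_jurisdiction`) is constructed, the "international transfer" rule is a deliberate simplification (any hop whose target sits outside the controller's home jurisdiction), and the register fields are a reduced set modelled on the Article 30(1) headings rather than a complete template. The map feeds three outputs: a Graphviz DOT drawing (the visual depiction), a list of control gaps, and a simplified register of processing.

```python
"""Process-based data map of a recruiting/hiring flow with gap checks and a
simplified Article 30 register.  Added example; all data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    """A party or system holding personal information at some lifecycle stage."""
    name: str
    owner: str                        # "data-subject", "internal" or "third-party"
    jurisdiction: str                 # constructed region code, e.g. "EU", "US"
    processing_agreement: bool = True # assumed field: DPA in place with this party


@dataclass(frozen=True)
class Flow:
    """One hop of personal information between two nodes."""
    source: Node
    target: Node
    categories: tuple                      # categories of personal data carried
    purpose: str
    transfer_mechanism: Optional[str] = None  # e.g. "SCC", "BCR"; None = undocumented
    encrypted: bool = True                 # encrypted in transit


@dataclass
class DataMap:
    process: str
    controller: str
    home_jurisdiction: str
    retention: str
    flows: list

    def nodes(self):
        seen = {}
        for f in self.flows:
            seen.setdefault(f.source.name, f.source)
            seen.setdefault(f.target.name, f.target)
        return list(seen.values())


def international_transfers(dmap):
    """Hops whose target lies outside the controller's home jurisdiction (simplified rule)."""
    return [f for f in dmap.flows if f.target.jurisdiction != dmap.home_jurisdiction]


def control_gaps(dmap):
    """Points in the lifecycle where a control the map calls for is not documented."""
    outbound = international_transfers(dmap)
    gaps = []
    for f in dmap.flows:
        hop = f"{f.source.name} -> {f.target.name}"
        if f in outbound and f.transfer_mechanism is None:
            gaps.append(("missing transfer mechanism", hop))
        if f.target.owner == "third-party" and not f.target.processing_agreement:
            gaps.append(("missing processing agreement", hop))
        if not f.encrypted:
            gaps.append(("unencrypted transfer", hop))
    return gaps


def article30_register(dmap):
    """Reduced record of processing activities derived from the map (fields are an assumption)."""
    return {
        "process": dmap.process,
        "controller": dmap.controller,
        "purposes": sorted({f.purpose for f in dmap.flows}),
        "data_categories": sorted({c for f in dmap.flows for c in f.categories}),
        "collection_points": [f"{f.source.name} -> {f.target.name}"
                              for f in dmap.flows if f.source.owner == "data-subject"],
        "recipients": sorted({f.target.name for f in dmap.flows if f.target.owner == "third-party"}),
        "third_country_transfers": sorted({f.target.jurisdiction for f in international_transfers(dmap)}),
        "retention": dmap.retention,
    }


def to_dot(dmap):
    """Graphviz DOT text for the visual depiction; outbound international hops are dashed."""
    outbound = international_transfers(dmap)
    lines = [f'digraph "{dmap.process}" {{']
    for n in dmap.nodes():
        lines.append(f'  "{n.name}" [label="{n.name}\\n{n.owner}, {n.jurisdiction}"];')
    for f in dmap.flows:
        style = "dashed" if f in outbound else "solid"
        lines.append(f'  "{f.source.name}" -> "{f.target.name}" [label="{f.purpose}", style={style}];')
    lines.append("}")
    return "\n".join(lines)


# Constructed nodes and flows following the post's recruiting example.
APPLICANT = Node("applicant", "data-subject", "EU")
RECRUITER = Node("third-party recruiter", "third-party", "EU")
HR_TEAM = Node("HR team", "internal", "EU")
HRMS = Node("cloud HR management system", "third-party", "US")
PAYROLL = Node("payroll provider", "third-party", "EU")
BENEFITS = Node("benefits provider", "third-party", "CA", processing_agreement=False)
HR_DB = Node("internal HR database", "internal", "EU")
BACKUP = Node("remote backup service", "third-party", "US")

RECRUITING = DataMap(
    process="employee recruiting and hiring",
    controller="Example Co. (constructed)",
    home_jurisdiction="EU",
    retention="duration of employment plus statutory period (constructed)",
    flows=[
        Flow(APPLICANT, RECRUITER, ("resume", "contact details"), "candidate sourcing"),
        Flow(RECRUITER, HR_TEAM, ("resume", "contact details"), "candidate evaluation"),
        Flow(HR_TEAM, HRMS, ("identity", "contact details", "employment terms"), "onboarding", "SCC"),
        Flow(HRMS, PAYROLL, ("identity", "bank details"), "payroll"),
        Flow(HRMS, BENEFITS, ("identity", "dependants"), "benefits enrolment"),  # no mechanism recorded
        Flow(PAYROLL, HRMS, ("pay records",), "record keeping", "SCC"),
        Flow(HRMS, HR_DB, ("identity", "employment terms", "pay records"), "record keeping"),
        Flow(HR_DB, BACKUP, ("identity", "employment terms", "pay records"), "backup", "SCC", encrypted=False),
    ],
)

if __name__ == "__main__":
    for finding in control_gaps(RECRUITING):
        print("GAP:", *finding)
    print(article30_register(RECRUITING))
    print(to_dot(RECRUITING))
```

Running the module prints two gaps on the benefits-provider hop (no transfer mechanism, no processing agreement) and one on the backup hop (unencrypted), which are exactly the kinds of missing controls the post says a completed map should expose; the register and DOT output are derived from the same flows, so the drawing and the Article 30 record cannot drift apart.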
As you prepare for GDPR, keep in mind that the foundation of an effective privacy program is built with a genuine understanding of exactly what personal information you’re collecting, for what purposes, and how that information is used throughout its lifecycle. That understanding enables the development and implementation of a privacy program that not only meets the requirements of critical regulations such as the GDPR, but also your business needs and customer expectations. Data mapping presents an excellent opportunity to gain that understanding, reach your programmatic objectives, and ensure preparedness for GDPR and the complex web of international privacy requirements.