This article is written by Aristotle Gottumukkala, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).

Introduction

The term data mapping may sound like it is a tech-related term but it is just a process of identifying and classifying data that has been collected by any organization or a company. Data mapping is usually the first step that a company or organization must take before they start processing the collected data. Many data privacy professionals laud data mapping as an important component of GDPR compliance strategy, to avoid any kind of errors or disturb the data processing flow. This is due to its complex questionnaires that record; why data is being collected, why the data is being processed, what is the motive behind its collection, what type/kind of data is being collected, what is the legal basis of processing, what kind of processing tools are used, what kind of data is being retained, till when the data is been processed and how will the data be deleted. These are a few questions that will be clearly addressed in the data mapping, which in return will help the companies to improve their data processing operations efficiency.

Advantages of data mapping

• Bird’s eye view of processing activities,
• Maximize its analytics strategy,
• Locate privacy risks accurately,
• Harness big data volumes more efficiently,
• Identifies cross-border transfers,
• Prioritizes security safeguards over-processing,
• Plays a key role for companies to comply with the principles of G.D.P.R,
• It will be helpful while Data Privacy Impact Assessment.

Why is data map flow important for companies under GDPR? 

Every company which deals with data or data processing within the E.U or collecting and processing the data of EU citizens must comply with the G.D.P.R, as it is the gold standard of all privacy laws and regulations. There are a few articles in the G.D.P.R which makes it obvious as to why a data flow map is important for a company under G.D.P.R.

• Article 6 of the G.D.P.R – As every processing activity needs to have a lawful basis under G.D.P.R, a data flow map will help the companies to create a list of all the processing activities and once the list is been created it will be even easier for the companies to scrutiny and backup their processing activities in consonance with a lawful basis. 
• Article 25 of G.D.P.R – With a data flow map, the principle of privacy by design and default can be seriously implemented. A company or an organization with a data flow map is always ahead of its competition in sensing the privacy risks and if possible, initiating privacy security protocol if necessary. 
• Article 30 of the G.D.P.R – It is mandatory to have a written record of every data processing activity that a company or an organization conducts and with the data flow map it is possible to create a written record of all the processing activities even through graphical format. 

Key elements of data flow map under GDPR

The key elements that a data flow map requires under GDPR are:

• What type of data is collected?
• How and where is the data collected?
• Where is the collected data being stored?
• Format of the stored data?
• How, Why and where does the data flow?
• How long is the data retained?

If the data flow map is designed by keeping these elements then it can easily comply with GDPR.

How to create a perfect data flow map with GDPR compliance?

To comply with the G.D.P.R, a data flow map must procure a clear overall visualization of the entire data that has been collected and stored. It must pinpoint all data and store information which must also include the data stored inside and outside of the data controller’s company. A perfect data flow map must act as a watchdog on all the processing activities and keep up to date information about the data collected and stored. A perfect data flow map must also identify types/kinds of data, classification of data, data formats, cross border transfers, accurate location of the data, legal basis for processing and also the retention period of data. The most important thing to remember is that the data flow map will be most helpful to a company or an organisation irrespective of the data size and it will be even useful when a DPIAs are initiated in accordance with G.D.P.R. Last but not least, a company must initiate a three-step policy that a data controller must take while conducting a data mapping exercise and they are;

• Devise a Questionnaire,
• Meet directly with key business functions,
• Locate & review policies, contracts and data agreements.

Sample data flow map

Steps to take for a successful data flow map

• Management buy-ins must cover the definition of GDPR, cost of non-compliance, benefits, resources, timelines, budget.
• Kick-off meetings.
• Workshops.
• Improving IT knowledge.

Best practices for a data flow map

Accurately defining data processing activities, if the processing is carried out on a daily basis, or monthly basis or yearly basis and clarifying whose data has been collected, what mechanism is being used in the processing and what region the data subjects belong to, the purpose, the legal basis, consent is of complying with GDPR, rights, data retention, deletion, finding gaps, mapping internal assets, third parties and vendors for each and every processing activity, data transfer, cross-border transfer, proper technical and organizational measures, DPIAs and data flow diagrams. These are some of the best practices for data flow maps in compliance with GDPR.  

Challenges of a data flow map 

Creating a data flow map may involve some key challenges, they are;

• Identifying Personal Data: The identification of the data stored will be much harder than anticipated, even if the organization is purely focusing to comply with G.D.P.R, as per the definition of personal data within the preview of G.D.P.R, data with regards to a person can include any information that can help identify a person The challenge here is that the collected personal data will not be in a certain format, as it can be in any form, so identifying the data collected and converting it into data that the organization intends to work on takes a lot of time. 
• Identifying Technical & Organizational Safety Measures: Safety measures can be initiated if we can pinpoint the potential risk, moreover, there are N number of ways to protect the collected data, but the challenge lies in identifying who has access to personal data. The risk lies with anyone and everyone who has access to the personal data and it is up to the discretion of the organization to determine if the access to the personal data causes a potential risk that would be significant to be addressed to the public. 
• Understanding the Legal Requirements: Understanding G.D.P.R and other privacy laws is very important for a company. Though the privacy laws vary from country to country the core objective is the same, a thorough understanding of the regulations and penalties is a must, as there might be a chance of higher and more severe penalties in different areas in case of non-compliance. All the companies that are collecting personal data should train their employees and third-party associates or anyone that has access to the collected personal data must undergo G.D.P.R training, for a better understanding of the G.D.P.R and its regulations and on how to handle personal data.  

Data protection laws in different countries

• Ireland – Data Protection Act 2018.
• United Kingdom – The UK Data Protection Act, 2018.
• United States of America – New York Privacy Act, The New York Shield Act.
• Canada – California Privacy Rights Act.
• Singapore – Personal Data Protection Act 2012.
• India – The Personal Data Protection Bill.

Conclusion 

One of the main advantages of a data flow map is that it facilitates transparency within the company and discloses to its consumers, which is one of the most important core principles of GDPR. Every company or an organization must follow GDPR if they are handling or collecting or processing data and there can be no excuse in not following the G.D.P.R. A company or an organisation cannot go on record and claim that they are not aware of data collection, processing and sharing, as it will be difficult to disclose that to consumers and other data subjects through its privacy policy and other notices. Data maps not only helps to maintain transparent and risk-free processing but can also be used for a variety of other purposes, such as to enhance the business, IT sector in the company, IT controls,  swiftly identifying the areas for risk mitigation, providing ideas for annual budget planning and also for staff training opportunities. Overall the very inception of a data flow map is to provide a tool to the companies and organizations to be transparent and risk-free processing and it is arguably the best compliance tool that’s been prescribed under the GDPR. 

References

• https://www.itgovernanceusa.com/blog/what-you-need-to-know-about-data-flow-mapping
• https://www.privado.ai/post/gdpr-data-mapping
• https://www.clarip.com/data-privacy/gdpr-data-mapping-importance/
• https://www.privado.ai/post/gdpr-data-mapping
• https://www.itgovernance.eu/en-ie/gdpr-data-mapping-ie
• https://securiti.ai/blog/gdpr-data-mapping/
• https://www.vistainfosec.com/blog/what-is-gdpr-data-flow-mapping/

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.