GDPR: Each entity processes personal data differently and it’s difficult for most organisations to know where to start.
To understand how the regulation applies to your organisation you need to understand which data you’re processing. You can’t protect personal data if you don’t know what it is, where it is and how it’s currently managed. This means you need to create a data map. It’s an absolute must!
A data map will help you understand which data you’re processing, why it’s processed, when it’s collected, where it’s stored, who it’s shared with and how it’s protected. Given the number of departments that may be collecting and processing different data sets for different purposes it can be a bit tricky.
Cloud-based collaborative services can simplify this process by involving relevant individuals from different departments and giving oversight to the data protection officer (DPO) or data protection representative responsible for GDPR compliance.
1. Personal data and processing
To create a record of all the personal data held by your organisation you need to understand how personal data is defined under the GDPR.
Personal data is ‘any information relating to an identified or identifiable natural person (data subject)’. An identifiable person is a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an ID number, location data, an online identifier or to factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. So it’s extremely broad.
Processing is any operation (or set of operations) performed upon personal data (or sets of personal data) whether by automated means or not, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying. So this is even broader.
2. Create your data subject inventory
Now that you understand what personal data is and that a data subject is any identifiable natural person you hold personal data on, it should become clear what a data subject inventory is.
The first step in creating a map is to make a list of the different types of data subjects for which your organisation processes personal data. Broadly, some general data subject types would be clients, prospective clients, employees, prospective employees, consultants, contractors and suppliers.
Each organisation’s data subject definitions will be unique to them and should be defined by the organisation. It can be as detailed as you like, for example clients could be defined by product or service category.
3. Creating the data map
For each data subject you’ll need to define the processing purpose, i.e. why and how you’re processing their personal data. Under the GDPR, processing of personal data must be lawful, so for each processing purpose you’re required to record a legal basis. The lawful bases are set out in Article 6; where special categories of personal data (such as health or biometric data) are involved, one of the additional conditions in Article 9 must also be met. One of the key principles of the GDPR is storage limitation, so as part of the data mapping process, when you consider the purpose for which you hold the information, you should also decide whether to retain it and for how long.
The data mapping process needs to include an inventory of the types of personal data and sensitive personal data that you hold on each data subject type. It should contain an inventory of the processing locations and data transfers, as well as an inventory of where the personal data is collected. Good data mapping tools collect this information in a structured fashion and allow you to see a visualisation of the links.
4. Mapping the 5W’s
This section provides guidance for all controllers (and processors) in creating an inventory and map of data processing activities. Application and contact forms (hard copy or online) will often provide a good starting point from which to follow the data trail for customers, and similarly for staff. Whilst this resource follows the path below, it is only a guide to the basic thought process. The type, complexity, volume, sensitivity or risk of the processing may require a more in-depth or sophisticated exercise.
5. WHY… is personal data processed?
Personal data is broadly defined in the GDPR (see section 1): any information relating to a natural person who can be identified, directly or indirectly, whether by an identifier such as a name, identification number, location data or online identifier, or by factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. Consider all areas of the business and list all the reasons that personal data is used.
6. WHOSE… personal data is processed?
For each of the reasons identified list all the different categories of persons about whom personal data is processed.
Non-exhaustive examples of categories of persons include:
• Staff (specify: current/potential/former)
• Clients (specify: current/potential/former)
• Business contacts/suppliers
• Complainants, correspondents, enquirers
• Members or supporters
• Offenders and suspected offenders
• Other (describe)
7. WHAT… personal data is processed?
For each reason identified list all the different types of personal data recorded or used and identify the source and legal basis of the data. Note that several of the types below (health, genetic and biometric data, sexual orientation, racial or ethnic origin) are special categories of personal data under Article 9 and need an additional condition beyond the Article 6 basis, and that criminal convictions and offences data is subject to Article 10. Non-exhaustive examples of types of personal data:
• Personal details – (specify – name, address, email, telephone, date of birth, emergency contact, sexual orientation, ethnicity, etc.)
• Financial details – (specify – bank account, credit card details, National Insurance (NI) number, tax reference etc.)
• Health information
• Images/ Voice recordings
• ‘Know your customer’ or due diligence (specify – passport, tax reference, source of wealth etc.)
• Passport/driving licence/national ID card details
• IP address
• Criminal convictions/offences
• Biometrics – Finger print/retinal scan/DNA etc.
• Education & training
• Employment details (specify – CV, references, annual appraisals, employment status, work permit, leave, sickness etc.)
8. WHEN … is personal data processed?
‘Processing’ includes the actions of obtaining, disclosing and deleting personal data. For each reason identified establish:
• when the personal data is obtained
• to whom it may be disclosed, and why
• how long it is retained for
9. WHERE … is personal data processed?
For each of the reasons for processing identified, establish where processing occurs (there may be more than one location):
• Manual records – location?
• Electronic records – format?
• In-house managed systems
• Bring your own device (BYOD)/remote working
• External hosted service – specify Isle of Man (IOM)/UK/EU/USA/another jurisdiction
• Cloud service – specify Isle of Man (IOM)/UK/EU/USA/another jurisdiction
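The data map described in sections 3 to 9 is easiest to keep honest when it is a structured record that can be checked automatically. The following is an added example (not code from the original page or from any data-mapping product): a hypothetical record structure covering the 5 Ws, plus the checks a DPO would run over it, such as an unrecognised Article 6 basis, special-category data with no Article 9 condition, a missing retention period, no recorded processing location, and data held in a jurisdiction outside the controller's home set. The `HOME_JURISDICTIONS` set (Isle of Man, UK, EU) is an assumption for an IOM-based controller, and the sample data map is constructed for illustration.

```python
"""Added example: a minimal data-map record and the consistency checks a
DPO would run over it. The structure and the home-jurisdiction set are
assumptions for illustration, not from the original page."""
from dataclasses import dataclass, field
from typing import List, Set

# Special categories of personal data (Article 9) and the Article 6 bases.
SPECIAL_CATEGORIES = {
    "health", "biometric", "genetic", "sexual orientation", "ethnicity",
    "racial origin", "political opinions", "religious beliefs",
    "trade union membership", "sex life",
}
ARTICLE_6_BASES = {"consent", "contract", "legal obligation",
                   "vital interests", "public task", "legitimate interests"}
# Assumption: jurisdictions treated as "home" for a hypothetical IOM-based
# controller; anything else is flagged so a transfer mechanism is recorded.
HOME_JURISDICTIONS = {"IOM", "UK", "EU"}


@dataclass
class ProcessingActivity:
    data_subjects: str                 # WHOSE
    purpose: str                       # WHY
    data_types: Set[str]               # WHAT
    source: str                        # where the data is collected
    lawful_basis: str                  # Article 6 basis
    article_9_condition: str = ""      # required only for special categories
    collected_when: str = ""           # WHEN obtained
    recipients: List[str] = field(default_factory=list)  # WHEN disclosed, to whom
    retention: str = ""                # how long it is kept
    locations: List[str] = field(default_factory=list)   # WHERE (systems/records)
    jurisdictions: Set[str] = field(default_factory=set) # WHERE (countries)


def check_activity(a: ProcessingActivity) -> List[str]:
    """Return a list of findings for one record; empty means it is complete."""
    findings = []
    if a.lawful_basis not in ARTICLE_6_BASES:
        findings.append(f"{a.purpose}: '{a.lawful_basis}' is not an Article 6 basis")
    special = a.data_types & SPECIAL_CATEGORIES
    if special and not a.article_9_condition:
        findings.append(f"{a.purpose}: special-category data {sorted(special)} "
                        "recorded without an Article 9 condition")
    if "criminal convictions" in a.data_types:
        findings.append(f"{a.purpose}: criminal offence data; confirm Article 10 authority")
    if not a.retention:
        findings.append(f"{a.purpose}: no retention period defined")
    if not a.locations:
        findings.append(f"{a.purpose}: no processing location recorded")
    third_countries = a.jurisdictions - HOME_JURISDICTIONS
    if third_countries:
        findings.append(f"{a.purpose}: data held in {sorted(third_countries)}; "
                        "transfer mechanism needed")
    return findings


def check_data_map(activities: List[ProcessingActivity]) -> List[str]:
    """Run check_activity over the whole map and flatten the findings."""
    return [f for a in activities for f in check_activity(a)]


# Constructed sample data map (illustrative records, not real data).
SAMPLE_MAP = [
    ProcessingActivity(
        data_subjects="employees (current)", purpose="payroll",
        data_types={"name", "bank account", "NI number"},
        source="HR onboarding form", lawful_basis="legal obligation",
        collected_when="at hire", recipients=["payroll provider"],
        retention="6 years after employment ends",
        locations=["HR system"], jurisdictions={"IOM"},
    ),
    ProcessingActivity(
        data_subjects="employees (current)", purpose="sickness absence management",
        data_types={"name", "health"}, source="self-certification form",
        lawful_basis="legal obligation",   # Article 9 condition left blank
        recipients=["line managers"], retention="",
        locations=["cloud HR service"], jurisdictions={"USA"},
    ),
    ProcessingActivity(
        data_subjects="prospective clients", purpose="marketing newsletter",
        data_types={"email", "name"}, source="website sign-up form",
        lawful_basis="business need",      # not a recognised basis
        retention="until unsubscribed", locations=[], jurisdictions={"EU"},
    ),
]

if __name__ == "__main__":
    for finding in check_data_map(SAMPLE_MAP):
        print("-", finding)
```

Running the script lists five findings: none for payroll, three for the sickness-absence record (missing Article 9 condition, no retention period, data in the USA) and two for the newsletter (unrecognised lawful basis, no location). The same structure extends naturally to other checks, for example that every recipient also appears as a processor with a contract in place.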