If you don’t know where your business collects, stores, and processes consumer data, you can’t manage that data in a compliant fashion. You won’t know whether:
The EU’s General Data Protection Regulation (GDPR) has changed the way the world approaches data privacy—and without the ability to map your data, it’ll be challenging or impossible to build a foundation for compliance.
The term “data mapping” is not mentioned in the GDPR, so some argue it’s not truly mandatory. However, the GDPR does require businesses to meet requirements like creating records of processing activities (RoPA), fulfilling data subject access requests (DSAR), and conducting data protection impact assessments (DPIA). Without data mapping, complying with these requirements is not possible.
In simple terms, data mapping means mapping sets of data to their destination. For companies concerned about GDPR compliance, this means having well-organized and structured records of their data that are easily accessible when needed.
GDPR data mapping, specifically, will assist you with a number of compliance activities, including developing your RoPA, answering DSARs, and creating DPIAs. Consider your process for fulfilling DSARs. If you’ve never mapped your data, you won’t know where the data you collect from users flows to or what form it takes once it reaches its destination.
That’ll make it challenging to respond to a DSAR within the 30-day timeline mandated by the GDPR or to provide the data subject with their data in a portable, easily accessible format (which is another GDPR requirement).
But if you mapped all your data, this entire process will be much easier and smoother. You’ll know exactly where the data is, why you needed to collect it, and how you use it.
Since the regulation doesn’t explicitly mention data mapping, there are no official GDPR data mapping requirements. But considering what we know about the record-keeping requirements in the GDPR, there are a few key elements we can consider.
What data are you collecting? You should have a good grasp of the data you’re collecting. Is it names, addresses, locations, local identifiers, sensitive information, or something else entirely? Document everything even before you start the data mapping process.
Where are you collecting the data? Be sure to account for all sources of data collection, not just the most visible ones.
Where are you storing the data? This is one of the most important questions, especially when it comes to fulfilling DSARs. The answer might become complicated if you use multiple data stores.
Do you transfer the data? If so, where? Look at both internal transfers and especially at external ones. If data is crossing borders, particularly to non-EU countries, this step will be even more important in helping you achieve GDPR compliance.
What are the purposes behind the data processing? Remember that you need consent from the users in most cases. Ideally, you’ll only process data for strictly necessary purposes to reduce the risks of data breaches and to simplify compliance.
How long do you retain the data? Last, but not least, you need to know exactly how long you’ll be processing and storing the data. The duration is not necessarily part of data mapping, but answering this question will help you reduce your risk.
GDPR’s Article 30 details everything about an organization’s obligation to maintain records of processing activities (RoPA). Because RoPA and GDPR data mapping go hand in hand, this is a crucial article that sets the direction for all your efforts in this area.
Among its provisions, businesses must document:
We could say Article 30 provides a template for GDPR data mapping. You still need to put in some effort to identify all the necessary information, but once you do that, you’ll see creating your data map isn’t as complicated as it looked at first.
In theory, data mapping can be done manually. In practice, that’s not recommended. Unless you’re a very small company processing the data of only a handful of users, the process will be extremely challenging. By the time you finish mapping everything, there’s a high chance your organization will have new data sources to map.
Finding the right GDPR data mapping software will require some careful planning and analysis. Here’s what to look for.
Data mapping can be challenging enough on its own. The software you choose shouldn’t make your job harder. There will be a learning curve, some ramp-up time you need to factor in before you start using it. But your data mapping tool should be as user-friendly as possible so that even those who aren’t used to such software can master it quickly.
Flexibility is also a must. GDPR requirements may be the same for all companies, but each business has its particularities, so you want to have room to customize the process.
You should also check the data visualization options. This is not mandatory, but it will make your life a lot easier. Imagine trying to view your data map, looking for patterns, and trying to explain security measures without a simple and clear visualization option. It is possible, but it won’t be easy. A GDPR data flow diagram will simplify this step a lot.
You can’t begin to map if you don’t know all your data. That’s why you’ll need a data discovery tool. Sometimes, these are part of the data mapping tool. Other times, they come as separate software. Choose the solution that works best for your company, but make sure the tool you select will help you find all the data, regardless of where it is stored or how it is processed.
When selecting a data mapping tool, you’ll need to make sure it can support all the types of data you work with and all the formats in which you store it. This can include databases, spreadsheets, APIs, and other file formats.
Without the right mapping capabilities, you’ll be unable to capture all the details you need, including relationships between sets of data or storage units.
Most GDPR data mapping software is ready for this, but you might still find the occasional tool that is built for one sector only.
If you want to be compliant, ensure the tool you use for data mapping is also compliant. Find out what security measures it has in place, how the vendor handles sensitive data, and more. The last thing you want is to introduce a vulnerability into your systems by using a non-compliant tool.
Data mapping is often a team effort, so it’s best to choose a tool that has collaboration features. Preferably, select one that allows multiple people to work on the project simultaneously. Tracking changes and the option to leave comments will also come in useful for large teams.
Your GDPR data mapping solution will also need to integrate with your other systems. Check for compatibility and other integration options. Can this software work with your other data management tools? Don’t forget about technical support. No matter how good your team is, it’s always best to know the new software comes with support in case you run into any difficulties.
Data mapping is an essential stepping stone on your journey to GDPR compliance. Knowing what data you collect, where you store it, for how long, and with whom you share it is essential not just for privacy, but also for making strategic business decisions.
Data mapping can sound very difficult—if you try to do it manually, that is. But automated tools take a lot of the challenges off your shoulders, helping you find, categorize, and map all the data you process.
Osano can support your GDPR compliance journey. Book a demo today to learn how.