Why is data mapping so crucial?
Locating data across your business and creating your records
Mapping your data and creating a Record of Processing Activities is widely recognised as the best foundation for any successful privacy programme.
It’s one of the UK Information Commissioner’s Office’s (ICO) key expectations:
‘Your organisation carries out information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.’
Believe it or not, some people don’t get excited by data mapping and record keeping! Nevertheless, maintaining effective records of your data processing is an important obligation under data protection law, and it brings a range of benefits to your privacy programme. So let’s take a look.
Data discovery and mapping
This is the process of mapping out your data and how it flows across the business. Personal data may be held on a wide range of systems used by almost every function of the business – including HR, Marketing, Operations, IT, Logistics and so on. In many situations the data may be located on third-party supplier systems.
So where to start? First talk with your IT colleagues who look after the systems the data is located on. Some businesses may already have an inventory of their systems.
Mature businesses might even have an Information Asset Register (IAR), which lists all your information assets on each system. If so, you’re off to a flyer!
But if you’re not in that fortunate position, there are various ways to conduct a data mapping exercise. We suggest you take it a step at a time and set clear priorities.
Focus first on the datasets that are likely to pose the greatest data protection risk in the event of a data breach or other privacy violation. You can always build out from there later.
You might consider using technology to ‘sniff out’ personal data. Or you might talk with your IT teams to draft an inventory of your key systems & service providers, what personal data they hold and who the internal ‘owners’ (decision-makers) for these datasets are.
Record of Processing Activities (RoPA)
A RoPA is a key requirement for many organisations under the UK and EU GDPRs, notably those with 250 or more employees. The requirement applies to both controllers and processors. Organisations with fewer than 250 employees have a limited exemption, but it does not cover processing that is regular, risky or involves sensitive data (see ‘A proportionate approach for smaller organisations’ below).
But what is the data used for? A RoPA links your personal data assets to the activities the data is used for, who carries them out, where the data is located, any third parties it’s shared with, what measures are in place to protect it… and so on.
Fortunately, these activities (or uses for personal data) are usually linked to specific business functions/teams within an organisation. For example, the HR team will know all the activities associated with recruitment and employment of staff.
To create the RoPA, the two main approaches are to a) invest in privacy software with a RoPA module or b) use an Excel-based template from a Supervisory Authority (e.g. the ICO) and populate it by collaborating with all the business functions which use personal data.
This is not a task to be taken lightly; the requirements for record keeping are onerous, and it’s an area which many businesses have found challenging. And once you’ve created the RoPA, you’ll need to keep it up to date over time.
Gain extra benefits
Your RoPA should be the first place to look if you suffer a data breach, helping you to identify the categories of individual, sensitivity of the data, any data processors involved, who the data was shared with and so on. It can also be very helpful to reference your RoPA when handling Data Subject Access Requests, so you know where to look for the data required.
A proportionate approach for smaller organisations
Even smaller organisations, which may benefit from exemption from creating a full RoPA, still have basic record keeping responsibilities, which should not be overlooked and could still prove very useful. Smaller organisations only need to document their processing which is:
- not occasional – therefore all the frequent processing must still be documented; or
- activities which could result in a risk to the rights and freedoms of individuals; or
- those which involve the processing of special categories of personal data, or data on criminal convictions.
A short guide to keeping your data records complete and up-to-date
1. Why? – The need for accurate records
If your records are allowed to become outdated, you can quickly lose track of the reach of your processing, leaving you uncertain at exactly the moment you most need clarity. After all, if you don’t know about certain processing, or hold no record of it, how can you possibly be sure the business is protecting that data?
There’s always some new system, processing activity or change of suppliers, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need to carry out a Data Protection Impact Assessment or Legitimate Interests Assessment.
If requested you might need to make your records available to a Supervisory Authority, such as the ICO, so you’d want to be sure they are in good shape. Allowing them to get out of date makes the job of getting them back into order all the more difficult.
2. Who? – Stakeholder relations
Make sure you have enlisted the support of your Board, as you’ll need help from many stakeholders to update you about changes to data processing in their area and notify you of new service providers to keep the RoPA updated.
No DPO or data protection team can create or maintain the records on their own. They always need the support of others. We suggest you use a ‘top down’ as well as a ‘bottom up’ approach.
Have you identified ‘data owners’ who are accountable for key datasets within the business? For example:
- Human Resources – employment & recruitment data
- Sales & Marketing – customer / client data
- Procurement – supplier data; and so on
Each data owner needs to understand their role & responsibilities to meet internal data policies and ensure their function’s processing complies with data laws.
Building a regular two-way dialogue with data owners is essential, not only for record keeping but many other data protection tasks. They will be best placed to tell you what data they hold, what it’s used for and what measures they use to protect it.
3. What? – Make sure you’re capturing all the right information
Check you’re capturing all the RoPA requirements. These are slightly different if you act as a controller or processor (or may act as both). If you want to check, see the ICO’s guidance on documentation.
I hope this short guide helps you to keep your own records up to scratch. I do find sharing the message about how helpful the RoPA can be if you suffer a data breach, or receive a data subject access request, can motivate others to support you with this important task. Remember, you can’t make sure personal data is adequately protected if you don’t know where it is and what it’s used for. Good luck!