Why Data Mapping Is Crucial for GDPR Compliance

Data mapping is one of your first steps towards GDPR compliance. Discover how it helps with DPIAs, RoPAs and data subject right compliance here.

Does your business collect, process and store personal data? If yes, do you know exactly where all this data is and where it’s going? 

As with cash flow, every business should know its data incomings and outgoings. Without this insight, it’s difficult to demonstrate compliance with data protection laws.

Data mapping is a process for tracking and logging all the data you collect, store and use. It’s the first step of your GDPR audit and helps meet many legal requirements, including records of processing activities (RoPA) and information rights requests such as subject access requests (SARs). 

In this guide, we’ll cover what data mapping includes, what it helps with and tools that streamline data management. 

What Is Data Mapping?

Data mapping involves mapping out what personal data you process, where it originates and goes, and how you store it. Essentially, you’re monitoring the ins and outs of your data collection and processing activities.

At the start of a GDPR audit, our auditors will create a comprehensive map of all personal data that flows through your organisation. It helps indicate how much data you’re dealing with and whether your existing measures are enough to keep your business compliant. 

What to Consider in a Data Map:

    1. What data are you collecting? You need to know what type of personal data you’re collecting and whether this is considered to be special category personal data.
    2. Where do you store data? Data can be stored anywhere, so limit storage to a secure location accessible to all relevant parties.
    3. Do you transfer your data? If you transfer data to external parties in the EU or non-EU countries, you must outline the safeguards you have relied on to facilitate the transfer of personal data.
    4. What’s the lawful basis? You should only process data on lawful grounds. There is a common misconception that you can only share personal data with someone’s consent, but this is not the case. Consent is one of six lawful bases you can rely on, and the most appropriate will be determined on a case-by-case basis.
    5. What format is the data in? Data comes in many forms, so identifying its format will help you filter between information. 
    6. What’s your data retention period? You must establish how long you process and store data.  

What Is the Purpose of a Data Map?

Data mapping is critical to your accountability obligations as it lays the groundwork for many compliance activities. These include:

Records of Processing Activities (RoPAs)

RoPAs are a legal requirement outlined in Article 30 of the UK GDPR. You should record all processing activities, including but not limited to the lawful basis, the categories of people and data you process and any third-party transfers.

What you need to document will depend on whether you are a data controller or processor. A lot goes into a RoPA, but with data mapping, you’ll have a clearer picture of processing activities across the business. 

Want to learn more about RoPAs? Listen to part one and part two of our RoPA roundup on Data Protection Made Easy

Data Protection Impact Assessment (DPIA)

A DPIA is a process of identifying and minimising data protection risks of a project. Under Article 35 of the UK GDPR, a DPIA is necessary for processing that ‘is likely to result in a high risk to the rights and freedoms’ of individuals. 

Along with a risk assessment, your DPIA will outline the scope, nature, context and purposes of processing. A data mapping exercise will organise all the data into an inventory, making high-risk data sets easier to find and identify.

Data Subject Rights Compliance 

The UK GDPR empowers individuals (data subjects) to hold businesses accountable for the data they control or process. From erasing data to restricting processing, a data subject’s rights must be protected, or the business faces non-compliance.

So, how does data mapping come into play? 

The most commonly exercised data subject right is the right of access, also known as a subject access request. Organisations are legally required to provide individuals with a copy of all the data held on them. A data map will help you locate this information so you can respond to the request within the stipulated one-month timeframe.

The same goes for erasing and rectifying. You can regularly update your data inventory to uphold these rights. 

Data Breach Management

If you have a personal data breach, data mapping will help you identify who has been affected and what data has been breached. This will prove crucial when handling a personal data breach and will help organisations should they be legally required to notify the ICO (Article 33 of the UK GDPR) and data subjects.

DataWise: SAR, RoPA & DPIA Management Tool 

Are you drowning in data management? We have just the tool—DataWise. This tool simplifies record-keeping for Data Protection Officers (DPO), making their lives easier. 

With our DataWise platform, you can: 

  • Monitor and manage information rights requests and Freedom of Information requests so everything is addressed in time;
  • Create and maintain RoPAs and DPIAs with multi-user access, revision history and transparent audit trails of what’s been done;
  • Log all incidents, including personal data breaches, allowing you to assess what went wrong and whether it’s reportable; 
  • Centralise all data processing agreements and any due diligence records;
  • Record all data protection training records, automate your team’s reminders and much more! 

Need a GDPR Audit? 

Data mapping alone isn’t enough to comply with the UK GDPR. For many businesses, it’s the first step to compliance.

At Data Protection People, we conduct expert data protection audits that analyse how you collect, store and use information. We’ll identify gaps, provide recommendations and offer ongoing data protection support should you want to partner with us. 

Contact our team today to start your GDPR audit