Data Mapping solicitors

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new requirements that organisations must meet.

One of the new core requirements of the GDPR is to know and to document the personal data that an organisation uses, what it is used for, where it is stored, where it flows from and to, and how it is protected. This is summarised in Article 30 of the GDPR, which requires organisations to establish and maintain records of processing activities.

Controllers must document all the applicable information under Article 30(1) and processors must document all the applicable information under Article 30(2). Records of processing activities must also be made available on demand to applicable data protection authorities (in the UK, the Information Commissioner’s Office).

What is data mapping?

Data mapping is an important technique used to help organisations clarify what personal data they hold and where they hold it. Conducting a data mapping exercise should be the first step towards making an organisation GDPR compliant.

Why do I need a data map?

A record of processing is a critical document for any organisation that processes personal data in the EU. Creating a data map will help organisations establish and maintain these written records of processing to the standard required by Article 30. Once the data map is complete, an organisation will not only know where all its data is held but will also be able to use the map to support several other GDPR obligations, such as completing Data Privacy Impact Assessments and various privacy notices. A data mapping exercise will also help organisations spot any high-risk processes, making GDPR compliance much easier in the long run.

How do I create a data map?

Commonly, data mapping lawyers will begin with a questionnaire. The type and number of questions asked will depend upon the size of the organisation and the nature of the service it provides. Common questions to ask include:

  • What kind of data is being processed; e.g. name, email, address and telephone number?
  • How is this data stored; e.g. on a database or in hard copy?
  • Why does the organisation need this data and what is it used for?
  • Who has access to the data in question?
  • What is the legal basis for processing; e.g. consent, legitimate interests?

When documenting the findings, the records you keep must be in writing. The information must also be stored in a granular and meaningful way, and it is often beneficial to create a visual map.

The whole data mapping exercise can be a time-consuming and complicated process. Get in touch with our data mapping solicitor Neil Williamson if you would like some guidance or advice.