GDPR creating data flow maps

The General Data Protection Regulation (“GDPR”) gives individuals in the European Union (“EU”) control over their personal data. Under the GDPR, both controllers and processors must maintain an internal record of their processing activities, and must make that record available to a supervisory authority on request. In this guide, we will explain:

  • What is a data flow map under the GDPR: General Data Protection Regulation?
  • How to create a data flow map to comply with the GDPR

What is a data flow map under the GDPR: General Data Protection Regulation?

The GDPR requires a controller to maintain an internal record of all its data processing activities. Creating a data flow map helps an organization see whether it is meeting that requirement: a controller cannot record what it does not know it holds. As a further benefit, data mapping gives an organization visibility into its data and lets it monitor where that data flows.

Article 30 sets out the requirement for controllers and processors to keep a record of processing activities, which must be made available to a supervisory authority on request. Article 30 is concerned with recording the details of data processing activities. Once the mandatory details are recorded, a controller may choose to add more detail to its record (for example, the lawful basis for each purpose, which Article 30 does not itself require).

In the EU, a “controller” determines the purposes and means of the processing of personal data. A “processor” processes personal data on behalf of the controller.

Under Article 30, a controller or its representative must maintain a record of processing activities under its responsibility. The record must contain all of the following information:

  1. The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer;
  2. The purposes of the processing;
  3. A description of the categories of data subjects and of the categories of personal data;
  4. The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
  5. Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  6. Where possible, the envisaged time limits for erasure of the different categories of data;
  7. Where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

Each processor or its representative must maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  1. The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  2. The categories of processing carried out on behalf of each controller;
  3. Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  4. Where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

The records must “be in writing, including in electronic form.” If requested, the controller or the processor must make the record available to a supervisory authority.

Under Article 30(5), the obligations do not apply to an enterprise or an organization employing fewer than 250 persons, unless any of the following is true of the processing it carries out:

  • The processing is likely to result in a risk to the rights and freedoms of data subjects,
  • The processing is not occasional, or
  • The processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10.

Note that these are conditions that remove the exemption, not separate exemptions. In practice the exemption is narrow: routine processing such as payroll, HR records, or customer accounts is not “occasional,” so most small organizations still have to keep a record for at least those activities.

To comply with Article 30, a data controller may use a recording method such as a data inventory or a data flow map. A data inventory is a list of all the personal data that an organization holds and processes. A data flow map is a visualization of how that data moves through and out of the organization. Either or both methods may be used to help comply with the GDPR.

How to create a data flow map to comply with the GDPR

A data flow map provides an organization with a visual overview of all the data that it collects and stores. The map should pinpoint all of the locations where personal data is stored, which includes data located both within and outside the controller’s organization. Using the map, an organization can gain insight into the potential risks related to its data. 

To assemble a data flow map, an organization must first understand the flow of its data, including each transfer of data from one location or party to another. Only then can it describe that flow accurately.

Obtaining a detailed data flow description requires walking through the information lifecycle to identify the uses of data throughout the organization. A controller must identify:

  • Data items – What type of information is being processed?
  • Categories – Which categories of data subjects and of personal data are processed?
  • Formats – In what format is the data stored (paper, database, files, backups)?
  • Transfer method – How is the data collected and how is it shared?
  • Location – Where is the data stored, and where is it transferred to, including any country outside the EU?
  • Accountability – Who is responsible for the personal data?
  • Access – Who is authorized to access the data?
  • Legal basis – What is the lawful basis for processing the personal data?

Once a controller has a basic idea of what personal data it has, it will be ready to begin documenting its data processing activities that it must record under the requirements of the GDPR. 
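One way to turn the answers to those questions into something a controller can check rather than just read is to record each flow as structured data and derive the Article 30(1) entries from it. The following is an added example written for this guide, not code from the ICO or from any product; the systems, vendors, country codes and flows are constructed sample data, and the EEA list and Article 9 categories are encoded as assumptions. It groups flows by purpose into the record and flags the gaps a controller would have to close before the record is complete: a missing Article 6 lawful basis, special category data with no Article 9(2) condition, a transfer outside the EEA with no documented safeguard, and a missing retention period (which Article 30 asks for only “where possible,” but which a complete map should still try to capture).

```python
"""Model a GDPR data flow map as a list of flows, derive the Article 30(1)
record from it, and flag gaps a controller would have to close.

Added illustration for this guide, not code from the ICO or any product.
Country codes, system names and flows below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# EU member states plus the three EEA/EFTA states (assumption: this list is
# the boundary used here); a recipient anywhere else is a third-country
# transfer under Chapter V of the GDPR.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Article 9(1) categories; processing them needs an Article 6 lawful basis
# AND a condition under Article 9(2).
SPECIAL_CATEGORIES = {
    "health", "biometric", "genetic", "racial or ethnic origin",
    "political opinions", "religious beliefs", "trade union membership",
    "sex life", "sexual orientation",
}


@dataclass(frozen=True)
class Flow:
    """One edge of the data flow map: personal data moving from a source
    system to a recipient for a stated purpose."""
    purpose: str
    data_subjects: str            # e.g. "employees", "customers"
    data_categories: tuple        # e.g. ("name", "bank account")
    source: str                   # internal system the data comes from
    recipient: str                # where it goes (internal or external)
    recipient_category: str       # Art. 30(1)(d): category of recipient
    recipient_country: str        # ISO 3166-1 alpha-2 code
    lawful_basis: Optional[str]   # Art. 6(1) basis, e.g. "contract"
    art9_condition: Optional[str] = None      # Art. 9(2) condition, if needed
    retention: Optional[str] = None           # Art. 30(1)(f), "where possible"
    transfer_safeguard: Optional[str] = None  # Art. 30(1)(e) / Chapter V


def is_third_country_transfer(flow: Flow) -> bool:
    return flow.recipient_country.upper() not in EEA


def article30_record(flows):
    """Group the map by purpose into the entries Article 30(1)(b)-(f) ask for.
    Returns {purpose: {...}} so it can be rendered or exported as needed."""
    record = defaultdict(lambda: {
        "data_subjects": set(), "data_categories": set(),
        "recipient_categories": set(), "third_country_transfers": set(),
        "retention": set(),
    })
    for f in flows:
        entry = record[f.purpose]
        entry["data_subjects"].add(f.data_subjects)
        entry["data_categories"].update(f.data_categories)
        entry["recipient_categories"].add(f.recipient_category)
        if is_third_country_transfer(f):
            entry["third_country_transfers"].add(
                (f.recipient_country.upper(), f.transfer_safeguard or "NONE DOCUMENTED"))
        if f.retention:
            entry["retention"].add(f.retention)
    return dict(record)


def find_gaps(flows):
    """Return (flow description, issue) pairs for each item the record cannot
    yet fill in, or that points at processing without a lawful footing."""
    gaps = []
    for f in flows:
        where = f"{f.source} -> {f.recipient} ({f.purpose})"
        if not f.lawful_basis:
            gaps.append((where, "no Article 6 lawful basis recorded"))
        if SPECIAL_CATEGORIES & set(f.data_categories) and not f.art9_condition:
            gaps.append((where, "special category data without an Article 9(2) condition"))
        if is_third_country_transfer(f) and not f.transfer_safeguard:
            gaps.append((where, f"transfer to {f.recipient_country} with no documented safeguard"))
        if not f.retention:
            gaps.append((where, "no retention period / erasure time limit recorded"))
    return gaps


# Constructed sample map for a small employer that also runs a CRM.
SAMPLE_FLOWS = [
    Flow("payroll", "employees", ("name", "bank account", "salary"),
         "HRIS", "PayrollCo GmbH", "payroll processor", "DE",
         lawful_basis="contract", retention="7 years after employment ends"),
    Flow("sick leave administration", "employees", ("name", "health"),
         "HRIS", "HRIS", "internal HR staff", "FR",
         lawful_basis="legal obligation", retention="3 years"),
    Flow("customer analytics", "customers", ("email", "purchase history"),
         "CRM", "Analytics Inc.", "analytics processor", "US",
         lawful_basis="legitimate interests", transfer_safeguard="SCCs",
         retention="24 months"),
    Flow("customer support", "customers", ("name", "email", "ticket text"),
         "CRM", "HelpDesk Ltd", "support processor", "IN",
         lawful_basis=None),
]

if __name__ == "__main__":
    for purpose, entry in article30_record(SAMPLE_FLOWS).items():
        print(purpose, {k: sorted(v) for k, v in entry.items()})
    for where, issue in find_gaps(SAMPLE_FLOWS):
        print("GAP:", where, "-", issue)
```

On the constructed data the payroll and analytics flows produce clean entries, the sick leave flow is flagged because “health” is a special category with no Article 9(2) condition recorded, and the support flow to India is flagged three times (no lawful basis, no transfer safeguard, no retention period). Keeping the map in a form like this, rather than only as a diagram, is what makes it easy to re-run the checks when a vendor, country or retention period changes.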

To document data processing activities, the Information Commissioner’s Office (“ICO”) in the United Kingdom suggests three steps that a controller should take to conduct a data-mapping exercise or an information audit. The steps are:

  1. Devise a questionnaire 
  2. Meet directly with key business functions
  3. Locate and review policies, procedures, contracts, and agreements

First, a controller should distribute a questionnaire to the areas of its organization that process personal data. The questions should be concise so that the people who run those areas understand what information needs to be documented. The goal is to understand the various business processes throughout the organization. Example questions include:

  • What personal data do you collect?
  • When do you collect the data?
  • Why do you use personal data?
  • Is collecting the personal data necessary?
  • Do you encrypt the data?
  • Who may access the personal data?
  • Do you share the data with other organizations?
  • How long do you keep data?
  • Do you transfer data outside of your country?
  • How do you secure the data?

Second, the controller’s top data managers should meet directly with leaders of the departments that provide core business functions. This will help the controller to gain a better understanding of how certain parts of its organization collect, use, and transfer data. Examples of departments include:

  • Information technology (IT) – The IT staff can help answer questions about business applications, technical security measures, and data retention periods.
  • Administrative – Human resources and accounting departments usually share data back and forth for activities related to hiring and paying employees.
  • Legal and compliance staff – Employees that provide legal and compliance services should have access to the details of any data-sharing arrangements.

Third, a controller should gather and review its policies, procedures, contracts, and agreements. These documents should be compared and contrasted to understand the controller’s data processing activities. Examples include:

  • Privacy policies and notices
  • Data protection policies
  • Data retention policies
  • Data security policies
  • System use procedures
  • Data processing contracts
  • Data sharing agreements

Once a controller gathers the completed questionnaires, meets with organizational leaders, and reviews company documents, the controller should put its findings in writing, which can be in paper or electronic form. As a best practice, an organization should maintain its documentation electronically so the organization can easily update its data processing activities.

The record of a controller’s processing activities needs to reflect all the different types of uses of its data. A data flow map needs to show the meaningful links between the different types of data. For example, a controller may:

  • Collect different categories of data with different retention periods
  • Have a variety of purposes for processing the personal data
  • Share personal data with different types of regulated organizations

The ICO’s guidance for creating a data flow map is a flexible model that controllers can customize to fit their needs. However, the ICO strongly suggests that a controller should complete the process in a “granular and meaningful way.” A “generic list of pieces of information” will not meet the GDPR’s documentation requirements. As a helpful tool, the ICO provides documentation templates for both controllers and processors on its website.

A data mapping exercise also helps an organization meet other GDPR obligations, such as Data Protection Impact Assessments (Article 35) and responding to data subject access requests (Article 15), because both depend on knowing where each category of personal data is held. Additionally, the data flow map process helps an organization with:

  • Discovering unforeseen or unintended uses of data
  • Finding ways to minimize what data is collected
  • Improving efficiencies with organizational processes and controls
  • Making sure the users of the data are trained in best practices
  • Identifying the need for contractual updates with third-party providers
  • Considering the potential uses of data in the future

The GDPR protects the personal data of individuals in the EU, regardless of their citizenship. If you are a controller or processor of the personal data of people in the EU, your organization must be ready to provide documentation about your data processing activities. Termageddon’s Privacy Policy generator can help you meet the GDPR requirements and avoid fines.