Data mapping and record of processing activities (RoPA) are two concepts that are often misunderstood in data privacy. Sometimes it can be unclear whether you need to create a data map or record the processing activities, or whether the two are identical.
In short, data mapping is the process of determining how data is used by an organization, when it is used and why. Data mapping is an integral step for GDPR compliance and can be defined as the answers to the following questions:
So a data map is a document that shows you the ins and outs of all of your data practices: why you have what data and where you process it. Let’s take a deeper look at the answers to the questions above.
Your organization collects data from your customers in the form of names, addresses, etc. in order to interact with them. Should you save this somewhere, you are processing this personal data. This means that you likely process data to conduct your operations with clients, and even storing employee data on file counts as processing. So data processing is critical to every business.
After successfully defining why you use data, you need to link the personal data you collect to what you do with it. Here it is useful to bear in mind what data you will use to attain your set goals. Here you need to link why you collect data with details like location, IP address, identification number, etc.
As we already saw above, data is processed for automation, integration, human resources, sales, marketing, etc. in your business. In addition, customer personal data is probably processed through cloud computing and software-as-a-service (SaaS) solutions. This means you need to know where this data is held on your behalf. If you are using in-house servers, then this discovery process is simpler. Otherwise you need to know where data is transported when you are using cloud storage or SaaS. A point of note here is that the most popular cloud and SaaS services are in the US.
As we can see from the explainers above, a data map is a document which gives a general overview of what happens with data in your organization: from how you receive it and why to how you deal with it.
The GDPR requires businesses to ensure that personal data is handled lawfully, fairly, and securely. To ensure data protection, it is essential to monitor the data's path from beginning to end. It is impossible to incorporate any protection without a clear understanding of the data lifecycle. As a result, data mapping becomes a critical step toward GDPR compliance, although the exercise is not mandated by the legislation itself.
The GDPR states that a data map is a record that companies can quickly retrieve and show during a GDPR audit. Often organizations include data visualization in their data map to see how their data flows across their systems. An organization’s data map is also likely to include the legal bases for processing personal data: the legal grounds which allow for your personal data processing activities.
When auditing the personal data you process, data maps are generally used to assess the level of third-party access to organizational data. We saw this above when we were trying to figure out where data is. For different purposes, all companies are required to keep a list of third parties with whom they should share their business data. To determine the danger of a specific procedure, your organization must first understand its data flows, determining how data moves across different systems and where it ends up.
So if a data map isn’t required by law, why create one? Well, the biggest advantage of holding an up-to-date data map is that you have a go-to document that shows the what, where, and why of the personal data your organization holds. Should you need to provide a report about it, you already have one ready.
Let's take a look at some of the concrete benefits.
Data mapping makes clear how you collect, use, and store data, enabling you to clearly categorize it. By holding an up-to-date data map, you are always audit ready if the regulator comes knocking. Moreover, consider your data map to be an index of a company's documents and information systems. As a result, a data map can be used as a quick guide to figure out what data is stored where and why. As such, a data map helps streamline the privacy operations for your business.
From a legal standpoint, data mapping helps not only when the authorities are at your door, but also helps your in-house legal team. By having a data map ready, you can be faster and more precise with requests from legal, helping them to do their work more efficiently. Having a data map right at hand means you can streamline data requests, ensuring that the data subject requests can be responded to promptly. When you know exactly which data you have about any given data subject, it's easier to identify data that falls under the data protection law requirements as "relating to an identified or identifiable data subject" and data which isn’t subject to additional protection.
Now that we have an overview of what data mapping is, we can take a look at what a RoPA is. As you will see, data maps and records of processing activities have a lot of overlap. But the main point of note is that RoPA is mandatory and a data map is advised. Let’s dig a little deeper.
RoPA is a record that contains:
According to the GDPR, you don’t need to report to the authorities how you are processing customer data. But you need to keep an internal report of the processing activities which must be provided to the authorities upon request. Article 30 of the GDPR terms this internal report as a record of processing activities.
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”
Article 30 (1) GDPR
GDPR mandates the use of RoPA for every organization which has over 250 employees or if the organization’s activities are data intensive. Data intensive generally refers to:
In addition, there are another two conditions to the data processing that also necessitate a RoPA:
Furthermore, the GDPR lays out minimum requirements for a record of processing activities. In order to maintain a RoPA, the following five actions should be completed:
Before implementing a RoPA, it's a good idea to conduct an information audit to determine what personal data the organization has, where it's stored, and how it's processed.
You must determine if you are a controller or a processor in each operation. If you organize the processing and use a SaaS then you are the controller and the software company processes the data on your behalf.
Breaking down the data you have on data subjects into categories is a crucial step before documenting your activities. Having set categories is fundamental to keeping your personal data in order.
Maintain written and electronic records of your activities. It's crucial to do so methodically and you should keep the documents all in one place.
RoPA isn’t a one-time exercise: the register of activities should be reviewed and updated on a regular basis. Any new processing operations or changes to the intent of existing practices will require an update.
The creation and maintenance of records is a vital part of a company's readiness plan if they are subject to carrying out a RoPA. Creating a RoPA may be the first time your organization looks at its data processes from a company-wide perspective and offers several benefits.
When putting together your RoPA, you may uncover instances where the same kinds of data are saved and updated in different places at different times, making it difficult to determine which reports are the most recent, detailed, and accurate. By creating a RoPA, you have a centralized repository once you've identified these redundancies, allowing you to extract better business performance from your data.
Just as with the data map, when a data subject sends a request for access to or removal of their personal data, the RoPA can assist in determining the type of data and how it is handled. If you have this information on hand, you'll be able to respond to data subject requests efficiently and precisely.
Some businesses find they have been gathering certain categories of personal data for no specific reason during the data discovery process. RoPA may be used to verify that the data being processed has business value. Furthermore, businesses can standardize their systems, remove the need to secure unnecessary data, and concentrate their efforts on data that helps them quickly identify and resolve other business objectives.
Data mapping is an exercise to determine what personal data is stored and how it flows through your organization. It includes how you got the information and explains how you will get rid of it. RoPA, on the other hand, explains how the data is used, what technological and organizational safeguards you have in place to secure the data, who is impacted by a processing, who is the beneficiary of a processing, and who may be a data processor. A RoPA also includes a fundamental risk study.
GDPR mandates the use of RoPA but no such mandate is applied for data mapping. However, RoPA is a part of data mapping. A data mapping exercise includes all the information required for RoPA with additional information such as:
Since a data map goes deeper than a RoPA, starting with mapping can help your organization formulate a RoPA fast because you will have already done the majority of the groundwork.
Complying with the regulations can seem difficult, but tackling it piece by piece will help your organization adapt to changing privacy requirements and consumer demands. Mapping your data is one of the most critical moves you can take in this direction. It's not only a necessary step toward GDPR enforcement, but it's also good business.