GDPR data mapping template: how to complete
GDPR data mapping is a great step to help your organization visualize what data is stored where, why, and for how long. Creating a GDPR data map is a daunting task, so we have created a simple template to get you started.
Download the GDPR data mapping template and read these instructions to learn how to complete it.
Data mapping template: getting started
The GDPR data mapping template is split into four sheets. On the first sheet you will find the “General settings”. Here you need to enter your name, the name of your company, and the completion date of the template.
Any information you enter in the general settings sheet will be automatically used in subsequent sheets.
On this sheet, you can modify the dropdown menus that will appear in the following sheets. Edit the dropdown menus to reflect the data practices in your organization. If you are not immediately sure of what to edit, you can return to this step later on. The fields provided in the template are general values that are common across all organizations.
When you have completed the general settings and are ready to move on, head to the next sheet entitled: Data source.
Data source: where is personal data and why?
To complete this section of the template, you need to find out where your organization stores which data and the legal basis for storing it. You are provided with 10 columns, 8 of which have dropdown lists to simplify completion of the template. Start by finding out which services your organization uses that process data on your behalf. The first column provides some of the most common software-as-a-service (SaaS) applications to get you started.
Find out from your colleagues which SaaS apps you use. Delete the rows which contain services that your organization doesn’t use or replace the names of the services with ones that you do use. You may also use unstructured databases to handle personal data. These are listed below the SaaS apps. Again, delete or replace the suggestions in line with what you employ in your organization.
The best way to find out which services and databases you use is to get in contact with your technical team and the person responsible for technology in your organization. It is likely that this person will also be able to tell you who is the owner (the person responsible) for these systems. The system owner will be able to give you access to the places that store personal data so that you can document which data is stored within them.
Document who this system owner is in the field provided and add their contact details so that you know who to speak to and how to contact them if you need to update the data map.
Once you know where personal data may be hiding, you can get to work on documenting which categories you hold where and why.
Personal data categories
To give you an overview of where different data is held, the GDPR data mapping template groups personal data into six different categories:
- Personal (e.g. name, date of birth)
- Financial (e.g. bank details)
- Identity documents (e.g. passport scan)
- Employment details (e.g. resume)
- Tracking data (e.g. website cookies)
- Special category (e.g. health data)
You can read more about the different categories in the Soveren article “GDPR data mapping: where do I start”.
Personal data use
Once you understand which category of data is in which system, you should be able to define the purposes for processing this personal data. Select the values from the dropdown lists to indicate what you use the data for.
Enter all of the fields and indicate where you store what data and why. Any categories of personal data (columns) can also be deleted, just as any systems (rows) that you do not use can also be deleted.
Should you use a data category for several reasons (e.g. customer support in addition to sales and marketing) per data store, add a row below the data store and indicate the additional use.
If you store and process personal data but can’t find a reason why, this is a massive red flag that something has gone wrong. If there is truly no reason for you to store this personal data then you should take steps to depersonalize, anonymize, or delete it in line with data minimization principles.
When you have completed all of the fields relevant to your organization on this sheet, it is time to move on to the next step: documenting the legal basis for why you hold the data and the period during which you store it.
Consent and retention
The next step to completing your GDPR data map is to go a bit deeper into the above reasons for why you use personal data, and find out the legal basis for each category and use. The categories of data and uses are the same as in the previous section.
The GDPR is clear on the specific six legal bases for processing personal data:
- Consent
- Contract
- Legal obligation
- Vital interest
- Public task
- Legitimate interest
It is worth noting that a lot of personal data processing in commercial organizations is done on the basis of contract, but consent and legal obligation also feature frequently. You will need to identify which of the bases your organization uses, and this may be a tricky task.
Furthermore, there are additional bases for processing special category data. If you process this type of personal data you need to have solid grounds for why.
Read more about the specific legal bases for processing personal data to complete the data map for your organization.
Your organization should have set retention periods for all categories of data. While some categories of data have retention periods that are mandated by law (e.g. financial data for audit purposes), data protection laws allow organizations to set their own retention policies and time periods, provided you can justify storing the data.
Since there are no strict guidelines for how long you can store personal data, you will need to judge whether storing it can be justified for legal reasons. If you cannot justify the storage, it is best to delete the personal data: this minimizes the data stored and therefore minimizes the risk should your organization suffer a data breach.
If you don’t have set policies for data retention, it is strongly recommended that you create a set of guidelines for your organization. You can use industry standards as a guide.
If you can’t find the answers to why you have the data (the legal basis), how long you are storing it for, and the justification for storing it, this is a red flag. Take steps to understand the grounds for storing the data and speak to the relevant stakeholders to find out how long the data is being stored and why.
If there are any gaps in your data map at this point, take steps to resolve these issues. Should you have everything complete, it is time to tackle some of the more granular reasons for each data point you store.
Documenting the data sources, reasons for why you hold certain categories, and retention policy you implement for personal data is a really good start. The Soveren GDPR data mapping template lets you go even further with a section to get granular for each data point.
Completing this section will show that you really take data protection seriously. Being unable to complete parts of the section will highlight problems and holes in your organization’s data practices that you can take steps to address.
In this section, you are presented with columns of categories of data subjects that you may store data on. Just as with other parts of the template, it is important to remember that you are free to delete or add different categories as applicable to your data collection practices. For example, if you don’t work with consultants, delete this column.
In the rows on the far left, you will see the categories of personal data that we defined earlier clearly broken down into separate data points. Add or delete, depending on which data points you process.
Now you are ready to start choosing the purposes for which you process the different data points from the dropdown lists. You may use the data for several purposes, in which case you should add a row below the data point and indicate additional uses for it.
You can now give yourself a well-earned pat on the back. However, your work is never completed. You will need to revisit your data map often to keep it updated.
This is a living document and the job is never finished.
Keeping your data map updated doesn’t just demonstrate that you are complying with data protection laws; it also shows that you take compliance seriously and follow best practices if the regulator comes knocking. Moreover, when you receive a DSAR (data subject access request), you will know exactly where to find all of the information to respond quickly and efficiently.