GDPR data mapping sounds easier and less time consuming than it actually is. Data privacy professionals looking to create a full inventory of the personal data their organization holds can have difficulty knowing where to start in GDPR data mapping. Once you have categorized your personal data, know where it is, why you have it, and how long you should retain personal data for, you can get granular with each data point and indicate what you use each piece of data for.
If you haven’t been following this series of articles on GDPR data mapping, you may want to read about the previous steps to completing your inventory of personal data:
The last stage of creating a data map for your organization is to go digging deep into all the different types of personal data you collect and store. We already have an idea of the different categories of personal data; now you want to delve into these categories and specify:
Documenting all of this information is considered best practice in personal data protection. Should you need to provide any reports to the regulator or your organization’s executives, you will have all of the information on personal data logically structured.
Start by going through each category of personal data and discovering which individual pieces of data you collect. If you haven’t already, you should first define broad categories of personal data. Generally, there are six main categories of personal data that you should include in your data map:
When you have specified all of the data points that you hold or collect on individuals, you need to specify which categories of people you collect the data on. The main categories are:
There may be other categories of data subjects that you want to specify separately: feel free to do so.
It is important to highlight two of the categories mentioned above: potential staff and emergency contacts.
Potential staff send you vast amounts of personal information in the form of CVs and resumes. Your organization may then hold this personal data on file for future reference if another role comes up. The category given here is separate from that of employees, since the basis for processing employee data is a legal obligation in the form of an employment contract. Potential staff, on the other hand, give explicit consent to the processing of their personal data when they submit their employment history and, unlike employees, are able to revoke this consent at any time.
Emergency contacts are provided by your employees and are processed based on the legitimate interest of the person designated as the emergency contact. We can assume that it is in this person’s best interest to be contacted should something happen to the employee.
Your organization may not collect all of the categories of personal data listed above, and within each category there may be specific data points that you do not collect from customers. However, do not forget that you also store data on employees, who are also protected by the legislation.
An e-commerce company is unlikely to collect identity documents (such as a copy of passport) and special category personal data (such as trade union membership) from customers, but is likely to do so for employees.
It may be a good idea to speak to people in different departments or conduct a survey to find out the specific personal data types that your organization processes.
Once you have categorized the specific data and the personas they are associated with, you can now begin to identify why you hold this data for each persona. Speaking generally, there are five reasons your organization will hold data:
You may process personal data for different or additional purposes. If so, add the reasons why. It is best to be specific, yet with clear categories. Let’s quickly run through the different categories to make clear how to choose.
Processing personal data for accounting purposes relates to any incoming or outgoing payments. For example, this covers the billing details of your customers or bank accounts of your employees where you send their salaries.
You may process customer personal data in order to offer them support. For example, if the customer rings you with a query, you will ask their name and document the time they rang and the number that they called from.
In order to comply with various sets of regulations, you are required by law to keep specific records. For example, in accordance with anti-money-laundering regulations, companies are obliged to store financial information of customers for certain periods.
The majority of organizations collect personal data from consumers for sales and marketing purposes. For example, address information may be used by organizations to launch marketing campaigns in specific localities.
While profiling is often linked to marketing activities because it involves categorizing people into certain profiles, it can also be considered a separate category. This is because in some instances it can be used to generate automated decisions. For example, profiling based on age may take place for decisions about whether to issue credit.
Having completed all of the steps in our article series on how to carry out GDPR data mapping, you should have a highly detailed inventory of all the personal data your organization holds. Moreover, you are audit-ready for GDPR Article 30, as you can demonstrate your records of processing activities: how you use the personal data you collect. In completing a GDPR data map for your organization, you can demonstrate to the data protection authorities that you know how and why personal data is collected, in addition to knowing where it is stored and for how long.
Bear in mind that the job is never finished and this is not a one-time exercise. The data map needs to be revisited on a regular basis to keep it up to date. By keeping on top of your GDPR data map, you will save time in the long run.