GDPR data mapping can be a tricky exercise and it is difficult to know where to start. That is why we decided to create a series of articles to explain how you can map data, creating a data inventory for your organization. Read on to learn where you should start your data map process. (Spoiler: you need to define which categories of data you hold.)
Data mapping is used in organizations to understand what data is where and how it moves across systems. In order to understand how data flows, you need to firstly identify the data you have and where it is being held. This is where holding a data map, which is also known as a data inventory, comes in.
Knowing where your customer data is located across your systems isn’t just useful in case you need to find it, but is also a requirement for the General Data Protection Regulation (GDPR). As part of the GDPR, businesses handling lots of consumer data are expected to be able to produce reports which show how the companies handle their customers’ data, indicating which specific data they collect, where it is stored, why it has been collected, and so on.
An ideal tool for keeping track of all of your customer personal data is a data map. Data maps are created in two phases. The first phase is to identify all of the data you have. In fact, if you are a business that has just launched or about to launch, it is best practice to implement privacy by design: start creating a data map and planning what data you will collect before you even start collecting customer data. In this case you can ensure compliance if the regulator comes knocking.
The task of creating your GDPR data map to get an overview of your inventory can be broken down into three logical parts:
The remainder of this article will cover how to identify the categories so that when you start looking for and finding your customers’ personal data, you will be able to immediately assign the category which they belong to.
There are several different types of personal data and some are considered more sensitive than others. It is best practice to group the data into different categories, with each category generally being used for a specific purpose. For example: financial information is a subcategory of personal data which is generally used for billing and accounting purposes.
The main idea here is to group sets of data into logical categories that the person viewing the data map can easily understand. Conversely, making too many categories can lead to overlap or to a situation where you aren’t sure which category a certain data point belongs to. Better not to confuse things and keep it simple.
Below are some possible categories of personal data that you could use in your GDPR data map:
When defining your categories, it is important to bear in mind what personal data is defined as under the GDPR:
personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier
The word identifiable carries importance here. For example, is a person’s date of birth personal data?
Answer: it depends.
If you are holding other data points which together with the person’s date of birth can be used to identify them (for example, address), then the date of birth is classified as personal data. You probably hold several data points which allow you to identify the customer.
Anyway, now that we understand the nuances of the legislation a little better, let’s take a look at the different categories in more detail.
As mentioned above, personal data is a very broad term and is defined as information that relates to an identified or identifiable individual. As such, this data could include the person’s name, address, telephone, and so on.
Financial information in your data map will generally relate to any data you have collected from a customer when they have made a payment or to employee payroll information. This data will generally include bank account details, such as the numbers of credit or debit cards, and could include information from credit checks.
If you collect any form of identification from your customers and then store this, you will need to document this activity in your data map. The same goes for employee documents. Examples of this category of personal data can include copies of passports, driving licences, or other documents used to verify an individual’s identity.
Should your company collect data regarding an individual’s employment details, it is best to document this in a separate category. This category generally relates to members of staff you employ and can include resumes, education and training records, or references.
If you work in an online business that processes your customers data, you probably employ tracking tools to retarget customers. This is done by cookie trackers and these are also a category of personal data because they can be used along with other pieces of information to identify an individual. If you record user interactions with your website or have CCTV recordings in and around your office that you have control of, you will need to note this in your GDPR data map.
Special category data is personal data that requires additional protection by law. This is because this type of data is especially sensitive to the individual. This category includes things like data about a person’s health, any religious beliefs they hold, their sexual orientation, and other sensitive information.
Now that we understand how to subcategorize the personal data you hold, it is important to assess how you use the data, i.e. what is the purpose for why you hold this data. For each subcategory, indicate whether you hold personal data for the purpose of:
It is important to note that you may use the data for more than one purpose and you should note this too.
This is a really important and useful exercise as you can see what categories of data you have and why you hold them. Should you not know why you hold certain data, you can delete it in line with the data minimization principle of the GDPR.
An important principle of the GDPR is noted in Article 5, 1(c) of the regulation, which mandates that collection of personal data should be:
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)
By using your data map to see exactly what data you hold and why you hold it, you can see what data that you have collected and don’t use: data which you can erase from your systems.
Now that we have defined data subcategories and the purposes for why this data is processed in your organization, you will have a better understanding of the data you need and why you need it, and the data you can erase in line with data minimization principles. This is a great starting point for creating a data map for your organization.
Read the next article to learn about where personal data is stored.