GDPR data mapping: where is personal data held?
GDPR data mapping can seem like a daunting task, with personal data buried across all sorts of applications and databases. Having a clear inventory in the form of a data map which shows where data is not only helps locate data should a consumer ask for their data, but also helps you comply when asked to produce a GDPR Article 30 report by your data protection authority.
GDPR data mapping: finding the data
Understanding where you store consumer personal data across your systems is one of the most difficult tasks in GDPR compliance. If you are now trying to understand what data is where and have already been operating your business for a prolonged period, understanding where you store different data may take a significant amount of time and effort.
Personal data in databases
If your company has its own custom databases (whether on premise or cloud based): get in contact with the system owners of these databases to find out which personal data is stored in them. Examples of such databases containing personal data in your company could include:
- Microsoft SQL
It is important to note that your organization may use custom applications built on top of your own databases. Get in touch with different departments to learn about which applications your organization is using, the personal data these applications process, and the databases on which they are built.
Other than databases storing personal data, your company likely uses other paid services that process personal data on your behalf.
Personal data in applications
The world has shifted towards an “as-a-service” model of doing business, and your company probably implements several software-as-a-service (SaaS) tools. Many of these tools and applications process and store data on your behalf and so need to be accounted for in your data map.
Let’s take a look at some of the most popular SaaS tools, what they do, and the data they collect.
GSuite and personal data
GSuite is a set of business operation tools from Google which is implemented across many businesses and organizations today. One thing you may have missed is the amount of personal data that your organization has collected and is storing there. Personal data that you store in GSuite can include:
- Customer emails (including addresses, plus physical emails and data contained within)
- Billing documents
- Audio or video recordings
Go through your company’s G-Drive, find out and classify the personal data you store. It may make sense to create a survey for employees to complete, with them entering what data they have saved to the Google cloud and what category it belongs to.
Slack and personal data
Slack is one of the most popular ways for teams in a company to communicate, but it also processes personal data. Of special note here is personal data such as:
- Employee data
- Customer personal details which may be shared here
If your organization uses Slack, the chances are that personal data of all types will be in the software. Send out a poll (you can do this right in Slack!) to see if staff are sharing customer personal data and take steps to minimize this.
Hubspot and personal data
Hubspot is a marketing tool used by a whole range of businesses of all shapes and sizes. The SaaS tool offers a range of different options, so you will need to check which you are implementing. On your behalf, Hubspot will likely be processing and storing customer data regarding:
- Customer names and emails
- Tracking data for sales
- Data about a person’s professional life
Since Hubspot is a marketing tool, the data it stores is generally for sales and marketing purposes. However, it is best to double check this as there may be other categories of personal data processed by the application.
Mailchimp and personal data
Mailchimp is another application used to automate marketing activities. The tool allows businesses to create landing pages and automate email marketing campaigns. This means that the tool will store your customer data related to:
- Tracking data via behavioral targeting
- Email addresses and contact details of your customers
As with the other applications listed, check carefully the precise personal data categories that Mailchimp processes and add them to your GDPR data map.
Marketo and personal data
Marketo is one of the premier marketing automation tools for big business. The product features a range of instruments, meaning that it collects several types of personal data from your customers. Personal data that Marketo collects on your behalf may include:
- Names, emails, and other personal information
- Tracking data
- Data to profile your customers
As Marketo offers a wide range of marketing tools, it also collects a range of different categories of personal data. Check the agreements you signed with the company and the tools you have activated to find out what data they are collecting for your business.
Salesforce and personal data
Similarly to Marketo, Salesforce is one of the bigger players in sales and marketing SaaS tools. The data-driven aspect of Salesforce — with a focus of data all in one place — means that the personal data collected via the tool doesn’t just relate to sales and marketing, but can also include:
- Financial information
- Information on your employees
- Profiling and tracking data
Salesforce is a true giant in SaaS. If you have implemented this tool then you are probably using it to collect a variety of different personal data.
Shopify and personal data
Shopify is a point of sale application which allows businesses to conduct online and offline payments digitally. Shopify also incorporates marketing tools. As such, this software tool is likely collect personal data, including:
- Financial details of your customers, such as bank cards
- Personal information like name and address
- Tracking and targeting data through the tool’s marketing kit
Shopify highlights an important aspect of checking what data is collected: although Shopify is a payment tool, it also collects different personal data categories.
Stripe and personal data
Stripe is a software tool which businesses use to facilitate payments online. Again, here you would think that the personal data collected via this software generally relates to one category — payments. However, on close inspection you will find that the SaaS may process other categories of personal data:
- Financial information such as bank card details
- Email addresses
- Name and shipping address
If your business implements Stripe, you’d think the category of personal data it collects is fairly straightforward; you’d be wrong. Be sure to check.
Zendesk and personal data
Zendesk is a customer service software that helps your customer engagement and sales activities. This means that it processes and stores a range of personal data:
- Profiling of customers and employees
- Personal information for sales
- Geolocation data
- Demographic details
- Audio or visual information
As you can see, customer service software collects a whole range of personal data that you need to take into account when creating your GDPR data map.
When figuring out what services your organization uses, you’ll probably need help. It’s best to speak to the different departments to find out which services you use, then find out who the system owner of each is.
The system owner is the person responsible for the implementation and working of each SaaS tool. This person can help you document the precise data which is collected by each service. Knowing who this person is will be vital when documenting the personal data types which software applications process on your organization’s behalf.
Also, document how to get in touch with the system owner. Documenting this person's contact details will make it easier for you to find and contact them should you need to update your data map. Of course, it is a good idea to let the system owner know that they should proactively get in touch if something happens with the application in question (such as increased functionality or termination of usage).
While cloud-based software tools make the running of your business a more streamlined and effective process, the data that is collected by the SaaS services aren’t necessarily held in your home country. In fact, the vast majority (if not all) of the services listed above store their data in the US.
Track legislation changes and court decisions to be sure you are compliant.
You should note the location of the data and keep track of legislation changes. For example, the Privacy Shield or changes to UK-EU data adequacy regulations which impact practices when processing personal data through various services. If the data collected by the SaaS service provider is stored in a third country that is not covered by any international agreement, you will need to obtain additional consent from your customers when using this software to process their personal data.
The responsibility is yours
While all of these services take part in the processing of the consumer personal data collected, they are instructed to do so by you: the controller. As such, you bear ultimate responsibility for anything that happens to the personal data. This list above is by no means non-exhaustive, so check which you implement and find out what data is stored where.