GDPR Data Mapping Compliance Requirements – How granular must a data map be?

Data Mapping is the process of identifying, understanding and mapping out the data flows of an organisation. A good Data Map (also referred to as a “Data Inventory”) will provide a comprehensive overview of the data flows within, to and from an organisation. Although a granular data map is recommended, all that is really required is a high-level data map.

The data mapping requirement under Article 30 states that controllers or their representatives must maintain records of processing activities (see Recital 82). These records of processing activities must contain contact information for the controller and processor, the purpose of the processing, a description of the categories of data subjects and categories of personal data, any recipients of that data, any transfers to third parties/countries, and any time limits.

You are required to list the categories of data subjects and categories of personal data. That could mean “any website visitor” or “all clients”. It can also mean that you need to list out “demographic information” or “contact information”, as those are categories. Depending on what data elements the categories contain (sensitive data) or how they are obtained (automatically), you should conduct a Privacy Impact Assessment or a Data Protection Impact Assessment (Article 35).

The UK data authority has published their suggested data mapping template.

