We tend to think of data as relatively static. Systems might be updated from time to time, but most of the time the information is organised and then forgotten about. Ideally, though, more attention needs to be paid to the nature of your data: how it was collected, what it is being stored for, and what its final destination will be.
Keeping your data in order is an ongoing battle, and proving how it is being processed is harder still. When organisations process data, there has to be a clear path showing how it went from one point to the next.
The first step of this process is data mapping. This facilitates not only migration, but also the integration that makes it possible to catalogue and retrieve the data. We’ll look at why this is so important and which questions you can ask to make it easier.
Data mapping is the process of matching fields when moving information from one database to another. It’s critical to understanding how data flows. From how it was acquired to how it is processed, the maps reveal crucial details about how the information was protected and whether it moved around correctly.
It’s smart for companies to keep this information for their own reference, but data mapping is as much a legal matter as a practical one. The GDPR requires some enterprises to keep records of their data mapping processes.
Of course, there are certain data mapping exceptions for organisations of 250 people or fewer. This can make smaller enterprises feel immune from the more complex parts of the regulation.
However, the first thing you should know about these looser expectations is that the exceptions are conditional. And even if the rules don’t apply to you, you are still strongly encouraged to keep these records.
Here are three questions to ask before moving forward.
The question needs to be answered in detail, and the answer needs to cover both realised and potential collection purposes. Not all data has to be mapped: the rules only apply to sensitive or personal information.
For example, are you collecting information on criminal convictions? Does any of your data meet the special category criteria, such as ethnic origin, political stance, religious beliefs, or health data? This information can be some of the most destructive if it’s in the wrong hands. If you’re storing it for any reason, you’ll need to keep records on data mapping.
If you’re a part of a larger business, you also need to think about the data you collect from clients. For example, if you store information on the client’s customers, you may be responsible for creating records for their data as well.
Post-it notes or spreadsheets that document the transfer are not enough. There needs to be systematic record keeping that details the processes, so that you can show you’ve done everything possible to protect the sensitive information in your possession.
Much like listing all sources of data and their purpose, you’ll need to define how you will use the data, both now and in the future. Are you planning to process the information several times a year? If so, would this present a reasonable risk to the data subject, for instance by selling a person’s political affiliation to an outside source, or by excluding certain people from opportunities (e.g., loan offers, employment, etc.) based on personal history?
You need to think about who you’re collecting information about and how their lives may be affected by the storage of it. This is true across the departments in the company. Some teams will have the same data, but use it in very different ways.
If you’re a large organisation, you need to think about what steps different departments will take and how that affects the data subject. For instance, the marketing department may group people together based on perceived buying behaviour, a practice that might raise more red flags than an accounting department that is simply storing invoice history.
When you map data, you also have to think about the level of detail that you need to achieve. There is such a thing as creating records that are too complex to follow. The more granular you are, the more likely it is that the general flow will become garbled somewhere along the way. If you’re working with Data Subject Access Requests or Privacy notices though, you may need more information included in each map.
The GDPR guideline is to store others’ personal information for the shortest time possible. To keep your data, you’ll need an appropriate justification. All organisations are under a legal obligation to delete certain data after a fixed period of time. For example, employers are forbidden to keep information on their employees past a certain period. Note also that there are certain types of data about your employees that you cannot hold at all. This is a consideration H&M should have taken into account before collecting and storing their employees’ holiday experiences, family issues, religious beliefs, and symptoms of illness and diagnoses. It resulted in a fine of 35 million euros.
If you’re planning to use the data in the best interests of the public, such as for historical or medical research, you may have a justification for longer retention periods. As long as you’re putting protection measures in place, such as encryption, you won’t risk violating compliance laws.
If you do have a legal justification, you should determine how long you’ll need the data for. Your company should have standardised processes to either erase or review data based on its type. Keeping this on your radar will make it easier to determine how to store the data and what to do with it later.
Building a data inventory can be more involved than you might expect, especially if the data comes from a variety of sources. GDPR rules apply to anyone who processes personal data, and there needs to be a record of the steps taken. At the very least, having the records (even if you don’t strictly need them) can prove that steps were taken to meet the regulations.
PrivIQ is here to help people keep track of what they’re doing without having to agonise over every decision. Information can be entered into individual fields or you can use import templates for larger jobs. You can create processing categories, such as SaaS, payroll, or automation, and write descriptions detailing your activities.
With PrivIQ, you can choose multiple countries based on where the processing takes place, and indicate whether there will be other processors involved. Finally, you can add any clients that you process data for. Once those clients are assigned to the proper processing category, you can simply save your information.
There’s a lot to learn about data mapping, but most of it comes down to keeping track of what you’re doing with information. The right software can give you the means to keep better tabs on data, so you will know where your data is going.