GDPR Step 1: Creating a Data Map
Producing a data map of where all of the data lies throughout your organization will help you comply with Article 30’s RoPA requirement. Not only that, your business must have full context of all the data you are processing to exercise granular control over all the data flowing through your systems.
To accomplish this, you’ll want to create a visual representation, or “map” of:
| Title | In simple terms... | Description |
|---|---|---|
| Data Categories | What? | The types of personal data you are processing. Common categories of personal data include names, email, address, location, etc. These are personal information belonging to an identified or identifiable user. |
| Categories of Processing | Why? | The reason or purpose for which you are processing the data. To identify the correct purpose, consider how that information is being used. An example would be a statement such as "We use email and names for personalized marketing.." In this case, the category of processing would be "personalized marketing." |
| Systems | Where? (Organizationally) | The systems in which the data is being processed. Think of this as your internal technology systems or third-party vendors. Taking the personalized marketing example from above, the system might be your CRM like HubSpot or Salesforce. |
| Location | Where? (Geographically) | A slightly more precise version of “where.” This is about knowing where the data geographically resides. For example, perhaps you use AWS to cloud host your databases. The AWS region might be the U.S., Europe, or elsewhere. That location should be documented. |
| Data Retention Policy | For how long? | Privacy best practices dictate that you should keep data for as little time as possible. That is to say, only store and process data for as long as it's truly necessary. For this reason, you should have a record of when and how you delete each category of data that you process. |
| Data Processing Agreement | Legal Policies | If users' personal data is processed by a third-party on your behalf, e.g. a SaaS company or an external business, you should establish a contractual agreement for how they comply with privacy regulations and manage data on your behalf. This is often called a Data Processing Contract or Data Processing Agreement. |
| Security Controls | Security Policies | For each of your systems, you should have a record of the security controls and policies enforced on that system. That way, you can ensure that you are adequately protecting your users' data. |
Manual data mapping is a labor-intensive process that will involve multiple stakeholders of your business to complete. A manually generated system and data inventory can take several months to create.
💡
If you'd like to accelerate your data mapping and are unsure where to start, ask a question on the Fides Slack Community.
If you want lightning-fast, automated data mapping with Privacy engineering intelligence from Ethyca, get in touch now (opens in a new tab).