GDPR requires businesses to handle personal data lawfully, fairly and securely. To be able to do this, it is essential to understand the lifecycle of the personal data you process – what, why, where, when and how personal data is used by your extended organisation. This process is known as Data Mapping.
GDPR Compliance for Clinical Trials
The pharmaceutical and biotech industries constantly create, collect, store and share large volumes of technical, organisational and legal data. Data can be a huge asset in pharmaceutical product and medical device research and innovation, but it can also be a liability if not properly managed.
Data mapping is an essential compliance measure for companies worldwide bound by data privacy laws. While our article concentrates on the GDPR, it is important to remember that data mapping can help pharma companies comply with privacy laws wherever they conduct research. With a comprehensive health data map, your compliance teams can implement a successful privacy plan, answer data access requests, swiftly supply information for breach investigations and safeguard data in cross-border transfers.
This article gives an overview of data mapping under the GDPR, describes mapping health data in the context of the GDPR, outlines the basic steps, and explores why you should view an up-to-date data map as a benefit to your company rather than a time-consuming headache.
What is Data Mapping?
Data mapping is a system of cataloguing the data you collect, process, store and share, i.e., your data inventory and data flow. There are various ways to achieve this goal, whether through a simple spreadsheet or a dedicated data mapping program — and the extent or limit of your data mapping will depend on your business.
However, most data maps should include the following information:
- What data is collected – is it sensitive or personal?
- Why are you collecting the data?
- The legal basis for processing that data — should reference the six established by the GDPR: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
- Where data is stored
- Length of data storage
- Under what conditions is data stored – i.e., what protective measures are in place within your organisation?
- Where data is transferred or shared
- Location of third-party recipients — external national and international data transfers
- What protocols are in place to protect data during transfers
Effective data mapping is an ongoing activity that should be part of your regular business practices. It requires the input of nearly every department in your organisation, and your GDPR Data Protection Officer (DPO) or a senior member of your privacy team should supervise the process.
Is Data Mapping a requirement of GDPR?
While the GDPR does not mandate data mapping explicitly, it does address core elements of GDPR data mapping in Article 30, stating in part the following:
- Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities (RoPA) under its responsibility.
- Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
- The controller or the processor and, where applicable, the controller’s or the processor’s representative shall make the record available to the supervisory authority on request.
The RoPA is an essential document in two respects.
Firstly, it summarises all the processing activities across the business, identifying the organisational, technical and legal measures in place to ensure data security appropriate to the risk and type of personal data. Secondly, if the business has no legal establishment in the EU/UK, it is a required document for the Data Protection Representative to review in respect of their liability.
The data mapping process also forms an integral part of GDPR compliance tasks, including:
- the Data Protection Impact Assessment (DPIA)
- fulfilling privacy requests and
- managing data subjects’ consent and data breaches.
What is the data mapping process?
The specifics will vary depending on your research organisation, company systems, and the breadth and scope of your data. That said, data mapping will typically follow these fundamental steps:
- Assemble the team – Data mapping involves input from every department and an agreement to collaborate on an ongoing basis to review and update the data map. Your Data Protection Officer or compliance/privacy team can oversee the data mapping process.
- Define the data – Identify different data categories and risk levels. To determine where relevant data resides, the mapping team will need to circulate questionnaires, conduct interviews, and update retention policies.
- Map the data – Identify data flow and map it using a single accessible platform that helps you visualise what data the organisation collects, the category of data, where it is stored, who has access to it, and the purposes for use.
- Identify TOMs – Identify the technical and organisational measures already in place, and those still needed, to protect each category of personal data.
- Maintain and update – As mentioned, data maps are dynamic. Whenever a data source or data category is added or changed, the data map must be updated to reflect it, so it needs ongoing maintenance.
What are the benefits of holding an up-to-date data map?
While creating data maps can be time-consuming and requires attention to detail, we at Pharma Data Protection take a proactive approach to the GDPR data mapping process, understanding the long-term benefits it offers your company.
An up-to-date data map
- gives you complete visibility over the flow of data through your extended organisation
- means you are always audit ready
- helps you to understand your legal obligations under data protection legislation
- is a quick, accessible guide to your organisation’s documents and information systems
- creates a streamlined privacy operation for your business
- gives you the ability to respond faster to data subject requests
- gives you a structure from which to develop and maintain a record of processing activities (RoPA)
- helps you avoid administrative fines for not keeping the documents up to date.
As pharmaceutical GDPR compliance consultants, our expert team will leave no stone unturned in its efforts to help you identify and categorise the data you process. We can share our industry knowledge and experiences of best practice to support you in streamlining your records and processes as you move towards GDPR compliance.
We understand that businesses within the pharma and biotech sectors have a lot of data to organise, and small and medium-sized enterprises may need more internal resources to create a data map quickly. Our comprehensive GDPR Data Protection Officer service can help you meet your data protection and regulatory compliance requirements and DPO responsibilities, including overseeing the data mapping process within your organisation.
To learn more about our DPO service or talk to us about data mapping and the GDPR, schedule a call