Data Mapping and personal data processing for GDPR
GDPR requires businesses to handle personal data lawfully, fairly and securely. To be able to do this, it is essential to understand the lifecycle of the personal data you process – what, why, where, when and how personal data is used by your extended organisation. This process is known as Data Mapping.
While the GDPR does not mandate Data Mapping, the process forms an integral part of GDPR compliance tasks including:
- the Data Protection Impact Assessment (DPIA)
- creating a record of processing activities (RoPA)
- fulfilling privacy requests
- managing data subjects’ consent and data breaches
The benefits of holding an up-to-date data map include the following:
- gaining complete visibility over the flow of data through your organisation
- always being audit ready
- helping you to understand your legal obligations under data protection legislation
- having a quick guide to your organisation’s documents and information systems
- creating a streamlined privacy operation for your business
- the ability to respond faster to data subject requests
- giving you a structure from which to develop and maintain a record of processing activities (RoPA)
The GDPR requires all organisations processing sensitive (special category) data to maintain a record of processing activities (RoPA).
The RoPA is an essential document in two respects. Firstly, it summarises all the processing activities across the business, identifying the organisational, technical and legal measures in place to ensure a level of security appropriate to the risk and type of personal data. Secondly, if the business has no legal establishment in the EEA/UK, then it is a required document for the Data Protection Representative to review in respect of their liability.