Senior Content Marketing Manager II
May 20, 2022 · 9 min read
When considering a company's privacy program, the relationship between data mapping and the EU's General Data Protection Regulation (GDPR) can be confusing. Common questions we hear include:
The truth is that data mapping is not required by the GDPR—but that doesn't mean you're off the hook.
In 2020, mid-size companies were using an average of 288 different software-as-a-service (SaaS) apps, according to a 2020 SaaS Trends report.
Between 2016 and 2021, the amount of data organizations manage grew from 1.45 petabytes to 14.6 petabytes—a 10x increase.
The sheer quantity of data, combined with the velocity at which businesses implement new systems, is simply staggering. And, ultimately, complying with many GDPR requirements means having a level of knowledge and organization that's simply not possible without a unified data inventory.
The GDPR may not require companies to complete a full data mapping document, but it does require:
Data mapping supports and/or enables all of the items on this list. The next section takes a deeper dive on the specific GDPR articles that require or are supported by some level of data mapping.
GDPR Article 30 requires that companies create and maintain records of processing activities (ROPA). ROPA must document:
The final ROPA must be made available digitally and in writing, in a format that's easy to read and transmit.
Article 35 requires that any "high risk" data processing undergo a complete data protection impact assessment (DPIA), stating:
"Where a type of processing [...] is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
DPIAs help ensure a consumer's data is safe throughout processing and show privacy regulators that your company is taking the necessary steps.
Balancing risks and benefits is a key part of completing a DPIA. They are not meant to completely eliminate processing risk, but rather should act as a decision-making framework for how and why your company processes data.
So how is data mapping related to the GDPR DPIA requirement? Completing a DPIA means an organization must be able to understand:
Remember, DPIAs are meant for high-risk data processing activities, and without a clear view of your data, it's essentially impossible to identify risky processes.
Data mapping is also foundational to Article 33 compliance, which requires that companies notify authorities and consumers, within 72 hours, about personal data breaches that may threaten a consumerâs rights and freedoms.
The 72-hour timeline is what should stand out here. Though data mapping is not explicitly required by this article, it's crucial for:
As we've mentioned throughout, data mapping helps companies understand, analyze, and organize an immense data trove that can span hundreds of systems. Attempting to re-create this level of understanding under a 72-hour deadline, while also addressing the vulnerability itself, is not an ideal scenario.
Under the GDPR (and most modern privacy laws), consumers have the right to request access to their data. This means, after receiving a request, a company must identify and collate all personal data they hold on that individual and then send them their data in a format that's easy to read and understand.
Like many of the compliance activities discussed here, data mapping isn't specifically required under the GDPR right to access. However, it can support the process.
If your company has no idea when it collects personal data and where that data is being stored, collating and packaging that data becomes a herculean task. The GDPR gives organizations 30 days to fulfill a DSAR, so having a process in place that supports DSAR fulfillment is key to remaining compliant.
Creating a data map for GDPR compliance can be a complex process, especially if you're not using an automated data mapping tool. However, there are a few key questions that can guide your efforts.
Identifying where you collect data, i.e. understanding your data sources, builds the foundation for the rest of your data map. Remember the stat about an average of 288 SaaS tools? Many of those likely represent sources of personal data that should be included in your data map.
Outside of that, you should also look at how your company uses cookies, pixels, or other tracking technology—these tools collect troves of data about what a person does while they browse the internet.
Once you understand where personal data is coming from, you need to know what exactly you're collecting.
When talking about GDPR data collection, you may have seen the acronym PII, which stands for personally identifiable information. This is actually an older, narrower term that's not as relevant to modern privacy laws.
The GDPR focuses on "personal data," which includes PII but extends to a wider array of data elements. The GDPR defines personal data as:
"...any information relating to an identified or identifiable natural person..."
An identifiable natural person is someone who can be identified, directly or indirectly, by their:
So though many people look to create a comprehensive list of PII data when building their data map, they should be working to identify the broader pool of all personal data.
Understanding where your data goes has two end-goals—creating a map of data flow and identifying whether your data is being transferred out of the EU.
Creating a data flow map is the next logical step after identifying the "where" and "what" of your company's data collection processes. A data flow map acts as a visual representation of the entire data ecosystem, providing clarity on:
Data flow mapping can be used across a wide variety of scenarios, but in the context of the GDPR it can be particularly useful for identifying cross-border data transfers.
The GDPR does not have specific data location requirements. It does, however, regulate data transfer between the EU and other countries (Article 44)—essentially requiring that data transferred out of the EU receive the same protections it had while still in the EU.
Between 2020 and 2022, issues around trans-Atlantic data transfer made frequent appearances in the news. Multiple companies were penalized for using Google Analytics on the grounds that it represented an unprotected trans-Atlantic data transfer.
Privacy Shield, the original agreement meant to regulate trans-Atlantic data transfers, was also struck down, on the grounds that it did not properly protect data after it left the EU. Critics claimed the agreement left the door open for law enforcement agencies in the US and elsewhere to obtain the data using national security as the justification.
Determining how your company uses personal data is critical to GDPR data mapping, as it informs next steps after the map is complete. For example, if you're using data for "high risk" activities or systematic profiling, you'll need to complete a DPIA.
More broadly, this exercise will help your company comply with purpose limitation—one of the GDPR's core principles.
Personal data shall be [...] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
In practice, this means:
For reference, GDPR Article 6 outlines six foundations of lawful processing, which include consent, contract fulfillment, protecting vital interests, and more.
Defining company-wide data retention policies (how long you keep data before deleting it) is crucial for complying with several GDPR requirements including creating records of processing activities (ROPA), storage limitation, and data minimization.
If you canât yet define a specific data retention timeline, you should at least define criteria that will help you determine that period as the need arises.
GDPR data mapping is a complex process, one you're unlikely to complete working alone. Do your research and then create a brief to socialize throughout the organization. This document should outline what data mapping entails and why it's important for GDPR compliance.
Remember, it's necessary for complying with Article 30 and plays an important role in identifying what activities require a DPIA (Article 35), effective breach management (Article 33), and DSAR fulfillment.
Schedule a meeting with key leaders and managers to set expectations, outline the process, and preemptively field any questions or concerns. This will not only help ensure buy-in, but will get crucial gears turning before the next step.
After the initial meetings, send out assessments for each team to fill out. These assessments should solicit specific details on each data system and relevant processing activities, including lawful basis, purpose, need for consent, timelines for data retention, and more.
Once you've received all completed assessments, combine your findings in a document that is available digitally and in writing.
GDPR data mapping is not a one-and-done activity. To be compliant, your company's data map must be current—including all relevant tools, databases, and systems—so it's very important that you implement a process that ensures continual updates.
For many companies, this process is simply repeating steps three and four on a regularly scheduled basis: sending quarterly surveys or assessments and then manually integrating updates into the existing data map. Due to the complexity and time required, automated data mapping is often a better choice.
Beyond a certain data quantity, manual data mapping is extremely time consuming and can be prone to error.
Automating some or all of your GDPR data mapping process is recommended in most cases. It will improve your companyâs overall GDPR compliance stance and allow your team to focus on their core responsibilities.
For the majority of companies, creating a complete data map can take over a year. This means that, by the time you've completed your initial map, the systems you added and updated at the beginning of the year are likely already out of date.
The right automated data mapping tool will scan your website and various data systems to identify sources of data processing, organize everything into a live map, and then run continual automatic updates.
Not only does this remove the burden from an individual or team, but it ensures greater accuracy in a much shorter timeframe.
Automated data mapping creates a central hub that tracks:
Automating these tasks saves hours, if not hundreds of hours, that your team can use on other compliance activities.
Risk comes in many forms, especially for larger companies with more data complexity.
Each person involved in a data mapping task represents a vulnerability. At its core, the GDPR deals in the protection of sensitive and personal data—so opening all your company's data to an increasingly large group of people isn't ideal.
Not only do automated data mapping platforms limit the number of individuals involved in your data mapping process, but they provide better security overall: secure gateways (that eliminate the need for API key access), end-to-end encryption, and granular access configurations.
Automated data processing platforms can be configured to flag sensitive data—making it easier to identify and address risky or illegal data processing activities.
Sometimes non-compliant processing simply stems from lack of oversight, but that won't stop regulators from applying a hefty fine. Automation helps ensure that all your processing activities follow the necessary guidelines.
In a similar vein, but with a wider view, automated data mapping provides broad support for your privacy compliance program.
Advantageously positioned with a full view of your company's data, automated tools can help support efficient DSAR fulfillment (with minimal manual intervention), as well as provide critical information about the scope and effects of any potential data breach.
Transcend can help your organization automate data mapping for privacy law compliance. Use Transcend Data Mapping to discover your company's data silos, classify personal data, and auto-generate reports—all in an easy-to-use, collaborative platform.
Power your company's regulatory compliance with actionable data governance suggestions based on your real-time data map. Transcend is the first and only data mapping tool that ensures the systems discovered in your data map are seamlessly included in user deletion, access or modification privacy request workflows.