The success of every GDPR compliance process depends on an unsurprising requirement: Know your data.
When you respond to a data subject request or when you create GDPR-compliant privacy policies, you must have a detailed map of what data you have, how it is collected and used and where it is stored.
This is why you need data mapping: it allows you to combine disparate data sources, get a detailed overview of your data assets and streamline your GDPR compliance efforts.
Read more to learn all there is to learn about data mapping and GDPR.
What is a data map?
A Data Map refers to a process that allows you to identify personal data you hold, where you store personal data, how you process it, and who you share this data with.
Let’s assume that you sell SaaS-based accounting software to accountants. When you want to send marketing emails to your prospects, you will need to customise those emails to the specific needs of each prospect. Therefore, you will need to understand the previous purchase histories of your customers to personalise your offerings.
However, these data points will likely sit in different databases, in different formats. For instance, your sales team might keep these records in a CSV file whereas your marketing team keeps the same data in Excel files.
Combining this data will help you target your prospects effectively by drawing highly accurate insights about them.
In addition, you will better understand where this personal data is stored and which third-party tools are used to process this data.
Therefore, you need to carry out data mapping to have a detailed understanding of how personal data flows through your business, from the collection of personal data to its storage on third-party systems such as CRM tools.
What is included in a data map
When you decide to implement GDPR data mapping, you need to consider two key elements:
- Understand how personal data flows through your business and how it is transferred to external third parties
GDPR data mapping requires you to determine if you transfer personal data to third parties such as the third-party SaaS tools you use. For example, if you have names, email addresses and purchase histories of your customers and you store this data on an email marketing tool such as Mailchimp, you need to be aware of how you share data with Mailchimp.
Therefore, you need to identify all IT systems where you store and process personal data, such as email marketing tools, cloud data storage applications and customer relationship management tools. For example, you may be using Zendesk for customer support and HubSpot for lead generation and customer management. Since you share personal data of your customers with these third parties, you need to describe what personal data is transferred to them and how it is stored and used.
- Describe the key elements of personal data flow
After you identify the flow of personal data, you also need to report on its key elements such as:
- What type of personal data you collect and use: For example, it may be financial data of your customers like their credit card details.
- Where you store personal data: You may store personal data in the cloud, or data may be transferred to third parties.
- Which third parties access which personal data: When you use different third-party tech tools, you share different categories of personal data with each separate tool. For instance, while Google Analytics may access personal data such as the IP addresses of your website visitors, HubSpot may receive personal data from you about your prospects and their email addresses.
Why you need a Data Map to comply with GDPR
GDPR compliance is a challenging process with highly complex requirements. To comply with the GDPR, you need to know what personal data you collect, who it is transferred to and where it is located.
Therefore, a robust data mapping tool is essential to ensure your GDPR compliance.
In particular, data mapping is critical to fulfil the following GDPR requirements:
- Consent management
Under Article 7 of the UK GDPR, you need to keep records of the consent obtained from consumers, and withdrawal of consent must be as easy as giving it. Data mapping can help you identify all cases where you rely on consent to collect and process personal data, and manage that consent if it is withdrawn.
- Data subject requests
Under the UK GDPR, individuals can submit various requests such as data access, deletion and rectification requests. Furthermore, they can opt out of direct marketing. If you wish to fulfil these requests in accordance with the GDPR, you need to know what personal data you hold about the individual, who you transfer this data to and in which IT systems you store their data.
For example, your website visitors may ask for access to all data you hold about them. Under the UK GDPR, you must provide them with all data you collect via cookies and all records you have on your customer relationship management tools.
- Creating records of processing activities
Article 30 of the GDPR requires you to document your data processing activities, which includes details such as categories of personal data you collect and where you store them. Data mapping can streamline compliance with this obligation.
- Breach notification requirement
When you have a data breach, you need to quickly determine whether hackers accessed personal data of individuals and which individuals are affected. In other words, you need to identify all stolen personal data and who this data belonged to.
Data mapping can help you answer these questions and enable you to report data breaches within the 72-hour limit set by Article 33 of the GDPR.
- Data processing agreement
Article 28 of the UK GDPR requires that data controllers and data processors enter into a data processing agreement. This data processing agreement should describe what types of personal data are processed, how the data is stored, how it is used and what organisational and security measures are applied. GDPR data mapping is essential for you to put in place a data processing agreement that complies with Article 28.
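The requirements above (consent management, data subject requests, records of processing, breach notification) are all queries over the same inventory. The following is an added example, not Privasee's software or code from this post: a minimal data map modelled as a Python data structure, with one function per GDPR use described in this section, plus a review-age check for keeping the map current and an Article 30-style export of the kind the ROPA FAQ below describes. Every system name, vendor, data category, legal basis and review date is a constructed sample value.

```python
"""Minimal personal-data inventory (data map) with the GDPR queries the post describes.

Added example, not Privasee's product or code. All systems, vendors, categories and
dates below are constructed sample values, not a real organisation's data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataAsset:
    """One entry of the data map: an IT system that stores personal data."""
    system: str                 # IT system where the data lives
    categories: frozenset[str]  # categories of personal data held there
    location: str               # where the data is hosted
    recipients: frozenset[str]  # third parties that receive data from this system
    legal_basis: str            # lawful basis relied on (recorded for the ROPA)
    purpose: str                # why the data is processed
    last_reviewed: date         # when this entry was last checked


# Constructed sample inventory; vendor names are used only as illustrative recipients.
DATA_MAP = [
    DataAsset("website-analytics", frozenset({"ip_address", "cookie_id"}),
              "vendor cloud", frozenset({"Google Analytics"}),
              "consent", "website analytics", date(2024, 1, 10)),
    DataAsset("crm", frozenset({"name", "email", "purchase_history"}),
              "vendor cloud", frozenset({"HubSpot", "Mailchimp"}),
              "legitimate interests", "sales and marketing", date(2024, 3, 1)),
    DataAsset("support-desk", frozenset({"name", "email", "support_tickets"}),
              "vendor cloud", frozenset({"Zendesk"}),
              "contract", "customer support", date(2023, 9, 15)),
    DataAsset("billing-db", frozenset({"name", "credit_card"}),
              "own datacentre", frozenset(),
              "contract", "invoicing", date(2024, 3, 1)),
]


def dsar_checklist(data_map):
    """Data subject request: every system to query, what it holds and who else received it."""
    return {a.system: {"categories": sorted(a.categories), "recipients": sorted(a.recipients)}
            for a in data_map}


def breach_impact(data_map, compromised_systems):
    """Breach triage: which categories of personal data the named systems exposed, and which
    third parties received data from them (so they can be checked as well)."""
    hit = [a for a in data_map if a.system in compromised_systems]
    categories = set().union(*(a.categories for a in hit))   # empty set if nothing matched
    recipients = set().union(*(a.recipients for a in hit))
    return {"categories": sorted(categories), "recipients": sorted(recipients)}


def consent_based_assets(data_map):
    """Consent management: systems whose processing must stop when consent is withdrawn."""
    return sorted(a.system for a in data_map if a.legal_basis == "consent")


def stale_assets(data_map, today, max_age_days=90):
    """Keeping the map updated: entries not reviewed within the review window (default: a quarter)."""
    return sorted(a.system for a in data_map
                  if today - a.last_reviewed > timedelta(days=max_age_days))


def ropa_records(data_map):
    """Article 30-style export: one processing record per entry, derived from the map."""
    return [{"purpose": a.purpose, "categories": sorted(a.categories), "storage": a.location,
             "recipients": sorted(a.recipients), "legal_basis": a.legal_basis}
            for a in data_map]


if __name__ == "__main__":
    # Sample triage: the CRM was compromised; which data and which recipients are affected?
    print(breach_impact(DATA_MAP, {"crm"}))
    print("entries overdue for review:", stale_assets(DATA_MAP, date(2024, 3, 31)))
```

The point of the design is that each compliance task reads from one source of truth rather than from each team's own spreadsheet: a breach in the CRM immediately yields the exposed categories and the downstream recipients to contact, a withdrawn consent yields the systems that must stop processing, and the ROPA is an export of the map with the lawful basis and purpose attached, which is exactly why the map has to be kept current.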
The key challenges of data mapping
There are four key challenges to implementing an efficient data mapping process for GDPR compliance.
Challenge 1: Identifying all third parties a company uses
Most small and medium-sized businesses, particularly SaaS businesses, use a wide variety of third-party software tools to carry out different business functions such as customer support, sales, accountancy and marketing. In fact, an average company uses around 110 SaaS tools.
What’s more, each of these tools collects and processes different types of personal data, so creating an inventory of all these third-party tools is quite a challenge.
Challenge 2: Time loss
Inaccuracies and incorrect data during a data mapping process may cause your business to waste valuable time. For example, one study found that a sales representative wastes around 27% of their selling time due to low-quality or inaccurate data.
Challenge 3: Keeping it updated
Since personal data is not static but constantly changes, data mapping should be a dynamic process as well, so that the map of your personal data is kept up to date. If personal data is not updated, inaccurate data may result in financial loss. For example, a study by Gartner showed that inaccurate data may cost a pre-seed start-up up to $18,000 per month.
Challenge 4: Complex regulatory environment
Privacy is an evolving field where new privacy laws come into force frequently. Furthermore, both the UK and the EU data protection authorities keep publishing new guidelines and more detailed requirements for GDPR compliance.
Keeping up to date with new laws and regulations is critical to data mapping. For example, the UK has introduced a new draft bill on Data Privacy and this Bill will make changes to records of processing activities requirements for businesses, if it becomes law.
Why opt for automated GDPR data mapping
Technically, you can manually map data from the data fields in the source to the data fields in the destination. Although manual data mapping offers unlimited flexibility, it is likely to be time-consuming and prone to errors and inaccuracies as your business scales.
Therefore, most businesses use automated GDPR data mapping software. Automated GDPR data mapping software is a code-free tool that enables you to map data with a state-of-the-art scanning technology, combined with recommendations.
Automated data mapping software tools have the following key advantages:
- Automated GDPR data mapping saves time and requires less resources
On average, data analysts spend around 50-60% of their time on data preparation, which includes data mapping. When you use automated data mapping software, you save a significant amount of time and resources. For example, you will not need to do manual coding and you will not need to use up your developers’ time.
- Mitigating risks
When you rely on manual coding to carry out data mapping, you run the risk of having inaccurate data and inconsistent data mapping. For example, your marketing team may not know all the IT systems where your data is located or they may miss out on certain details.
However, automated data mapping software eliminates these risks and guarantees that your data mapping is accurate, error-free and up to date. This is because the automated data mapping software can scan across all your IT systems and uncover third-party tools and programs you may not even know about. Therefore, it is more reliable than manual data mapping.
- Streamline GDPR compliance efforts
When you comply with your GDPR obligations, such as when you fulfil data subject requests or create the required GDPR documents, you need a detailed view of all the data you hold and you need to know where each data asset is located. For example, if your sales team is using a new software tool to store prospects’ data, you need to know about this tool and how it processes and shares data. Automated data mapping software ensures that no stone is left unturned.
Use your data map to become GDPR compliant with Privasee
When it comes to choosing an automated GDPR data mapping software, you need to look into three main criteria:
- Is the automated data mapping tool capable of scanning and determining all your personal data assets and creating the necessary policies based on its review?
- Does the automated data mapping tool update constantly?
- Does the automated data mapping software identify all your vendors accurately?
With Privasee’s automated GDPR data mapping tool, you can streamline your GDPR compliance efforts and have an easy-to-use data mapping tool.
Let’s now look at how Privasee’s automated data mapping tool helps you carry out GDPR-compliant data mapping:
- Scanning your domain (including website and web app), identifying your vendors and mapping data flows: Privasee’s data mapping software determines all your vendors and identifies active cookies on your website. The Privasee portal takes your personal data map and creates policies and cookie banners from this information.
To summarise what we covered in this post:
- A Data Map refers to a process that allows you to identify personal data you hold, where you store personal data, how you process it, and who you share this data with.
- While you can do data mapping manually, automated GDPR data mapping software tools are highly recommended because they ensure accuracy, streamline your GDPR compliance efforts and help your sales team save up to 27% of their selling time by ensuring the accuracy of data.
Interested to learn more about how Privasee helps you implement GDPR-compliant data mapping?
Try our free GDPR audit and see for yourself!
How frequently should a data map be updated?
You must keep your data map up to date. We recommend that you check it quarterly or twice a year, and always when something changes in your business, for example when you adopt a new tool or vendor or use data for a new purpose.
How is a data map different from a ROPA?
A data map and a Records of Processing Activities (ROPA) document are different both in nature and in content.
While a data map refers to an IT process where you identify the personal data you hold, where you store it, how you process it and who you share it with, a ROPA is a legal document required by the GDPR. Put simply, data mapping is a must for you to create a ROPA, and your ROPA is like an exported version of your data mapping exercise.
In addition to the details described in your data mapping exercise, your ROPA will also include additional information about your use of personal data as required by the GDPR. For example, your ROPA must explain what legal basis you rely on to collect personal data by using a third-party tool like Google Analytics.
However, the data mapping exercise is critical to creating a ROPA document that complies with the GDPR.