NOTE
Compliance of any kind is a continuous journey that must be carefully planned and adhered to religiously. Privacy is a non-negotiable right that EVERYONE is entitled to. Data Privacy compliance can be achieved by the right tone at the top. The tone at the top is the overall attitude and culture lived and breathed by the executive and senior management – setting the right example to the rest of the organisation. When done well, it is a relatively inexpensive “soft control” and tends to be invisible. When done badly, it gets noticed and can be detrimental to your business.
Data is the fuel for modern companies and will only continue to be more essential for the continuous growth and existence of the company. Just as in finance, the company balance sheet must provide a high-level accounting of every cedi/dollar in the business, data mapping does the same thing for every piece of personal data in every company process, document, third party system, or database.
More than ever, consumers, regulatory authorities, and laws demand that companies account for all the ways they handle consumers’ data. Companies–both small, medium, and large – are increasingly using third-party tools to process data about consumers’ finances, purchases, healthcare, activities, and more. For companies to account for all these data flows, they must create a record of the data processing happening in-house, between them and the other organisations, and in any third-party apps or systems they use.
In our modern world of data privacy, where more and more data privacy laws are emerging across the globe, it is demanding that companies comply with these privacy laws to protect the consumer from all forms of privacy harm and its attendant unintended consequences.
Data mapping is an essential piece of your compliance with these privacy laws and a demonstration to your users that you respect their data. Data mapping is the process of inventorying personal data in your business processing systems. An up-to-date data map is vital for compliance with modern data privacy regulations–like the Data Protection Act 2012 (Ghana), GDPR in the EU, CCPA in the US, POPI Act of South Africa, etc.
Data maps are the lynchpins of modern privacy
Data mapping is a vital component of most privacy laws across the globe. It is the critical foundational step for the fulfilment of most, if not all other legal requirements of most privacy laws such as maintaining records of data processing activities (ROPA), responding to data subjects’ requests (DSAR), or conducting data protection impact assessments (DPIA).
Data maps ensure that the company understands how data is collected and moves, or flows, through the entire organization. Organizations need to understand what data they are collecting, how they are using it, and who they are sharing it with to enhance their data privacy protections, disclosures, and regulatory compliance. Data mapping is an important early step in the organization’s compliance journey as well as an important audit function.
WHAT IS CONTAINED IN A DATA MAP?
A comprehensive data flow map for privacy compliance shows all the data coming into the organization. It shows the clear flow of the data within the organization (internally) and out of the organization (externally).
Where is Data Collected?
Every organization needs to identify the source(s) of personal data coming into the organization. Either the organization is taking the data directly from the individual via electronic or paper-based forms or from external data sources to compile additional information about their users. Businesses need to understand what information they are getting from which sources and their obligations concerning the data collection under the privacy law or regulation.
What Data is Collected?
It is important for organizations to have a complete grasp of all the personal data that they possess or hold about individuals. This personal data can range from data about customers to website visitors to employees. Most data privacy laws consider personal data as any information relating to an identified or identifiable natural person.
Where is the data stored and in what format?
For any organization to have a proper understanding of its data privacy practices, it needs to know where all data in its possession is located and in what format it is held. In our modern times, most organizations are storing information electronically. However, many others continue to have paper-based records, or employees (data recipients) may print documents containing personal data in the conduct of their official duties.
Where does the data go?
Organizations need to know where their data is going, both internally and externally, to third parties. It is also important to pay attention to whether data is crossing borders when it is being received by the organisation when it is involved in a transfer to/from a processor or even when it is being moved for internal, due to the special implications of personal data being transferred across the boundaries of their respective jurisdictions to other countries.
What is the data used for?
Organizations need to know about their processing activities both to provide accurate disclosures to consumers and to fulfil privacy law and regulatory documentation requirements. Organizations also need to show privacy by design and data minimization. Data maps can help organizations gather this information.
How long is the data retained?
Data retention is another important area of privacy by design and data minimization. Although most data mapping is focused on its collection and sharing, a comprehensive look may include when data is being deleted by an organization as well.
BENEFITS OF DATA MAPPING
Data Mapping is a resource-intensive organizational exercise – especially when done manually. However, the juice is worth the squeeze, and it helps the organization in the following ways:
Record of Processing Activities (ROPA)
Data mapping helps organizations comply with privacy laws by collecting and maintaining a list of data processing activities across the entire business and its operational activities.
Data Protection Impact Assessment (DPIA)
For conducting efficient DPIAs, organizations must be able to document what types of data they are collecting, when and how that data is being collected and used, where the data is being stored, and how data flows through various systems and vendors. All of these are achieved via data mapping.
Breach Management
Data mapping helps organizations swiftly identify impacted data subjects and compromised data in any security or privacy incident. It also enables organizations to assess the risks to the rights and freedoms of data subjects arising from a security breach, helping organizations report only the personal data breaches that meet a required risk threshold of the stakeholders.
Consent Management
Data mapping helps organizations identify which processing activities rely on consent as a legal basis, highlight where consent capture mechanisms may be needed, and facilitate consent revocation.
Data Subjects’ Right Fulfilment
Data mapping helps organizations identify where the data subject’s data resides and facilitates data subject requests. It enables organizations to respond to a data subject’s request within the stipulated deadline, as may be stipulated by laws or regulations.
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact author ekgadasu@gmail.com or Mobile: +233-243913077
