We all know that the GDPR came into effect in May 2018. This legislation brought enhanced rights for you and me as data subjects, as well as increased responsibilities for businesses that process personal data.
This means that as a business, no matter how big or small, for profit or not-for-profit, you are responsible for ensuring that the personal data you hold is processed in a manner that is transparent, accountable, and secure.
At this stage, you would be expected to have an overall organisational data protection policy. You also need related procedures, for example for Data Subject Access Requests or breach notifications. But don’t worry if you don’t, because it’s never too late to start.
The first step in developing your system is a data map. A data map is exactly what it sounds like. It is a way to document the personal data in your organisation so that you understand it better. It clarifies what information you hold and where. A data map is a living document that you can update and review on an annual basis or as needed when your business changes. It can be paper or electronic.
This is a relatively straightforward process that you can do using a spreadsheet and a set of questions to follow. See these Resources to help in this process.
So what is the value of this process?
Well, firstly, it is the law. There is a legal obligation to document certain processing activities in Records of Processing Activities (RoPAs) unless you fall under one of the exceptions outlined in Article 30 GDPR.
Secondly, mapping out the data in this way will give you a better understanding of what is happening in your organisation. The personal data that you are processing should be advancing your strategic aims. If it’s not, then question why you need it.
Data maps help you identify whether there are ways that you can legally use the personal data that you already have but aren’t using yet. For example, you might find that you have consent to market through email and SMS but are only marketing through email. Or you may realise that you hold personal data that you don’t need, which is increasing your risk profile and which you can securely delete.
Your data map will help you to identify areas you are doing well in, as well as areas of risk that may need to be addressed.
And this is really why data mapping is so important. People understand the value of their personal data and expect organisations and businesses that hold and use it to do so in a way that is respectful, secure and in compliance with the law. There is no greater damage to your reputation than when a customer loses trust, and once it’s gone, it is hard to rebuild. Engaging in this process will enable you to demonstrate your good practice and build and maintain your reputation with customers.
See the Resources section for all the tools you need on your GDPR Compliance Journey.