Some organisations may already have elements of this in place through compliance with the "old" 1998 Regulations. It essentially involves a data audit identifying every data processing activity carried out within your organisation, together with an analysis of why, where, how and for how long the data is stored or processed. It is equally important to understand how the data is disposed of at the end of that period and which third parties, if any, it is shared with.
Engagement by key members of the organisation is necessary to ensure comprehensive data mapping of all activities. Functions such as human resources, records and information management, IT, finance, marketing, governance and legal should all be involved and a working group assigned to complete this task.
It is useful, and in some cases mandatory, to appoint a Data Protection Officer, or DPO. Having a designated person who is responsible for co-ordinating the data mapping process and analysing its findings enables an organisation to identify the areas where the risk of non-compliance is greatest and helps maintain momentum generally.
Once the mapping process is complete, the data must be categorised as either personal data or special categories of data. This matters because the category determines how the data may be processed and which criteria must be met for the processing to be lawful.
Personal data is any information relating to an identified or identifiable individual, such as their name, location, email address or bank details, but it can also include opinions and informal comments made about that person. Special categories of data include information revealing race or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, as well as health data, genetic data, biometric data used to identify a person, and data concerning sex life or sexual orientation. As you might expect, the legal obligations and penalties are weighted more heavily where special categories of data are being processed, so it is important to get this classification right.
Data mapping will also enable you to assess whether the organisation is a data controller or a data processor in respect of each activity. An organisation may be both a controller and a processor, in which case it must adhere to the obligations attached to each role.
If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.
Data Mapping Checklist
- What data processing activities do you have?
- Are there different types of personal data and/or data subjects involved? If so, specify.
- How is the data obtained and where is it stored?
- Is the data personal data or special categories of data?
- How long is the data stored for and how do you dispose of it?
- For what purpose is the data processed?
- Do you share the data with any third parties?
- Do you determine the means and purpose of processing the data?
- Are you the data controller or processor or both?
- Have you made a record of your data mapping?