If you’re here, you probably want to know more about GDPR data mapping. We’ve got you covered! 👀 In this short post, we look at what data mapping is and why it is so important for GDPR compliance.
The short answer: Yes. Data mapping is a key requirement under the GDPR (General Data Protection Regulation). Data mapping involves identifying and documenting the personal data that an organization collects, processes, stores, and shares, as well as the legal basis for doing so.
Data mapping is a method for keeping track and cataloging all the data you collect, use and store.👉 It details the types of data and its movements/transfers throughout your business and beyond (for example, data transfer between different departments, to third parties, processors, other countries etc.)
Similar to data mapping, data discovery is a process for putting various sources of data together, sorting the data, analyzing it and organizing it in an easy-to-understand and visual way, in order to get actionable insights. Read our article to learn more.
When data activities seem “simple”, it can be tempting to use a regular spreadsheet or make a quick note.
However, keeping track of everything (types of data, third parties etc.) can be really complex and this is why we suggest you choose a dedicated tool to build comprehensive and detailed data records (as required by law).
The GDPR (General Data Protection Regulation) requires that both data controllers and data processors keep and maintain “full and extensive” up-to-date records of the particular data processing activities they are carrying out.
In general, records should include:
Full and extensive records of processing are expressly required in cases where the data processing activities:
Of course, apart from meeting one crucial legal requirement of one of the most important privacy laws in the world (the GDPR), data mapping helps organizations to:
💡 Data mapping is also a useful tool for DPIAs (Data Protection Impact Assessments):
By conducting a DPIA, you can assess and minimize the risks associated with the processing of personal data. As stated in Article 35 of the GDPR, it is only mandatory when there is a high risk that users’ rights and freedoms could be violated.
👀 Learn more about DPIAs here.
Implementing all of the above can be tricky and quite technical.
iubenda’s Register of Data Processing Activities comes in very handy as it greatly simplifies the technical process of creating and maintaining your records of processing activities. Check it out!