The Information Commissioner’s Office (ICO) has a staged approach to an effective data protection impact assessment, which is a legal requirement of the GDPR for certain types of processing. The second stage in this process states that organisations should “describe the information flows” throughout the company in order to properly assess the privacy risks.
What is personal data?
The GDPR’s definition of personal data is much broader than under the DPA. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that:
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This means personal data now includes:
- minutes of a meeting,
- CVs received from job applicants,
- HR data and payroll,
- customer database,
- IP addresses,
- mobile device IDs,
- supplier contacts… and the list goes on.
What is a data flow map?
A data flow map shows the flow of your organisation’s data and information from one location to another, for example, from suppliers and sub-suppliers through to customers. When mapping data flows, the interaction points between all parties should be identified.
By mapping the flow of data, you identify any unforeseen or unintended uses of it. A data flow map also helps you to consider the parties who will be using the information and the potential future uses of any data processed.
Data flow maps should identify key information, including the types of data items processed, how they are collected or transferred (e.g. via a form, online data entry or a phone call) and who is accountable for the personal data.
Where to start?
Creating a data flow map requires a meticulous eye and a lot of time. The three most important parts are:
- Identify all of your personal data
Personal data means any information that identifies or could be used to identify a natural person. This can include name, email address, identification number and location data. Personal data can be stored in a number of formats, including paper, digital or audio. Your first challenge is likely to be identifying what information is stored in which formats.
- Identify technical and organisational safety measures
Your second challenge is identifying the types of technology and organisational procedures that protect personal data. Part of this challenge is determining who has access to this information. This is where Hero IT Support come in. With products from secure encrypted backups to military-grade file sharing and cyber security training/awards to help you to show your organisation’s commitment to GDPR, we can help you with the technical side of GDPR compliance. Let’s have a chat today.
- Understand legal and regulatory requirements
Your final challenge is determining your organisation’s legal and regulatory obligations.
If you’re unsure of any of the above, it’s probably time to consider hiring a Data Protection Officer.
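The three challenges above (identify the personal data, identify the safeguards and who has access, know your obligations) come together in the data flow map itself. As an added illustration that is not part of the original article and not a Hero IT Support tool, the following Python script records each flow with the fields the article says a map should capture (data items, how they are collected or transferred, source, destination, accountable person, safeguards) and then lists the gaps a DPIA reviewer would raise. The PERSONAL_IDENTIFIERS set and the SAMPLE_FLOWS entries are constructed for the example; a real inventory would use the organisation’s own taxonomy and flows.

```python
"""Minimal personal-data flow inventory with a DPIA-style gap check.

Constructed example: every flow and identifier below is made up for
illustration and does not describe a real organisation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Identifier types that make a record "personal data" (GDPR Art. 4(1)).
# Assumed taxonomy for this example, based on the article's own list.
PERSONAL_IDENTIFIERS = {
    "name", "email", "id_number", "location", "ip_address", "device_id",
    "payroll", "cv",
}


@dataclass
class DataFlow:
    label: str                       # short description of the flow
    identifiers: Set[str]            # identifier types present in the records
    collected_via: str               # form, online entry, phone call, API, ...
    source: str                      # where the data comes from
    destination: str                 # where it goes
    third_party: bool                # destination is outside the organisation
    accountable: Optional[str]       # named owner, or None if nobody is recorded
    safeguards: List[str] = field(default_factory=list)  # technical/organisational measures
    purpose: str = ""                # documented reason for the processing


def is_personal_data(flow: DataFlow) -> bool:
    """A flow carries personal data if any known identifier type is present."""
    return bool(flow.identifiers & PERSONAL_IDENTIFIERS)


def review_flow(flow: DataFlow) -> List[str]:
    """Return the gaps a reviewer would raise for one flow (empty list = none)."""
    findings: List[str] = []
    if not is_personal_data(flow):
        return findings  # non-personal flows carry no data-protection findings
    if flow.accountable is None:
        findings.append("no accountable owner recorded")
    if not flow.safeguards:
        findings.append("no technical or organisational safeguard recorded")
    if not flow.purpose:
        findings.append("no documented purpose for the processing")
    if flow.third_party:
        findings.append(
            f"personal data leaves the organisation to {flow.destination}; "
            "check the processor contract and transfer terms"
        )
    return findings


def review_map(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Gap report for the whole map, keyed by flow label.

    Only flows with at least one finding appear in the result.
    """
    report: Dict[str, List[str]] = {}
    for flow in flows:
        findings = review_flow(flow)
        if findings:
            report[flow.label] = findings
    return report


# Constructed sample map: four flows a small business might record.
SAMPLE_FLOWS = [
    DataFlow("applicant CV via careers form", {"name", "email", "cv"},
             "online form", "job applicant", "HR system", False,
             "HR manager", ["role-based access", "encrypted at rest"],
             "recruitment"),
    DataFlow("payroll export to provider", {"name", "id_number", "payroll"},
             "monthly CSV upload", "HR system", "external payroll provider",
             True, "finance director", ["SFTP transfer"], "payroll"),
    DataFlow("visitor IP to analytics", {"ip_address"},
             "web server log", "website", "analytics vendor", True,
             None, [], ""),
    DataFlow("public product catalogue", set(),
             "website download", "marketing", "customers", True,
             None, [], "marketing"),
]

if __name__ == "__main__":
    for label, findings in review_map(SAMPLE_FLOWS).items():
        print(label)
        for finding in findings:
            print("  -", finding)
```

Running the script prints only the two flows that need attention: the payroll export (personal data going to an external processor) and the analytics flow (no owner, no safeguard, no purpose, and a third-party destination). The catalogue download carries no personal data and is silently passed, which is the point of separating the "is it personal data?" question from the "is it adequately protected?" question.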
How to create a data flow map?
Compliance is a big issue and we would recommend using a third party data mapping tool to understand how personal data is collected and processed, and to help you systematically identify all the stages in a personal data flow that have data protection implications. This will allow you to more quickly determine the appropriate administrative and technical controls necessary to comply with the GDPR.
Hero IT Support are currently testing several such products. Recommendations on the most suitable, intuitive and user-friendly options will be posted here.
We take GDPR seriously
Ragnar is the Director of Hero IT Support and has been for over 10 years, after graduating from the University of Sussex with a BSc in Computer Science and Artificial Intelligence. Ragnar originally set up the company as Fitsystems Ltd and rebranded it to Hero IT Support in September 2017. To see why he rebranded the company, click here.
Over the years, Ragnar has developed an expertise in software development, data security and encryption. He is also an active public speaker and business technology partner alongside being a GDPR practitioner, which helps our existing customers feel safe and compliant when it comes to data and IT.
Ragnar’s mission for Hero IT Support is to continuously improve and optimise businesses with the latest and leading technology. He aims for us to become technology partners to every customer. His passion for technology means reducing downtime and saving money for our customers is a priority. To find out more about who we are and what we do, read about us.