World map on black background with lines between different countries showing the data flow and data mapping process

Data Mapping: How to Map Your Data for Better Privacy Management

Published at 04:42 on 19 Jun 2021

Data mapping is one of the most critical steps in any privacy program. Maintaining a record of the types of processing undertaken and the data involved may be a compliance obligation. But it is also often the starting point for the development of a comprehensive privacy management program. 

Data mapping shows the journey of an organisation’s data from collection to destruction or de-identification, with all the steps in between. Another important use of data mapping is as part of a privacy impact assessment. Being able to describe the data journey from collection to destruction/de-identification is key to identifying potential privacy issues during that journey.  

Even though it sounds simple, data mapping can be very complex. The process usually stretches across the whole organisation and will require interaction with different functions across the business. This blog post will clarify how to map your organisation’s data for privacy compliance.  

What is a data map? 

Undertaking a data mapping exercise provides organisations with a detailed picture of the data being collected and where it’s stored, who has access to it (including both internal and external parties) and how it might be being used.  The data mapping process also highlights unknown data stores and the importance of deleting personal information.  

While it is essential that you understand which categories of data you collect, you do not need to inventory individual data items for the purposes of this exercise.  Aggregating data into categories can assist with the process, particularly where certain sets of aggregated data items can be linked to particular processing systems such as personal contact details which are used for direct marketing purposes. 

For privacy compliance, your data inventory should also include details about why your organisation is collecting or using the information.   As most privacy practitioners know, there are limitations on the ways that different types of data may be used and also transparency requirements (where individuals need to be told about different data uses). 

This is one significant way in which a data inventory for privacy compliance varies from network maps or lists of IT assets or applications, which rarely contain detailed information about the purpose of collection or use. It’s also why it’s essential that privacy professionals are involved in the process of mapping your data inventory.  

Creating Data Flow Maps 

There are different techniques organisations can use to track down and map data flows. The following are steps that you should undertake as part of that process.  

Step 1: Identify where the data you collect comes from.  

At this point, you should identify each method used to collect personal information. Consider all sources such as contact form completions, newsletter signup pop-ups, social media scraping, online tracking (like Google Analytics), referral networks, and customer intake forms (physical and electronic).  

Don’t forget physical files, including printed versions of electronic documents. Or where information might be created by analytics or aggregation with other data sets. 

Step 2: Identify the categories of data you collect.  

For each collection point, you should identify which categories of personal data you collect, by references to the different data points. You should make the categories of data as granular as possible to comply with privacy laws in different jurisdictions. Examples of data categories might include customer sales information; employee contact information; newsletter subscribers; prospective customer information. 

Step 3: Catalogue where the data is stored.  

You should identify exactly where the data you collect is stored. Categorising storage as electronic or physical isn’t sufficient. Is the data stored in the cloud or on a physical server? Do employees have access to the personal information, and can they download it and store it locally on their devices? If so, can they print that data?  

For information about how poor storage practices can impact your business, read our overview of the Flight Centre data breach.  

Step 4: Catalogue where your data flows.  

Once you’ve identified the data you collect and where it’s stored, you should document where it goes during its lifecycle. Where and how is data used by your team and third-party vendors?  

What reporting might be done on different data? What analysis is carried out, by who and for what purpose? 

Does the data cross borders, whether as part of the sharing of data within your corporate group or as part of arrangements with service providers, partners or other third parties? If data does cross borders, how is it protected when it is?  

Step 5: Detail what the data is used for.  

Organisations should be moving away from collecting data for data’s sake. For any of the data you collect and store, you should document your purposes for collecting and storing that data. These purposes should align with your operations.  

Step 6: Document how long the data is retained.  

You should have strong processes in place to ensure that the data you collect and store is securely destroyed when you no longer need it. For each category of data, you should detail how long you retain the data and the processes and safeguards that ensure it is securely destroyed either when you no longer need it or when the data subject requests that you do so. 

An alternative to destruction is de-identification, where personal data is de-identified so that it is impossible to re-identify an individual from the de-identified data. De-identification is complex and challenging and needs to be approached with some caution if being used as a method to support the re-purposing and continued use of data.  De-identification will be covered in a separate blog post. 

Step 7: Develop detailed maps that document these data flows.  

With all the information to hand, you should develop a data flow map that demonstrates the data’s journey from collection to destruction. These maps should be visual, and electronic storage can make them easier to review and update – which you should do regularly.  

These data maps provide a data processing lens to the organisation’s operations, helping easy identification of where and why different types of data is used and the different parties involved in different processing activities. 

From these maps, you will be able to draw much of the information required for GDPR compliant processing registers or to support the development of a privacy management program or successful privacy risk mitigation activities.  

Need assistance mapping data flows in your organisation? 

Accurate data flow maps are an important tool for successful privacy impact assessments. They are at the heart of the development of a privacy management framework and essential for privacy compliance. They can also help you improve internal data handling practices and collect data with purpose.  

Privacy 108 has extensive experience in supporting organisations with data mapping activities. If your organisation would benefit from assistance in mapping your data flows, reach out. 

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.