How Data Mapping Supports Privacy Compliance
In the last article, we considered the potential impact of the Data Protection Act on businesses in Kenya. This week, we consider how creating data maps can contribute to the overall success of your data privacy compliance program.
What is Data Mapping?
The whole point of the Data Protection Act is to protect an individual’s personal data from unlawful or unauthorised processing. It follows, therefore, that organisations handling personal data must demonstrate data privacy compliance. How do they do that? By developing a privacy compliance program. While this sounds obvious, building a privacy compliance program is an arduous and often daunting task. Any compliance officer will tell you that the hardest bit is getting started.
Global privacy experts have determined that the best way to start a compliance program is by data mapping. Data mapping is an in-depth assessment of all the personal data within an organisation. Its main purpose is to give an organisation insight into the types of personal data it holds and the conditions under which the data is held. In addition, the map helps you to see risks or gaps in the way you currently handle the data.
Elements of a Data Map
Depending on the size and nature of your organisation, you can develop a data map either through a manual process or by automated systems. Manual mapping involves the development of questionnaires, surveys, and interviews with key personal data handlers or stakeholders within the organisation. On the other hand, automated mapping involves the use of specialised data mapping systems or software. Whatever means is chosen, the output is generally the same: a holistic process flow revealing how data moves within the organisation.
The typical elements of a data map fall into the following broad categories:
- data entry points, that is, how data enters an organisation, e.g. by email, phone, physical or online forms, directly from the website.
- categories of individuals whose data is processed e.g. customers, employees, suppliers.
- the types of personal data collected e.g. personal data and sensitive personal data.
- uses of the data.
- data processing reasons – what legal basis do you have for processing the data?
- sharing of data – who has access to the data both internally and externally?
- data storage area and the storage conditions – where do you keep the data? In what formats? What are the security protocols in place?
- length of storage – how long do you keep data?
- transfers to other countries – does the data move from Kenya?
Benefits of Data Mapping
- Aerial Perspective: Before you can comply with your data protection obligations, you must understand your full personal data portfolio. A data map helps to paint a complete picture of how information flows within an organisation from the point of collection to exit (where applicable).
- Privacy Risks Assessment: A data map reveals any potential gaps or privacy risks associated with your organisation’s data flows. It gives you an opportunity to pick up on the risks and define appropriate measures to address or minimise risks.
- Development of Policies and Processes: The information you get through data mapping helps you to customise privacy policies that are aligned with your current operating model.
- Identification of the Legal Bases of Processing: One of the key principles of data protection is that a data controller or processor must have a lawful basis for processing data. A data map helps you to identify legal bases for all processing across all data sets.
How Data Mapping Supports Compliance
Conducting Data Protection Impact Assessments (“DPIA”): If a processing activity is likely to result in high risks to the rights and freedoms of a data subject, the data controller or processor must conduct a DPIA before implementing it. Generally, this requires the development of data maps and risk assessment for the envisaged project or processes. Developing data maps at the start of your compliance journey simplifies the DPIA process.
Implementation of Privacy by Design and by Default: Apart from DPIAs, the law mandates data controllers and processors to adopt a privacy by design and by default approach to data protection. In other words, you must, from the very beginning, build privacy into every process or system that handles personal data. Data mapping gives you an opportunity to embed privacy in each data processing activity.
Responding to Data Subject Requests: The owners of personal data, data subjects, have various rights over any data that is in the hands of a data controller or processor. For example, they have the right to access any data that is in your control. This means that they can approach you at any time and ask you to give them a copy of the information that you hold. Without a structured or organised record of data, it can be relatively difficult to respond to such data requests.
Responding to personal data breaches: Reporting data breaches is yet another key requirement of the Data Protection Act. Data controllers have to report data breaches within 72 hours of learning of the breach. On the other hand, data processors must report within 48 hours of learning of the breach. All data breach reports must include detailed descriptions of the incidents leading to the breach. Evidently, pulling a report together without a centralised record would be difficult to achieve.
Data mapping sets data privacy compliance programs in motion. Apart from providing the full picture of how data flows within the organisation, it also helps you to identify risks and develop appropriate mitigation measures. In addition, it gives you an opportunity to build on other compliance areas such as policy and process development and breach reporting. Finally, it gives you a chance to embed privacy by design and by default into your operations.
Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.