page-banner

Practice Areas

Data Mapping

EM Law are experts in data mapping. Our lead data protection lawyer is Neil Williamson who has extensive experience in advising clients on a wide range of data protection matters.

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new requirements for organisations to deal with.

One of the new core requirements of the GDPR is to know and to document the personal data that an organisation uses, what it is used for, where it is stored, where it flows from and to, and how it is protected. This is summarised in Article 30 of the GDPR, which requires organisations to establish and maintain records of processing activities. Controllers must document all the applicable information under Article 30(1) and processors must document all the applicable information under Article 30(2). Records of processing activities must also be made available on demand to applicable data protection authorities (in the UK, the Information Commissioner’s Office).

What is data mapping?

Data mapping is an important technique used to help organisations clarify what personal data it holds and where it holds it. Conducting a data mapping exercise should be the first step towards making an organisation GDPR compliant.

Why do I need a data map?

A record of processing is a critical document for any organisation that processes personal data in the EU. Creating a data map will help organisations establish and maintain these written records of processing to the standard required by Article 30. Once the data map is complete, an organisation will not only know where all their data is held but will be able to use it to support several other GDPR obligations such as completing Data Privacy Impact Assessments and various privacy notices. A data mapping exercise will also help organisations spot any high-risk processes, making GDPR compliance much easier in the long-run.

How do I create a data map?

Commonly, a data mapping exercise will begin with a questionnaire. The type and number of questions asked will depend upon the size of the organisation and the nature of the service they provide. Common questions to ask include:
• What kind of data is being processed; e.g. name, email, address and telephone number?
• How is this data stored; on a database, in hardcopy?
• Why does the organisation need this data and what is it used for?
• Who has access to the data in question?
• What is the legal basis for processing; e.g. consent, legitimate interests?

When documenting the findings, the records you keep must be in writing. The information must also be stored in a granular and meaningful way and it is often beneficial to create a visual map.

The whole data mapping exercise can be a time consuming and complicated process. If you are looking for assistance with data mapping or want advice on GDPR more generally contact Neil Williamson.

EM Law Neil Williamson

Make An Enquiry

Reviews

Make An Enquiry Now

Please call us now on 0203 637 6374 or Make An Online Enquiry and we will soon be in touch with you

Close

Make An Enquiry

Can We Help You?

We are here to help with any of your questions.
Just click "Yes" below.

Yes
No
+

Please enter your question below

Send Your Question

Please enter your name and email address so than we can send you a response

Thank You!

Technical issue

Thank you for sending us your question. We will contact you shortly to discuss this.

Sorry, there is a technical issue. Please contact us by telephone: 0203 637 6374

Close