Your Data Flow Map will be entirely unique to your organisation, so it is hard to give a foolproof method for producing it. That being said, there are some key things you need to think about along the way, and we’ll look at those now.
You can read our blog about How Data Flow Mapping Can Get You Compliant with GDPR here.
The key elements of Data Flow Mapping
The key elements you will be looking for are what the data is, what format it is kept in, how it is transferred and where it is stored.
- For data, think: name, email, address, health data, criminal records, location data, bank details etc.
- For format, think: paper copies, USB drives, databases.
- For transfers, think: post, telephone, email, social media, internal, file share services such as Dropbox etc.
- For locations, think: on site (in the office), in the cloud, or with a third party.
Getting the most out of Data Flow Mapping
Now you know what it is you’re looking for, and how to assess it, how do you go about finding these things out? We have listed some questions below, along with some techniques and methods you can apply to help get the most out of it.
Asking yourself the following will help get you moving:
- How is Personally Identifiable Information (PII) collected? By phone, email, online forms, paper forms etc.
- Who is responsible for collecting it?
- Where and how is that data stored?
- Who has access to where the data is stored? (Hint: if it is paper copies stored on site, think about who has keys or even just access to that room)
- Is the information shared with anyone? Partners or third parties for example.
- Do any of the systems that the information is stored on transfer it to any other systems? If so, you’ll need to make sure these are included in your map as well.
There are a few different ways and settings in which to ask these questions as well. Our favourite, and probably the most productive, is workshops. Setting aside some time to sit down and focus on this means you can achieve quite a lot. The key thing to think about here is involving the right people, i.e. people who have access to the data and an understanding of at least part of its journey through the organisation.
There are other techniques you can think about. Start by inspecting existing documents and plotting where they sit on the map. Try sending questionnaires to your staff to see how their daily tasks interact with the data, and consider observing work in the office, or wherever you’re based, to see how the path of data is affected and interacted with day-to-day.
Data Flow Mapping should be seen as one of the earlier stages of becoming compliant with GDPR. After all, how do you know what needs to change if you’re not sure what the current situation is? It may seem obvious to say it, but this process will highlight any strengths and weaknesses and the short and long-term actions you may need to take to address them.
GDPR is coming, and will impact every organisation. With less than a year to go, it’s important that people get a handle on their data, or risk the ICO’s wrath. If you’d like to know more about how Data Flow Mapping can help you become GDPR compliant, talk to us today.