Enforced since 25 May 2018, the GDPR is raising many questions about data privacy for organizations within the scope of the regulation. Reaching compliance is necessary to enable your organization to provide strong guarantees about the way it processes the personal data of its clients and employees.
To be clear, the objectives of the regulation can be summarized as follows:
- Transparency and fairness towards data subjects
- Accurate management of clients' and employees' personal data
- Being able to respond to data subjects exercising their rights
Amongst all the requirements to implement in order to demonstrate compliance (e.g. a data processing registry, a data breach incident response process, management of data subjects' access rights, etc.), one exercise stands out as a key tool when approaching the question: where are the personal data we handle? This step is called data mapping, and it is the focus of this article. We then consider how an organization can approach it from a pragmatic perspective.
It is important to keep in mind the following points when dealing with data flow mapping:
- This task is not required for every processing activity, nor is it explicitly described in the regulation
- It will enable your organization to build solid knowledge of its assets and thus gain better control over its data flows
- Data flow mapping is among IT security best practices. It will help you discover flaws that could lead to a data breach.