In this ‘Practical Privacy Series’ our aim is to give the benefit of our experience to those of you who may be building a privacy compliance programme for the first time. You may only have a limited understanding of data protection and privacy. Perhaps this is not your main job. Or perhaps you are relatively new to creating and maintaining data protection compliance programmes. It may be that you know the law, but you’ve never put it into practice before.
We appreciate that in these circumstances certain jobs may appear daunting. Or you may want the confidence to know that you are on the right track, or that there are certain things that everyone finds tricky. Hopefully, we can help and give you the confidence to get this right.
Talk about your data flows
We are going to say this once more. This is not a job for IT. This is a job for all your functions. Don’t let anyone tell you that your organisation is so simple that IT will be able to take care of it. Or perhaps that your organisation is so complicated or innovative that IT better take this one on. Rubbish. This is misunderstanding the purpose of mapping data flows. We need to catch all the data flows and we need to illustrate those data flows in a way that everyone understands.
Get representatives of all the functions in a room. Ideally, they have been in the business some time, so they understand where everything is kept (and perhaps where it used to be kept). They should cover all your offices/locations. At The Privacy Compliance Hub, we call these people ‘Privacy Champions’. Let’s not be afraid to get messy. We are going to use white boards and flip charts. We are going to talk a lot. And we are going to take our time.
Keep it high level at first
Get a representative of each function to talk about how they use personal data in their function. How they use personal data. Why they use personal data. How much personal data they have. What media they keep the personal data on (e.g. applications, devices). How they move it around (e.g. email, file transfer). Who is responsible for it. Who else outside the organisation touches it.
Now ask the person to go deeper. Ask them to list each category of personal data (e.g. name, email address, IP address etc.), where they get it from (e.g. website forms), how they use it (e.g. for creating a newsletter marketing list), what applications they use it with (e.g. Mailchimp, Gmail) and where it is stored (e.g. Google Drive). Write it up on a whiteboard or flipchart. Everyone needs to be able to see it for the next part.
Now talk. Give feedback. Ask questions. Is there anything that you don’t understand? Is there anything that you think has been missed? Is there anything that doesn’t appear to make sense? Give that feedback. Capture the feedback. Get your marker pens out!
Now it is the next person’s turn. When everyone has had their turn, agree a list of different data flows (e.g. online advertising data flow, customer sign-up data flow, invoicing data flow, recruitment data flow, product data flow etc.), agree a responsible person for each data flow and ask them to draw it up in anticipation of another meeting.
Draw your data flows (or map your data flows if you prefer!)
Don’t worry about what these look like. Scribbling them on a sheet of paper or in a notepad works great. You need to be able to cross things out, add bits and start again. Our first data flow for our business looked like this.
It isn’t quite right and we did need to change it, but the process enabled us to move onto the next stage.
Talk about your data flows some more
Take your scribbled data flows back to another meeting of your functions. Go through the process again. Each person talks about their data flows. People ask questions, they give feedback and someone makes notes to make sure that nothing is missed.
On a detailed level, this process is enabling you to map your data flows. It enables you to do other things in your data protection compliance programme such as create your Article 30 Record, create your Record of Vendors and Partners, or draft your privacy notices. On a higher level it is getting the people in your organisation to understand personal information. It is persuading them to care. And it is getting them all (not just IT!) involved in doing a compliance programme properly.
Agree your data flows
You are now in a position for your team to agree your data flows. They may still look a little messy at this stage, but all the personal data is captured, you know where it is stored, what it is used for and who it is shared with.