How to map your data flows

“Data flows”. Sounds like a job for someone in IT right? Wrong! Creating accurate maps of your data flows is an essential building block of any data protection compliance programme. Don’t get this bit wrong. If you do, everything else will be wrong as well. Time spent on getting this right will save you time over and over again as you build out your programme. Let us give you some pointers.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

April 2020

In this ‘Practical Privacy Series’ our aim is to give the benefit of our experience to those of you who may be building a privacy compliance programme for the first time.  You may only have a limited understanding of data protection and privacy. Perhaps this is not your main job. Or perhaps you are relatively new to creating and maintaining data protection compliance programmes.  It may be that you know the law, but you’ve never put it into practise before.

We appreciate that in these circumstances certain jobs may appear daunting.  Or you may want the confidence to know that you are on the right track, or that there are certain things that everyone finds tricky.  Hopefully, we can help and give you the confidence to get this right.

Talk about your data flows

We are going to say this once more.  This is not a job for IT. This is a job for all your functions.  Don’t let anyone tell you that your organisation is so simple that IT will be able to take care of it.  Or perhaps that your organisation is so complicated or innovative that IT better take this one on. Rubbish.  This is misunderstanding the purpose of mapping data flows. We need to catch all the data flows and we need to illustrate those data flows in a way that everyone understands.

Get representatives of all the functions in a room.  Ideally, they have been in the business some time, so they understand where everything is kept (and perhaps where it used to be kept).  They should cover all your offices/locations. At The Privacy Compliance Hub, we call these people ‘Privacy Champions’.  Let’s not be afraid to get messy.  We are going to use white boards and flip charts.  We are going to talk a lot. And we are going to take our time.

Keep it high level at first

Get a representative of each function to talk about how they use personal data in their function.  How they use personal data. Why they use personal data. How much personal data they have. What media they keep the personal data on (eg.  applications, devices). How they move it around (eg. email, file transfer). Who is responsible for it. Who else outside the organisation touches it.

Now ask the person to go deeper.  Ask them to list each category of personal data (eg. name, email address, IP address etc.), where they get it from (eg. website forms), how they use it (eg. for creating a newsletter marketing list), what applications they use it with (eg. Mailchimp, Gmail) and where it is stored (eg. Google Drive).  Write it up on a whiteboard or flipchart. Everyone needs to be able to see it for the next part.

Now talk.  Give feedback.  Ask questions. Is there anything that you don’t understand?  Is there anything that you think has been missed? Is there anything that doesn’t appear to make sense.  Give that feedback. Capture the feedback. Get your marker pens out!

Now it is the next person’s turn.  When everyone has had their turn, agree a list of different data flows (eg. online advertising data flow, customer sign up data flow, invoicing data flow, recruitment data flow, product data flow etc), agree a responsible person for each data flow and ask them to draw it up in anticipation of another meeting.

Draw your data flows (or map your data flows if you prefer!)

Don’t worry about what these look like.  Scribbling them on a sheet of paper or in a notepad works great.  You need to be able to cross things out, add bits and start again.  Our first data flow for our business looked like this.

It isn’t quite right and we did need to change it, but the process enabled us to move onto the next stage.

Talk about your data flows some more

Take your scribbled data flows back to another meeting of your functions.  Go through the process again. Each person talks about their data flows. People ask questions, they give feedback and someone makes notes to make sure that nothing is missed.

On a detailed level, this process is enabling you to map your data flows.  It enables you to do other things in your data protection compliance programme such as create your Article 30 Record, create your Record of Vendors and Partners, or draft your privacy notices.  On a higher level it is getting the people in your organisation to understand personal information.  It is persuading them to care.  And it is getting them all (not just IT!) involved in doing a compliance programme properly.

Agree your data flows

You are now in a position for your team to agree your data flows.  They may still look a little messy at this stage, but all the personal data is captured, you know where it is stored, what it is used for and who it is shared with.

Here Tom from Peak Labs, who make the number one brain training app on the market, Peak Brain Training, explains how The Privacy Compliance Hub helps his organisation establish and maintain a culture of continuous compliance.

Watch video

Make your data flows pretty

Ours look like this.  We used Google Slides.  We know that there are probably better, more specialist infographic packages out there.  We know that Photoshop could do this just great, but not everyone knows how to use these packages and we knew how to use Google Slides!

It is a good idea for all the data flows to adopt the same format.  At this stage you may want to get one person to draw up all these ‘pretty’ data flows.  There is usually someone in an organisation who is good at this sort of stuff and enjoys making everything look ‘just so’.

Record your data flows

Make sure that you keep your data flows somewhere safe.  If you are a customer of The Privacy Compliance Hub (or a ‘Hubber’ as we call them), you will put the data flows in your Hub which is one place where you can demonstrate all your data protection compliance.  It is also the one place where anyone in your organisation with the necessary access can check on the current status of your data protection compliance as well as search for up to date information and templates.

Revisit your data flows

You need to keep your data flows up to date.  As you develop new products and processes and take on different suppliers your data flows will change.  You need a process in place to enable you to capture these changes, record them in revised data flows and then amend your records and notices as necessary.  At The Privacy Compliance Hub, our Route Map easily guides you through this process so that nothing is forgotten.

The Privacy Compliance Hub, its screens, its features and how it helps organisations to establish and maintain a culture of continuous privacy compliance.

Watch video

A culture of continuous privacy compliance

At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to build that culture and comply with privacy rules including the GDPR and the CCPA.

More to watch and read