How to track down your personal data (Data Mapping)

GDPR Personal Data Inventory - Data Mapping

One of the early stages in preparing for the General Data Protection Regulation (GDPR) is identifying the Personal Data you process; this blog provides a framework for building a Personal Data Inventory. An inventory is not a requirement of the GDPR, but it is a good way to build up a picture of the personal data being collected and processed. Once the inventory is in place, it can be explored to see where there are gaps in meeting the GDPR Principles and in responding to individuals exercising their rights. The first two definitions in Article 4 tell us:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

You need to find where any data that could be ‘personal’ is collected, stored and used. For most organisations that could be a LOT of data. So how do you start this task? Split it into phases. The first phase is to create a Personal Data Inventory. The second, which is not covered in this blog, goes into more detail to define the types of data held and how it is shared and protected. It also confirms the legal basis for processing and how you can support individuals exercising their rights, e.g. by submitting Subject Access Requests. The deliverable of the second phase is the records of processing activities, which have to be created and maintained because they need to be made “available to the supervisory authority on request” (Article 30(4)).

Personal Data Inventory

The inventory should be based on business functions, e.g. recruit staff or direct marketing. The ideal way to approach this is to interview key members of staff. They don’t have to be Directors or Senior management, but don’t ignore them! They need to be the people who know how the organisation actually works and where the ‘personal data skeletons’ could be hidden. You may be asking “why don’t we just run tools against the network to find out where personal data is kept?” The reason is that personal data exists outside a network: on paper, on disconnected USB drives, in cloud services or on PCs with legacy systems that are not connected to the network. If you have tools that can search for personal data, or examine user activity to find out which files or systems users create or access, use them. However, you cannot rely on them to locate everything, and they are unlikely to link personal data to a business function.

A way to validate what has been done is to look at locations and types of data and check that nothing has been missed, for example:

In-house/on-premise – paper, electronic, backup device
External/with a person – paper, electronic, backup device
Cloud/with a supplier – paper (e.g. if a third party scans your post), electronic
Offsite storage – paper, backup device

‘Electronic’ covers Servers, Desktops, Laptops, Tablets, Mobile phones, IoT devices, CCTV, Fingerprint readers, Iris scanners, Websites etc.

For the ‘recruit staff’ business function the results could be:

  • CV from job seeker – emailed, website ‘apply for job’ page, from job agency
  • Emails – CV sent to different internal people
  • Server – central folder for storing CVs
  • Paper – printed CVs
  • HR system – basic details + legacy HR system with job seeker details before 2016
  • Job Agency – contact details
  • Referees – contact details
  • DBS checks – details passed to checking agency
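The location and media check described above can be run mechanically once the inventory is in a structured form. The following is an added example, not part of the original post: the grid is taken from the location list above, while the row layout, the `validate` function and the location and medium assigned to each ‘recruit staff’ item are constructed assumptions.

```python
from collections import defaultdict

# Validation grid from the post: location -> media listed for that location.
GRID = {
    "in-house": {"paper", "electronic", "backup device"},
    "external": {"paper", "electronic", "backup device"},
    "cloud": {"paper", "electronic"},
    "offsite": {"paper", "backup device"},
}

# Constructed sample rows: (business function, item, location, medium).
# Items come from the 'recruit staff' list; location and medium are assumed.
INVENTORY = [
    ("recruit staff", "Emails with CVs", "In-house", "electronic"),
    ("recruit staff", "Central CV folder on server", "in-house", "electronic"),
    ("recruit staff", "Printed CVs", "in-house", "paper"),
    ("recruit staff", "HR system", "cloud", "electronic"),
    ("recruit staff", "Legacy HR system", "in-house", "electronic"),
    ("recruit staff", "DBS check details", "cloud", "electronic"),
]

def validate(inventory, grid=GRID):
    """Return (gaps, invalid): grid cells with no entry per business
    function, and rows whose location/medium is not in the grid."""
    seen = defaultdict(set)
    invalid = []
    for function, item, location, medium in inventory:
        cells = seen[function]  # register the function even if the row is invalid
        key = (location.strip().lower(), medium.strip().lower())
        if key[1] in grid.get(key[0], ()):
            cells.add(key)
        else:
            invalid.append((function, item, location, medium))
    all_cells = {(loc, m) for loc, media in grid.items() for m in media}
    # A gap is a prompt for a follow-up question, not proof of missing data.
    gaps = {f: sorted(all_cells - cells) for f, cells in seen.items()}
    return gaps, invalid

if __name__ == "__main__":
    gaps, invalid = validate(INVENTORY)
    for function, cells in gaps.items():
        print(f"{function}: confirm with interviewees that nothing is held in")
        for loc, medium in cells:
            print(f"  - {loc} / {medium}")
    for row in invalid:
        print("outside the grid, review manually:", row)
```

Each reported cell is a question to take back to the interviewees (for example, whether printed CVs ever go to offsite storage), and rows outside the grid are flagged for manual review rather than silently dropped.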

There is no fixed format for an Inventory. Building it is an iterative process that may require additional interviews or running of tools multiple times. The key factor is gathering details that can be put into a formal structure in the next phase.

The details can be in Word, Excel, a database or a dedicated tool. IAPP (the International Association of Privacy Professionals) maintains a Tech Vendor Report that has a list of tools.

Issues to look out for when building the inventory:

  • Finding the right people to interview – you may need to talk to more than one person in a business function to get the full picture. Using questionnaires is a good way to get initial feedback before deciding who to interview.
  • False positives from tools – they may identify data that isn’t personal, so manual checks are required to determine what needs to be included.
  • Finding the ‘Personal Data Skeletons’ – paper records that are locked away or under desks, archived systems that are offline but could be put online if someone wants to go back 5 years to check something. Try to interview people that really know how an organisation works. Tools generally skip over encrypted or protected files and systems; they should provide a list of what they have not examined so further checks can be made