EU: Implementation series part 3 - Data mapping
Modern data protection laws require more complex and novel procedures in order to ensure compliance. Part 2 of the implementation series looked at Privacy and security considerations for BYOD, whilst part 3 aims to provide companies with practical steps to tackle different privacy-related administrative issues, as Isabel Bairrão, Principal Associate at J&A Garrigues, S.L.P, discusses data mapping and how this can help organisations meet their obligations.
The nightmare
It was the year 1998 and I had just started working as a trainee in a law firm. We had no computers, only typewriters. Notwithstanding the foregoing, we implemented a modern physical filing system that allowed us to sort files by themes, departments, and subjects. I was finishing an inventory of the personal data we handled, purposes, retention periods, recipients, and countries (we used to send data to foreign clients by mail or fax) to fill the appropriate registrations before the data protection authority ('DPA'), in order to be compliant. It seemed an easy and adequate process for a trainee like me.
I fell asleep and started dreaming. In my dream, I was in charge of the same task, but now in 2021. A new regulation called the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') had just come into force and filing systems are not validated by the DPA anymore. It is the firm, as data controller, that has to ensure the lawfulness of the processing of personal data, and apparently, we even have an obligation to keep an inventory of all the data we process! Moreover, the obsolete physical filing system has been transformed into a machine room, which is called a server room. Contracts can be drafted in minutes due to a new machine learning tool. Paper has been abolished, you heard right, abolished. Data can be instantly transferred to anywhere in the world and between devices. Phones and mobiles are now smart, and personal data is permanently processed and interpreted. Between new concepts like analytics, blockchain, artificial intelligence, and data mining I started feeling completely lost. Why do we need to map the data? Where should I start? How can I do it?
The purpose of this article is to give a little help to the hero of our story.
Data mapping - Why do we need it?
Firstly, you need data mapping because a specific article of the GDPR imposes a duty on organisations to keep a record of processing activities ('ROPA'). According to this rule, all entities (controllers or processors) with more than 250 employees should keep a ROPA. The ROPA is also mandatory for entities that have fewer than 250 employees (small and medium size companies), unless the processing they carry out is not likely to result in a risk to the rights and freedoms of data subjects, the processing is occasional, or the processing does not include special categories of data or personal data relating to criminal convictions and offences.
In practice, as all companies process customer data or human resources data on a non-occasional basis, the ROPA is mandatory for most organisations.
Indeed, according to the Working Party 29 ('WP29'), the regular processing of employee data by a small organisation is an example of processing that cannot be regarded as 'occasional' under Article 30 of the GDPR.
However, this does not mean that all processing activities need to be described in the ROPA. If your company occasionally processes non-sensitive or low-risk data for other purposes, such as opinion surveys, you do not need to include those activities in the ROPA. Nevertheless, it is advisable to do so, because the information contained therein is the raw material necessary to comply with certain other obligations imposed by the GDPR. The duty to inform data subjects, the obligation to include processing details in the data processing agreements provided for in Article 28 of the GDPR, and the duty to respond to requests for access to personal data made by data subjects are good examples of that.
The ROPA will be the source of information about the location, purposes, retention periods, recipients and types of data that will allow the organisation to reply to data subject access requests ('DSARs') in an accelerated and correct way.
Additionally, without the ROPA, it would not be possible to comply with the accountability principle.
However, data mapping is not only about the mandatory requirements set forth in Article 30 of the GDPR. In order to comply with other obligations foreseen in the GDPR, you should know the data flow, and where and how the information is located and stored (for instance by using automated data discovery tools), as only then will it be possible to apply the appropriate security measures and comply with the principle of data minimisation, avoiding data redundancies.
Data mapping – Where to start?
You have to know one thing: the words GDPR and/or data protection give IT, marketing, HR, or procurement people the creeps because they mean work, they are time consuming, and they require financial investment. If you do not have the top management on your side, forget it, as you will not have a chance to manage your data mapping task. Your colleagues will put your data mapping at the bottom of the pile, if you are lucky, or in the bin. They will take ages to reply to you, or they will send you messy and disorganised information. Therefore, as a first step, it is critical to obtain senior management buy-in and involve the managers of the business units of the company in the project, copy them on the emails, and ask them to attend required project meetings.
Secondly, it is recommended to hire an external service provider to assist you, if possible. Whether it is a consultancy firm, a law firm, or a specialised company, it is very important to have the involvement of those entities which have the know-how to ask the right questions to the right people, in order to identify the data processing carried out and the other elements required by Article 30 of the GDPR. It is very important to carry out information audits or data mapping exercises and it is often impossible to do it alone.
Thirdly, you should keep the ROPA in electronic format so that it can be kept up to date. This can be an Excel spreadsheet with one processing activity per row. Please be aware that there are companies, such as OneTrust, that provide software tools specifically tailored for this purpose, and some EU supervisory authorities have created basic templates for controllers and processors. The size of the company, the complexity of the activities, and the type of data processed will determine the type of tool that you should choose.
Fourthly, responsibility. Each of the company's business units identified as processing personal data (such as IT, compliance, legal, marketing, HR, procurement, security, etc.) should appoint a person responsible for completing and updating the ROPA whenever necessary, and for reporting on the need to update policies, procedures, agreements, etc., so that the matter is not left in no man's land. All these privacy representatives should report to the data protection officer ('DPO') (if any) or to the company's privacy officer, and should meet at least monthly.
Fifthly, it is essential to provide training. Everyone has a notion of what personal data is and of some obligations and concepts, but there may be knowledge gaps and misconceptions to address. If you want to get all people involved, you will have to teach them the basics: concepts, principles, obligations, rights, and liabilities. But not only that. You will have to provide tailored training to the persons in charge on how to fill out the ROPA, with use cases. The training should be refreshed yearly if possible and ideally face-to-face, so that employees ask questions and feel involved in the process.
Last, but not least, do not forget the procedures. Without written procedures for revising and updating the ROPA, you run the risk that the document is impeccable on day one but outdated one year later: no one included the three data processors located outside the EU that were appointed, or the access control through facial recognition recently implemented! This is a common occurrence. The ROPA is a work in progress that should be subject to regular reviews to ensure the accuracy of the information.
How can I prepare a ROPA?
As we said before, the ROPA is a record that shows the data processing activities of an organisation. Even if the data is only stored in servers, you should include it in the record!
According to Article 30 of the GDPR, companies have an obligation to keep a record of processing activities covering both the processing they carry out as a data controller and the processing they carry out as a data processor.
The data controllers' ROPA should include the following information for each processing activity:
- name and contact details of the data controller and its representative, joint controller, and DPO, if applicable;
- description of the categories of data subjects and of the categories of personal data processed;
- description of the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations, the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data; and
- where possible, a general description of the technical and organisational security measures.
As regards the expression 'where possible', the WP29 has already stated in a similar context that 'if a data controller seeks to rely on this exemption it must demonstrate the factors that actually prevent it from providing the information in question'. Therefore, in practice, these elements or an indication of the reasons of their absence should be provided.
Additionally, although the indication of the legal basis of processing (Article 6 of the GDPR) is not mandatory, it should be included in the ROPA. In fact, you will need it to draft the information notices to data subjects, and to comply with Article 24 of the GDPR (which requires that every data controller should 'be able to demonstrate' that processing is performed in accordance with the GDPR).
Also be aware that processors must maintain ROPAs as well. Although less detailed than those of controllers, these records should include the following information:
- all categories of processing activities which a processor carries out on behalf of each controller (e.g. security services, marketing, technical services, etc.);
- the name and contact details of the recorded processor and, where applicable, its representative and DPO;
- the name and contact details of each controller on whose behalf the processor is acting and, where applicable, the controller's representative;
- the name and contact details of other 'processors' (sub-processors or processors that have instructed the recorded processor to a specific task) and names of the representatives and DPO, where applicable;
- transfers of data to third countries or international organisations; and
- a general description of the technical and organisational security measures which are put in place by the processor.
As a first step to the ROPA, you can start by preparing a questionnaire (including questions to obtain the information foreseen in Article 30 of the GDPR) and distribute it to the persons responsible for each area. The questions should be simple and straightforward.
Then, you should review the procedures, policies, contracts, and agreements in place and match them with the answers of the questionnaires.
After that, you should conduct meetings with the responsible persons in order to confirm the accuracy of the information provided and complete the ROPA.
Finally, it is good practice to include in the ROPA links to all the relevant documents (policies, agreements with processors and joint controllers, procedures, records of consent, as well as Legitimate Interest Assessments and Data Protection Impact Assessments).
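The controller field list above, the 'where possible' rule taken from the WP29, and the two uses of the ROPA mentioned earlier (regular reviews and DSAR replies) can be turned into a small electronic record. The following is an added example written for this page, not code from the author, J&A Garrigues or DataGuidance; the field names, the sample rows, the placeholder contact details and the one-year review period are assumptions made for the illustration.

```python
"""Minimal electronic ROPA for a controller, built on the Article 30 GDPR
field list discussed above. Constructed example: names and sample rows are
invented placeholders, not data from the article."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ControllerDetails:
    """Article 30(1)(a): controller, representative, joint controller and DPO."""
    controller: str
    representative: str = ""   # only where one has been designated
    joint_controller: str = ""
    dpo: str = ""


@dataclass
class ProcessingActivity:
    """One row of the controller's ROPA (one processing activity)."""
    name: str
    purposes: str
    data_subject_categories: list
    personal_data_categories: list
    recipient_categories: list
    third_country_transfers: list = field(default_factory=list)  # country plus safeguard
    legal_basis: str = ""          # Article 6 basis: not mandatory in the record, but recommended
    retention: str = ""            # 'where possible' field
    security_measures: str = ""    # 'where possible' field
    reason_if_missing: dict = field(default_factory=dict)  # field name -> why it cannot be given
    linked_documents: list = field(default_factory=list)   # policies, DPAs, DPIAs, LIAs
    last_reviewed: date = field(default_factory=date.today)


REQUIRED = ("purposes", "data_subject_categories", "personal_data_categories",
            "recipient_categories")
WHERE_POSSIBLE = ("retention", "security_measures")


def validate(activity):
    """Return the problems found in one row (empty list = complete).

    Mandatory fields must be filled. 'Where possible' fields may be empty only
    when reason_if_missing records why, following the WP29 reading quoted above.
    """
    problems = []
    for name in REQUIRED:
        if not getattr(activity, name):
            problems.append(f"{activity.name}: mandatory field '{name}' is empty")
    for name in WHERE_POSSIBLE:
        if not getattr(activity, name) and name not in activity.reason_if_missing:
            problems.append(f"{activity.name}: '{name}' is empty and no reason is recorded")
    if not activity.legal_basis:
        problems.append(f"{activity.name}: legal basis not recorded (needed for notices and Art. 24)")
    return problems


def validate_ropa(ropa):
    """Run validate() over every row of the record."""
    return [p for activity in ropa for p in validate(activity)]


def stale_activities(ropa, today, max_age_days=365):
    """Rows not reviewed within max_age_days; feeds the periodic review procedure."""
    return [a.name for a in ropa if (today - a.last_reviewed).days > max_age_days]


def dsar_summary(ropa, subject_category):
    """Collect, per activity, what a DSAR reply needs for one category of data subject."""
    return [
        {
            "activity": a.name,
            "purposes": a.purposes,
            "data": a.personal_data_categories,
            "recipients": a.recipient_categories,
            "transfers": a.third_country_transfers,
            "retention": a.retention or a.reason_if_missing.get("retention", "not recorded"),
        }
        for a in ropa
        if subject_category in a.data_subject_categories
    ]


# Constructed sample data (placeholders, not from the article).
CONTROLLER = ControllerDetails(controller="Example Law Firm (placeholder)",
                               dpo="dpo@example.invalid (placeholder)")
PAYROLL = ProcessingActivity(
    name="HR payroll", purposes="Salary payment and tax reporting",
    data_subject_categories=["employees"],
    personal_data_categories=["identification", "bank details", "salary"],
    recipient_categories=["payroll processor", "tax authority"],
    legal_basis="Art. 6(1)(c) legal obligation", retention="10 years after employment ends",
    security_measures="access control, encrypted storage",
    linked_documents=["DPA-payroll-processor.pdf (placeholder)"],
    last_reviewed=date(2022, 3, 1),
)
NEWSLETTER = ProcessingActivity(
    name="Newsletter", purposes="Sending legal updates to subscribers",
    data_subject_categories=["subscribers"], personal_data_categories=["name", "email"],
    recipient_categories=["email service provider"],
    third_country_transfers=["USA - standard contractual clauses"],
    legal_basis="Art. 6(1)(a) consent",  # retention and measures left empty with no reason
    last_reviewed=date(2021, 1, 15),
)
SAMPLE_ROPA = [PAYROLL, NEWSLETTER]
SAMPLE_TODAY = date(2022, 6, 1)

if __name__ == "__main__":
    for problem in validate_ropa(SAMPLE_ROPA):
        print("PROBLEM:", problem)
    print("Overdue for review:", stale_activities(SAMPLE_ROPA, SAMPLE_TODAY))
    print("DSAR (employees):", dsar_summary(SAMPLE_ROPA, "employees"))
```

Run as a script, the check reports the newsletter row twice (no retention period and no security measures, with no reason recorded for either), lists it as overdue for review, and returns the payroll row's purposes, recipients and retention period as the material for an employee's access request. A spreadsheet or a dedicated tool holds the same columns; the point is that the validation and review rules live somewhere other than in the memory of whoever filled the record in on day one.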
Waking up
I woke up to the strident sound of the alarm clock. It is 8 a.m. and I am still a bit dazed from the dream I had. The new soundtrack from the Titanic movie is playing on the radio but I cannot stay and listen. I have to run to the DPA to file the authorisation requests for the data processing activities. Fortunately, in the present day, accountability does not exist and ROPA just means 'clothing' in Portuguese!
Isabel Bairrão Principal Associate
[email protected]
J&A Garrigues, S.L.P., Lisbon