As a company grows, its use of personal data (both internal and external) inevitably increases.
Even if your company makes no retrieval or use of customers’ personal data, there are almost always stores of personal data pertaining to its current and past employees. Because of this, the impact of any potential data breach also increases.
Therefore, it is a company’s responsibility (and a legal requirement) to attempt to document the types of personal data held within the organisation as well as the flow of how that data moves around the company.
In this article, I describe my experience as a data consultant, process mapping for my organisation, and some of the issues we faced, as well as some useful tips I picked up along the way.
Starting Your First Data Mapping Project
The beginnings of this project took a surprisingly large percentage of the total time spent: neither my colleague nor I had any knowledge or experience of data process mapping, or even an idea of what a good project looked like.
As a result, we spent a fair amount of time deciding on a plan for strategically mapping the uses of personal data within our company, time that will hopefully be reduced for anyone reading this article.
The project’s two main aspects were creating a data map and filling out the ICO’s ROPA template Excel sheet for each department or process.
It is therefore necessary for anyone doing a data process mapping project to compile a list of the employees who oversee the different processes and departments, as these are the people you need to speak to.
It was helpful for us to create this list with someone who has a good general understanding of how the company works from department to department. Speaking to different people in different departments will end up being the bulk of the project, so it is a fantastic way of developing your soft skills as a side bonus.
The ROPA Document
The ICO provides a document called the ROPA (record of processing activities) template.
This Excel document gives an organisation a structure for logging the different types of personal data within each process, where the data is stored, and how long it is retained. There are many columns in the ROPA Excel sheet; I recommend familiarising yourself with them at this stage, as you will want to design your interview questions around filling out this sheet.
Many of the columns will have to be filled out by you, as the people you speak to will not know the answers; they may have no knowledge of GDPR law. On the other hand, the important questions that the colleague you speak to can answer are: the types of personal data within the department, where it is stored, and how long it is retained for.
To visualise the flow of personal data, you will have to use some sort of mapping/flowchart software.
There are many different software options, and you will have to work out what suits your budget and functional needs; for reference, Microsoft Visio worked well for us.
At this point, it is worth mentioning the two types of map you can attempt to produce: data maps and process maps. A data map shows the flow of data within an organisation, and how data moves between different storage locations and into different departments. Process maps include all the information that a data map contains, but they also add all non-data processes, so they are necessarily larger than data maps.
In terms of preparing for a potential data breach, data maps are the most useful, as you can quickly see the flow of personal data and identify any points from which the data may have been taken.
On the other hand, process maps are an additional tool for the organisation: they include the flow of data but can also demonstrate the workflows in a department to someone outside of that department. For these reasons, we made both data maps and process maps for each department/process.
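As an added example (not code from the article, the ICO or the author's organisation), a small Python model of a few simplified ROPA columns together with the flow edges of a data map: it flags records whose retention period the interviewee could not supply, lists where a given category of personal data is held for breach triage, follows the flows downstream to see where data may have travelled, and renders the map as Graphviz DOT. The column names and sample records are constructed assumptions, not the real template or a real company.

```python
from typing import List, Optional
from dataclasses import dataclass, field

# Constructed, simplified stand-in for a few ROPA columns (assumption: the real
# ICO template has many more columns; only these, plus a flow column, are modelled).
@dataclass
class RopaRecord:
    department: str
    data_types: List[str]        # categories of personal data the department handles
    storage: str                 # where that data is stored
    retention: Optional[str]     # retention period; None while still unknown
    flows_to: List[str] = field(default_factory=list)  # departments the data is passed on to

# Constructed sample records for a fictional company, not a real organisation's ROPA.
SAMPLE = [
    RopaRecord("Recruitment", ["name", "address", "CV"], "Applicant tracking tool", "6 months", ["HR"]),
    RopaRecord("HR", ["name", "address", "bank details"], "HR system", "6 years after leaving", ["Payroll"]),
    RopaRecord("Payroll", ["name", "bank details"], "Payroll SaaS", "7 years", ["Finance"]),
    RopaRecord("Finance", ["name"], "Shared drive", None, []),
]

def missing_retention(records):
    """Retention is a column interviewees often cannot answer: list records still lacking it."""
    return sorted(r.department for r in records if r.retention is None)

def locations_holding(records, data_type):
    """Breach triage: every (department, storage location) pair that holds a given category."""
    return sorted({(r.department, r.storage) for r in records if data_type in r.data_types})

def downstream(records, department):
    """Follow the flow edges to find every department the data could have reached."""
    edges = {r.department: r.flows_to for r in records}
    seen, todo = set(), list(edges.get(department, []))
    while todo:
        dept = todo.pop()
        if dept not in seen:
            seen.add(dept)
            todo.extend(edges.get(dept, []))
    return sorted(seen)

def to_dot(records):
    """Render the data map as Graphviz DOT: departments as nodes, storage in labels, flows as edges."""
    lines = ["digraph datamap {"]
    for r in records:
        lines.append(f'  "{r.department}" [label="{r.department}\\n{r.storage}"];')
        lines.extend(f'  "{r.department}" -> "{dst}";' for dst in r.flows_to)
    lines.append("}")
    return "\n".join(lines)
```

Feeding the `to_dot` output to Graphviz's `dot -Tpng` gives a first-cut data map that can be refined in a tool such as Visio.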
Creating a List of Questions for a Department
Now that you have your list of people in different departments to speak to, it is time to interview your first colleague!
To do this, it is a good idea to prepare some questions that will help you both understand the flow of data and fill out the ROPA document for ICO compliance. The first thing we always asked was for the person we were talking to to outline a step-by-step workflow for their department/process. When doing this, you should prompt your colleague not to focus on personal data, as they might miss out steps where they don’t immediately realise personal data is involved. It is much better for completeness that the colleague tries to mention each step, and you, the data person, ask further questions to work out whether personal data is used at each step.
Because processes and departments differ, there will be a large element of improvisation in these process mapping interviews. Lots of questions will arise as the person you are speaking to outlines their process, so you can’t expect to have a comprehensive list of questions before any one interview.
In conclusion, data process mapping is an essential task for any organisation, driven by legal obligations and a commitment to responsible data management. The ICO’s ROPA template provides structure, helping organisations log personal data and adhere to regulations.
Visualisation tools like data maps and process maps offer valuable insight into data flows and potential vulnerabilities. Ultimately, this task not only ensures compliance but also enhances data security, highlights areas of unnecessary personal data use, and, for anyone doing the project, improves your soft skills and understanding of data governance.
Interested in joining our diverse team? Find out more about the Rockborne graduate programme here.