Step 3. Map Your Data

3. Map Your Data – GDPR consultant 12 step guide to GDPR compliance

Carrying out an information audit is necessary to understand where your data is held, where it came from, who it is shared with, and who can access it. An information audit is a vital first step to GDPR compliance. And don’t forget to document, document, document!

Information Flow

Where is the information going?

An information flow is a transfer of information from one location to another. Passing information from inside to outside the European Union is one example, as is passing information from suppliers and sub-suppliers to customers. Document all information transfers as part of your information audit.

Information Lifecycle

How is the information being collected and used?

Walk through the information lifecycle and identify if there are any unforeseen or unintended uses of data. Document whether any information collected may be required in the future, and ensure the people using the information are consulted on the practical implications.

What is the Data?

Where is it stored?

Determine what data is being processed (e.g. name, email, address, etc.) and what category it falls into (e.g. health data, criminal records, location data, etc.).

Then consider how this data is recorded, such as hardcopy, digital, database, bring your own device, or mobile phones, and document where this data is stored, for example, offices, the Cloud, or third parties.

How is Data Shared?

Who is accountable?

Establish the methods used to transfer data, for example, by post, telephone or social media. Also consider what data is shared within your organisation (internal sharing) and with third parties (external sharing).

As information moves within an organisation, access and accountability often change. Re-examine the information flow to determine who has access to the data and who is responsible for it during different stages of information transfer.