GDPR Compliance Journey - 03 Data Mapping

Gydeline
19 Mar 2018, 10:38

Summary

TL;DR: In this video, Mike Sowell discusses the importance of data mapping for GDPR compliance. He outlines the steps to create a basic data map, emphasizing the need to identify personal information, its storage, purpose, source, and legal basis for use. The script covers various types of information, including employee, customer, supplier, and lead data, and highlights the challenges of obtaining and verifying consent, especially for marketing purposes. Detailed data maps are also explored, using the example of a free trials process, to demonstrate the flow and storage of personal data across systems.

Takeaways

  • 📝 Data Mapping is a crucial step in GDPR compliance, helping to identify and understand the flow of personal information within an organization.
  • 🔍 A basic data map should answer key questions about the type of personal information held, where it's stored, why it's needed, its origin, and the legal basis for its use.
  • 🏢 The script discusses various types of personal information such as employee details, customer interactions, and supplier contacts, all of which require careful data management.
  • 📧 Email and phone systems are highlighted as common yet often overlooked places where personal information is stored, requiring attention in data mapping.
  • 📑 Documents and spreadsheets are also mentioned as areas where personal data can proliferate, indicating the need for thorough data mapping to identify all data stores.
  • 🤝 Contracts with employees, customers, and suppliers are the basis for permissions to use personal information, emphasizing the importance of clear terms and conditions.
  • 📈 The script emphasizes the importance of understanding the purpose of data collection, such as for employment, service delivery, and marketing to prospects.
  • 📲 The use of CRM systems for leads and prospects is highlighted, noting the complexity of obtaining and maintaining proper permissions for data usage, especially under GDPR.
  • 🔑 Detailed data maps delve deeper into specific processes, such as free trials, to outline data flow, ownership, access, storage, and transfer locations.
  • 🌐 Data transfer locations, such as data centers in Amsterdam and Dublin, are important to document for compliance, showing where data is geographically stored and accessed.
  • 📋 The script concludes with a reminder of the importance of record-keeping for processing activities as part of the ongoing journey towards GDPR compliance.

Q & A

  • What is the main topic of the video script?

    -The main topic of the video script is data mapping in the context of GDPR compliance.

  • Who is the speaker in the video script?

    -The speaker in the video script is Mike Sowell.

  • What is the purpose of creating a basic data map?

    -The purpose of creating a basic data map is to provide a simple picture of where the company stands with their information, including what personal information they have, where it is stored, why it is needed, where it came from, and why they believe they have permission to use it.

  • What are the key pieces of information a basic data map should include?

    -A basic data map should include information about the type of personal data, where it is stored, the purpose of its use, its origin, and the legal basis for its use.

  • What types of personal information about employees does the company store?

    -The company stores personal information such as names, emails, phone numbers, dates of birth, and bank details of employees.

  • How does the company store personal information of its employees?

    -The company stores personal information of its employees in HR systems, finance and payroll systems, emails, and on phones, both personal and business.

  • What is the importance of knowing the source of personal information?

    -Knowing the source of personal information is important to understand the legal basis for its use and to ensure compliance with GDPR, especially regarding data transfers and permissions.

  • What are the challenges in managing personal information about leads and prospects?

    -The challenges include ensuring that the company has the right permissions to use the information, often relying on consent and legitimate interests, and managing the information from various sources such as online forms, events, referrals, and mailing lists.

  • What is the focus of the company's more detailed data maps?

    -The focus of the company's more detailed data maps is primarily on leads and prospects, detailing how the information is used, where it comes from, and the reasons for its use.

  • What is the significance of mapping the flow of data in the company's processes?

    -Mapping the flow of data helps the company identify all recipients of personal data, understand data transfers, and ensure compliance with GDPR requirements.

  • What is the next step in the company's journey towards GDPR compliance after data mapping?

    -The next step is to talk about the record of processing activities and what needs to be done in that area.

Outlines

00:00

📊 Data Mapping for GDPR Compliance

In this segment, Mike Sowell introduces the third part of the GDPR compliance series, focusing on data mapping. He explains the importance of creating a simple data map to understand the flow of personal information within an organization. The basic data map aims to answer key questions regarding the storage, usage, necessity, origin, and legal basis for using personal data. The types of information discussed include employee details, customer interactions, and supplier relationships, all of which are stored across various systems. The emphasis is on identifying all the places where personal information is stored, including HR systems, finance, payroll, emails, and phones, to ensure GDPR compliance.

05:04

🔍 Detailed Data Mapping for Free Trials Process

This paragraph delves into a more detailed data mapping example, specifically for the free trials process of the Gydeline software. It outlines the steps taken to map the data flow, from individuals signing up for a free trial to the data being transferred to the CRM system and the Gydeline software. The focus is on the personal data collected, such as name, email, company, and job role, and the storage locations, which include the CRM system and the Gydeline software database. The security measures in place and the specific internal systems that handle the data are also discussed, highlighting the importance of understanding data transfer and storage for GDPR compliance.

10:08

🚀 Moving Towards GDPR Compliance with Data Mapping

In the final paragraph, Mike Sowell wraps up the discussion on data mapping by emphasizing its role in identifying recipients of personal data, which is a crucial step towards GDPR compliance. He mentions that the Gydeline software has helped identify necessary actions for compliance, and data mapping is one of them. The next topic to be covered will be the record of processing activities, indicating a continuous journey towards ensuring data protection and privacy standards are met.

Keywords

💡Data Mapping

Data mapping refers to the process of documenting and understanding the flow of data within an organization. It is a critical component in achieving compliance with data protection regulations like GDPR. In the video, Mike Sowell discusses creating a simple data map to identify where personal information is stored and how it is used, which is essential for understanding an organization's data handling practices.

💡GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law that focuses on data protection and privacy for individuals within the European Union. The video script emphasizes the importance of GDPR compliance in the context of data mapping, as it outlines the legal basis for data processing and the need for organizations to understand their data flows to ensure they are handling personal data correctly.

💡Personal Information

Personal information, in the context of the video, includes any data that can be used to identify an individual, such as name, email, phone number, and date of birth. The script discusses the importance of knowing what personal information an organization holds, where it is stored, and the legal basis for its use, which is a fundamental aspect of GDPR compliance.

💡Legal Basis

The legal basis for processing personal data is a concept from GDPR that outlines the conditions under which organizations can legally process personal data. In the script, Mike Sowell mentions that understanding the legal basis for using personal information is part of the data mapping process, which helps organizations ensure they have the right to process the data they hold.

💡Data Centers

Data centers are facilities used to house computer systems and associated components, such as servers, storage systems, and networking equipment. The script mentions data centers in Amsterdam and Dublin, indicating the geographical locations where the organization's data is stored, which is important for understanding data residency and transfer considerations under GDPR.

💡Consent

Consent, in the context of data protection, is one of the lawful bases for processing personal data, where individuals must give clear permission for their data to be used. The video script discusses the importance of having the right permissions to use personal data, particularly in the case of leads and prospects, and the reliance on consent as a basis for data processing.

💡Legitimate Interests

Legitimate interests is another lawful basis for processing personal data under GDPR, allowing organizations to process data without consent when it is necessary for their legitimate business interests or purposes. The script touches on the need to tighten up practices around consent and legitimate interests, indicating the complexity of balancing data use with compliance.

💡CRM System

A Customer Relationship Management (CRM) system is a type of software that helps manage a company's interaction with current and potential customers. In the script, the CRM system is mentioned as one of the places where personal data about customers and leads is stored and processed, highlighting the importance of data mapping in understanding the use of CRM systems in data processing.

💡Data Flow

Data flow describes the movement of data from one place to another within an organization or between organizations. The script provides an example of a data flow for free trials, detailing how data moves from a web form to a CRM system and then to the Gydeline software, which is crucial for understanding the pathways personal data takes within an organization.

💡Record of Processing Activities

A record of processing activities is a document that organizations must maintain under GDPR, detailing the types of personal data they process, why they process it, and who it is shared with. The script mentions that the next step in their compliance journey will be to talk about this record, indicating its importance in documenting and understanding an organization's data processing practices.

Highlights

Introduction to the third part of the series on achieving compliance with the General Data Protection Regulation (GDPR).

Discussion on the importance of data mapping for GDPR compliance.

Explanation of creating a simple data map for GDPR.

Key questions to answer in a basic data map: What personal information is held, where it's stored, its purpose, origin, and legal basis for usage.

Types of personal information discussed: employee details, customer interactions, supplier relationships, and leads/prospects.

The necessity of identifying all locations where personal information is stored, including HR, finance, payroll, emails, and phones.

The use of personal information for employment, service delivery, and marketing purposes.

How personal information is obtained: from employees during recruitment, from customers directly, and from various sources for leads and prospects.

The reliance on contracts and terms and conditions as the legal basis for using personal information.

The complexity of permission and consent in the context of GDPR, especially for leads and prospects.

The process of creating a more detailed data map for specific processes, such as free trials.

Description of the data flow for free trials, from web form to CRM and then to the Gydeline software.

Identification of data owners, access rights, and security measures for the data mapping process.

Explanation of data storage locations and the importance of specifying these for data protection and transfer.

The significance of understanding data transfer methods between internal systems for GDPR compliance.

Highlighting the locations of data storage, such as data centers in Amsterdam and Dublin, and their accessibility.

The next steps in the GDPR journey, focusing on the record of processing activities.

Conclusion and a reminder of the importance of data mapping for achieving GDPR compliance.

Transcripts

00:00 [Music]
00:04 hi I'm Mike Sowell and welcome back
00:07 again to the Gydeline GDPR journey
00:09 this is the third in our series about
00:13 how we're getting ourselves compliant
00:16 and this time we're talking about data
00:18 mapping so we've completed our data
00:20 mapping and I'm going to take you
00:23 through a couple of steps that we've
00:24 been through firstly about creating a
00:27 simple data map and then we'll look at
00:29 it in some more detail so let's take a
00:32 look at our basic data map so when we
00:36 talk about basic data mapping we're
00:39 looking for a few key pieces of
00:42 information
00:42 now the basic data map I'm going to show
00:45 you is one that we use with all our
00:47 customers and it gives them a really
00:49 simple picture of where they are with
00:51 their information that they have and they
00:55 use and we're looking to answer a few
00:57 key questions firstly what personal
01:01 information do you have
01:03 secondly where are you storing it where
01:08 are you putting that information when
01:09 you've got it thirdly why do you need it
01:14 what is it that you're using it for
01:17 number four is where from where did you
01:19 get it from
01:20 and then lastly why do you think you
01:25 have permission to use it and this
01:28 answers a number of things in the GDPR
01:31 around what is your legal basis who were
01:35 the recipients who are you transferring
01:37 it to and numbers of other things so
01:39 it's a good starting place on your GDPR
01:42 journey so if we look at the types
01:45 of information that Gydeline are
01:47 using firstly we have personal
01:50 information about our employees things
01:52 like name email phone date of birth bank
01:55 details things like that and that
01:58 information we store it in a number of
02:01 places and this needs some quite careful
02:05 thinking about yes we've got an HR
02:07 system where we store information about
02:09 people we've got their information on
02:12 our finance system and
02:13 payroll system which we use to pay them
02:16 and the payroll system is run and
02:21 accessed by our accountancy firm and
02:24 that might not be too unusual but as
02:27 well as those obvious systems there are
02:29 things like email
02:31 there are employee details on email and
02:33 phones and we've got a mixture of
02:35 personal and business phones and so
02:38 phone numbers names email addresses are
02:41 stored on those phones so have to be
02:43 very careful about identifying all the
02:45 places where this information is what we
02:48 typically see is that information is
02:51 also on documents and spreadsheets and
02:54 various others we're quite good in that
02:57 space in that we don't proliferate data
02:59 in that manner but lots of companies do
03:02 so why do we need that information well
03:04 we want to give them a job and we want
03:06 to pay them their money they want and we
03:08 want to be able to contact them
03:10 where did we get the information well we
03:12 got it from the employee as part of the
03:15 recruitment process and why do
03:18 we think we have permission to use that
03:19 information well we've got contracts
03:21 with these people and there'll be terms
03:23 and conditions within those contracts
03:25 that mean we can use that information to
03:29 employ them we also have personal
03:32 information about our customers name
03:35 address email phone number but some
03:37 other information like the history of
03:41 what they've done with us the
03:42 interaction with us some social profiles
03:45 and that's important information to
03:48 capture because we might need to give
03:50 that information back to them at some
03:51 stage and again where are we storing it
03:54 well it's on our customer relationship
03:56 management system it's in email it's in
03:59 our filing system and it's in our phones
04:01 and why do we have it well we need to
04:03 deliver services to them we need to
04:05 fulfil our contracts we need to keep
04:07 them updated and we also need
04:09 to tell them about related products and
04:12 services where did we get the
04:15 information well it was direct from the
04:16 customer and
04:18 we have a contract with them and some
04:20 terms and conditions which is why we
04:22 think we have the permission to use that
04:23 information we have a relationship with
04:26 suppliers and we use that to receive
04:31 services from them to keep them updated
04:33 and they gave us that information and
04:36 again we have a contract in place with
04:38 those suppliers the interesting space
04:41 really is the last space which is around
04:44 leads and prospects like most other
04:47 businesses we are trying to grow and to
04:49 develop our business and we need to
04:51 record personal information about those
04:54 leads and prospects and we do that in
04:57 our CRM system but it's also in email
04:59 and phones what are we using it for well
05:03 we're using it for marketing to them
05:05 promoting our business to them and we
05:09 get this information from a number of
05:10 sources we get it from online forms from
05:14 events that we've been to in the past
05:16 we've used bought in mailing lists we
05:20 work on referral we get information from
05:22 free trials from face to face meetings
05:24 from a number of different spaces and
05:28 this is where the permission gets
05:30 slightly tricky because really a lot of
05:34 the effort in the GDPR is to make sure
05:36 you do have the right permission to use
05:38 this information and we're relying on
05:41 consent and legitimate interests and we
05:44 know that we need to tighten up to do
05:46 some work to make sure that we're doing
05:48 everything we need to do in those spaces
05:49 but by identifying the information and
05:52 where we've got it from it enables us to
05:54 then focus in on those areas so in terms
05:57 of our more detailed data maps which
06:00 we'll come onto in a second we're doing
06:03 one for the employees we're doing one
06:06 for our payroll system because that goes
06:08 externally and there's a different set
06:11 of considerations we're doing them for
06:14 our customers it goes into the CRM and
06:17 we'll see how that works through
06:18 we're doing one for our suppliers but
06:22 principally our data maps are going to
06:24 be focused around our leads and
06:26 prospects how we use that information
06:27 where we get it from
06:29 and the reasons we have to use it so
06:33 that's our basic setup and the
06:36 information that we use not too
06:39 dissimilar to many of our customers
06:42 we're going to take a look at the detail
06:45 mapping for one of those areas in a
06:47 second we have a system that we use but
06:51 it's very similar to the data mapping
06:53 template that we make available for free
06:55 on gydeline.com so there's a link on
06:58 the screen please use that and go and
07:01 get the template for yourself but now
07:04 let's take a look at our system and one
07:06 of our more detailed data maps so this
07:11 is our more detailed mapping view and
07:16 I've chosen our free trials process to
07:21 do a map of the data that we receive and
07:25 we use there so some basic bits of
07:29 supporting data in terms of the date
07:32 that it was done and who did it and a
07:35 name for this data flow I've called it
07:37 free trials personal data and then I've
07:41 just given a description of the personal
07:43 data and really just says that people
07:45 can sign up for a free trial of
07:47 Gydeline and they enter some
07:49 information gets passed to our CRM
07:51 system and we generate an account in our
07:53 software the who owns the process we
08:04 describe who owns the process we then
08:07 describe who has access to the personal
08:10 data in this case is employees of
08:12 Gydeline only and a small bit of detail
08:16 about the security we've got on there
08:19 details about where the personal data
08:21 comes from and then which information we
08:24 collect so in this case is a very small
08:26 amount of data name email company and
08:29 job role next we give more detail about
08:33 where we're storing the data so in this
08:36 case we're storing it within our CRM
08:39 system it goes into an outgoing email
08:42 and within the Gydeline internal
08:44 software database so we need to be quite
08:47 specific about where it is because that
08:51 can affect the recipients and the new
08:53 transfers of data I've given a very
08:57 brief description of the flow of data
08:59 and it talks about some of the systems
09:01 that data passes through so it goes from
09:03 the web form on the website to our
09:05 customer system it then goes via email
09:09 and then finally arrives in the
09:11 Gydeline software and then because we
09:16 are moving data between the systems how
09:19 are we transferring it and really the
09:22 key piece where it comes from external
09:25 to us is it comes direct from the
09:28 individual into an online form from then
09:31 on it stays within our own internal
09:33 systems and those internal systems are
09:36 in various locations and that's the
09:38 final question of the data map which is
09:41 which locations it's in so our CRM is in
09:45 data centers in Amsterdam and Dublin and
09:47 our software is in data centers in Dublin
09:50 and these are accessible via web
09:53 browsers so that's the detailed view of
09:57 one of the areas and obviously we've
09:59 completed that data map across all the
10:01 areas of personal information that we're
10:03 processing if we remember the reason why
10:07 we're doing this is because the
10:08 Gydeline software is identifying a
10:10 number of actions that we need to
10:11 complete and so for data mapping a key
10:14 one is having identified all the
10:16 recipients of personal data and that's
10:18 something we can now cross off our list
10:19 so a small step that we're moving
10:22 towards a compliance status so that's
10:26 data mapping next time we're going to
10:28 talk about our record of processing
10:30 activities and what we need to do in
10:31 that space so until then we hope you
10:34 find a compliant simple
