Introduction

In 2016, the European Commission replaced its outdated Data Protection Directive with a new comprehensive law, the General Data Protection Regulation (GDPR). The main intention behind the GDPR was to secure personal data by establishing stringent rules for how organisations process it. To meet the organisational obligations laid down in the GDPR, organisations must accurately map their data flows.

In a technical sense, data mapping is the process of linking data collected from one source to data collected from another source based on their correspondence, and then consolidating the result in a database for purposes such as compliance, deduplication or analysis. Organisations carry out data mapping to extract value from data collected from different sources, and it is fundamental to information processes such as information integration, information migration, information warehousing and information transformation.

 

In the Context of the GDPR

In the context of the GDPR, data mapping enables organisations to fully understand their data flows and how they process the data they collect. A firm grasp of all the data collected, and an efficient map of that data, helps organisations abide by the regulation and ensures that all personal data is processed responsibly and appropriately. The alarming pace at which data acquisition and processing are growing makes tools that efficiently map all collected data increasingly crucial for organisations; achieving similar results with conventional methods would be nearly impossible. Even though data mapping is not an expressly stated requirement or obligation, it is an integral element of the GDPR: it is a prerequisite for fulfilling other legal requirements, such as conducting data protection impact assessments, managing data subjects' requests and keeping records of processing activities. To elaborate, some examples of data mapping-driven compliance are:

 

Consent:

Article 4 of the GDPR requires that the user's consent to data processing be freely given, specific, informed and an unambiguous indication of the data subject's wishes. While consent serves as a lawful basis for data processing, the GDPR also provides that data subjects can withdraw consent at any time without detriment. Data mapping therefore assists organisations in determining which processing activities depend on 'consent' as their lawful ground, highlighting situations where consent-capture mechanisms may be necessary and facilitating the effortless withdrawal of consent.

 

Data Subjects' Rights:

The GDPR framework grants numerous rights to data subjects with respect to their personal data. These rights include:

1. Right to information (Art. 13 & 14)
2. Right to access (Art. 15)
3. Right to rectification (Art. 16)
4. Right to erasure, or right to be forgotten (Art. 17)
5. Right to restrict processing (Art. 18)
6. Right to data portability (Art. 20)
7. Right to object (Art. 21)
8. Rights related to automated decision making and profiling (Art. 22)

When data subjects exercise any of these rights, the data controller is bound to respond within a set time. Data mapping helps an organisation determine where the information in question is stored and enables effective handling of data subject requests, so the organisation can act on a data subject's request within the time frames specified by the GDPR.

 

Maintaining Records of Processing Activities:

According to Article 30 of the GDPR, controllers and processors are required to maintain Records of Processing Activities (RoPAs). Information concerning the processing activities, such as the purpose of processing, consent, legal grounds for processing, cross-border transfers and DPIA status, is included in the RoPAs. Data mapping is therefore an essential aid to organisations in complying with the GDPR, through the collection and maintenance of a list of data processing activities across the business.

 

Notification of Breaches:

Article 33 of the GDPR states that organisations must notify any personal data breach that puts the rights and freedoms of data subjects at risk. Such breaches must be reported to the supervisory authority within 72 hours of their discovery. When there is a high risk to the rights and freedoms of data subjects, organisations are additionally required to notify the impacted data subjects of the breach promptly, without further ado. Data mapping enables organisations to quickly identify the impacted data subjects and the compromised data in any security incident. It also allows organisations to assess the risk a given incident poses to the rights and freedoms of data subjects, so that only personal data breaches meeting the prescribed risk threshold are reported, to the proper stakeholders. Organisations are thus able to meet the notification time limit laid down by the GDPR.

 

Conducting Data Protection Impact Assessments:

Article 35 of the GDPR stipulates that organisations must conduct Data Protection Impact Assessments (DPIAs) where processing can potentially lead to a high risk for the individual. DPIAs must account for the nature, scope, context and purposes of the processing. To conduct DPIAs efficiently, organisations are expected to document the types of data they collect; where, when and how that data is collected, used and stored; and how the data flows within the organisation and to its vendors. All of these processes also require efficient data mapping.

 

To sum up, failing to comply with the GDPR can have serious consequences: legal and class action lawsuits, negative impact on global business operations and opportunities, damage to brand image, and hefty financial penalties. The penalties for non-compliance can be as high as €10 million or 2% of the organisation's annual global revenue (whichever is greater) for less severe violations. For more severe violations, the fines can go up to €20 million or 4% of global annual turnover (whichever is greater). The amount of the penalty depends on numerous factors, including the nature, severity and duration of the violation, as well as the organisation's response to the breach. A precise data map considerably reduces the time needed to respond to data subject requests and helps organisations comply with the timelines prescribed by the GDPR. Hence, it is crucial for organisations to have a comprehensive understanding of data flow within and outside the organisation to facilitate compliance with the GDPR.

 

Submitted by Amogh Shetty (Junior 2023 at Cyber Law Consulting (Advocates & Attorneys) TOP Tech LAW FIRM in INDIA) as guided by Adv (Dr.) Prashant Mali [MSc(Comp Sci), LLM, Ph.D.]