Data Mapping in GDPR

Introduction

In 2016, the European Commission replaced its archaic Data Protection Directive with a new comprehensive law, the General Data Protection Regulation (GDPR). The main intention of enacting the GDPR was to ensure the security of personal data by establishing stringent rules and regulations governing the processing of personal data by organisations.

To meet the organisational obligations set out in the GDPR, organisations must accurately map their data flows. In a technical sense, data mapping is a process through which data collected from one source is linked to data collected from another source based on their correspondence and is then amalgamated into a database for various purposes, such as compliance, deduplication or analysis.

Data mapping processes are essentially carried out by organisations to gain value from the data collected from different sources, which is fundamental to various information processes such as information integration, information migration, information warehousing and information transformation.

In the Context of the GDPR

Data mapping, in regard to the GDPR, becomes an enabler for organisations to fully understand their data flows and the way in which they process the data they collect. A firm grasp of all the data collected, and the efficient mapping of such data, helps organisations abide by this regulation and assures that all personal data is processed responsibly and appropriately. The alarming pace at which data acquisition and data processing are advancing makes tools that efficiently map all of the data collected increasingly crucial for organisations; achieving similar results with conventional methods would be nearly impossible.

Data Mapping as a GDPR Compliance Element

Even though data mapping is not an expressly mentioned requirement/obligation, it is an integral element of the GDPR. It constitutes a prerequisite for the fulfilment of all other legal requirements, some of which include conducting data protection impact assessments, managing data subjects' requests, or record-keeping of data processing activities. To better elaborate, some examples of data mapping-driven compliance are:

Consent

Article 4 of the GDPR requires that the user’s consent to data processing be freely given, specific, informed, and an unambiguous indication of the data subject’s wishes. While consent serves as a lawful basis for data processing, the GDPR also maintains that data subjects must be able to withdraw consent at any time without detriment. To this extent, data mapping assists organisations in identifying the processing activities that rely on ‘consent’ as the lawful ground for processing, spotlighting situations where consent capture mechanisms may be necessary, and facilitating the effortless withdrawal of consent.

Data Subjects' Rights

The GDPR framework grants numerous rights to data subjects with respect to their personal data. These rights include:

  • Right to Information (Art. 13 & 14)
  • Right to Access (Art. 15)
  • Right to Rectification (Art. 16)
  • Right to Erasure or Right to be Forgotten (Art. 17)
  • Right to Restrict Processing (Art. 18)
  • Right to Data Portability (Art. 20)
  • Right to Object (Art. 21)
  • Rights related to Automated Decision Making & Profiling (Art. 22)

When a data subject exercises any of these rights, the data controller is bound to respond to the request within a set time. Data mapping helps an organisation determine where the information in question is stored and enables the effective handling of data subject requests. As a result, the organisation can act on a data subject’s request within the time frames specified by the GDPR.

Maintaining Records of Processing Activities

According to Article 30 of the GDPR, controllers and processors are required to maintain Records of Processing Activities (RoPAs). Information concerning the processing activities, such as the purpose of processing, consent, legal grounds for processing, cross-border transfers, DPIA status, etc., is included in the RoPAs. Evidently, data mapping is an essential aid to organisations in complying with the GDPR, through the collection and maintenance of a list of data processing activities across the business.

Notification of Breaches

Article 33 of the GDPR requires organisations to notify any personal data breach that puts at risk the rights and freedoms of data subjects. Such breaches must be reported to the supervisory authority within 72 hours from the time of their discovery. In addition, where there is a high risk to the rights and freedoms of data subjects, organisations are required to promptly notify the impacted data subjects of the breach. Data mapping enables organisations to promptly identify the impacted data subjects and the compromised data in any security incident, facilitating timely notification and risk assessment.

Conducting Data Protection Impact Assessments

Article 35 of the GDPR stipulates that organisations are required to conduct Data Protection Impact Assessments (DPIAs), especially when processing could lead to high risks for individuals. DPIAs are required to account for the nature, scope, context, and purposes of the processing. Efficient data mapping assists organisations in documenting data collection and flow, enabling compliance with DPIA requirements.

Conclusion

Failing to comply with the GDPR can result in serious consequences, such as legal and class action lawsuits, negative impacts on global business operations, damage to brand image, and hefty financial penalties. The penalties for non-compliance can be as high as €10 million or 2% of the organisation's annual global revenue for less severe violations, and up to €20 million or 4% for severe violations. A precise data map significantly reduces response time to data subject requests and aids compliance with GDPR timelines.

Submitted by: Amogh Shetty, Junior 2023 at Cyber Law Consulting (Advocates & Attorneys), TOP Tech LAW FIRM in INDIA, as guided by Adv (Dr.) Prashant Mali ♛ [MSc(Comp Sci), LLM, Ph.D.]