GDPR and Data Maps

As corporations deal with the latest milestone in compliance, the EU General Data Protection Regulation (GDPR), data maps will prove useful for getting rid of personal data that falls in scope of GDPR Article 17, commonly referred to as “The Right to be Forgotten.” If a company is asked to delete personal data in accordance with the GDPR’s specific requirements, it needs to first understand where personal information resides within its data storage systems.

An effective data map has multiple uses within the scope of the GDPR. It could be used to comply with Article 15, “Right of Access by the Data Subject.” A company can leverage a data map that captures the flow between data storage systems to confirm not only where the data subjects’ personal data resides but also the methods of “processing,” which broadly means any actions performed on the personal data.

A data map has uses outside GDPR. For example, an effective data map can also be leveraged for information governance, and to develop processes for the identification, preservation and collection of information during the e-discovery cycle. When considering a data mapping initiative that is focused on data privacy, start with existing documentation. System IT owners and business users will both be good sources for interviews. Ensure that the data map development exercise includes technologies and/or methodologies to keep the information current. A stale data map can quickly become a paperweight with little value.