Data Flow Mapping: An Essential Skill for Data Protection Professionals 

Among the essential skills for data protection professionals to develop is data flow mapping. In this blog post we explore the significance of this skill and some useful tools to get started.

What is Data Flow Mapping? 

Data flow mapping is a systematic process that enables organisations to visualise the flow of personal data within their systems and networks.
It involves identifying the sources of data, the purposes for which it is processed, the entities with access to the data, and any transfers of data to third parties. By creating a visual representation of data flows, data protection professionals can gain a clear understanding of how personal data moves throughout the organisation and beyond. This knowledge is essential for effective risk assessment, Data Protection Impact Assessments (DPIAs) and compliance with other regulatory requirements. 

The Benefits of Data Flow Mapping 

Data flow mapping serves as a foundation for creating a comprehensive data inventory. It enables organisations to document all types of personal data they collect, process, store, and share. This inventory provides transparency and visibility into data processing activities, allowing for better management and control of personal data.  

The UK GDPR and the Data Protection Act 2018 impose strict obligations on organisations to protect personal data and ensure lawful processing. Data flow mapping facilitates compliance by identifying areas where data protection measures need strengthening or adjustment. It helps organisations determine whether they have a valid legal basis for processing personal data, obtain appropriate consents, and implement adequate security measures. Mapping data flows supports compliance with the principles of lawfulness, fairness, and transparency, as well as data minimisation and purpose limitation. It will also assist in the production and maintenance of a Record of Processing Activity (ROPA) under Article 30 of the UK GDPR.

Understanding the personal data landscape also helps organisations identify the data subjects’ rights and obligations associated with each type of data. Data flow mapping enables organisations to respond effectively to data subject requests, such as access, rectification, and erasure. By understanding the data flows, organisations can locate the relevant data and fulfil their obligations within the required timeframes. This transparency empowers individuals to exercise their rights and fosters trust between organisations and data subjects. Furthermore, data flow mapping enhances transparency by providing a clear overview of how personal data is used and shared, enabling organisations to communicate their data processing practices accurately.

In the event of a personal data breach or security incident, data flow mapping becomes a valuable asset for efficient incident response and management. It allows organisations to identify the affected data, assess the potential impact, and take appropriate measures to mitigate harm. By understanding data flows, organisations can implement data breach response plans tailored to the specific types of data involved. Proactive incident response minimises the risk of data breaches and ensures compliance with legal obligations, including notification requirements and remedial actions.

A data flow map is a powerful tool for identifying potential risks and vulnerabilities in data processing activities. It assists in assessing the security measures in place, evaluating the legal basis for data processing, and ensuring that data transfers, particularly international transfers, comply with relevant regulations. By understanding the risks, organisations can implement appropriate safeguards and mitigation strategies to protect personal data from unauthorised access, loss, or misuse. 

Data flow mapping greatly strengthens data governance and accountability within organisations. It promotes a holistic understanding of data processing activities, including the roles and responsibilities of the individuals involved. This knowledge facilitates the establishment of appropriate policies, procedures, and internal controls to protect personal data. It also enables organisations to demonstrate accountability by showing regulators, stakeholders, and customers that they have implemented the necessary measures to protect personal data and comply with legal requirements.
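The benefits described above (a data inventory, locating data for subject requests, spotting third-party and international transfers, and feeding a ROPA) all fall out of the same underlying model: a map of which data categories move from which system to which, for what purpose. The following is an added illustration, not code from the original post, showing that model in Python. The systems, data categories and countries are constructed sample values, not a real organisation's map.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DataFlow:
    """One edge in the data flow map: personal data moving from one system to another."""
    source: str
    destination: str
    categories: frozenset          # categories of personal data carried by this flow
    purpose: str                   # purpose of processing for this flow
    destination_country: str       # country code of where the destination is hosted
    third_party: bool              # True if the destination is outside the organisation


# Constructed sample map (hypothetical systems; not taken from any real organisation).
CONSTRUCTED_FLOWS = [
    DataFlow("web_form", "crm", frozenset({"name", "email"}),
             "customer account management", "GB", False),
    DataFlow("crm", "email_marketing_saas", frozenset({"name", "email"}),
             "marketing", "US", True),
    DataFlow("crm", "analytics_warehouse", frozenset({"email", "purchase_history"}),
             "analytics", "IE", False),
    DataFlow("hr_system", "payroll_provider",
             frozenset({"name", "bank_details", "national_insurance_number"}),
             "payroll", "GB", True),
]


def data_inventory(flows):
    """Category -> sorted systems that hold it (a system holds data it sends or receives)."""
    inv = defaultdict(set)
    for f in flows:
        for c in f.categories:
            inv[c].update((f.source, f.destination))
    return {c: sorted(systems) for c, systems in inv.items()}


def locate_for_request(flows, category):
    """Systems to search when answering an access or erasure request for one category."""
    return data_inventory(flows).get(category, [])


def purposes_for(flows, category):
    """Every purpose a category is processed for; more than one is a purpose-limitation prompt."""
    return {f.purpose for f in flows if category in f.categories}


def third_party_recipients(flows):
    """Third-party recipient -> categories disclosed to it (the ROPA 'recipients' column)."""
    out = defaultdict(set)
    for f in flows:
        if f.third_party:
            out[f.destination].update(f.categories)
    return dict(out)


def international_transfers(flows, home_country="GB"):
    """Flows leaving the home jurisdiction; each needs a recorded transfer mechanism."""
    return [f for f in flows if f.destination_country != home_country]


def ropa_rows(flows, home_country="GB"):
    """Article 30-style summary: one row per purpose, with categories, recipients, transfers."""
    rows = defaultdict(lambda: {"categories": set(), "recipients": set(), "transfers": set()})
    for f in flows:
        row = rows[f.purpose]
        row["categories"].update(f.categories)
        if f.third_party:
            row["recipients"].add(f.destination)
        if f.destination_country != home_country:
            row["transfers"].add(f.destination_country)
    return {p: {k: sorted(v) for k, v in r.items()} for p, r in rows.items()}


if __name__ == "__main__":
    for f in international_transfers(CONSTRUCTED_FLOWS):
        print(f"transfer: {f.source} -> {f.destination} ({f.destination_country})")
    print("systems holding 'email':", locate_for_request(CONSTRUCTED_FLOWS, "email"))
    print("ROPA rows:", ropa_rows(CONSTRUCTED_FLOWS))
```

Each function answers one of the questions the post raises: `locate_for_request` is the access/erasure lookup, `purposes_for` flags categories processed for several purposes, `third_party_recipients` and `international_transfers` surface the disclosures that need contracts and transfer mechanisms, and `ropa_rows` is the starting point for the Article 30 record. The same model can be exported to draw.io or Visio as nodes and edges once the flows are captured.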

Data Flow Mapping Tools 

While the process can be complex, there are several publicly available tools that can assist in simplifying data flow mapping. 

Lucidchart is a popular cloud-based diagramming tool. With its intuitive interface and drag-and-drop functionality, users can easily create visual representations of data flows. There are various templates and shapes specifically designed for data flow mapping, allowing organisations to quickly map out their data processing activities. Lucidchart also supports collaboration, enabling multiple team members to work together on data flow diagrams in real time.

Microsoft Visio is a widely used diagramming tool that includes features for data flow mapping. It has an extensive library of shapes and templates and offers various connectors and layout options to ensure clear and comprehensive representations of data flows. Visio also allows for easy linking of data flow diagrams to relevant documentation and policies. As part of the Microsoft Office suite, Visio integrates seamlessly with other Microsoft products, making it a convenient choice for organisations already using Microsoft solutions.

draw.io is a free, open-source diagramming tool that offers an intuitive interface for creating data flow diagrams. Users can save their diagrams locally or in cloud storage platforms such as Google Drive and OneDrive. draw.io is highly customisable, allowing users to tailor their data flow diagrams to their specific needs. While it may not have as many advanced features as some other tools, draw.io remains a practical option for organisations seeking a free and straightforward solution for data flow mapping.

Data flow mapping is a critical skill for data protection professionals in the UK. By mapping data flows, organisations can create comprehensive data inventories, identify and mitigate risks, facilitate compliance, respond to data subject requests, and manage data breaches effectively. As data becomes increasingly valuable and personal privacy gains greater significance, mastering the skill of data flow mapping is an essential step toward maintaining trust, building robust data protection frameworks, and ensuring the security and integrity of personal data. Data protection professionals who acquire this skill will be well-equipped to navigate the complex landscape of data protection and play a crucial role in upholding individuals’ privacy rights in the digital age.

Sharpen your data flow mapping skills by joining our next Data Flow Mapping workshop. By the end you will understand the key concepts of data flow mapping, the benefits of this work and how to develop and implement a data flow mapping process in your organisation.

The New EU Data Governance Act

On 17th May 2022, the Council of the European Union adopted the Data Governance Act (DGA), or, to give its full title, the Regulation on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (2020/0340 (COD)). The Act aims to boost data sharing in the EU, allowing companies to have access to more data to develop new products and services.

The DGA will achieve its aims through measures designed to increase trust in relation to data sharing, creating new rules on the neutrality of data marketplaces and facilitating the reuse of public sector data. The European Commission says in its Questions and Answers document:

“The economic and societal potential of data use is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges”.

Application

The DGA will increase the amount of data available for re-use within the EU by allowing public sector data to be used for purposes different from the ones for which it was originally collected. The Act will also create sector-specific data spaces to enable the sharing of data within a specific sector, e.g. transport, health, energy or agriculture.

Data is defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording” that is held by public sector bodies and which is not subject to the Open Data Directive but is subject to the rights of others. Examples include data generated by GPS and healthcare data, which, if put to productive use, could contribute to improving the quality of services. The Commission estimates that the Act could increase the economic value of data by up to €11 billion by 2028.

Each EU Member State will be required to establish a supervisory authority to act as a single information point providing assistance to governments. They will also be required to establish a register of available public sector data. The European Data Innovation Board (see later) will have oversight responsibilities and maintain a central register of available DGA Data. 

On first reading the DGA seems similar to the Re-use of Public Sector Information Regulations 2015, which implemented Directive 2013/37/EU. The aim of the latter was to remove obstacles that stood in the way of re-using public sector information. However, the DGA goes much further.

Data Intermediary Services 

The European Commission believes that, in order to encourage individuals to allow their data to be shared, they should trust the process by which such data is handled. To this end, the DGA creates data sharing service providers known as “data intermediaries”, which will handle the sharing of data by individuals, public bodies and private companies. The idea is to provide an alternative to the existing major tech platforms.

To uphold trust in data intermediaries, the DGA puts in place several protective measures. Firstly, intermediaries will have to notify public authorities of their intention to provide data-sharing services. Secondly, they will have to commit to the protection of sensitive and confidential data. Finally, the DGA imposes strict requirements to ensure the intermediaries’ neutrality. These providers will have to distinguish their data sharing services from other commercial operations and are prohibited from using the shared data for any other purposes. 

Data Altruism

The DGA encourages data altruism. This is where data subjects (or holders of non-personal data) consent to their data being used for the benefit of society, e.g. for scientific research purposes or improving public services. Organisations that participate in these activities will be entered into a register held by the relevant Member State’s supervisory authority. In order to share data for these purposes, a data altruism consent form will be used to obtain data subjects’ consent.

The DGA will also create a European Data Innovation Board. Its mission will be to oversee the data sharing service providers (the data intermediaries) and provide advice on best practices for data sharing.

The UK

Brexit means that the DGA will not apply in the UK, although it clearly may affect UK businesses doing business in the EU. It remains to be seen whether the UK will take a similar approach, although it is notable that UK proposals for amending GDPR include “amending the law to facilitate innovative re-use of data for different purposes and by different data controllers.”

The DGA will shortly be published in the Official Journal of the European Union and enter into force 20 days after publication. The new rules will apply 15 months thereafter. To further encourage data sharing, on 23 February 2022 the European Commission proposed a Data Act that is currently being worked on.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September.