If your business uses its customers' personal data to operate, several data protection rules will apply. The UK General Data Protection Regulation ('UK GDPR') is the law governing the use of personal data and imposes a range of obligations on organisations that process it. An essential starting point under the UK GDPR is understanding which types of personal data you use and why, and a data mapping exercise is the usual way to establish this. This article explains what data mapping is and why it is an essential step towards UK GDPR compliance.
This factsheet also sets out, in outline, how your business can work towards UK GDPR compliance once the mapping is complete.
Why is UK GDPR Compliance Necessary?
Compliance with UK GDPR is compulsory for any organisation using personal data. The UK GDPR applies to virtually all businesses, as most businesses will collect and use some form of personal data. For example, businesses regularly collect personal information about:
- customers;
- suppliers;
- candidates; and
- staff.
If your business processes any type of personal data, then the UK GDPR rules will apply to you. Depending on your business activities and how you use personal data, there are various steps you will need to take to comply with the UK GDPR.
For example, common obligations under the UK GDPR include:
- keeping personal data secure using appropriate technical and organisational measures;
- having a lawful basis for each processing activity; and
- having a system in place to prevent, detect and respond to personal data breaches, including reporting notifiable breaches to the Information Commissioner's Office within 72 hours of becoming aware of them.
Further, organisations need to train staff about data protection law rules and put various policies and procedures in place to comply with the UK GDPR. However, in order to determine what you need to do to comply with the UK GDPR, you first need to understand how and why you use personal data.
What is Personal Data?
Personal data is any information relating to a living individual who can be identified, directly or indirectly, from that information alone or in combination with other information. Some examples of personal data include:
- names and surnames;
- addresses and email addresses;
- telephone numbers;
- health information;
- location data and online identifiers;
- signatures; and
- photographs.
Personal data can be a single item of information or a combination of different types of information. Ultimately, every business will process different types of personal data, and the types of personal data your business processes will dictate your obligations under the UK GDPR regime.
What is a Data Mapping Exercise?
The first essential step towards UK GDPR compliance is a data mapping exercise. Data mapping involves documenting every set of personal data that your business collects and uses, and recording how that data flows through your business from collection to deletion.
As part of the data mapping procedure, you should review and document:
- which types of personal data your organisation collects and uses, and why;
- the format in which you store personal data, for example in hard copy or electronically;
- where you collect personal data from, and whether any third parties collect data on your behalf;
- how and where you store personal data;
- whom you share personal data with, and why;
- how long you keep each category of personal data; and
- whether any personal data is transferred to countries outside the United Kingdom.
Your data mapping exercise should be detailed and should set out the categories of data subjects you process data about. Categories of data subject include, for example, current and former customers, staff and job candidates, and website users who submit enquiries through your website.
If you collect any special category personal data (such as health data), criminal offence data or children's data, additional and more stringent rules apply. For example, you may need to identify a specific condition for processing that data, put an appropriate policy document in place, and, where you rely on consent, obtain explicit consent from the individuals concerned.
You can carry out data mapping in different ways, for example with a spreadsheet or a dedicated data mapping tool. Whichever method you use, make sure the exercise covers every area of your business: speak to each department to understand which data it collects, where it stores that data and whom it shares it with.
What Should Businesses Do After Completing Data Mapping?
After mapping the personal data your business collects, you can act on the results and use them to determine your obligations under the UK GDPR. Your data mapping exercise will help you establish the following factors:

| Factor | Action |
| --- | --- |
| Determining whom you collect personal data from. | If you collect personal data from your customers and control that data, you will need to provide them with a Privacy Policy (privacy notice) explaining how you use their personal details. |
| Determining your lawful basis. | Understanding why you collect personal data will help you identify the appropriate lawful basis for each processing activity. Consider the processing you carry out for each type of data and document your lawful basis accordingly. |
| Establishing data retention rules. | If you find that you collect excessive personal data that you do not require, you can take action to delete that data and develop a Data Retention Policy setting out how long you should keep each category of personal data. |
| Identifying whether you need to carry out risk assessments. | Data mapping will help you identify whether you process any high-risk or sensitive personal data and, if so, whether you need to conduct a data protection impact assessment (DPIA) before that processing begins. |
| Complying with international data transfer rules. | Your data mapping will establish whether you transfer any personal data outside the United Kingdom. If so, you must ensure that each transfer is covered by an appropriate transfer mechanism and otherwise complies with the applicable international data transfer rules. |
Understanding Your Business’ Legal Obligations
The UK GDPR regime is vast and complicated, and most businesses will need to meet several distinct requirements at once. If you need support with understanding how the data you process affects your legal obligations under the UK GDPR, you can work with a data protection solicitor.
A data protection solicitor can review the results of your data mapping exercise and advise you on the compliance actions your business needs to take. They can also guide you through the data mapping process itself, including the questions you need to ask, and help you prepare a data mapping template to use across your business.
Data mapping is not a one-off task: you should review and update it on a regular basis. In particular, revisit your data flows whenever you start collecting new types of personal data, use existing personal data for a new purpose, or begin sharing it with a new third party.
Key Takeaways
Compliance with the UK GDPR is not a one-size-fits-all approach. As such, you must understand exactly what personal information your business processes and why. Your data mapping exercise is a critical first step to help you determine your legal obligations. Ultimately, what you need to do to comply with the UK GDPR will depend very much on which types of personal data you use and why.
If you need legal advice on compliance with the UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.