GDPR Data Map Template

An easy to use self-assessment tool for understanding how data moves through your organisation

Ideea
5 min readJan 22, 2018

Since developing my WordPress plugin, All-in-One GDPR, it has become increasingly clear to me that many clients do not know what data they are currently in possession of and if that data has been collected legally under GDPR. At present businesses do not have a structured method to understand what data falls under GDPR and how to handle it appropriately. To address this, I have created the GDPR Data Map, this self-assessment template tool will allow you to get a clear understanding of exactly what data your organisation is in possession of and how that data is moving through your organisation.

DOWNLOAD HERE

Since GDPR does not come into full effect until May 25th your organisation’s GDPR transformation can be iterative. This template has been specifically designed so that you can use it multiple times as you make incremental changes to your business (see the version field); this will minimize disruption and allow you to test different processes. For example, you may want to A/B test different designs of permission request pages if your clients personal data is mission critical. I also highly recommend that you take photos or scan this document each time you use this template. This will constitute documented decision making as advised by the GDPR.
Read more: ico.org.uk
See Article 30

Source

In the first column titled ‘Source’ write the source of personal data into your organisation. This could be a contact form on your website or this could be an email marketing list from an extremal 3rd party. Remember if the source is not directly from the data subject (for example an email marketing list), you must ensure that this list was collected legally. Always refer to the 3rd-party’s T&C’s and privacy policy when in doubt.

Personal Data

The personal data column is for describing exactly what types of personal data you are collecting. It’s important to go into as much detail as possible. PII could be any of the following; physical address, phone number, email address, IP address, health information, criminal records, place of work etc.
Read more: ico.org.uk
See Article 4

Reason

In the reason column justify your reasons for collecting this data. Explain exactly how and why the collection of this data is necessary for the organisation. For the avoidance of doubt, everything in this column should start with “We need this data because… ”.

Handling

In the handling column, explain where the data will be stored. Data storage can be physical (printed documents), local (computer owned by organisation) or remote (on the cloud; Google Drive, AWS S3, CRM). Explain who this data will be exposed to both inside and outside of your organisation. If you are a data processor detail how and what processing you will be doing. Also list all security measures you have to protect the data.

Disposal

The Disposal column is for explaining how and when your organisation will dispose of the PII. All personal data should be deleted after a specified period of time but also special situations and events like a user deleting their account may result in the disposal of that user’s data.

Flags

The flags section (last four columns) is for highlighting important information about the data. When reviewing this document pay special attention to these columns, these items will require extra attention in order to comply with GDPR.

Consent obtained — In order to collect any PII the appropriate level of consent must be explicitly provided by the data subject. If this column is not ticked you should clearly justify your reasons for collecting this data in your T&C’s and privacy policy
Read more: ico.org.uk
See Article 7

Subject is a over 13 — If the data subject is under the age of 13 (the age of consent can be up to 16 outside of the UK), put a tick in the column. If you are collecting and/or processing data of a person under the age of 13 consent must be obtained from a person holding “parental responsibility”.
Read more: ico.org.uk
See Article 8

Mission critical data — Tick this column if this data is considered mission critical. For the purpose of this tool, “mission critical” is defined as a piece of data that, if not collected or processed, the business could not operate. If this column is not ticked you should consider not collecting this data at all. Not collecting data demonstrates that you are implementing a privacy by design pattern.
Read more: ico.org.uk

Sensitive personal data — Under GDPR not all personal data is considered equal, some data is considered “sensitive personal data”. Examples of this kind of data would be racial or ethnic origin, political opinions, religious beliefs and physical or mental health conditions. Additional GDPR regulations will apply if you intend on storing or processing these kinds of sensitive personal data.
Read more: ico.org.uk
Criminal data — see Article 10
Special categories of personal data — see Article 9

Hire Me

I am a WordPress expert with 6 years of experience, 1 premium plugin and 4 open source projects built specifically to give WordPress advanced application-like functionality. GitHub.com/AnthonyBudd: WP_Model, WP_AJAX, WP_Cron and WP_Mail. I have 3 years of experience with Laravel building MVPs, Applications and APIs. I’m a certified AWS Practitioner, with 3 years of experience working with AWS.

I’m an IT consultant who provides digital project management, business development and AWS infrastructure consultancy services to businesses across London. Feel free to drop an email to anthonybudd@ideea.co.uk for all work enquiries.

www.linkedin.com/in/anthonybudd

--

--