Introduction

The objective is to map the flow of personal data handled by the organisation through the life cycle of Collection, Usage, Disclosure and Storage. 




Once you have completed the Data Mapping of your Processes that involve personal data, you will be able to identify risks in the Processes. 


Set up

Before updating the Data Mapping Workflow, the DPO should complete a one-time setup of the following to populate the drop-lists:

  1. Data Mapping Workflow settings 
  2. Organisational and Technical Measures  

Navigate to the Data Mapping Workflow

  1. Click 'Data Mapping Workflow' in the Process Risks menu. 
  2. You will see a page similar to the one below. All Data Mapping Workflows will be displayed in a table form. 
  3. To edit an existing Data Mapping Workflow, click on the blue 'Edit' button associated with it. 
  4. To delete an existing Data Mapping Workflow, click on the red 'Delete' button associated with it.
  5. To create a new Data Mapping Workflow, click on the '+ New Entry' button at the top right of the page. 


Start a new Data Mapping Workflow

  1. Click '+ New Entry' to start with a new Data Mapping Workflow for a process.
  2. The system will prompt you to choose the relevant department for the process you want to data map. Choose the relevant department.
  3. The system will then enter the first page in the workflow, the Process repository. The structure of the page is shown below.



Process repository

4. Enter/Update information about your Process. 

  • Current Business Process Step 
    • Select a Process that you want to data-map from the Process Inventory drop-list
  • Business Process Description 
    • Describe the process 
  • Legal Basis 
    • Select the legal (lawful) basis for processing personal data in this process. 
    • In general, a lawful basis for processing personal data is one of the legal grounds, such as Consent.
  • Description of Legitimate Interests
    • Fill this in only if the Legal Basis was 'Legitimate Interests'
  • Data Subjects 
    • Select one or more data subjects that are involved in the process being data-mapped
    • A data subject is an identified or identifiable natural person.
  • Rights available to Data Subjects 
    • What rights have you made available to the individuals (data subjects) whose personal data is being processed? Select one or more
  • Controllers
    • If you are a processor that processes personal data on behalf of another entity (a Controller), you can select the relevant Controller from the list of Controllers you set up in your Personal Data Inventory.
    • If you did not set up any Controllers in your Personal Data Inventory, there will not be a drop-list to select from. This is reasonable if you are a Controller yourself. 
  • Automated Decision-making/Profiling
    • If this process involves automated decision-making/profiling, select all items that apply.
  • Business Process Owner
    • Enter the owner of the Process
  • Transferred from Business Process
    • You can indicate the process that occurs before this one (optional).
  • Transferred to Next Business Process
    • You can indicate the next process that occurs after this one (optional).
  • Remarks
    • Document any important information about the process or gaps in data protection for this process.
  • Organisational Measures
    • Select Organisational Measures that are in place for this process (optional).
  • Technical Measures
    • Select Technical Measures that are in place for this proc
  • Safeguards for Cross-border Transfers
    • Select Safeguards for Cross-border transfers that are in place for this process (optional).
  • Save
    • Click the 'Submit' button to save the updates.


Now you can add Comments, Tasks, Files, URL Links (References), and pointers to Risk Register entries 

               

  • Tasks
    • You can add tasks for attention by others.


  • Comments 
    • Add your Comments and Save
    • The system will display the user name, date and time stamp of any previous comments by you or others.

  • Files 
    • You can upload files here for reference
    • For example, you may wish to upload a Process flow chart 
    • To start the upload, click the '+' sign in the Files section, and either upload new evidence to the system, or choose from evidence you have already uploaded to the system



Once the file upload is complete, your file will be listed on the page.

 


  • References 
    • You can point to links that support your answers
    • For example, you may wish to point to a Process flow chart link
  • Registers
    • You can associate the process with risks in your Risk Register 
  • Form saved
    • Once the form is saved, click the forward arrow to go to the next form (Collection/Usage).




5.  Collection/Usage repository

The system will navigate to the 'Collection and Usage' form.

            

Enter/Update information about the Collection or Usage of the personal data for this Process.  


  • Types of Data 
    • Select all the types of data that you collect in this Process
  • Data Provided by
    • Select who provided the data (for example, the Data Subject
  • Sensitive Data 
    • Indicate if Sensitive Data or Special Categories of Data are collected based on the jurisdic
  • Basis for processing Sensitive/Special Categories of Data 
    • If Sensitive Data or Special Categories of Data are collected, you may wish to indicate the basis for its collection 
  • Source 
    • Select one or more sources of information (from the list set up in your Data Inventory)
  • Consent
    • Document if you obtain the consent of data subjects to use their personal data for a specified purpose
  • Notice
    • Document if you notify the data subject of the purpose for the collection, usage, disclosure or storage of the personal data 
  • Method of Transfer
    • Select one or more methods of transfer of the personal data 
  • Encrypted /Secured (C-U)
    • Document if the personal data that is collected or used is secured, for example by encryption or other methods
  • Use (Purpose)
    • Select the Purpose for collecting, using, disclosing or storing the personal data
    • The drop-list is drawn from 'Purposes for processing Personal Data' in the Personal Data Inventory. 
    • The multi-user version of the software offers more options to choose from
  • Data Minimisation
    • Document if you collect only the personal data that is necessary to fulfill your specified purposes
  • Data Accuracy
    • Document if you have measures in place to keep personal data accurate and up-to-date
  • Triggered by
    • Document if there is any process or circumstance that triggers the collection (optional) 
  • Data Format
    • Select the Data Format(s) in which the personal data is collected
  • Who can access data
    • Document who can access the personal data 
  • Who can modify data
    • Document who can modify the personal data
  • Remarks
    • Document any remarks about risks to personal data protection or any upcoming changes regarding the collection of personal data in the process
  • Save
    • Click the 'Save' button to save the updates
  • Files 
    • You can upload files here for reference
    • For example, you may wish to upload copies of forms or online pages used to collect personal data 
    • To start the upload, click the '+' sign in the Files section, and either upload new evidence to the system, or choose from evidence you have already uploaded to the system. Once the file upload is complete, your file will be listed on the page


  • References 
    • You can point to links that support your answers
    • For example, you may wish to point to forms or online pages that are used to collect personal data in this Process


  • Registers
    • You can associate the process with risks in your Risk Register 
  • Summary
    • You can click the 'Summary' button at the top of the page, to view a summary of the input for the workflow so far.


  • Form saved
    • Once the form is saved, click the forward arrow to go to the next form (Disclosure).


Note: You can click the 'Summary' button to view what has been documented so far.


6.  Disclosure repository

Update information about the Disclosure of personal data in this Process.

  • Disclosure Category  
    • Select the Disclosure Category for this Process. 
  • Contract
    • Document if you have a contract with the disclosure party (recipient) that stipulates requirements on the disclosure party for data protection 
  • Contract Reviewed
    • Document if there is a regular review of the contract with the disclosure party (recipient) 
  • Third Party Suppliers or Recipients  
    • Select a third party or recipient from the ticked/checked items in the list of vendors/processors you set up in the Personal Data Inventory 
  • Purpose of disclosing data 
    • Document the purpose of disclosing the personal data to the third party or recipient 
  • Method of Transfer
    • Select one or more methods of transfer of the personal data to the third party or recipient
  • Location of Recipient
    • Select the location of the recipient from the ticked/checked items in the list of countries in the Cross-Border Transfers section of the Personal Data Inventory
  • Remarks
    • Document any remarks about risks to personal data protection or any upcoming changes regarding the collection of personal data in the process


Complete entering the information for the Disclosure Category.

  • Save
    • Click the 'Save' button to save the updates
  • Files 
    • You can upload files here for reference
    • For example, you may wish to upload copies of agreements/contracts with the third party/recipient named in this form 
    • To start the upload, click the '+' sign in the Files section, and either upload new evidence to the system, or choose from evidence you have already uploaded to the system. Once the file upload is complete, your file will be listed on the page


  • References 
    • You can point to links that support your answers
    • For example, you may wish to point to contracts/agreements with the third party or recipient 


  • Registers
    • You can associate the process with risks in your Risk Register 


  • Form saved
    • Once the form is saved, click the forward arrow to go to the next form (Storage).


Notice how the flow is being revealed.  You can click the 'Summary' button to reveal what has been collected up to this point. 




If you wish to add another third party or recipient under Disclosure, click the blue '+' button to document the information for another third party or recipient. 

Click the 'Forward' button to proceed to the Storage repository. 


7.  Storage repository

Update information about the Storage of personal data in this Process.

    

  • System or Application Used  
    • Select the system or application used for this Process
    • The drop-list is populated from your ticked/checked list of systems in Electronic Storage Media
  • Number of records
    • Select the range that best represents the number of records of personal data that are store
  • Data Retention Period  
    • Document the specific Data Retention Period for the personal data in this process, for example '7 years after the transaction date'
  • Justification for Retention Period  
    • Document the justification for the Data Retention Period, for example 'Statutory Requirement' 
  • Encrypted/Secure (S)
    • Document if there are measures in place to secure the personal data, for example, encryption
  • Storage Location
    • Select the storage location of the personal data from the ticked/checked items in the 'Storage of Personal Data' section of the Personal Data Inventory
  • Destination Disposal Method
    • Select one or more Destination Disposal Methods in place to dispose of the personal data (if applicable)
  • Retention Policy 
    • Document if the personal data involved in this process is covered by a Retention Policy
  • Controlled Access
    • Document if access to the personal data is controlled, for example by role-based access 
  • Remarks
    • Document any other information pertaining to the storage and disposal of the personal data
  • Save
    • Click the 'Save' button to save the updates
  • Files 
    • You can upload files here for reference
    • For example, you may wish to upload copies of the Retention Schedule applicable, evidence of security measures, evidence of Access Control etc.  
    • To start the upload, click the '+' sign in the Files section, and either upload new evidence to the system, or choose from evidence you have already uploaded to the system. Once the file upload is complete, your file will be listed on the page


  • References 
    • You can point to links that support your answers
    • For example, you may wish to point to a Retention Policy, Retention Schedule or any other evidence that supports your answers for this Process  


  • Registers
    • You can associate the process with risks in your Risk Register 


  • Form saved
    • Once the form is saved, click the forward arrow to go to the Summary.
    • In the Summary, you can click the blue hyperlinks to navigate between the Process, Collection and Usage, Disclosure and Storage repositories




Your Data Mapping Workflow for this Process is completed. Click the Back button to return to the main Data Mapping Workflow page.